Comodo not blocking auto-load scripts from usb stick


I just wanted to make a little test as I may see if Comodo protects against scripts auto-loading from USB sticks, CDs, etc.
I’ve created an autorun.inf file with the following code:

shellexecute=wscript.exe yes.vbs

then I’ve created a vbs script called yes.vbs that was displaying random messages on desktop and finally shutting down the PC.

I copied them on my USB flash drive and when I inserted it Comodo said it is learning that rundll32.exe is running yes.vbs and the script was loaded. I have Defence+ set to “Train with Safe Mode”.
Shouldn’t it prompt me for this action ?
Can you add this feature to protect against these type of malwares spreading like this ?

Thank you!

if you were in clean pc mode - it should have prompted you… as for “training with safe mode”… rundll32 is a safe app, but accesses a file in untrusted zone, so that must be asked for too… This looks like a vulnerability

Try setting your D+ to Paranoid mode.

Ewen :slight_smile:

I’ve tried this and now I received 2 prompts: just before the script was about to execute the shutdown process, Comodo warned me that wscript.exe tries to acces the COM interface. I choose Allow.
Then it prompted again that wscript.exe tries to execute shutdown.exe. I choose Block and the script failed to shut down my PC. It was better, but I think very few are using Paranoid Mode.
wscript.exe and shutdown.exe are both safe files in my computer and that results in no prompt in “Train with Safe Mode” I guess, but could be a method to intercept the autorun.inf actions from every removable drive.
The same autorun.inf could be used to launch an .exe file or another sript. This technique is very used today.

i think it’s better to control program parameters :-))) like a SAFE program is trying to run something from UNSAFE location :-)))) or implement a special control for VBScripts, Javascripts and other stuff (like cmd)

pykko, could you take it a bit further, and create a vbs script that would execute “C:\Program Files\Internet Explorer.exe” with the argument “-new”? And then use the same procedure (autorun.inf, wscript.exe) to run it, while you are in Train With Safe mode?

I mean, if you can slip by Comodo and open a certain URL, it is definitely a leak, since this way you can also post any data via the HTTP GET method, can you not?

Burillo, I think this is an avenue worth looking into - having totally separate control parameteres depending upon the location, rather than the executable (i.e. all USB ports are untrusted).

Can you please post this in the wishlist?

EWen :slight_smile:

I did a little script that executes Notepad and writes down some lines there. In Paranoid mode Comodo prompts for every attempt of wscript.exe to execute notepad.exe and to acces the keyboard. In Train with Safe mode these actions are simply learned.

Now, my problem is would I be protected against an inserted CD\USB with an autorun.inf that has the syntax to execute an .exe file on that removable drive ?
I don’t have enough time to test now, but maybe later.

Not to be obtuse but why would this kind of behaviour have anything to do with a firewall? Surely the primary purpose of a firewall is to protect network traffic/applications?

This kind of thing is leading into anti-malware, anti virus and similar territory. One thing leads to another and next thing you know you’ll end up with bloatware of Symantec proportions. One reason I’m looking at Comodo is precisely because it doesn’t pretend to be anti virus, ad blocking, coffee making everything in one bloatware…

I think you would. Every time an executable is launched, it is checked against the safe applications list. If it’s not in the list, an alert is fired. So, if the application on the usb stick is unsafe, you won’t be able to autorun it without alert. Unless the process that autoruns it (BTW, what is that process?) has that executable in it’s Allowed Applications list (in Access Rights / Run an executable), which shouldn’t be the case.

But scripts are different. You don’t launch scripts directly. You call wscript.exe which then executes the given script. The problem is:

  • wscript.exe is a safe application, so no alert is fired when it is called;
  • the script can do some nasty things using COM Interfaces, protected files/registry keys access, or other trusted applications, which also won’t trigger an alert, since wscript.exe is considered safe.

So what you’ve found looks very serious. I think it needs to be investigated further. Could you post the scripts you used? I’ve never written VBS scripts, so I could use yours as a starting point.

You see, a firewall that only controls applications’ connections is not very effective these days. Leak tests demonstrate how easily you can fool it.

Say you have a trojan that collects some sensitive info about you and sends it via a GET HTTP method to “;password=pmulaffeh”. It could easily fool your “simple” firewall by executing something like “iexplore.exe -new;password=pmulaffeh”. If you don’t control this, then all you will see is Internet Explorer making an outbound TCP connection to port 80 (something normally allowed by firewall rules) without any alerts from the “simple” firewall.

That’s why many modern firewalls have some sort of Host Intrusion Protections System (HIPS) functionality built-in. It’s not just about connections anymore.

Ok that’s fair enough then :slight_smile: I just worry because I seen what happened to, for example, original Norton Personal Firewall and what is happening to Outpost as well. They start off small(ish) and do their job but then the developers keep adding more and more things and soon it becomes some kind of “replace all your antivirus and everything else” all in one package which gets too much :slight_smile: I hope Comodo doesn’t end up like that! It’s one reason why I’m looking to move away from Outpost because they adding too much stuff and making the menus and easy access too much nested!

I’ve noticed the exe files are prompted when I insert a CD with autorun pointing to an .exe file. This is good.

Regarding the .vbs and other scripts don’t. I’ll attach 2 vbs scripts: one launching internet explorer with a specific webpage (I used and the other one launchin Notepad and autotyping some words and closing then.

[attachment deleted by admin]