Congratulations Comodo! - Buffer overflow exploit PASS

Check this out:

Comodo is the only application that I’ve tested so far that completely passes this exploit. I’m quite impressed.

Thank you!

Confiker virus spread using BO as well. CIS stopped it in its tracks too!

Not many people realise the power of BO protection built in CIS. There are too many attacks that uses BO to infect a computer.

thank you for this info ssj100.


Thanks Melih. What’s interesting is that Comodo Memory Firewall (a 2 year old application) not only completely passes the test, but it also identifies the type of attack - ret2libc.

This has some dire implications for Hardware DEP based on the vulnerability to ret2libc attacks:

Anyway, I’ve got a question - is Comodo Memory Firewall (abandoned project) using the same technology as the one built into CIS 4?

its not abandoned at all!
its built into CIS and maintained. You have seen the power of it :wink:


Yes indeed, but I’m wondering if anything has significantly changed since it got integrated into CIS. I know many people who would only want to use Comodo Memory Firewall and not CIS or Defense+.

This is precisely why I trust COMODO the most!

Melih plz mengz have y00 m3n fix the god ■■■■ CPU hog in CIS related to CAV and its updates and cmdagent.exe so I can say bye-bye to all the other apps. 8)

Hey ssj100.

Hope your keeping well. :wink:

I attached the Alert you would see if you left Comodo Sandbox enabled and at default configuration (internet security).

Elevated Privilege Alert (Because installers/updater’s are run outside the sandbox). This is a installer.

User is advised to Sandbox… so we sandbox… try to install and what happens… sandbox says no way :wink:

But it’s still good enough either way. :slight_smile:


ok for your demo, but most users will want to install their program (destinymp3.exe … looks cool, no ?) anyway (because they can’t imagine it’s a virus !) … so they will allow next time … and then ? What happens ? do we get D+ buffer overflow alert ?

If you decide to run it outside the sandbox at elevation prompt it will be the same as running it with sandbox disabled to this should be followed by the BO alert if not sandboxed.

I hate to break it to you but CIS does NOT protect against Ret2Libc buffer overflow attack at all on 64 bit operating systems. So if the app would be native x64, then what would happened ?

[attachment deleted by admin]

ok so this is what i had not understood : clicking “allow” doesn’t desactivate D+ protection. It just bypass the sandbox but D+ still reacts :-TU

Well D+ would not alert for general alerts it otherwise would because this is more like the previous "automatic installer detection… but preventing D+ regular alerts it will still catch BO’s

So NO general D+ alerts if allowed Elevated and YES BO alerts if allowed Elevated.

I’m not sure about this. I don’t currently run a 64-bit system so someone else will have to test it for you. Unfortunately, given the track record on Comodo (and many other forums) at testing and accurately discussing buffer overflow attacks/exploits, I doubt anyone will do this. I’ll to glad to be proved wrong though haha.

Also I still maintain that Sandboxie + LUA/SUA + SRP/AppLocker + Hardware DEP would be able to block (or mitigate to such an extent that it might as well be considered a block) most if not all buffer overflow attacks out there. For those who are more paranoid than me, they may consider adding Comodo Memory Firewall or Comodo Firewall/Defense+ from version 3.8.

Melih, did you ever get a chance to ask your team if Comodo Memory Firewall version is any different to the memory firewall built into CIS 4.1?

same engine

So it hasn’t been updated at all to improve buffer overflow protection? I ask this because Comodo Memory Firewall (released over 2 years ago) was able to easily block the real-world exploit in my testing.

that is correct…it didn’t need updating…

Another question (probably Egeman would know the answer). Does this Memory Firewall hook the kernel? That is, does CMF install any of its components into the kernel?