[Defense+] Cannot detect or defend process termination & file deletion

Generally CIS detects unsafe applications' termination attempts and blocks them if denied.

But with this small tool you can demolish Comodo's defense and do anything you want >:-D

I tested this in D+ Paranoid mode, with CLT 340/340.

I only accepted the initial execution warning, and I DENIED ALL WARNINGS AFTER THAT.

Comodo cannot defend against it, and after rebooting Comodo is completely removed.
The dev guys should be interested in this if I'm not wrong.

(I submit the file because it was not designed to invade the Comodo system.
It's 'xuetr', a rootkit detector/remover,
and it's closed source. I'm sure everyone can reproduce this problem.)

PS: It can't be sandboxed by Comodo, whereas Sandboxie can protect against it.

Edit by EricJH: changed the topic title from all caps to normal case

[attachment deleted by admin]

With sandbox on: I run the file, get an unknown alert, I hit sandbox, then I get another alert about it wanting to create a new file or directory (XueTr.sys), I hit block. The driver cannot load, the program cannot run. The program is totally blocked. If you hit allow at the second alert, allowing it to create the .sys file, then yes, it will kill cmdagent (cmdagent fixed by running Comodo diagnostics).

With sandbox off: all you get is the alert about it wanting to create the .sys driver.

(The above were done in Internet Security mode.)

Now with CIS in Proactive mode.

Sandbox on: unknown alert → hit sandbox → explorer trying to execute XueTr alert → (if allow) XueTr trying to get debug privileges alert.

Sandbox off: explorer trying to execute XueTr alert → (if allow) another explorer executing XueTr alert → (if allow) an elevated privilege alert.

Hitting block at any of these points renders the program useless. Pictures showing the alerts follow.

[attachment deleted by admin]

XueTr is an ARK tool; it needs to load a driver. So in theory Comodo cannot stop any behavior of XueTr unless you stop it from loading the driver.

It is very difficult to protect the computer IF a driver has already been loaded with admin privileges…
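The point above is that the meaningful control is the driver-load decision: once a kernel driver is running, a user-mode HIPS has no reliable way to constrain it. As an added example (not code from this thread, nor from Comodo or XueTr), the PowerShell below audits which kernel drivers are currently running and flags the ones worth a second look: loaded from outside `%SystemRoot%\System32\drivers`, not Microsoft-signed, or without a valid Authenticode signature. It assumes it is run from an elevated prompt, and the "Microsoft-signed means lower interest" rule is a triage heuristic, not a verdict.

```powershell
# Added example: audit running kernel drivers so a driver that got past the
# load-time alert can at least be found afterwards. Assumes an elevated prompt.
$systemDrivers = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may be quoted, carry a \??\ or \SystemRoot\ prefix, or be
        # relative to the Windows directory; normalise it to a plain file path.
        $path = $_.PathName -replace '^"?([^"]+?\.sys)"?.*$', '$1'
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }

        # Catalog-signed Microsoft drivers report Status 'Valid' on current Windows;
        # on older releases they may show 'NotSigned', so treat that as a caveat.
        $sig = if (Test-Path -LiteralPath $path) {
            Get-AuthenticodeSignature -LiteralPath $path
        } else { $null }

        [pscustomobject]@{
            Name       = $_.Name
            Path       = $path
            StartMode  = $_.StartMode
            SigStatus  = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = $false
        }
    }

foreach ($d in $report) {
    # Triage heuristics: unusual location, non-Microsoft signer, or broken signature.
    $outsideDriversDir = -not $d.Path.StartsWith($systemDrivers, [System.StringComparison]::OrdinalIgnoreCase)
    $notMicrosoft      = $d.Signer -notmatch 'O=Microsoft Corporation'
    $d.Suspicious      = $outsideDriversDir -or $notMicrosoft -or ($d.SigStatus -ne 'Valid')
}

$report | Where-Object Suspicious | Sort-Object Path |
    Format-Table Name, StartMode, SigStatus, Signer, Path -AutoSize
```

Third-party drivers such as a legitimately installed anti-rootkit tool will of course appear in this list; the value is in comparing the output against a known-good baseline taken on a clean machine, and in pairing it with a policy that actually blocks the `.sys` creation and load in the first place, which is the alert the second poster described.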

OK, I see, so that's not a disaster :-[ :-[
But I didn't see any of the .sys loading warnings or the "unlimited access" alert (the red one).
I just saw the privilege elevation alert.
Was it just my configuration flaw? ???
I'm using the latest version, and of course I didn't add that program to the trusted list.

The privilege elevation alert is enough.
The application can do anything without any alert if you allow the privilege elevation alert.

That's because you have the sandbox off. Keeping the sandbox on will give you that alert.

OK, many thanks ;D
Now I feel confident about Comodo again 8) :P0l :P0l