Generally CIS Detects unsafe application’s termination attempts and blocks if denied.
but with this small tool you can demolish comodo’s defense and do anything you want >:-D
i tested this with D+ Paranoid mode, with CLT 340/340.
i only accepted initial execution warning, and I DENIED AFTER ALL WARNINGS.
Comodo cannot defend it and after rebooting comodo is completely removed.
dev guys should be interested this if I’m not wrong.
(I submit the file cause it was not designed to invade comodo system
It’s ‘xuetr’, a rootkit detector/remover.
and it’s closed source I’m sure everyone can reproduce this problem)
*PS : It can’t be sandboxed by comodo whereas sandboxie can protect it
Edit by EricJH: changed the topic title from all caps to normal case
With sandbox on - I run the file, get an unknown alert, I hit sandbox, then I get another alert about it wanting to create a new file or or directory (XueTr.sys), I hit block. The driver cannot load, the program cannot run. The program is totally blocked. If you hit allow at the second alert, allowing it to create the .sys file yes it will kill cmdagent. ( cmdagent fixed by running comodo diagnostics)
With sandbox off - all you get is the alert about it wanting to create the .sys driver.
( the above were done in internet security mode)
Now with CIS in Proactive mode.
Sandbox on - unknown alert → hit sandbox → explorer trying to execute Xuetr alert ( if allow) - XueTr trying to get debug privileges alert.
Sandbox off - explorer trying to execute XueTr alert if allow - > another explorer executing xuetr alert → if allow then a elevated privilege alert.
Hitting block any of these times renders the program useless. Pictures to show the alerts following.
ok i see so that’s not a disaster :-[ :-[
but i didn’t see any of the .sys loading warnings and “unlimited access” alert (The red one)
i just saw the privilege elevation alert.
was it just my configuration flaw? ???
I’m using the latest version. and of course i didn’t added that program to trusted list.