update:
Grab the test program by wj32 here. If allowed to run, it modifies registry permissions for HKLM, silently bypassing Defense+!
* Do not run it unless you know exactly what you are doing and how to revert the changes. *
Defense+ (v3.12) settings:
Paranoid mode.
Computer security policy is on screenshot #1 - all items have default predefined/custom policies/exceptions etc.
Image execution control is set to normal with default extensions to check: exe, bat, com.
Shellcode injections protection is on without exceptions, though it is irrelevant for the test.
All units to monitor under Defense+/Advanced/Defense+ Settings/Monitor Settings are checked (enabled).
“My protected files”, “My protected COM interfaces” groups have default (for v3.12) items.
“My protected registry keys” group has default items, except that one more item is added to the list: HKEY_LOCAL_MACHINE* .
P.S.:
The SubInACL program described in the original post can be prevented by Defense+ from modifying registry permissions if we make the following modification to the Defense+ settings:
However, the mentioned protected interface can guard the registry's permissions from SubInAcl only by coincidence:
-------------- original post start here ----------------------
I used an MS app called SubInAcl for the test. Though this app is safe and harmless (when applied properly), the technique it uses to modify registry hives' permissions (ACLs) is NOT intercepted by Defense+.
I'm not sure whether this technique can be used (or is already used) by malware writers. I would like to see any live malware that modifies registry hives' ACLs.
Modifying ACLs could probably lead to operating system destruction or other undesirable consequences.
Test (OS and Comodo details are in my sig).
subinacl.msi is downloaded from this MS page. Then it is installed. At the end we end up with subinacl.exe (packed as a zip archive and attached).
Defense+ options are the following.
Paranoid mode.
Computer security policy is on screenshot #1 - all items have default predefined/custom policies/exceptions etc. Only explorer.exe has an exception allowing it to launch cmd.exe.
Image execution control is set to normal with default extensions to check: exe, bat, com.
Shellcode injections protection is on without exceptions, though it is irrelevant for the test.
All units to monitor under Defense+/Advanced/Defense+ Settings/Monitor Settings are checked (enabled).
“My protected files”, “My protected COM interfaces” groups have default items.
“My protected registry keys” group has default items, except that one more item is added to the list: HKEY_LOCAL_MACHINE* .
Now we launch cmd.exe and execute the following command:
somepath\subinacl.exe /keyreg "HKEY_LOCAL_MACHINE" /deny=system
Please do not execute this or a similar command on your system unless you know exactly what you are doing.
A Defense+ alert “cmd.exe tries to execute subinacl.exe” appears, and we allow this activity.
Then a second alert (screenshot #2) appears, and we block this activity.
No more alerts from Defense+ (what about “subinacl.exe tries to modify protected registry key”?).
SubInAcl successfully modified the ACL for the HKEY_LOCAL_MACHINE hive. We can see it in the command output (screenshot #3) and confirm it by launching regedit and verifying the permissions for HKEY_LOCAL_MACHINE.
[attachment deleted by admin]
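The post checks the result by hand in regedit and warns readers to know how to revert the change before trying it. The script below is an added example, not code from the original post, from wj32's test program, or from Comodo; it gives an administrator a repeatable way to do both: save the HKEY_LOCAL_MACHINE root DACL as SDDL before a test, compare the live DACL against that baseline afterwards, list any Deny entries (such as the one that "/deny=system" writes), restore the baseline, and pull Windows' own "Permissions on an object were changed" audit events (ID 4670) as a detection source independent of the HIPS. Assumptions: it runs in an elevated PowerShell on the test machine, the baseline file path is an arbitrary choice, and the 4670 lookup only returns results if registry auditing (a SACL on the key plus the relevant audit subcategory) is already enabled.

```powershell
# Added example (not from the original post): baseline, check, restore and
# audit the DACL on the HKEY_LOCAL_MACHINE root key.
# Assumed: elevated PowerShell on the same machine; $BaselineFile is an
# arbitrary location chosen for this example.

$BaselineFile = "$env:ProgramData\hklm-root-dacl.sddl"   # assumed path
$Sections     = [System.Security.AccessControl.AccessControlSections]::Access

function Get-HklmRootAcl {
    # Get-Acl on the registry drive root returns the root key's security descriptor.
    Get-Acl -Path 'HKLM:\'
}

function Save-HklmDaclBaseline {
    param([string]$Path = $BaselineFile)
    # Store only the DACL portion as SDDL so a later restore does not also try to
    # rewrite the owner/group, which needs extra privileges.
    $sddl = (Get-HklmRootAcl).GetSecurityDescriptorSddlForm($Sections)
    Set-Content -Path $Path -Value $sddl -Encoding ASCII
    "Saved HKLM root DACL baseline to $Path"
}

function Test-HklmDaclChanged {
    param([string]$Path = $BaselineFile)
    $current  = (Get-HklmRootAcl).GetSecurityDescriptorSddlForm($Sections)
    $baseline = (Get-Content -Path $Path -Raw).Trim()
    [pscustomobject]@{
        Changed  = ($current -ne $baseline)
        Current  = $current
        Baseline = $baseline
    }
}

function Get-HklmDenyAces {
    # A stock HKLM root DACL carries no Deny ACEs, so any Deny entry here
    # (for example one aimed at NT AUTHORITY\SYSTEM) deserves a closer look.
    (Get-HklmRootAcl).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, RegistryRights, InheritanceFlags, PropagationFlags
}

function Restore-HklmDaclBaseline {
    param([string]$Path = $BaselineFile)
    $sddl = (Get-Content -Path $Path -Raw).Trim()
    $acl  = Get-HklmRootAcl
    # Replace only the DACL section from the saved SDDL, then write it back.
    $acl.SetSecurityDescriptorSddlForm($sddl, $Sections)
    Set-Acl -Path 'HKLM:\' -AclObject $acl
    "Restored HKLM root DACL from $Path"
}

function Get-RegistryPermissionChangeEvents {
    param([int]$Hours = 24)
    # Security event 4670 = "Permissions on an object were changed". It is only
    # logged when registry auditing is enabled and the key has a SACL (assumed).
    # For registry keys the event body reports "Object Type: Key".
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4670
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Object Type:\s+Key' } |
        Select-Object TimeCreated, Id, Message
}

# Typical flow around a test such as the one in the post:
#   Save-HklmDaclBaseline            # before running subinacl / the test program
#   Test-HklmDaclChanged             # afterwards: Changed = True if the DACL moved
#   Get-HklmDenyAces                 # shows e.g. a Deny ACE for NT AUTHORITY\SYSTEM
#   Restore-HklmDaclBaseline         # put the original DACL back
#   Get-RegistryPermissionChangeEvents -Hours 1   # audit trail, if auditing is on
```

The baseline is saved as DACL-only SDDL on purpose: comparing SDDL strings catches reordered, added or removed ACEs without parsing them, and restoring only the Access section keeps the repair within what an elevated administrator can normally do. The 4670 lookup is the complementary check for the question the post raises about seeing such changes in the wild: even when a HIPS does not alert, a permission change on an audited key leaves a record in the Security log.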