[Exploit] Disable Comodo

Not going to get into the details yet, but ya… You can easily disable/delete comodo.

Whoa, that is pretty cool (maybe cool is not the right word), but still, have you tried it with CIS V4?

Not sure, because the image was blurred even in full screen, but:

Comodo protects its files - I believe via Defense+ / My Protected Files;
It appears to me that the exploit depends upon the user choosing to UNprotect Comodo;
Was it a properly installed Comodo, or does the exploit only happen with a Sun VirtualBox?

Alan

Like I said, it was a default install, nothing changed.

Also would test CIS 4 but don’t know how to change the admin mode.

Edit:

Ah, CIS 4 auto-sandboxes new files with limited permissions. Don’t know how the sandbox works, but I am assuming it would stop this from working because it works by dropping a file.

Since you are claiming to have found a way to bypass Comodo, the burden of proof lies with you. A video does not prove anything to me yet. An explanation and a PoC for us to test are the only ways to convince.

You can easily disable/delete comodo. - YouTube

Your program manages to delete cfp.exe. That is “just” the client program, and since you don’t show your task manager, for all I know cmdagent is still running; cmdagent is what does all the work and would still be protecting you.

Studying your video showed that cmdagent was still present in the CIS installation folder.

You are not making your case stronger by not showing the protected files and folders list. For all I know you could have meddled with that.

For now I am not convinced.

What Eric Said. +1 :-TU

I’m too lazy to type my own opinion

No need to bend fingers. high6 said:

No it wouldn’t, unless D+ option “block all unknown requests when app is closed” is turned ON (which is off by default).

Yeah, I’ll join in on the “It sounds good to me and it saves me from typing” bandwagon too ;). The video did seem to leave a lot to be desired though; maybe he was also lazy.

high6

Not going to get into the details yet, but ya… You can easily disable/delete comodo.
I can understand why you don't want to go into details here.

You can “PM” EricJH with the written detailed step-by-step on reproducing it (including what Windows version was used).

Since you are claiming to have found a way to bypass Comodo, the burden of proof lies with you. A video does not prove anything to me yet. An explanation and a PoC for us to test are the only ways to convince.
Let "high6" have a chance to prove it. Some people don't know how to properly prove an exploit.

That is not an exploit.

Think about what an exploit is.

I don’t wanna waste my time to point it out.

I see what you are hiding in your movie, otherwise you probably don’t know what is wrong.

I actually had no interest in whether your “exploit” works on ANY sort of sandbox.

I was observing that at 1 minute 34 seconds into a 2 minute 54 second video there was a SUN VIRTUALBOX Boot selector, and I was wondering if Comodo was permanently installed on the computer, or if this “exploit” is ineffective on “normal” systems that have no VIRTUALBOX Technology.

Alan

You removed the services.exe and rundll32.exe rules, which results in applications being able to install drivers and to create processes out of Comodo’s control.

Just fake smoke about nothing until you share the “exploit” (wrong wording).

Wrong. Removing services.exe and rundll32.exe results in extra alerts for these entities, taking into account that D+ runs in Paranoid (which is the case in the video).

[speaking aside]
Once, D+ in one of the Comodo versions could not catch global hooks on VirtualBox, but on a real system it caught them perfectly 88)

Is there a program you want me to run before and after? I guess I could just download a virus.

Don’t know a lot about services. But cmdAgent can be removed; it just takes an extra step.

Also to protect against this there are a few things you need to do.

1.) Protect C:\Windows. (No idea why comodo doesn’t protect by default, explorer.exe is in that directory)
2.) NEVER use the trusted policy. (Unless you protect the directory the executable is in)
3.) Don’t use the trusted vendors option. (This is basically the trusted policy but applied without you knowing)
4.) Disable the learning mode*.

*I don’t know if this really applies because I don’t know how the learning mode works. My guess is it stops alerting about different things based on what you allow. Not alerting the user about everything is a bad idea.

Basically this is a process hijack, so if a process has trusted mode it can hijack any program with ease. Let me clarify: you can hijack any process not in a protected directory. In order to hijack a process in a protected directory, the process doing the hijacking must be in trusted mode.

Although this one is a bit different. Basically I have it hijack explorer.exe and because it takes for of the autoruns, I can have it block cfp.exe from executing on startup.

Now I am not too sure about cmdagent.exe, but like someone said, it seems that by default it won’t block requests if cfp.exe is not open.

That’s true. What I was trying to convey was that even if the client, cfp.exe, is not running anymore cmdagent would still protect you with the policies you set in CIS.

I am surely interested to know how the termination works. While I was writing, High6 posted a reply.

Does anybody know? Anybody using Sun VirtualBox?

Will post a reply to High 6 in a separate post.

Please do. This could get interesting…

The Safe / Clean PC mode concepts are about to break :slight_smile:

How could that be done?

Also to protect against this there are a few things you need to do.

1.) Protect C:\Windows. (No idea why comodo doesn’t protect by default, explorer.exe is in that directory)

Explorer is an .exe file and therefore protected.

2.) NEVER use the trusted policy. (Unless you protect the directory the executable is in)
3.) Don't use the trusted vendors option. (This is basically the trusted policy but applied without you knowing)
4.) Disable the learning mode*.

*I don’t know if this really applies because I don’t know how the learning mode works. My guess is it stops alerting about different things based on what you allow. Not alerting the user about everything is a bad idea.

True but doesn’t explain anything we have seen on your video yet.

Basically this is a process hijack, so if a process has trusted mode it can hijack any program with ease. Let me clarify: you can hijack any process not in a protected directory. In order to hijack a process in a protected directory, the process doing the hijacking must be in trusted mode.
We didn't see any alert from CIS when you executed the PoC file. How did it slip CIS attention? That's what we want to know when you claim a bypass. What Windows call was used that was not caught by CIS?
Although this one is a bit different. Basically I have it hijack explorer.exe and because it takes for of the autoruns, I can have it block cfp.exe from executing on startup.
In your video you showed cfp.exe was removed from the installation folder. That means that Comodo's self protection was bypassed. For all I know you may have removed the Comodo folders from the Protected Files list for this; you didn't show the list in your video.
Now I am not too sure about cmdagent.exe, but like someone said, it seems that by default it won’t block requests if cfp.exe is not open.
Don't forget Comodo's self protection will not let a program terminate its CIS processes. Simply try terminating cmdagent.exe or cfp.exe from Task Manager. It won't work.

Recap:

  • We didn’t see any alert from CIS when you executed the PoC file. How did it slip CIS attention? That’s what we want to know. What Windows call(s) were used that were not caught by CIS?
  • How was Comodo’s self protection bypassed?
  • Does it reproduce outside Sun VirtualBox?

high6,

are you going to reveal the secret of the magic? :wink: