Firewall doesn't show any alert if HIPS alerts allowed and app injects into svchost [M1230]

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes, every time.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Disable the Auto-Sandbox and enable the HIPS.
2: Download the sample and then run it. Allow all HIPS alerts, but no firewall alerts.
3: When I run the sample, it is injected into the process “svchost”. After this the app is allowed to connect to the internet without triggering a firewall alert.
One or two sentences explaining what actually happened:
If all HIPS alerts are allowed for the sample it is able to bypass the firewall.
One or two sentences explaining what you expected to happen:
Even with all HIPS alerts allowed the firewall should still be able to restrict the app from connecting to the internet. This is a vulnerability.
If a software compatibility problem have you tried the advice to make programs work with CIS?:
NA
Any software except CIS/OS involved? If so - name, & exact version:
NA
Any other information, e.g. your guess at the cause, how you tried to fix it, etc.:
A video which shows this issue can be downloaded from here:
http://www.myupload.dk/showfile/c4ix93.7z
Even at maximum configurable protection, with Auto-Sandbox disabled and HIPS enabled, it is still allowed to bypass the firewall if all HIPS alerts are allowed.
The sample has a fake digital signature. Maybe this is the main reason; I’m not sure of this, because Comodo did not trust the digital signature.

B. YOUR SETUP
Exact CIS version & configuration:
CIS 8.0.332922.4281 BETA

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Configuration: Firewall Security
Have you made any other changes to the default config? (egs here.):
Firewall: Safe Mode and Custom Ruleset
Have you updated (without uninstall) from CIS 5 or CIS 6?:
No
If so, have you tried a clean reinstall - if not please do?:
NA
Have you imported a config from a previous version of CIS?:
No
If so, have you tried a standard config - if not please do:
NA
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
V.Machine: VirtualBox, Windows 7 x32
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=None b=None

I watched the video, and I noticed that there were many Defense+ HIPS alerts, all of which you allowed. I assume that if you denied them, or perhaps even just one of them, the injection would fail. Thus, please clarify which alert you were expecting (and did not receive) and why it is a bug when so many other alerts were shown. I’m trying to fully understand this issue.

Thank you.

I’m waiting for a firewall alert. It is true that I have to allow all the alerts, but this does not mean that the firewall should not raise any alert.

What happens if you switch to Proactive Security. Then, without changing any other settings, disable the Auto-Sandbox. Then see if running the app causes a Firewall alert?

Also, please try the same, only under Proactive Security now have the Auto-Sandbox enabled, and the HIPS disabled. Then see if running the app causes a Firewall alert?

Let me know what you find.

Thanks.

Even if I change the firewall settings to Custom Ruleset, it will not show any alert.

Thanks

That’s strange. Are you sure that it’s making a connection?

http://camas.comodo.com/cgi-bin/submit?file=4774b7f3a70985fb6f783512caff0a9290036538c918cbd9b755c52e60f37748

I’m sorry. I don’t understand your reply. Are you certain that it’s making a connection?

I’m sorry about this. Please watch this video, which shows the “sample RAT” hacking the Comodo firewall.

[attachment deleted by admin]

Thank you. Does this application patch a system file? If so, are you expecting the firewall alert after that file has been allowed to be patched?

The sample is injected into “svchost”, which is among the trusted files; maybe this is the reason.

And a small program for monitoring connections shows the seriousness of this sample.

From the videos it seems that the injection is caught by CIS. It is only successful because all of the alerts were allowed. I’m not sure where you are saying the bug is? Please clarify in words as I know I am misunderstanding something.

Thanks.

An alert from HIPS appeared that there is an injection process, but the connection was not alerted on by the firewall.

Please see this image of the connection monitoring:

http://im75.gulfup.com/EFsA6Y.jpg

Isn’t that allowed though because you allowed a system process to be patched? My thoughts are that perhaps, since you allowed the other file to be altered, that you have therefore compromised the system.

Is my thinking wrong?

HIPS has nothing to do with bypassing the firewall; the firewall does not monitor the connection injected into the process “svchost” because it is trusted by Comodo.

Suppose that a customer uses the firewall only and does not need HIPS and the Sandbox. The client machine will simply be hacked without any alert from the firewall.

Does this same issue reproduce with the new Beta?

Thanks.

The problem still exists in beta version

Okay. I have asked mouse1 if they have any insights into this issue. They are very busy at the moment, but hopefully they will be able to look it over in the near future.

Thanks.

thank you :-TU

Are you sure? Block the alert you allowed (see attachment) and look at the result.

“The firewall does not monitor the connection injected into the process “svchost” because it is trusted by Comodo.”
The firewall does not detect injection into processes; it’s not a firewall problem. It manages network permissions only.
“Suppose that a customer uses the firewall only and does not need HIPS and the Sandbox. The client machine will simply be hacked without any alert from the firewall.”
If a customer uses only the firewall without HIPS, no protection other than network connection control can be expected.

(Sorry for my English)

[attachment deleted by admin]
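The point the thread arrives at is that an application-based firewall keys its rules on the process image: once code is running inside svchost.exe, its traffic is svchost.exe's traffic and inherits whatever that trusted process is allowed to do. A practitioner who wants to catch this has to look at the host process itself. The script below is an added example, not code from the thread or from Comodo: it lists every svchost.exe instance that currently holds an outbound TCP connection, flags one whose parent is not services.exe, and reports loaded modules that are unsigned, invalidly signed, or not signed by Microsoft. It assumes Windows 7 or later with PowerShell 2.0+ and an elevated prompt (enumerating the modules of service hosts needs it); the `netstat -ano` column layout it parses is the standard one.

```powershell
# Added example, not part of the forum thread or of Comodo's product.
# Assumes: Windows 7+, PowerShell 2.0+, run elevated.

# 1. Parse 'netstat -ano' into objects: proto, local, remote, state, pid.
#    UDP lines carry no state column, so only TCP rows match this pattern.
$connections = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*(TCP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            Proto  = $matches[1]
            Local  = $matches[2]
            Remote = $matches[3]
            State  = $matches[4]
            Pid    = [int]$matches[5]
        }
    }
}

# 2. Keep established connections whose remote side is not loopback.
$outbound = $connections | Where-Object {
    $_.State -eq 'ESTABLISHED' -and $_.Remote -notmatch '^(127\.|\[::1\])'
}

# 3. Map PIDs to processes once; WMI also gives the parent PID.
$procs = @{}
Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

foreach ($conn in $outbound) {
    $p = $procs[$conn.Pid]
    if (-not $p -or $p.Name -ne 'svchost.exe') { continue }

    $parent = $procs[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<gone>' }
    Write-Host ("svchost PID {0} (parent {1}) -> {2}" -f $conn.Pid, $parentName, $conn.Remote)

    # A genuine service host is started by services.exe; anything else is odd.
    if ($parentName -ne 'services.exe') {
        Write-Host "  [!] unexpected parent process"
    }

    # Loaded modules whose Authenticode signature is missing, invalid,
    # or issued to someone other than Microsoft.
    try {
        $modules = (Get-Process -Id $conn.Pid -ErrorAction Stop).Modules
    } catch {
        Write-Host "  [?] cannot enumerate modules: $($_.Exception.Message)"
        continue
    }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'Microsoft') {
            Write-Host ("  [!] {0}  status={1}  signer={2}" -f $m.FileName, $sig.Status, $subject)
        }
    }
}
```

Two caveats apply. Injection that does not load a DLL (a remote thread pointed at shellcode written into the process, or a mapped section) leaves nothing in the module list, so an empty report is not a clean bill of health; a sample that injects a DLL signed with a fake certificate, as the reporter suspects here, shows up because `Get-AuthenticodeSignature` returns a status other than `Valid`. And the check is a detection, not a prevention: the only layer in the thread that could have stopped the injection is the HIPS, which is why the moderators keep returning to the alerts the reporter allowed.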