How to kill CIS easily

Hi all,

As I said before, I think using a safe list can be dangerous because HIPS don’t handle it properly, so we can use them to do what we want on the computer with all rights.

Today I will show one way, using Java. You can download it and try it (if you use Vista (I didn’t try on Seven) you must run it as admin with the command java -jar kill_cis.jar). You need to have Comodo installed on partition C:\

Just execute kill_cis.jar and reboot your machine (warning: as it works, use it on a test machine only). After the restart, check CIS.

It’s really a very very very very very very stupid method that works on Online Armor too, just because Java is considered a safe application, so we just have to make malware in Java.

[attachment deleted by admin]

Thanks, I’ll test this out some time. Sounds very interesting, and perhaps has implications for SRP/AppLocker too - for example, if your SRP/AppLocker rules allow javaw.exe to run, this could cause havoc, although the attacks would likely be mitigated, particularly in a limited/restricted/standard user account.

Regardless, this is why it’s very important to handle new files intelligently, as well as add a containment level of protection to your security setup/approach.

Will post back once I’ve done some testing. Thanks once again.

As I do a modification in the Windows registry that requires administrator level, if you are not admin, it won’t work. But there are other ways; I just want an easy way because I don’t want to use a lot of my time on this ;D

Someone asked me to try it on Vipre Antivirus Premium because it has some protection like registry protection; it failed too, but as it’s not a real HIPS, maybe all applications can do that.

Which is exactly why running as a LUA/RUA/SUA will prevent most malware infections from running successfully.

So what you’re saying is CIS can be killed by an application that is in Comodo’s Safelist or Trusted Vendor List, if it’s somewhat modified to do malicious actions, e.g. Java?

His script uses Java to terminate CIS.

Yes… Java scripts (malicious ones) are of course heard of, and CIS does, always with me, prevent these because it’s smart enough to know it’s doing a malicious action. Anyway, letting Egemen know about this thread sounds like a plan for analyzing the tool attached in this thread.

Yes and no, we ask a safe application to do something; if you directly modify the safe application, I think CIS will see it. And you would need an unknown application, so CIS will see you.
Here, I ask Java to execute Java code. I think it’s the same issue here: it asks msiexec.exe to execute SetupRSTAV2010.msi

I don’t kill it directly, I think CIS will try to protect itself, so I modify cmdagent. After the restart, look at its size: 0 bytes 88)
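A defender’s counterpart to the symptom described above (the agent binary left at 0 bytes after the reboot): baseline the size and hash of the security product’s binaries while the system is known-good and re-check them at boot. This is an added example, not the PoC or Comodo’s code; the file path is a constructed placeholder standing in for the real install directory.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record size and hash of each protected binary while the system is known-good."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_of(p)} for p in paths}

def verify_baseline(baseline):
    """Return (path, reason) findings; an empty list means nothing changed."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif os.path.getsize(path) == 0:
            findings.append((path, "truncated to 0 bytes"))  # the symptom reported in the thread
        elif (os.path.getsize(path) != expected["size"]
              or sha256_of(path) != expected["sha256"]):
            findings.append((path, "content changed"))
    return findings

def demo():
    """Constructed demo: a fake 'cmdagent.exe' in a temp dir is baselined, then truncated."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "cmdagent.exe")   # placeholder path, not the real install dir
        with open(fake, "wb") as f:
            f.write(b"MZ" + b"\x00" * 1022)        # constructed stand-in, not a real PE
        baseline = take_baseline([fake])
        before = verify_baseline(baseline)
        open(fake, "wb").close()                  # truncate, as described for the PoC
        after = verify_baseline(baseline)
        return before, after

if __name__ == "__main__":
    print(demo())
```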

Umm, didn’t you just read what he said? This script terminates CIS, so there is a huge vulnerability. That script could have been something malicious. It’s just a POC.

You’d think that CIS would be able to protect itself even from “Trusted” Processes… Guess not :o

I’m not sure I understand all you said (as you may already see, I’m French and my English is still not perfect xD)
But if you said that Comodo can’t protect itself from safe applications, I say yes. I said it a long time ago in the French corner; I tried it last weekend. We just have to know what application we will use. I think there are lots of ways to do this; we just have to find a method to stay in the safe application.

Just try, on Vista or Seven only (I don’t know why it doesn’t work on XP, I didn’t look at this): if you execute (with admin rights) java -jar kill_cis.jar it’ll work. If you try kill_cis.jar, Comodo will sandbox it.

Just imagine how many possibilities we have just with that method. And for Online Armor it’s the same issue, but they thought about it a little, so some of them can’t be used.

I understand. You use a bad script through java to do bad things.
I understand. You use a bad java script thanks to doing bad things.

there could be a lot of possibilities. more than just Java, that exploit Comodo’s trusted list.
there could be a lot of possibilities. more than Java, which exploit Comodo’s trusted list.

Big question is whether Online Armor also has this issue, since Kyle is using it haha.

Argh, don’t use Google Translate; sometimes it’s correct, but generally … 88)

Stay in English, I’ll understand.
You may not know, but I’m the lead translator of the French versions, so I think I can read you :wink:

Python is not in Comodo’s trusted vendor list and I cannot add it. However, if I set python.exe as “Trusted” I can run a malicious script THROUGH PYTHON. For example I can terminate some process, and could probably do other things. I don’t see why not.

import win32api
import win32pdhutil
import win32con

# 'SOME PROCESS HERE' is a placeholder for the target process name (without .exe)
pids = win32pdhutil.FindPerformanceAttributesByName('SOME PROCESS HERE')

for p in pids:
    # Ask for a PROCESS_TERMINATE handle; the request comes from the trusted interpreter
    handle = win32api.OpenProcess(win32con.PROCESS_TERMINATE, 0, p)
    win32api.CloseHandle(handle)
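Both the Java variant earlier in the thread (an elevated java -jar kill_cis.jar slips past the sandbox that would catch the bare jar) and the python.exe variant above share one detectable shape: a whole-program trusted script host loading its code from a user-writable path, often with admin rights. The detection logic below, an added example and not code from the thread, runs over constructed process-creation records (image, command line, elevation flag) of the kind a HIPS or Sysmon-style log would provide; field names and sample paths are assumptions.

```python
import re
import shlex

# Script hosts that a safe list or SRP/AppLocker rule may trust as a whole
SCRIPT_HOSTS = {"java.exe", "javaw.exe", "python.exe", "pythonw.exe"}
# Paths a standard user can write to; a trusted host loading code from here is the pattern to watch
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\temp\\|c:\\windows\\temp\\)", re.IGNORECASE)

def script_argument(image, cmdline):
    """Return the jar/script the host was asked to run, or None if none is apparent."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes literal
    except ValueError:
        return None
    host = image.rsplit("\\", 1)[-1].lower()
    if host in ("java.exe", "javaw.exe"):
        for i, arg in enumerate(argv):
            if arg.lower() == "-jar" and i + 1 < len(argv):
                return argv[i + 1].strip('"')
        return None
    for arg in argv[1:]:                           # python: first non-option argument
        if not arg.startswith("-"):
            return arg.strip('"')
    return None

def flag_event(event):
    """Reasons a constructed process-creation record matches the thread's technique."""
    host = event["image"].rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return []
    reasons = []
    script = script_argument(event["image"], event["cmdline"])
    if script and USER_WRITABLE.match(script):
        reasons.append("trusted script host loading code from a user-writable path")
    if event.get("elevated"):
        reasons.append("script host running with admin rights")
    return reasons

SAMPLE_EVENTS = [  # constructed records, not real logs
    {"image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"java -jar C:\Users\test\Downloads\kill_cis.jar", "elevated": True},
    {"image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'javaw -jar "C:\Program Files\App\app.jar"', "elevated": False},
    {"image": r"C:\Python27\python.exe", "cmdline": r"python C:\Temp\kill.py", "elevated": True},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad", "elevated": False},
]

def scan(events=SAMPLE_EVENTS):
    """Map command line -> reasons for every flagged event."""
    return {e["cmdline"]: flag_event(e) for e in events if flag_event(e)}
```

A jar or script that lives under Program Files and runs unelevated (the second record) produces no finding, which is the trade-off the thread goes on to discuss: the rule is aimed at where the code comes from, not at the interpreter itself.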

Exactly, and this is only the easy way.

I take it it would be possible to add all Java executables (e.g. java.exe) to the sandbox (Sandbox > “Add Programs to the Sandbox”) with Limited (no file/registry virtualization) permission, and this would be enough to cripple this PoC.

Even those who prefer to use D+ alone can keep the sandbox enabled and disable automated sandboxing and installer detection (Defense+ Tasks > Sandbox > Sandbox Settings):

Untick Automatically run unrecognized programs inside the Sandbox
Untick Automatically detect the installers/updaters and run them outside the Sandbox

The problem is that there’s always got to be a trade-off in order to keep down the volume of pop-ups. It’s perfectly possible to lock down the system and mistrust everything, but you can expect to be answering a huge number of prompts. For a long time on the system I’m using CIS on, I’ve had Mamutu protecting CIS against malicious activity, in case its self-protection fails.

Am I missing something??? I believe this to be a big deal… You load web pages (which often have JavaScript) and it could load a malicious script through Java (a trusted process for Comodo, high rights)… I see it as a huge hole… Again, am I missing something???

Actually you’re not missing anything Kyle, this is potentially a very big issue. Alas, it’s somewhat inevitable that if you trust any potential ‘exploit vector’ then problems can happen.

With Comodo’s sandbox, there may also be a very efficient way to guard against these sorts of things.

IMO browsers, interpreters and email clients should be in their own special group. Threat gates (idea stolen from GesWall) should be sandboxed with reduced privileges, and possibly some consideration of network access should be taken into account…