I just got hacked!
Okay, let me explain. A friend of mine works with forensics and penetration testing, and we agreed to do a little test of the latest version of Comodo Firewall with the setting “Clean PC Mode”. We simulated a drive-by attack and he ran a script on my PC. The script did not execute any actual malware on my computer but instead manipulated the Windows component powershell.exe to do the dirty work. Through PowerShell he got full access to my microphone as well as my webcam, and was also able to execute other programs etc. Not a single pop-up from Comodo Firewall.
The explanation must be that Defence+ was set to “Clean PC Mode”, thereby trusting all currently installed programs, including of course all built-in Windows components such as PowerShell. What caught me by surprise was that he could hack my PC this way, without any actual malware executing on my PC. Of course any new executables would have caused a reaction from Defence+, but PowerShell was already a whitelisted program.
So perhaps the whole concept of whitelisting programs, which CIS is based on, does have its limitations against a skilled attacker.
Any comments so far?
I now wonder how much better Defence+ will handle this kind of attack if I choose Safe Mode or Paranoid Mode.
Also, here is a question I really hope some of you know the answer to:
Is the sensitivity of Viruscope (a behavior blocker, if I’m not mistaken) influenced by choosing Safe Mode or Paranoid Mode rather than Clean PC Mode? Or can it be made more sensitive in some other way, so that perhaps it will react when a program like PowerShell performs potentially dangerous actions?