Kernel Mode Protection!!!! Where is it?!!

Hello… I’m an expert in computer security software. A few days ago I installed COMODO Internet Security 5.0.162636.1135… OS: Windows 7 Ultimate 32-bit (6.1, Build 7600)

Usually I do some tests to see how tough software is…!!

My test was concerned with Defense+, especially Kernel Mode Protection…

As we all know, all security software uses kernel mode (ring 0) drivers to protect itself from threats and to be able to protect the PC and remove any threat???

Unfortunately, some threats use this technology too, and by this I mean rootkits; the live example of this is the TDSS rootkit. These threats use kernel mode drivers >>>>>

Briefly, I did 2 tests:

1- Installation of legitimate software containing a kernel mode driver. This software was BitDefender Anti-virus 2009 Free Edition; this version is only a scanner and doesn’t contain real-time protection. The point is that during installation BitDefender installed the kernel mode driver “BDSELFPR.SYS”, and Comodo didn’t notice this process…

2- I installed software injected with a hidden driver (a kernel mode driver); again, Comodo didn’t notice the installation process?!!!

The problem is that, once these drivers are installed, they hide in the system and can’t be seen in the Task Manager, and most of them can only be deleted by a bootable anti-virus…

The point is that your software doesn’t have real-time protection against rootkits; it only protects against (detects) user mode drivers. I hope you fix this issue in the next versions of Comodo…

I’m writing to you because I am really concerned about the development of Comodo and I want it always to be the best…

Hey, and welcome to the forums, haitham653!

I don’t think Comodo has kernel mode protection. I haven’t seen that much kernel in Windows; I have seen more in Linux OSes. I think nProtect has some sort of kernel protection or something like that.

Good that you mention it :slight_smile:

Maybe you could tell Comodo what they can improve and what is missing in CIS. :slight_smile: It’s nice to see an expert here :slight_smile:

Regards,
Valentin

Thanks, Valentin, for your reply…

I know kernel mode drivers are not used widely in Windows XP and 7 because this area belongs to the operating system… in this area Windows controls all drivers on your PC… e.g. the software Windows uses to run the CPU, running in kernel mode, ring 0…

Any driver running in this area will have full privilege over anything else running in Windows…

What kernel mode drivers can do:

1- Terminate any process, no matter how strong it is?!! including security software…
2- Write, delete, read and create anything on your PC…
3- Connect to the internet, upload and download anything to your PC…
4- Steal your passwords, credit card numbers, etc. (spying)

All these things will happen invisibly…

But the good news: these kinds of drivers can only be written by a few professional programmers (hackers)

But I guess any good security software should have kernel mode protection…

Additional note:
Device drivers, particularly on modern Windows platforms (XP, Vista and 7), can run in kernel mode (Ring 0) or in user mode (Ring 3). The primary benefit of running a driver in user mode is improved stability, since a poorly written user-mode device driver cannot crash the system by overwriting kernel memory. On the other hand, user/kernel-mode transitions usually impose a considerable performance overhead, thereby prohibiting user-mode drivers for low-latency and high-throughput requirements.

Regards…
haitham653
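The two posts above describe drivers being registered without the HIPS noticing and ask what a kernel-mode driver can do once loaded. As an added example (not code from the thread, from Comodo, or from CIS), the PowerShell script below shows what a practitioner would run on the test machine to find out after the fact what got installed: it lists every driver the Service Control Manager knows about, checks whether the image exists on disk and is Authenticode-signed, and pulls the System log events that record new kernel-mode driver installations (Event ID 7045, Service Control Manager). The function names (Resolve-DriverPath, Get-RegisteredKernelDrivers, Get-RecentDriverInstalls) are my own; it assumes an elevated Windows PowerShell 3+ session on Windows 7 or later.

```powershell
# Added example (not part of the forum thread or of CIS): audit which kernel-mode
# drivers are registered and which were installed recently.
# Assumptions: run as Administrator, Windows PowerShell 3+ (Get-CimInstance;
# on PowerShell 2.0 replace it with Get-WmiObject).

function Resolve-DriverPath {
    param([string]$RawPath)
    if ([string]::IsNullOrEmpty($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    # The SCM stores driver images in several NT-style forms; map them to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Get-RegisteredKernelDrivers {
    # Every driver the Service Control Manager knows about (Win32_SystemDriver).
    # Caveat: on Windows 7, catalog-signed inbox drivers can report NotSigned here,
    # so compare the output against a known-good baseline rather than trusting
    # the Signature column alone.
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig    = if ($onDisk) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            OnDisk    = $onDisk
            Signature = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-RecentDriverInstalls {
    param([int]$Days = 7)
    # Event ID 7045 (source: Service Control Manager) is written for every newly
    # installed service, kernel-mode drivers included. Its message fields are, in
    # order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $p[0].Value
            ImagePath   = $p[1].Value
            ServiceType = $p[2].Value
            StartType   = $p[3].Value
        }
    } | Where-Object { $_.ServiceType -match 'kernel' }
}

# 1. Registered drivers whose image is missing or does not carry a valid signature.
Get-RegisteredKernelDrivers |
    Where-Object { -not $_.OnDisk -or $_.Signature -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, State, StartMode, Signature, Path -AutoSize

# 2. Kernel-mode drivers installed in the last week (an installer dropping a
#    self-protection driver such as the BDSELFPR.SYS mentioned above would appear here).
Get-RecentDriverInstalls -Days 7 |
    Format-Table Time, ServiceName, ServiceType, ImagePath -AutoSize
```

Both queries read the SCM's view of the system from user mode, so a rootkit that is already running at ring 0 and hooks the registry or the service database can hide from them; that is exactly the gap the original poster is describing, and it is why an offline or bootable scan is the usual fallback once a driver is suspected.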

Wow, nice info :) I will add this forum topic to what Comodo can develop as well. Maybe you could be a part of it :)

Regards,
Valentin

I have posted your idea here: https://forums.comodo.com/which-product-do-you-want-comodo-to-develop-next/which-product-to-develop-next-t125.0.html

If you have other ideas bring them on.

Thanks for helping Comodo improve.

Regards,
Valentin

No problem, I’ll do my best :smiley:

Even at the risk of being a little rude, Valentinchen: people who talk too much often don’t read enough. 3 posts weren’t needed to understand the issue posted by haitham.

Nevertheless, installing BitDefender, or some malware we know nothing about at the time of writing, does not make it easy for other people to test the said behaviour under various CIS settings: haitham, would you please use some “lighter” software to run the tests (or, if not, can you PM me your testing malware or its link?).

Hey brucine! :slight_smile:

To be honest, I never thought of this topic as an issue but as an idea of what Comodo can develop.

You think I talk too much? It happens that I don’t read everything or that I miss something… it happens. I don’t think you’re rude; I appreciate your honesty.

Regards,
Valentin

“The point is that your software doesn’t have real-time protection against rootkits”

:‘( :’( :‘( :’(

That’s just a pathetic conclusion for your so-called “tests”…

When you have “real-life malware”, go ahead and send it to me. BTW, I’ve already asked him a couple of times to confirm his conclusions, but I got nothing. Why? Because he is nothing but an enthusiast who learned two words and wants to see them in real life, and missed the big picture, which is reality.

Let me tell you who he really is :slight_smile:

This expert “believes” that the analysis at threatExpert.com is done “manually”!! :smiley:

http://www.zyzoom.org/vb/showpost.php?p=2573673&postcount=22

Let me translate here :slight_smile: !!!

What we want is just the first sentence, which can be translated as “the analysis in threatExpert is done manually and not automatically”.

So ;D that’s the expert that we are dealing with :wink: !!!

Does he have any proof?
No

Does he know what he is doing?

No

Is he a fan of other products?

Yes: he is an angry fan of KIS 88)

Next time I’ll check the incoming expert to get more info. Thanks for the reply, knk2006 :) I am surprised how you found out who he is and what he is.

Was I stupid to take him seriously?

Regards,
Valentin

No, you are not!!

I took him seriously when he showed up the first time; however, after digging in his head I found out what he really is :slight_smile:

I think this needs to be looked at in the normal forum before it is accepted as an issue.

Accordingly I will move this to announcements which is the open forum where such discussions seem to take place.

haitham653, thanks for your report.

What I guess would be appreciated are some replicable steps that demonstrate that your assertion is true, a link to establish the credibility of those steps, plus perhaps a test file (not malware) that demonstrates a vulnerability.

If a valid concern is demonstrated, we will be happy to consider this as an issue or wish list item, if it is put into the standard format and all requested information is supplied. Please see the bug report stickies for the standard format.

Many thanks and best wishes

Mouse

There’s one thing I would like to be clarified (all this conversation is a bit too technical for me): is there a flaw in CIS as far as kernel protection is concerned?
Because if there is, it will put in question the whole concept of HIPS.
Could someone explain in plain English (the Queen’s one, God bless Her)?

Regards.

Just redefine the protection settings for “Windows System” & “Trusted” Applications and you’ll be protected. :slight_smile:


http://img202.imageshack.us/img202/879/97987.th.png

CIS allows driver installation for trusted applications by default

What do you mean by “software injected with hidden driver”?

If you do that, you will get dozens of alerts for trusted applications!!, and this is not good at all for usability

Why do I have to do that for a trusted application?? Is it a security matter? Please explain

I don’t understand how untrusted software like (the TDSS rootkit) can get permission to install kernel mode drivers?! These installations are blocked in the CIS 5 (Limited & Isolated) predefined policies, and only a legitimate trusted application can do that according to its CIS 5 Trusted predefined policy…

+1

No. In fact, only a few system applications, and on very rare occasions, want to install drivers, and very few request write access to the physical disk. When the system is installed and CIS is fully configured I have almost no chance of seeing such alerts. :slight_smile:

Just because I want to know who, when, why and what for is trying to install kernel modules on my system or trying to get write access to physical drives. Frankly, many legitimate and trusted (in terms of CIS) programs want to install drivers (e.g. the Winamp installer), even when these drivers are not used. Moreover, the unnecessary ability of some programs (e.g. the notorious Adobe Reader, various browsers, p2p clients etc., and even system services from M$) to access vital points of the system may be exploited by malware through known or future vulnerabilities.