New method could let Windows malware bypass detection

Source: New method could let Windows malware bypass detection | Computerworld

Basically, they say that this new malware can use legitimate Windows calls to evade detection.

I guess the malware will be categorized as unknown and run in the Comodo sandbox… But can you confirm that this will actually happen, or does it have a chance to evade the firewall and sandbox (I will leave the AV part out of this discussion)?

Maybe HIPS will detect DLL injection and prompt… But will it prompt, or will it block directly, for example?

Thank you.

Defense+ alerts on atombombing.exe trying to access the memory of the chrome process; the sandbox also automatically prevents applications from accessing other processes' memory.

Wow… Comodo can prevent so many types of attacks… It really has been architected very well…

Then why do many articles cite security researchers who say that this attack has no known patch because of the way the Windows OS was designed in the first place?

I think it’s time for them to hear about Comodo… Moments like this, I think, count from a PR perspective for Comodo. And thoughts about this initiated by Comodo staff (blog, TV, online journals, etc.) can have positive effects on the company overall.

Many of the people I know don’t know about Comodo… Or even if they do, they still think of it as a classic AV… They don’t know about Default Deny and the many other features that make Comodo so powerful and unique.

I wish that Comodo could become even bigger, because at least to me as a user it has given back so much.

Thank you for the clarification on this subject.

This has been happening for a long time already; trojanscrypt and older malware already did that.
The problem may be the fact that malware using the “same path” in the background, which is memory-resident, gets past antivirus and anticheats (used in online games).

It may be possible for a program to avoid detection by HIPS by only using Windows calls that are not normally considered potentially suspicious, but it would still be contained by the “Default Deny” mechanism used by CIS because it would be unknown (i.e. not in the whitelist or blacklist).
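To make the layering described in the reply above concrete, here is an added example that is not Comodo's code and not part of the original thread. It models two decisions over constructed process events: a HIPS rule that alerts when a trusted process touches another process's memory, and a Default Deny gate that sends any executable not on the whitelist or blacklist to the sandbox regardless of which API it calls. The hashes, the list of cross-process APIs, the `Event` shape and the sample events are all constructed for illustration; the real product's rule set and prompts are not reproduced here.

```python
"""Toy model of Default Deny plus a HIPS cross-process rule.

Added illustration, not Comodo's implementation. Hashes, API names and
the sample events are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed whitelist/blacklist keyed by SHA-256 (placeholder hashes).
TRUSTED_HASHES = {"a" * 64: "chrome.exe", "b" * 64: "updater.exe"}
BLOCKED_HASHES = {"c" * 64: "known_bad.exe"}

# Calls that touch another process's memory or threads (assumed HIPS watch list).
CROSS_PROCESS_APIS = {
    "OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
    "CreateRemoteThread", "NtQueueApcThread", "SetWindowsHookExW",
}


@dataclass
class Event:
    image: str                    # process making the call
    sha256: str                   # hash of its executable on disk
    api: str                      # Windows API being called
    target: Optional[str] = None  # other process touched, if any


def trust_level(sha256: str) -> str:
    """Classify an executable as blocked, trusted or unknown."""
    if sha256 in BLOCKED_HASHES:
        return "blocked"
    if sha256 in TRUSTED_HASHES:
        return "trusted"
    return "unknown"


def touches_other_process(ev: Event) -> bool:
    """True when the call reaches into a process other than the caller."""
    return ev.api in CROSS_PROCESS_APIS and ev.target not in (None, ev.image)


def evaluate(ev: Event) -> str:
    """Verdict a Default Deny + HIPS stack reaches for one API call."""
    level = trust_level(ev.sha256)
    if level == "blocked":
        return "blocked"  # blacklisted: never runs at all
    if level == "unknown":
        # Default Deny: unknown code is auto-sandboxed. Inside the sandbox,
        # cross-process memory access is denied outright, no prompt needed.
        # Even a process that avoids every watched API stays contained.
        return "sandbox-denied" if touches_other_process(ev) else "sandboxed"
    # Trusted code runs normally, but HIPS still prompts on cross-process access.
    return "prompt" if touches_other_process(ev) else "allow"


# Constructed sample events: an unknown binary, a trusted one, a blacklisted one.
SAMPLE_EVENTS = [
    Event("atombombing.exe", "d" * 64, "WriteProcessMemory", "chrome.exe"),
    Event("atombombing.exe", "d" * 64, "GlobalAddAtomW"),          # innocuous call
    Event("updater.exe", "b" * 64, "WriteProcessMemory", "updater.exe"),
    Event("updater.exe", "b" * 64, "CreateRemoteThread", "chrome.exe"),
    Event("known_bad.exe", "c" * 64, "GlobalAddAtomW"),
]


def run_samples() -> List[Tuple[str, str, str]]:
    """Evaluate every sample event and return (image, api, verdict) triples."""
    return [(ev.image, ev.api, evaluate(ev)) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for image, api, verdict in run_samples():
        print(f"{image:18} {api:20} -> {verdict}")
```

The second sample event is the case the post is about: a process that only calls APIs the HIPS rule does not watch gets no alert, yet it still ends up sandboxed because its hash is unknown, so the containment does not depend on recognising the technique.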