PoC bypass Auto-Sandbox CIS

DecimaTech · October 24, 2024, 5:01pm

CIS no longer detects shell code injections from buffer overflow exploits, that setting is only used to add application exclusions that you don’t want cis to load the guard.dll into.

When guard32/guard64 is not loaded into an application, then HIPS and containment effectiveness is reduced for that application. For instance, if you add a keylogger to the shell code injection exclusion, you won’t get direct keyboard access HIPS alerts to block keylogging attempts.

In regards to the PoC, it doesn’t matter if the guard dll is loaded into the executable, because cis does not monitor access to the service control manager by default.

cruelsister · October 24, 2024, 5:59pm

For this one, don’t think too much about Settings for Comodo but more for drivers and affiliated Services): also things have to be in place prior to the trigger being pulled which is a great deal more problematic for the malware.

Better yet is not to waste time and obsess on this at all as it is less than meets the eye.

khanyash · October 25, 2024, 7:33am

If that setting is only used to add application exclusions that you don’t want CIS to load the guard.dll into, then isn’t your response “What is there to fix when the shellcode detection setting was disabled…” for PoC incorrect?

Loyisa · October 25, 2024, 8:24am

I finished the third version of the POC and now it does not require any additional files

shellcode detection is enabled, untrusted restricted mode, and embedded code detection on
cmdbypass3

Loyisa · October 25, 2024, 3:09pm

Still, it won’t works

Melih · October 26, 2024, 12:26am

nothing is 100% secure.
everytime there is a legitimate workaround, we’ll work fast to fix it.

New_Style_xd · October 26, 2024, 12:40am

The certificate has been revoked for 2 months now, imagine with this flaw that people mentioned, will it be 2 years or more?

cruelsister · October 26, 2024, 10:28am

Comodo Firewall-- Bypassing a Bypass

https://youtu.be/qvU38wl9oh8

Boris_3 · October 26, 2024, 11:39am

Hello Melih.
When can we expect a new certificate for CIS 2025?
Thank you in advance for your answer.

Nik123 · October 26, 2024, 3:47pm

Upload the file to CAMAS Cloud Verdict Customer Login | Xcitium Cloud Verdict to see if its Malware or Suspicious

Redstraw · October 27, 2024, 7:27am

@Boris_3 Maybe they don’t think it is a crucial issue that should be fixed.

Redstraw · October 27, 2024, 7:29am

@Nik123 It’s a PoC that breaches the containment, which should not be treated that way…

Nik123 · October 27, 2024, 11:52am

So?
Its still an executable and it can be uploaded to CAMAS

DecimaTech · October 27, 2024, 3:35pm

To be clear did you add *\Device\NamedPipe\ntsvcs to the protected files or protected com interfaces? Namedpipes should be added to protected files. HIPS can block access to namedpipes so it should also be blocked in containment, at least it did on windows 7. If it doesn’t work on windows 11 then it is another compatibility issue that shows cis is not fully functional or compatible on windows 11.

Loyisa · October 27, 2024, 3:55pm

Yes @DecimaTech

DecimaTech · October 27, 2024, 4:09pm

No it looks like you only made adjustments to protected com and protected data. Namedpipes paths needs to be added to protected files Protected Files, PC Files, Folders Protection From Malicious Software | COMODO