PoC bypass Auto-Sandbox CIS

CIS no longer detects shell code injections from buffer overflow exploits; that setting is only used to add application exclusions that you don’t want CIS to load the guard.dll into.

When guard32/guard64 is not loaded into an application, then HIPS and containment effectiveness is reduced for that application. For instance, if you add a keylogger to the shell code injection exclusion, you won’t get direct keyboard access HIPS alerts to block keylogging attempts.

In regards to the PoC, it doesn’t matter if the guard dll is loaded into the executable, because CIS does not monitor access to the service control manager by default.

4 Likes

For this one, don’t think too much about settings for Comodo but more about drivers (and affiliated services): also, things have to be in place prior to the trigger being pulled, which is a great deal more problematic for the malware.

Better yet is not to waste time and obsess on this at all as it is less than meets the eye.

3 Likes

If that setting is only used to add application exclusions that you don’t want CIS to load the guard.dll into, then isn’t your response “What is there to fix when the shellcode detection setting was disabled…” for PoC incorrect?

I finished the third version of the PoC and now it does not require any additional files 🥳

Shellcode detection is enabled, untrusted restricted mode, and embedded code detection on.
cmdbypass3

1 Like

Still, it won’t work.

1 Like

Nothing is 100% secure.
Every time there is a legitimate workaround, we’ll work fast to fix it.

4 Likes

The certificate has been revoked for 2 months now, imagine with this flaw that people mentioned, will it be 2 years or more?

2 Likes

Comodo Firewall-- Bypassing a Bypass

https://youtu.be/qvU38wl9oh8

4 Likes

Hello Melih.
When can we expect a new certificate for CIS 2025?
Thank you in advance for your answer.

1 Like

Upload the file to CAMAS (Cloud Verdict Customer Login | Xcitium Cloud Verdict) to see if it’s malware or suspicious.

@Boris_3 Maybe they don’t think it is a crucial issue that should be fixed.

@Nik123 It’s a PoC that breaches the containment, which should not be treated that way…

1 Like

So?
It’s still an executable and it can be uploaded to CAMAS.

To be clear, did you add *\Device\NamedPipe\ntsvcs to the protected files or to the protected COM interfaces? Named pipes should be added to protected files. HIPS can block access to named pipes, so it should also be blocked in containment; at least it did on Windows 7. If it doesn’t work on Windows 11 then it is another compatibility issue that shows CIS is not fully functional or compatible on Windows 11.

1 Like

Yes @DecimaTech


No, it looks like you only made adjustments to protected COM and protected data. Named pipe paths need to be added to Protected Files: Protected Files, PC Files, Folders Protection From Malicious Software | COMODO

1 Like
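As an added illustration of the check the two posts above describe (this is not code from the thread or from Comodo), here is a small Python audit over a constructed list of HIPS Protected Objects entries. It reports whether a named-pipe device path such as `\Device\NamedPipe\ntsvcs` is actually covered by a Protected Files entry, and lists entries that only cover it under another section (Protected COM Interfaces, Protected Data Folders), which is the misconfiguration pointed out above. The section names follow the thread; the tuple-list input format and the reading of `*`/`?` as CIS-style wildcards are assumptions of this example.

```python
import fnmatch

# Section names of the CIS HIPS "Protected Objects" configuration as used in the thread.
PROTECTED_FILES = "Protected Files"
PROTECTED_COM = "Protected COM Interfaces"
PROTECTED_DATA = "Protected Data Folders"

# Constructed sample of user entries (assumed export shape: (section, pattern) tuples).
# It reproduces the mistake discussed above: the named-pipe path sits under COM
# interfaces and data folders, but not under Protected Files.
SAMPLE_RULES = [
    (PROTECTED_COM, r"*\Device\NamedPipe\ntsvcs"),
    (PROTECTED_DATA, r"*\Device\NamedPipe\ntsvcs"),
    (PROTECTED_FILES, r"C:\Windows\System32\drivers\*"),
    (PROTECTED_FILES, r"*\Device\HarddiskVolume*"),
]


def _pattern_matches(pattern: str, path: str) -> bool:
    """Case-insensitive match treating '*' and '?' as wildcards (assumed CIS syntax).
    '[' is escaped so fnmatch does not interpret it as a character class."""
    pat = pattern.lower().replace("[", "[[]")
    return fnmatch.fnmatchcase(path.lower(), pat)


def covering_entries(rules, path, section):
    """Patterns in the given section that match the path."""
    return [p for sec, p in rules if sec == section and _pattern_matches(p, path)]


def audit_named_pipe(rules, pipe_path):
    """Report whether pipe_path is protected by a Protected Files entry, and which
    entries in other sections match it instead (they do not give file-access protection)."""
    protected = covering_entries(rules, pipe_path, PROTECTED_FILES)
    misplaced = [(sec, p) for sec, p in rules
                 if sec != PROTECTED_FILES and _pattern_matches(p, pipe_path)]
    return {
        "path": pipe_path,
        "covered": bool(protected),
        "protected_files": protected,
        "misplaced": misplaced,
    }


def audit_all_pipes(rules, pipe_paths):
    """Audit several pipe paths at once; returns {path: report}."""
    return {path: audit_named_pipe(rules, path) for path in pipe_paths}


if __name__ == "__main__":
    report = audit_named_pipe(SAMPLE_RULES, r"\Device\NamedPipe\ntsvcs")
    status = "covered" if report["covered"] else "NOT covered"
    print(f"{report['path']}: {status} by Protected Files")
    for sec, pat in report["misplaced"]:
        print(f"  entry '{pat}' is under '{sec}', which does not protect the pipe")
```

Running it on the constructed sample prints that the pipe is not covered and names the two misplaced entries; adding a Protected Files entry such as `*\Device\NamedPipe\*` makes the report come back as covered.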

Still



3 Likes

Does this PoC bypass Xcitium OpenEDR as well, @Loyisa?

2 Likes

Comodo and UAC

3 Likes

@cruelsister So according to your video, Microsoft/Windows should be blamed for this bypass rather than COMODO/CIS?