PoC bypass Auto-Sandbox CIS

I also released a new version of AntivirusDefender with a Comodo bypass which puts the computer into recovery mode, but you can destroy the computer instead of making a new service: GitHub - Siradankullanici/AntivirusDefender: Very Destructive Batch File Source Code. Old code with bootkits: AntivirusDefender 2.1, now 3.2, is available; look at antivirusdefender11.7z.

1 Like

Bravo for your excellent work and your perseverance.

Try to rally people around you.

You could consider replacing Comodo CIS in Open Source mode, and everyone would be happy!

1 Like

So with this fix there’s no need to disable UAC anymore ?

2 Likes

That’s correct. The update solved this issue.

2 Likes

The problem that still exists in this poc is that if you disable ANTIVIRUS and HIPs, containment cannot be secured, and the ransomware continues to encrypt all files.

Dear New_Style_xd, if you can go into more detail “in more detail”

There’s not much to explain, what the Comodo team did was just block the DLL for this POC.

The problem is that if you disable the antivirus and HIPS, this problem still persists. There are videos on YouTube showing that the exe file was created, executing this DLL, with the CIS antivirus and HIPS modules disabled, thus only leaving the CONTAINMENT working, and the Comodo containment fails.

What the Comodo team did was just block this malware in the cloud. It didn’t solve the problem with the containment.

There are videos on YouTube showing this, videos made recently.

And if I have all the security features enabled: HIPS, Viruscope, Comodo Antivirus, Firewall, Auto Container, then what?

I always have everything on and the settings are as high as possible.

There are people who only use Comodo’s Firewall with containment. That’s why it needs to be fixed.
Since COMODO’s product has good containment, it fails in this POC.

If you disable any element of any antivirus product, you are leaving yourself vulnerable. What would happen if you disable key features of other AVs, e.g. Eset’s HIPS or the Behaviour protection of Bitdefender? You won’t get full protection, just like you wouldn’t with CIS/CFW if you disable security features. The rule of thumb here is to take these tests with a pinch of salt if they are disabling features or lowering security settings. As Cruelsister has stated many times, CFW works best when you don’t mess with it beyond her recommended tweaks.

2 Likes

I understand everything you said.
But Comodo’s self-containment test fails with this POC, since Comodo’s product is known for its self-containment.
Unfortunately, it fails.

If this is about the original “POC” at the top of this thread, then please note that Comodo 8162 does not fail in any way. The text box does not drop, and Comodo is never disabled. Also the other files on this thread (HydraDragon and Rmibab111a) are also contained without system changes.

I even dumbed things down and just used Containment at the default Partially Limited level.

4 Likes

They’re back to barking, but thanks for proving them wrong once again.

4 Likes

For me, the answer is simple: Then you, or rather, I’ve been protected. I’m not surprised that some users have to deal with malware, Trojans, etc.

1 Like

Dear prodex, I respect your opinion and completely agree with it!!!

Actually this is very AV specific.

Leo from the PC Security Channel (YouTube) and some experts on his Discord channel tested it for a few AVs to assess behavioral / 0-day / exploit protection that does not rely on signatures.

BitDefender does the best and blocked the malware at its roots.
Kaspersky is slightly behind, because it restored encrypted files by reverting an encryption that was already in progress (if I understood well what happened in the video) before blocking everything.
Eset is unbelievably bad because all modules rely on each other, so if you disable one, the others do not work, and nothing tells you that.
Sophos relies mostly on mitigation and ASR rules (I may be wrong on this one).

I would rather trust an AV with better behavioral detection than one that’s signature-based; otherwise Windows Defender would have been the best AV out there, as it literally has billions more samples / metadata than the second-biggest AV has.

Still, its behavioral engine is one of the worst.

1 Like

Greetings Angelarme. What about COMODO, what is your conclusion?

I don’t like his testing methodology for a number of reasons, but pick what works for you. Comodo has very little to do with AV as it’s a firewall, a blocker and container of unknown files, where they are blocked or contained until trusted by Comodo following analysis (true 0-day). Its analysis tools, e.g. Valkyrie, check a file including its behaviour before it’s allowed. The AV element is just to identify what it has signatures for, but not the front-end protection like other products.
Emsisoft was a favourite of mine for a while and that has decent behaviour detection.

My question is, though: how long does an infection have to take place before the behaviour is picked up, and in the meantime it’s downloaded a payload, executed a simple cmd script and gained read/write permission to an ambiguous folder? In all likelihood it’s probably not going to get that far, but I’d rather have something contained without infecting my system before it’s vetted and safe to run. MD is actually pretty top notch in detection including behaviour analysis, though much improved if you tweak it some. I still find it funny you have to whitelist Leo’s python script to run through the automated malware test :smiley:

2 Likes

What’s MD?

I’m also not taking his methodology for granted, and he deliberately orients things at some points, but unfortunately sources are few and his seem to bring out much of the differences in AV results among tests.

I like how Comodo operates and its prevention approach, so everything is already picked on my side :slight_smile:

3 Likes