Shellcode injection detection and Bitvise SSH Server

Hello,

I’m running into an issue using Bitvise SSH Server with Comodo Internet Security.

Comodo doesn’t agree with the way the SSH server behaves and so it prevents execution of anything under it.
For example, I try to connect to the SSH shell and it gets disconnected immediately.
Then I add %SystemRoot%\System32\cmd.exe to the exceptions and it connects, but then it prevents the execution of any command in that shell. For example, in order to run ipconfig.exe I have to specifically add it to the exceptions too, and the same for any other command or program. At the moment the solution has been to completely override the shellcode injection detection by adding “All applications” to the exclusion list, which probably is not a great idea in terms of security. I’ve tried adding the SSH server process and other files to the exclusion list, but that did not work either; it only works by adding individual programs or all of them.

On another note, I find it curious that Comodo only cares if the command prompt is 64-bit: if I set up the SSH server to use the command prompt from %SystemRoot%\SysWOW64\cmd.exe then it completely ignores any command executed and the shell works fine, just not in a 64-bit environment.

I would like to know if there is a safe workaround that allows me to use my shell without sacrificing security.
Thank you.

What OS are you using? Is the SSH server executable marked trusted in the file list? Are you using the most recent CIS version? This could be a bug; I remember a similar issue with another SSH server implementation long ago that I wonder was never fixed.

Edit: Looks like it never really did get fixed: https://forums.comodo.com/resolvedoutdated-issues-cis/comodo-cis-disables-winsshd-t51432.0.html

Thanks for the reply futuretech.
I am using Windows 10 (x64).

It’s funny that the link you posted which mentions another SSH server is actually the same SSH server product in its earlier days; it has since been rebranded from WinSSHD to Bitvise SSH.
And yes, the problem is exactly the same as in that topic. A member of Bitvise’s support team mentioned that it is understandable that Comodo would see this as a threat because of the way the SSH server captures the terminal output. We are still surprised to see that Comodo behaves like this with the x64 command prompt but not with the x86 one. But in that linked topic a developer mentions that there is a different interaction with the x64 version, and that may be the reason why Comodo picks on one but not the other.

I am running the latest version of CIS suite and Comodo sees the company/application as a trusted vendor.
Honestly I am a bit disappointed to see that this issue has been ongoing for 6 years, which basically means that it won’t be fixed.
I think the way I’m doing it, disabling shellcode injection, is probably the only way to get around the issue and will be for a long time, I do hope I’m wrong.

I forgot to ask: which SSH client are you using to connect? Have you tried PuTTY?

Edit: Even funnier is that it only affects Windows 10, as I had no issues on Windows 7 x64. Instead of using the shellcode injection exclusions, set up SSH to use the 32-bit command shell, seeing as you didn’t have issues using it that way. I will be filing a bug report in the tracker to let the devs know of this issue.
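The workaround above hinges on which cmd.exe the SSH server spawns: on a 64-bit Windows install, %SystemRoot%\System32\cmd.exe is the 64-bit binary and %SystemRoot%\SysWOW64\cmd.exe is the 32-bit one, which is easy to get backwards. The following is an added example, not code from the thread, Bitvise or Comodo: it reads the Machine field of a binary’s PE file header so you can confirm which architecture a shell path really is before pointing the server at it. The `_fake_pe` helper builds constructed minimal PE headers so the script runs offline; on a real host you would call `describe_shell` on the two cmd.exe paths instead.

```python
"""Report whether a Windows executable is a 32-bit or 64-bit PE image.

Added example for this thread (not Bitvise's or Comodo's code). Assumes a
standard PE layout: "MZ" DOS header, e_lfanew at offset 0x3C, "PE\0\0"
signature, then IMAGE_FILE_HEADER whose first WORD is the Machine field.
"""
import struct
from pathlib import Path

# IMAGE_FILE_MACHINE_* constants from winnt.h
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM Thumb-2 (32-bit)",
    0xAA64: "ARM64 (64-bit)",
}


def pe_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine for a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # 4-byte PE signature plus the 2-byte Machine field must lie inside the file
    if e_lfanew + 6 > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def is_64bit_image(data: bytes) -> bool:
    """True for the 64-bit machine types Windows can run natively."""
    return pe_machine(data) in (0x8664, 0xAA64)


def describe_shell(path: str) -> str:
    """Read a shell binary from disk and name its architecture."""
    machine = pe_machine(Path(path).read_bytes())
    name = MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04X}")
    return f"{path}: {name}"


def _fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header (no code) for offline testing only."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0002)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    # Constructed stand-ins for the two shells named in the thread; on a real
    # 64-bit host run describe_shell() on the actual paths instead.
    samples = (("System32\\cmd.exe", 0x8664), ("SysWOW64\\cmd.exe", 0x014C))
    for label, machine in samples:
        print(label, "->", MACHINE_NAMES[pe_machine(_fake_pe(machine))])
```

The check deliberately refuses anything that is not a well-formed PE header rather than guessing, so a typo in the configured shell path fails loudly instead of silently selecting the wrong bitness.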

I didn’t test under any other OS, but I’ll take your word.
As for using the 32-bit command prompt instead, this was my first solution, but while using it I had a few cases where it caused low virtual memory errors. This is all very recent, so I’m not completely sure if that is due to using the 32-bit prompt or some issue with breakaway processes and Bitvise’s handling of that.

In any case, I’ll stick with one of those two options but prefer to eventually be able to use Comodo in harmony with Bitvise SSH.
Thanks for the help, futuretech.