Termination PoC test with different CIS settings


Note that Online Armor appears to be the only classical HIPS which passes this test in default configuration. Malware Defender, EQSecure, CIS, SSM all fail.

I’d like to know what the CIS developers think about this.


EDIT: note that it is the classical HIPS component of CIS that is bypassed. If you run the test “sandboxed” with CIS, it doesn’t even work to start with (and therefore you can’t test the POC).

CIS passed, and osss also passed.

What do you mean by **classical HIPS**? Besides, what was your configuration? If it was the default then the sandbox will be enabled and it will pass ;D !! Are you trying to say that Comodo will fail if the sandbox is disabled and will pass with the sandbox ???

Yes, CIS will “pass” if you run it in its sandbox. Although that defeats the point of the test - it’s not even able to run properly. It’s like saying CIS passes because you denied initial execution - the test isn’t even able to run, so you’re not testing it in the first place.

Classical HIPS software, including Defense+, are expected to be able to control the behaviour of processes.

To do the test properly, you must allow the executable to run and for the command prompt window to open successfully. From there, you would expect the classical HIPS to control the behaviour of the test, including prevent it from terminating processes. CIS’s Defense+ fails to do this. Malware Defender also fails, and these findings have been confirmed by many people including myself.

I have not tested OSSS. I may try that some time. Keep in mind that Online Armor Free passes too.

EDIT: just tested OSSS, and confirm it passes.

So basically what you’re saying is D+ is useless?

For this test yes.

I mean overall. If D+ is unable to monitor the behaviour of processes what is it good for?

I used D+ for over one year, and I’ve been observing it for the last 2-3 years.

I’ve only ever come across 2 bypasses in that time - this is the 2nd one.

As I said, I’d be interested to see what the developers think about this. I’ve been told by fairly reliable sources that it shouldn’t be too hard to remedy. It will be interesting to see if Xiaolin (Malware Defender’s developer) will do anything about this too.

If I’m understanding this correctly (not had time to read up in depth), this bypass is on the default configuration of a Windows XP admin account, correct?

Has anybody tested this on modern OSes or with hardened CIS settings?

Perhaps more will, if ssj100 explains how to reproduce the claimed bypass (and the meaning of the following garbled text).

The PoC is apparently a Console application

[code=Console Output of test.exe]Malware Defender 2.7.0, EQSysSecure 4.1 进程权限控制绕过演示程序
0: 操作成功完成。
1: 操作成功完成。
请输入进程 ID：[/code]

But the above text is unreadable...

Inserting the PID of a running application looks able to put something in motion but there are apparently no bypasses [i]whereas D+ is used as intended (with or W/O sandboxing)[/i]. 

But perhaps the text explain a special mode or something...  ???

BTW it might be practical to provide the relevant info in these forums.

Original link: http://bbs.kafan.cn/thread-695301-1-1.html

This test program can bypass Malware Defender 2.7.0/EQSysSecure 4.1’s control of process privilege to kill any process (except the HIPS themselves).

Malware Defender 2.7.0 may have a few more flaws to discover in the future, and EQSysSecure 4.1 has more; even itself could be killed …

This test program runs successfully on XP SP3 with Admin privilege.

This is the GUI; I commented some so you guys could use it.

This is the test program.

Virustotal info for test.exe

The test.exe PoC has an embedded UAC Elevation manifest and will trigger a D+ Sandbox elevation alert if the sandbox and “Automatically detect the installers/updaters and run them outside the Sandbox” (D+ > Sandbox > sandbox settings) are both enabled (default).

Allowing such alert will likely cause a bypass just like Treating test.exe As installer/updater or trusted application (policies) would.

The D+ Elevation alert is displayed when an unrecognized (not safelisted) application requests elevated privileges.

The alert provides a way to submit the executable to Comodo and to prevent its execution (block).

[attachment deleted by admin]

10 to 1 comodo inc’s going to ignore this…whilst educating us on the frivolity of this test. … ;D

I got a lot of pop-ups, I’m not sure how CIS was bypassed in all cases ??? With the sandbox enabled I got the elevated privilege prompt directly. However, disabling the sandbox will trigger a lot of pop-ups from D+! Anything that says run test.exe was allowed! Then test.exe tried to control conime.exe, where I blocked it !!<< so I don’t think it has been bypassed at all << correct me if I’m wrong :-\ If you are asking why D+ doesn’t control conime.exe after the execution, actually it does, just move the cursor to paranoid and change the image execution control to aggressive and you will see a lot of things which I believe will make you happy ;D

I didn’t know there was a jokes contest but please enjoy yourself. :smiley:

Whereas Proof of Concepts/tests are submitted to everybody attention, of course these forums are an appropriate place to let everybody know how to successfully pass them (rather than educate us to have them Fail). :slight_smile:

Couple of points:

  1. If all this program does is terminates process then… :-TD It must’ve been 4am when Egemen was reviewing all the .net, c# etc commands covered by D+ and forgotten this one. :wink:
  2. Are you sure you used safe mode + paranoid/safe settings? In Clean PC mode D+ auto checks process terminations. Make sure you are using the right settings.
  3. windows 7 uac blocks this, if by blocking you mean asking if you wanna run as admin. :smiley:

To the guy who’s calling everyone an idiot: 85% of programs run as admin… oh really … wait, you mustn’t have heard of UAC.

If test.exe was actually able to terminate a process, please also provide relevant details such as the configuration/settings used, OS version (SP etc.), and confirm whether it is only necessary to type the PID of the process to terminate (or whether test.exe requires additional steps), and the steps to reproduce.

The test.exe operative details would be appreciated, considering test.exe only displays unintelligible text and gives no explicit indication of how to use it to terminate something.

For me, Seven x64, FW and D+ in Safe Mode, Sandbox enabled, Proactive configuration. If I put in a PID number and hit Enter, the associated process is terminated.
The only popup from CIS is when I launch test.exe. If I allow it, there are no other popups.
If I run it in the sandbox it cannot reach the PID line; it shows only what’s in the screenshot.

[attachment deleted by admin]

If I did not misunderstand, you allowed the D+ elevation prompt to execute test.exe, and after allowing such an alert it is only needed to type the PID of a running application to achieve termination.

Is that correct?

Were you able to confirm also which alert is essential to Pass (if blocked) or Fail (if allowed) this PoC when the Sandbox Security level is set to disabled?

Are you guys kidding me? This test is just another idiotic failure ;D

I tried to terminate iexplore.exe; instead it terminated itself ;D ! You instruct Comodo to allow debug privilege and then you come back here and say “hey I bypassed Comodo” ;D

Yes sir.

To terminate a process with the Sandbox disabled I must Allow 3 popups. If I deny any of those popups I cannot terminate any process, so test.exe fails.

[attachment deleted by admin]