I have found a video in which the author demonstrated how to bypass Comodo Firewall.
It is located here:
From what I’ve seen, it looks like he hooked into a trust chain (Help Binary - smss.exe) that permitted him to evade the firewall.
Still the results of the test were ultimately bypassing COMODO.
Any opinions? Is this a bug or normal behaviour? It can be seen that all shields (HIPS, sandbox, viruscope) are activated at the beginning of the video.
The file is run virtually, that’s true, but what about the internet connection?
LOL, another “bypass” that is demonstrated by someone who has no clue how CIS works or a solid understanding of each component of CIS. Let me break this down for anyone that might be concerned about this “bypass”. First, the user intentionally replaces a Windows/trusted executable file with an unrecognized executable. Why would anyone do that? But ok, let’s move on to the execution of said replaced file: the executable is sandboxed and attempts to connect to the internet, at which point CIS displays a warning. The user chooses to block the action and CIS accurately blocks the attempt. Then the user relaunches the executable but passes an argument to hh.exe with another Windows system executable, that executable being smss.exe. smss.exe is part of the Windows System Applications file group in CIS, and this file group, by default, has a custom firewall rule to allow all outgoing connections. If this rule were removed or a different executable were used, then the user would have been shown a firewall sandbox alert such as the following example: firefox.exe is running inside the Sandbox. This usually happens when an unrecognized application tries to use firefox.exe in order to connect to the Internet. You can safely allow this request.
Now, even though smss was allowed to access the internet without an alert from CIS due to the rule specifically granting access, smss.exe is running in the sandbox, so any data that is downloaded and saved to disk will be contained within the sandbox. This is evident at the end of the video, where you can see a sandboxed notepad showing the downloaded data that was saved to a file. What people need to realize is that if a sandboxed application executes another executable, that executable will be sandboxed even if it’s rated as trusted. Any sandboxed process, regardless of rating, that attempts to access the network will generate a sandbox firewall alert unless a firewall application rule is already defined allowing access for that file.
Ok? That doesn’t change the fact that the user’s file system is left untouched, as all modification occurred inside the virtual file system/sandbox. No bypass actually happened, because the only reason smss was able to download data from the internet is the default firewall application rules for the Windows System Applications file group, and the data was saved inside the sandbox anyway. The fact that the user performed a file copy operation against an executable that’s located under the Windows directory is something that no one would normally do. The user executes a batch file that copies over a trusted executable? Sure, I buy that, but that batch file will be executed within the sandbox and will only be modifying the virtual instance of the file system, and any process executed by that batch file will in turn also be sandboxed.
To sum up, there is nothing to see here; move along, pass GO, do not collect $200, next!
Applications running in the sandbox may not even be able to modify files. However, under certain circumstances (not wanting to, but already defending CIS), you may have data stolen with most firewall programs, even the expensive ones.
You may have nothing to “see” here, but paid firewalls (these even more than two of the free-to-use ones) fail. CIS corrected part of the failure; some or all of the competitors did not correct anything.
CIS in Paranoid Mode would still allow the user to change system files. CIS is the nanny of program behaviour, not the nanny of user behaviour. The user is allowed to do everything, including unintelligent and dangerous things. An unknown program is not.
You can clearly see in the video that he never left the sandbox; smss.exe was also in the sandbox, so no harm could be done to the system.
The problem is that he used the default CIS settings which, in my opinion, are useless.
I understand that they have to be that way for the “newbies” so they can use the Firewall but, in my opinion, not installing the firewall or leaving it on the default settings is the same, because everything is allowed and even the dialog boxes get suppressed by allowing the request.
The default firewall settings should be changed to at least show the dialog boxes.
Maybe it would be even better to make a configuration wizard for the firewall…
Just my opinion…