What is the point of guard32.dll?

Seriously, if you have a driver, why a dll in every app? It is completely pointless.

Here are a few easy ways to bypass:

- Fix LdrUnloadDll, unload guard32.dll
- Repair exports
- Don't link to user32.dll

I uninstalled comodo for this reason. Why use a driver but then not utilize it? I did notice that luckily OpenProcess and CreateProcess along with a few others are handled via the driver hooks but you can still write files and much more by just removing guard32.dll.

I think that a malware will have to specifically have support for CIS to be able to bypass it, which is unlikely (but still possible, so I can understand your point).
I’ve had lots of virus samples which detected some security suites and AV software, locking the system down or rebooting it if you tried to use them, but they’ll need to add support for every single suite if they want to block everything, which would be very hard.
Generic attacks at CIS protection are all stopped as shown by Matousec’s leak tests. I guess there will always be a way to bypass a specific security protection if you’re a good coder, even more because of the flaws of Windows.

Btw, are you sure your security settings are the right ones (Defense+ activated) and you denied all attempts of that application?

I’m sure some of us have our own possible opinions why, but instead of creating possible reasons or arguing here, I think this should better be answered by a developer instead of us.

When you run the program you use to do this and D+ is in Paranoid mode does this get alerted or not? When it gets alerted D+ can intercept it and it’s a user bypass. When no alert is there it is a genuine bypass.

-Repair exports
I don't know what you mean.
-Don't link to user32.dll
I don't know what you mean.
I uninstalled comodo for this reason. Why use a driver but then not utilize it? I did notice that luckily OpenProcess and CreateProcess along with a few others are handled via the driver hooks but you can still write files and much more by just removing guard32.dll.
Can you clarify this part for the non-technical users like yours truly? What does the orange part mean? What does the blue part mean? You are suggesting a contradiction between the two. Can you explain the contradictions and their consequences?

In short, when claiming a bypass I would like to see a Proof of Concept that clearly describes the situation. Check this PoC by wj32 for reference: My Protected Files is flawed.

Comodo firewall and defense+ do not show an alert when I have my test application download and save a file.

I will create a video showing a PoC of disabling comodo entirely.

Thank you for making a video. Make sure CIS is in Proactive Mode and set to Paranoid with no existing rules for the application. Then we know for sure it bypasses CIS.

For practical purposes shouldn’t D+ be in its default configuration in order to demonstrate a bypass, since this is how the large majority of ordinary users have it set up?

Try it with Internet Security and with Proactive. :stuck_out_tongue: ;D

I see bypass in a strict technical sense: does CIS have the ability to intercept it or not? That can only be determined in Proactive/Paranoid configuration.

Questions to whether it can be intercepted in less secure modes or by user bypass are secondary; that doesn’t mean they are not important but should be asked after the technical assessment.

It seems it does protect its files using the driver and seeing as I am not a malware person I don’t know what to try next.

Anyways, as long as the intention of the malware is not to create a bot or something but instead to just gather information then it can do so. Unless you configure sensitive directories/registries in comodo then any program can access them and upload them without warning.

Also I find it silly that they don’t block unloading guard32.dll via the driver. Although I guess it doesn’t matter either way because you can easily repair the exports.

Once a program is allowed to install a driver and getting kernel access then it is basically game over; the program can then unload all other drivers. Installing a driver is what we want to prevent and CIS should be able to catch it.

Catch is, does the driver you apparently use to unload guard32.dll (they don’t block unloading guard32.dll via the driver.) generate an alert to load your driver or not?

That should only be determined in Proactive mode with D+ set to Paranoid when claiming a bypass.

Is this by any chance accomplished allowing a driver, allowing debug privileges and/or allowing physical memory access?

For what it matters a user can even allow CIS “Add and Remove components” to uninstall CIS itself… :-X

Unloading guard32.dll and repairing the exports do not require a driver. And doing both actions does not generate an alert under paranoid mode with everything on.

Now repairing the syscalls is another thing and would indeed require a driver.

Can you answer this as well?

No it does not need anything special.

I just sent a PM to egemen, the head developer, to come and take a look. Are you willing to provide the program you are using for testing to us?

Yeah sure, it may be a bit hard to understand due to it being a PoC, but if you have any questions let me know.

Hmm, it isn’t working like last night’s build. I also reinstalled comodo to try it on a fresh install, so maybe there was something with my comodo. Hm…

Anyways, the original point still stands. Guard32.dll is useless as it is so easy to bypass/remove it.

Edit:

http://solidfiles.com/info_imgs/PyaD.jpg

I will see if I can get it working like it was last night…

Anyways, it repairs every export. Really, all that needs to be repaired is:

GetProcAddress
GetModuleHandleW
LdrGetProcedureAddress

Once those 3 are repaired you can easily repair LdrDllUnload and just unload guard32.dll.

I’m not sure but what I get from this is that you’re asking CIS to detect and ask permissions for file access for folders/files that are not in the “My Protected Files” section?
First CIS will warn you if the program will try to access the network (like for downloading/uploading data), then CIS is only meant to warn for the files and folders in that list.
Or did you mean something else?

I also compiled that PoC with my VC2008 Express but couldn’t build the release version, only the debug one (it gave me errors and I’m kinda a noob at C++, as I use other languages, so I don’t know how to fix them). It runs for like 10/15 seconds using one of my CPU cores at 100%, but it doesn’t unload guard32.dll. There have been no warnings from CIS, but I also don’t know if it did something.

Apparently your PoC file needs to be compiled. I am not a programmer so it is not clear how to do so. However, could you post a compiled version?

What do you mean by repairing exports? Do you refer to the export of a configuration under Miscellaneous → Manage My Configurations?

I am not a programmer so I don’t know Windows internals and how they work. As a consequence I don’t understand implications of scenarios with Windows internals.

However, I can understand clearly described scenarios structured like:

  • We expect CIS to protect when applying application X
  • However, when applying the following call(s) we would expect to be alerted
  • We don’t get the alert and Y now will occur
  • This causes breach Z with the following implications

I can clearly understand the reasoning of the PoCs of wj32. So, there is no problem understanding abstract technical scenarios.

Can you present the PoC in a structured fashion as described above? You are going a bit all over the place when stating

Hmm, it isn’t working like last night’s build. I also reinstalled comodo to try it on a fresh install so maybe there was something with my comodo. Hm…
Makes me wonder: does your PoC still stand or not?
unloading guard32.dll and repairing the exports do not require a driver. And doing both actions do not generate an alert under paranoid mode with everything on.
Do you create a service for this purpose that loads a driver to gain kernel access?

Anyway, please provide a compiled file for testing and a clear description telling what should happen, what doesn’t happen, and how we can see that guard32.dll got unloaded. Please only unload on a process the PoC adds, so we don’t have to reboot our system to restore the damage done… :wink:

The thread title question was (partially) explained by wj32: