What will COMODO will do about it?

Eventually (perhaps in 2 decades) all other security product vendors will follow COMODO steps with Default Deny Technology, if they will.

By then, hackers will not be testing security products to see if signature-based or blacklist-based software can detect them. They will steal certificates to sign their malware with those, so AVs allow it’s execution. This is rare today, but it started to happen already. It’s a fact, Default Deny is good, but comes with it’s own attack vector attached.

What is or will do COMODO to protect against this when the time comes, or better yet, to start protecting today?

Hey w-e-v Whats happenin!

All of those Guru’s out there correct me if I’m wrong.

Short Way of saying it: Comodo already prevents this from happening with default deny;

Long Way: In order for a malware to bypass CIS, is almost impossible. Reason that it’s almost impossible and not completely impossible is two reasons, 1) USER - The User makes the decision whether or not to allow something on their system 2) Humans - Even though CIS is a good security application it’s built by humans and not robots thus by nature it does have bugs

They (Community and Comodo Staff) thoroughly tests D+ & Sandbox to make sure its top notch and nothing can get by, and so far Comodo is still in business and CIS is still getting Millions of installations so they must be doing something right :stuck_out_tongue: . I believe one time Melih actually offered an award to those who find a bypass in D+.

[i]The following components make that impossible:
Signed Malware Wants To Run and It is going to be checked against the following lists
Safe List: You must be analyzed by top notch Malware Analysts in order to be on here
Vendor List: You too must be analyzed by Analysts and have direct communication with Comodo in order to be on here.
Black List: If you are on here than you are going to be either deleted or quarantined

If Signed Malware is not on either of the above than it continues down the line
Sandbox: Malware gets its own room to play in until Comodo Analyzes it and determines whether or not it is safe.

HIPS: (Default Disabled) If You are trying to access something than I’m telling on you! and you have to wait til User says Yes or No

BB: You Can’t Act Up! Or Else~

AV: AARG! I’m going to see if your scripts or your structure is like one of the malware that is on my list

Signed malware isn’t much of a big deal, It’s like with every other signed software whether it’s good or bad, CIS just pretty much leaves it up to Comodo Analyst to say yes or no and if that is disabled than it’s up to the user but the Sandbox is a safety net.


If certificates would get stolen at a big scale then I am inclined to think the solution would be in making it harder to steal them. Also using strict revocation checking may help some.

It’s not easy to steal certificates so I am not expecting it to become a big issue in the future.

Thank you Jacob and EricJH.

But unfortunately, CIS will trust any software if it comes with a valid (and yes, stolen) certificate, bypassing by default all CIS defenses.

Like I said, we are already witnessing certificates being stole here and there:

And the list goes on…

Revoked certificates? Well of course is a way to stop the spread. But sometimes, certificate owners don’t even know they were stolen and/or will take them days to revoke their certificate (as it happened recently). Plus, this will become like Blacklisting a malware: “During the time a new malware is discovered and is blacklisted, thousands of users are infected. During the time a certificate is stolen and revoked, it will also infect thousands of users too”. So why waiting to REACT, if we can be PROACTIVE?

So my friends, we are starting a new era of attacks with Trusted Malware, and so far CIS cannot stop it.
That is the reason why I posted my question.

This is certainly becoming a serious issue, Comodo must be already aware of it, but it sounds like there are more and more of stealed certificates cases now (which is quite obvious since malware authors are just adjusting their methods to Default Deny).

I cannot immediately think of a strategy to counter a stolen certificate by a security program. That was the point I was trying to make.

That is exactly my point. In the near future we will see even more.

So any words from COMODO. I trust COMODO and the Staff, they always have great ideas on how to protect users. Hopefully they can comment too in this topic.

Point taken. :slight_smile:

I was also trying to make you see that it is a big issue in the future as well as it is now, based on what you said before: “I am not expecting it to become a big issue in the future.”

In two decades, how will your OS work? How will you install and update applications? Will you even have any locally installed applications (the way applications are installed on Windows today)?

I’m sure they will come up with something new in the future. They will have to… It will be a very different chase game… But that’s my opinion.

But first stolen certificates have to become more widespread though before making any big changes I mean…

Yeah, “perhaps in 2 decades” was to far away. We already started witnessing this. :wink:

Hopefully, so far no words from COMODO about this subject. Very Hermetic.

I remember having seen a comment from egemen going back a couple of years ago when asked about an attack vector that was theoretical that it was not going to be considered to be added to protected areas.

When malware evolves and new attack vectors are used Comodo will adapt the protected areas. A typical example is protecting spoolserver as it got under attack by a well known malware which name escaped me.

Analogous to the problem with signed malware this problem may not be handled by the program but rather upstream.

Exactly. So, in my humble opinion it is about time for CIS to start adapting to this new attack vector.

We are also already witnessing OSs changing. The problem discussed here is present in an OS designed before the Internet-age, when software was distributed on floppy disks… When the distribution moved to the Internet, the “fun” began. >:-D
But installing applications by downloading installers from arbitrary websites and running them with admin privileges is an insane thing of the past. All modern OSs use some form of “store”, from which applications are installed in a safe manner. Install something like CIS, with kernel-mode drivers and a service running as admin/root on Windows RT or Chrome OS? Out of the question, of course.
But in the Windows-world things move slowly. 12 years after its launch, Windows XP is still the second most used desktop-OS, and Windows 7 will be supported until January 2020 (and probably used even longer), so phasing the past out will be a painfully slow process. :frowning:

Couldn’t agree more. So what’s COMODO gonna do? For me is a pretty good question.

Can you think of a strategy to counter the effects of stolen

Oh oohh… Hooray for Teletubby OS… :wink:

Teletubby OS a.k.a. Fisher-Price OS a.k.a. Windows XP? :stuck_out_tongue:

Nah, it’s a new variation of Teletubbyness… :wink: