Why Usermode Hooking Sucks – Bypassing Comodo Internet Security

I just found an interesting article on the Internet. It looks like there is a way of overcoming the HIPS in Comodo products. The author contacted Comodo representatives already (about 5 months ago) and it looks like there has been no reaction.

Is it possible to get an answer from the authorities here?

Conclusions

To conclude, we’d like to stress that we do not hate the Comodo HIPS product. The bypassing method presented in this post is rather remote and applies only to SysWoW64 (32-bit) applications running on a 64-bit Windows version. Attached you will find a proof-of-concept application that automates the process of generating an executable that can bypass the installation of hooks throughout the process address space. Thank you for reading.

The only question here is, does this also include “Enhanced protection mode” (in Defense+) or only without it?

The article includes a compiled PoC and sources. You can check everything on your system and post the results here.

Sorry, cannot help: I have no x64 at home.

I’ll test this out and let you know what I find.

It looks like enhanced protection was introduced in Version 5.8, which was released on October 11, 2011.

Thus it was at least present in the program at the time.

Well, present, yes, but it is disabled by default.

I can’t reproduce it, sorry.

Do you mean that even under default settings you can’t reproduce the bypass?

Yup, they did not include the keylogger to test with, so I can’t get it to work.

What do you mean by “keylogger”? For what? The video was included in the article to show how to get the process address space.

This is the example PoC program in action. sswhk.exe is a simple keylogger program. The first run is the original program, which gets detected by the paranoid security settings of Comodo. Next, the AddTLSSection.exe program is executed to generate the code required to bypass Comodo. A new program, sswhk_.exe, is created and executed, and it successfully captures keystrokes without Comodo detecting it.

That is the description of the video on YouTube. We would need sswhk.exe to test with; it is not included.

You can use any malware for this test. If you want a keylogger, you can try a trial of Refog, for instance.

[QUOTE=blacknight]I’m not sure I have understood: doesn’t Comodo HIPS install itself at the kernel level? As EQSecure does.
[QUOTE=tomazyk]Not on 64-bit Windows. MS does not allow it. On 32-bit it does.[/QUOTE][/QUOTE]

Is this the reason for the “enhanced protection mode”?

Not on 64-bit Windows. MS does not allow it. On 32-bit it does.
Very interesting. So that means TDL4 installs itself in kernel mode on x64 in some mysterious way that none of the vendors knows about? Or possibly none of the vendors can sign drivers correctly, so that Wx64 will allow loading them?

Will anybody from the developers respond here, or do we just continue discussing nonsense?

Unfortunately he is right. Perhaps the forum needs an advanced section where such issues can be discussed with a lower noise-to-signal ratio.

Hi Guys,

The discussion of user space hooks is not new. Actually, the leak tests of www.matousec.com always bypass user space hooks while doing their intended operations. Hence almost everyone fails their tests on Windows x64 (except CIS, of course).

In the article, I don’t see any bypass. The author just unhooked user space hooks, which are used for various purposes, but failed to demonstrate what sort of security leak is caused by this. What is bypassed, i.e. what security leak did this unhooking cause? Did it allow the attacker to change a protected file? A protected key? etc. As I explained above, there are MANY counter-defenses implemented in D+ which cope with these user space hooking issues.

The most significant of them is enhanced mode, for example. The author, intentionally or unknowingly, didn’t mention Enhanced protection mode, which is automatic when one switches to paranoid mode. Perhaps they could not mention it, otherwise there would be nothing left to discuss.

Architecturally, user space hooks in CIS are used for compatibility and not for security, as much as possible. As of today, CIS, even on 64-bit operating systems, offers full kernel-based protection.
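To make concrete what “user space hooks” and “unhooking” in the post above mean at the byte level, here is an added example in C. It is not code from the article, from its PoC or from CIS; it simulates in plain buffers what a user-mode hooking engine writes over a 32-bit (SysWoW64-style) function prologue, the checks a process can run to notice it, and the copy that puts the original bytes back. The stub bytes and the virtual addresses are constructed for the demo, and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article or from Comodo: a simulation of a
 * user-mode inline hook on a 32-bit function prologue, the checks a process can
 * run to notice it, and the "unhook" that restores the clean bytes. Everything
 * lives in ordinary buffers, so it runs on any platform; the stub bytes and the
 * virtual addresses are constructed for the demo. */

enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32            */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32        */
    HOOK_PUSH_RET,      /* 68 imm32 ; C3       */
    HOOK_MOV_EAX_JMP    /* B8 imm32 ; FF E0    */
};

/* Pattern check on the first bytes of a function. Good for quick triage, but a
 * byte-for-byte comparison with a clean copy (unhook_prologue below) is the
 * reliable test, since any of these patterns can also be legitimate code. */
enum hook_kind classify_prologue(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    if (n >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) return HOOK_MOV_EAX_JMP;
    return HOOK_NONE;
}

/* Destination of an E9 rel32 jump whose opcode sits at virtual address fn_va.
 * The displacement is relative to the end of the 5-byte instruction. */
uint32_t jmp_rel32_target(const uint8_t *p, uint32_t fn_va)
{
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);       /* little-endian rel32 after the opcode */
    return fn_va + 5 + (uint32_t)rel;      /* wraps mod 2^32, as the CPU does      */
}

/* What a user-mode hooking engine writes over a prologue: a jump to its handler. */
void install_jmp_rel32(uint8_t *fn, uint32_t fn_va, uint32_t handler_va)
{
    int32_t rel = (int32_t)(handler_va - (fn_va + 5));
    fn[0] = 0xE9;
    memcpy(fn + 1, &rel, sizeof rel);
}

/* Restore the clean bytes over the patched ones; returns how many bytes differed.
 * A real unhooker takes `clean` from the DLL image on disk and must make the
 * page writable first, but the core is just this copy, which works because the
 * hook lives inside the hooked process's own address space. */
size_t unhook_prologue(uint8_t *mem, const uint8_t *clean, size_t n)
{
    size_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        if (mem[i] != clean[i]) { mem[i] = clean[i]; diff++; }
    }
    return diff;
}

/* Constructed stub in the style of a 32-bit ntdll system-call wrapper. */
static const uint8_t CLEAN_STUB[] = {
    0xB8, 0x50, 0x00, 0x00, 0x00,               /* mov  eax, 0x50           */
    0x33, 0xC9,                                 /* xor  ecx, ecx            */
    0x8D, 0x54, 0x24, 0x04,                     /* lea  edx, [esp+4]        */
    0x64, 0xFF, 0x15, 0xC0, 0x00, 0x00, 0x00,   /* call dword ptr fs:[0xC0] */
    0xC2, 0x14, 0x00                            /* ret  0x14                */
};

/* Hook -> detect -> resolve handler -> unhook, on a copy of CLEAN_STUB.
 * Returns 1 when every step matched expectations, 0 otherwise; the resolved
 * handler address is written to *handler_out. */
int demo_hook_roundtrip(uint32_t *handler_out)
{
    uint8_t live[sizeof CLEAN_STUB];
    const uint32_t fn_va = 0x77A01234u;      /* constructed address of the stub     */
    const uint32_t handler_va = 0x6F003000u; /* constructed address of hook handler */

    memcpy(live, CLEAN_STUB, sizeof live);
    if (classify_prologue(live, sizeof live) != HOOK_NONE) return 0;

    install_jmp_rel32(live, fn_va, handler_va);
    if (classify_prologue(live, sizeof live) != HOOK_JMP_REL32) return 0;
    *handler_out = jmp_rel32_target(live, fn_va);
    if (*handler_out != handler_va) return 0;

    /* the 5-byte jump overwrote exactly 5 bytes; restoring them makes the copy clean again */
    if (unhook_prologue(live, CLEAN_STUB, sizeof live) != 5) return 0;
    return memcmp(live, CLEAN_STUB, sizeof live) == 0;
}

int main(void)
{
    uint32_t handler = 0;
    int ok = demo_hook_roundtrip(&handler);
    printf("round trip %s, hook handler resolved to 0x%08X\n", ok ? "ok" : "FAILED", handler);
    return ok ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall hook_demo.c`. The point it illustrates is the one made in the post: a hook placed in user mode is just bytes in the target's own writable address space, so the target (or anything loaded into it) can diff them against the disk image and put the originals back; what the hooked process cannot undo is whatever the product enforces from the kernel, which is why the relevant question for any user-mode unhooking demo is what kernel-side protection remains afterwards.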

Thank you for stepping in and explaining this in more detail.

As of today, CIS, even on 64-bit operating systems, offers full kernel-based protection.
What does this mean for the 64 bit platform? Does it mean kernel hooking is used even though prevented by design? Or are there other techniques being used?

It means it’s almost as good as on 32-bit OSes. However, I do not want to disclose further details about this.

egemen, thanks for the explanation.
Could you please comment on the video as well? How is it possible that a sandboxed application, blocked on every action, was able to monitor mouse and keyboard events, log them, and even write them to a file? Why wasn’t the obvious keylogger activity blocked?

Keylogging is possible within the sandbox. It is by design. It has nothing to do with a bypass. You see, CIS right now doesn’t block non-infectious actions of sandboxed applications, in order to improve compatibility. Infectious actions are the ones that can change the computer permanently and let malware persist after a restart.