Details are here.
http://ssj100.fullsubject.com/security-f7/0-day-exploit-speaks-chinese-bypasses-uac-t298.htm
Exploit bypasses CIS even with paranoid settings and proactive mode.
Try creating a D+ rule for PoC which denies read (or all types of) access to ntkrnlpa.exe. Does it help?
I have read it rapidly and my conclusion is that you need to change from Partially Limited to Untrusted. Then the exploit won't pass by. But with default settings it will get through.
To Languy99. I would like to know what configuration is needed to make CIS almost bullet proof. May I ask what configuration your CIS has?
Thanks
Regards,
Valentin
Languy said that he has got the default configuration.
No, he changed the automatic sandbox setting from (Partially Limited) to (Untrusted) to block the PoC exploit; it gets bypassed in any mode other than (Untrusted)…
It's already set to (Untrusted) on my machine all the time :-TU
Even when I set it to untrusted, the POC still bypassed CIS 5. The POC would be blocked if I disabled the sandbox and just relied on Defense+. I was hoping others would also test and see what they find for their machines.
Tested the PoC on a real machine (W7 64 bit). Comodo successfully blocked it…
Proactive Config set + Sandbox set to Untrusted + Disabled FileSystem & Registry Virtualization.
Above config is the one i use it daily.
Thanks,
Harsha.
But shouldn't the virtualization work as an extra layer of protection?
If the COMODO sandbox/exe control setting is set to "block", would that intercept the exploit?
Also, does Sandboxie conflict with or somehow weaken the sandbox in COMODO (or vice-versa) if they are used side-by-side?
Thanks
Not necessarily. With CIS 5, the Comodo developers have tried hard to make things more user friendly. Therefore, this has arguably caused it to be weaker in default mode. As far as I can tell, anything unknown is allowed to be executed by default (often) without a pop-up. This is because it is automatically executed "sandboxed". However, this sandbox doesn't appear to be in the same league as Sandboxie.
If Comodo can develop something more like Sandboxie, then it could be truly powerful (and potentially still very user friendly) indeed.
I was under the impression that if virtualization is disabled then no files are created at all…
Please correct me if I'm wrong…
Thanks,
Harsha.
I'm not sure about conflicts. I have read about many in the (recent) past, and in principle, I no longer run more than one third-party security software. I've posted about this many times in the past.
I see that it is still commonplace for many folk to run or have two, three or even four or more different security software programs installed on their systems. This can potentially bring about wicked conflicts, both seen and unseen. Also, the more different programs you have on your system, the more chance of having exploitable software code to be used as a vessel for malware.
I just got my hands on this "poc" thing.
default setting !
sandbox got it
and anti virus detected it
looks like we have it under control
So what happens if you run it with the antivirus disabled? Can it do any damage?
Not sure why this question is being asked?
Fact: CIS version 5 was bypassed in default settings and damage could be done. This was initially tested by me, and was verified by Comodo moderator "languy99".
Comodo may have added signatures to their database to detect this type of "malware" since that time.
ssj100, you're testing this in VirtualBox from what you told me, and it is known that Comodo does not run well in VirtualBox; it only runs like it should on a real system or in VMware. VirtualBox stops Comodo from being able to fully protect the system.
This POC is blocked by automatic sandbox if you set it to untrusted or if you right click on it and run in sandbox.
In order to answer Valentin's question, I have to confirm what some users (sorry for not mentioning names, guys… I'm in a hurry) said:
"languy99 tests mainly the default settings"
But that doesn't matter actually in this case, whatever you would like to set.
The UAC bypass and the new rootkits for x64 will bypass no matter what… including the fact of how the latest CIS is developed (…wrongly…) regarding the sandbox.
There is no "real" (can that be "unreal" :)) virtualization as a matter of fact.
So, the statements that security will be stronger after introducing PatchGuard were basically almost hopeless, as I said long ago and before the new releases of Comodo, discussing its sandbox at that time.
In addition to the improper Comodo sandbox implementation (Sandboxie is still incomparably much stronger; on Win 7 x64 it is missing just around 5%-10%; no questions about 32-bit), sure, any security product now has problems since they cannot hook, so basically nobody is to blame except MS.
Relax, guys & have fun!
Cheers!
> The UAC bypass and the new rootkits for x64 will bypass no matter what... including the fact of how the latest CIS is developed (...wrongly...) regarding the sandbox
Can you please be more precise. I mean, are you referring to the Windows zero-day exploit or something else...
> In addition to the improper Comodo sandbox implementation (Sandboxie is still incomparably much stronger; on Win 7 x64 it is missing just around 5%-10%; no questions about 32-bit), sure, any security product now has problems since they cannot hook, so basically nobody is to blame except MS
I think the Comodo Sandbox (the automatic one) is implemented in a much different way. If you set the Sandbox level to "Untrusted", it provides pretty good isolation/protection from malware touching the system (it successfully protects from the Windows zero-day exploit PoC and even the .lnk vulnerability). Could someone give me a PoC for the .lnk vulnerability? As if I remember correctly, in my testing of that particular PoC it actually contained. And remember, Comodo has another sandbox (the right-click one); it actually virtualizes.
And last but not least… sorry for the off-topic:
What is the status of the DACS patent? What is the progress of it being integrated into CIS? When will it supposedly be released?
Hi harsha,
Not "sth" else - that's all over the place.
Do you really want me 2 b "more precise"?
Sure, different, but the wrong way 88)… hmmm… like removing tonsils "per …"
No! By any means. You are kidding yourself (don't get it wrong… no offense intended); just test against the real threats, not against "unknown" applications. This sandbox is just a perfect "colander".
There is no real virtualization. Please use proper tools for that.
What patent? Nobody knows
There are several threads here in the forum already… kinda a competition about the abbreviation.
Many users posted excellent interpretations, but I still have a feeling like this
or the new one came to mind
"Don't Anticipate Cool Stuff"
Cheers!
> "Don't Anticipate Cool Stuff"
lolz... :)
> No! By any means. You are kidding yourself (don't get it wrong... no offense intended); just test against the real threats
I always used to test the latest malware (malwaredomainlist) inside Sandboxie to test the efficiency of Comodo FW. And it always passed with flying colors... :) Of course I agree it is a very, very tiny sample size... Once I mistakenly ran a TDSS sample outside Sandboxie and it (Comodo) protected the system successfully. Perhaps I should try in a VM to test it more efficiently. All, any good free VMs other than VirtualBox (knowing that Comodo won't run properly in it)?
Cheers,
Harsha.