Zero day Windows exploit bypasses Defence Plus

Details are here.

http://ssj100.fullsubject.com/security-f7/0-day-exploit-speaks-chinese-bypasses-uac-t298.htm

Exploit bypasses CIS even with paranoid settings and proactive mode. :frowning:

Try creating a D+ rule for PoC which denies read (or all types of) access to ntkrnlpa.exe. Does it help?

I have read it rapidly and my conclusion is that you need to change from partially limited to Untrusted. Then the exploit won’t pass by. But by default settings it will get through.

To languy99: I would like to know what configuration is needed to make CIS almost bulletproof. May I ask what configuration your CIS has?

Thanks

Regards,
Valentin

Languy said that he has got the default configuration.

No, he changed the automatic sandbox settings from (partially limited) to (untrusted) to block the POC exploit; it gets bypassed in any mode other than (untrusted) …

it’s already set to ( untrusted ) on my machine all the time :-TU

Even when I set it to untrusted, the POC still bypassed CIS 5. The POC would be blocked if I disabled the sandbox and just relied on Defense+. I was hoping others would also test and see what they find for their machines.

Tested the POC on a real machine (W7 64 bit). Comodo successfully blocked it…

Proactive Config set + Sandbox set to Untrusted + Disabled FileSystem & Registry Virtualization.

The above config is the one I use daily.

Thanks,
Harsha.

But shouldn’t the virtualization work as an extra layer of protection?

If the COMODO sandbox/exe control setting is set to ‘block’ – would that intercept the exploit?

Also, does SandboxIE conflict or somehow weaken the sandbox in COMODO (or vice-versa) if they are used side-by-side?

Thanks

Not necessarily. With CIS 5, the Comodo developers have tried hard to make things more user friendly. Therefore, this has arguably caused it to be weaker in default mode. As far as I can tell, anything unknown is allowed to be executed by default (often) without a pop-up. This is because it is automatically executed “sandboxed”. However, this sandbox doesn’t appear to be in the same league as Sandboxie.

If Comodo can develop something more like Sandboxie, then it could be truly powerful (and potentially still very user friendly) indeed.

I was under the impression that if Virtualization is disabled then no files were created at all…
Pls. correct me if I’m wrong…

Thanks,
Harsha.

I’m not sure about conflicts. I have read about many in the (recent) past, and in principle, I no longer run more than one third party security software. I’ve posted about this many times in the past.

I see that it is still commonplace for many folk to run or have two, three or even four or more different security software programs installed on their systems. This can potentially bring about wicked conflicts, both seen and unseen. Also, the more different programs you have on your system, the more chance of having exploitable software code to be used as a vessel for malware.

I just got my hands on this “poc” thing.
default setting !
sandbox got it
and anti virus detected it

looks like we have it under control

So what happens if you run it with the antivirus disabled? Can it do any damage?

Not sure why this question is being asked?

Fact: CIS version 5 was bypassed in default settings and damage could be done. This was initially tested by me, and was verified by Comodo moderator “languy99”.

Comodo may have added signatures to their database to detect this type of “malware” since that time.

ssj100, you’re testing this in VirtualBox from what you told me, and it is known that Comodo does not run well in VirtualBox; it only runs like it should in a real system or VMware. VirtualBox stops Comodo from being able to fully protect the system.

This POC is blocked by automatic sandbox if you set it to untrusted or if you right click on it and run in sandbox.

In order to answer Valentin’s question - I have to confirm what some users (sorry for not mentioning names, guys … I’m in a hurry) said:
“languy99 tests mainly the default settings”
But that doesn’t matter actually in this case - whatever you would like to set

The UAC bypass and the new rootkits for x64 will bypass no matter what … including the fact how the latest CIS is developed (…wrongly…) regarding sandbox
There is no “real” (can that be “unreal” :)) virtualization as a matter of fact

So, the statements that security will be stronger after introducing the Patch Guard were basically almost hopeless as I told way long ago & before the new releases of Comodo discussing its sandbox at that time

In addition to improper Comodo’s sandbox implementation (SandboxIE is still incomparably much stronger - on Win 7 x64 …missing just around 5%-10%; no questions about 32bit), sure any security now have problems since they cannot hook, so basically, nobody is to blame except MS

Relax, guys & have fun! :wink:

Cheers!

The UAC bypass and the new rootkits for x64 will bypass no matter what ... including the fact how the latest CIS is developed (...wrongly...) regarding sandbox
Can you please be more precise? I mean, are you referring to the Windows zero day exploit or sth else...
In addition to improper Comodo's sandbox implementation (SandboxIE is still incomparably much stronger - on Win 7 x64 ....missing just around 5%-10%; no questions about 32bit), sure any security now have problems since they cannot hook, so basically, nobody is to blame except MS
I think Comodo Sandbox (automatic one) is implemented in a much different way. If you set the Sandbox level to "Untrusted", it provides pretty good isolation/protection from malware touching the system (it successfully protects from the Windows zero-day exploit POC and even the .lnk vulnerability). Could someone give me a POC for the .lnk vulnerability? As if I remember correctly in my testing of that particular POC it actually contained. And remember, Comodo has another Sandbox (the right-click one) it actually virtualizes.

And last but not least…sorry for off-topic
what is the status of DACS patent? What is the progress of it being integrated into CIS? When supposedly it will be released?

Hi harsha,

Not “sth” else - that’s all over the place
Do you really want me 2 b “more precise” ?

sure - different, but the wrong way 88) … hmmm… like removing tonsils “per ■■■■■■” :smiley:

No! by any means. You are kidding yourself (don’t get it wrong… no offense intended) just test against the real threats, not against “unknown” Applications - this sandbox is just a perfect “colander”

There is no real virtualization - Please use proper Tools for that

What patent? Nobody knows
There are several threads here in the forum already … kinda competition about the abbreviation
Many users posted excellent interpretations, but I still have a feeling like this
or the new one came to mind
“Don’t Anticipate Cool Stuff” :smiley:

Cheers!

"Don't Anticipate Cool Stuff"
lolz... :)
No! by any means. You are kidding yourself (don't get it wrong... no offense intended) just test against the real threat
I always used to test the latest malware (malwaredomainlist) inside sandboxie to test the efficiency of Comodo Fw. And it always passed with flying colors... :) Of course I agree it is a very, very tiny sample size... Once I mistakenly ran a TDSS sample outside the sandboxie and it (Comodo) protected the system successfully. Perhaps I should try in a VM to test it more efficiently. All, any good free VMs other than VirtualBox (knowing that Comodo won't run in it properly)?

Cheers,
Harsha.