ZeroAccess rootkit can bypass CIS 5.8

I’ve tested CIS 5.8 against ZeroAccess rootkit, two days old sample.

CIS had sandboxing enabled, but when I run the malware the only alert from Defence+ was: “malware.exe is trying to launch explorer.exe”.

This would seem legit for many users and hit Allow.

In that moment Comodo is deactivated.

What was Sandbox set to?
parially limited

I always set it to untrusted as that’s been proven to tackle most…
Was AV set to On Access and Cloud options ticked and Enable Rootkit scanning?

Can’t comment any further after this, was just asking for more info that others who do know more will ask in advance. :slight_smile:

2011-09-09 17:13:45 C:\Documents and Settings\Roger\桌面\virus\123\screensaver.exe Sandboxed As Partially Limited

2011-09-09 17:13:46 C:\WINDOWS\explorer.exe Sandboxed As Partially Limited

2011-09-09 17:13:53 C:\WINDOWS\explorer.exe Modify File C:\Documents and Settings\Roger\桌面\virus\123\screensaver.exe

2011-09-09 17:13:53 C:\WINDOWS\explorer.exe Access COM Interface LocalSecurityAuthority.Tcb

It is obvious now that default Internet Security with Partailly Limited setting can be bypassed…
Switching to Proactive Security setting should also raise the level of Unrecognized files to Restricted or Untrusted.

Agreed, until we get v6 and then it will be fully virtualised…

What are differences between them?

Partially Limited - The application is allowed to access all the Operating system files and resources like clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.

Limited - Only selected operating system resources can be accessed by the application. The application is not allowed to execute more than 10 processes at a time and is run with out Administrator account privileges.

Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

Untrusted - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

Blocked – The application is not allowed to run at all.

comodo sandbox by default can not be bypassed by the 0access rootkit

You have to check this one for enabling the sandbox.

You’re right, I didn’t do it.

I wanted to test CIS with default settings.

Enabling that option, the file is sandboxed.
It’s strange Comodo doesn’t enable it by default.

Use Custom installation.

the auto mode is terminated when you install firewall only

You can set the configuration as CIS, and then the problem is solved.

So to the OP, can you confirm your problem is no longer and now resolved/solved? ;D

The Internet Security configuration is the default configuration when you install CIS. The sandbox is enabled in this configuration. The sandbox is only disabled if you switch your configuration to Firewall Security.

I’m confused because your latest post contradicts your original post. Your original post says the sandbox was enabled and CIS was bypassed.

Now you are saying the sandbox was in fact disabled, but when it is enabled, CIS is not bypassed? ???

Which is it? :-\

As a256886572008 pointed out, you probably did not use the default settings. In default settings, CIS can NOT show you execution alerts. You probably used some other mode.

I remember that when I installed CIS FW5.8 beta the setting that a256886572008 pointed out was not active by default. Can anybody check this too?

I hope that the default configuration for “comodo firewall” will be CIS but not CFS.


CIS: autosandbox enabled

CFS:autosandbox disabled

If you don’t install the AV the setting is disabled by default.

I installed CIS FW with default settings (I just choose, not to install the AV, Geekbuddy, and DNS)
The profile active by default is Firewall security.

Why a user that does not install the AV get a lower protection in D+? does not make any sense since is not related at all with the AV

[attachment deleted by admin]

Most of the users who install firewall only are looking for a firewall i.e. network based filtering. They dont want an anti-malware solution from CFW. All they want is a strong firewall which has good indirect internet access control while they let other antivirus solutions to protect them.

COMODO Firewall can well be turned into an antimalware solution with one click configuration switching though if its what you need.

what?? comodo fw comes together with the HIPS

Thats is the excuse to offer a weak and easily to bypass settings using the default settings of CIS fw?

It’s so hard to admit it and change the default settings? I can’t even believe that you wrote all those paragraph to say that instead to spend the same time changing the default settings on CIS FW.

In fact you argumentation doesn’t make any sense, if they want a strong protection (proactive mode) why offer by default the weakest one (fw protection), CIS fw should be configured by default like CIS is the only thing that make sense.