Author Topic: Big security risk due to lack of CIS self-defense  (Read 2621 times)

Offline Ploget

  • Comodo's Hero
  • *****
  • Posts: 806
  • 'Your best teacher, is your last mistake'
    • Traditional Protection
Re: Big security risk due to lack of CIS self-defense
« Reply #15 on: June 30, 2018, 03:19:33 PM »
So far, the only example you have shown is of 'yourself' being able to modify these settings. If you could show a third-party application that does this (w/o major CIS warnings etc.), then I'm sure there will be great interest in exploring this. Hypothetical 'what ifs' don't really cut it I'm afraid

You did not understand me. I do not want third-party applications to have access to CIS settings. Only the owner should have this right.
Ploget
 
Win10x64 Pro 1809 (17763.316) Win7x64 Pro x 2 - all Test systems
CIS v.11.0.0.6778 - CCAV v.2.0.470195.867 Beta
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
'If you think you are too small to make a difference; try sleeping with a Mosquito'

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big security risk due to lack of CIS self-defense
« Reply #16 on: June 30, 2018, 04:08:07 PM »
So far, the only example you have shown is of 'yourself' being able to modify these settings. If you could show a third-party application that does this (w/o major CIS warnings etc.), then I'm sure there will be great interest in exploring this. Hypothetical 'what ifs' don't really cut it I'm afraid

ok, for example 'trusted' applications like CCleaner or jv16 PowerTools for clearing registry.
How can I be sure that by clearing and optimizing the registry, they do not recognize data that is important to CIS as trash and will remove or damage it?
This is a real example. Recently, CCleaner demolished millions of chrome browsers by interfering with their data:

changelog
v5.42.6499 (16 May 2018)
CCleaner IMPORTANT FIX

Browser Cleaning
- Fixed a critical issue where very long float values were saved in scientific format, causing the Chrome profile to be lost
- Fixed a critical issue where systems using non-standard decimal separators caused data to be stored incorrectly, causing the Chrome profile to be lost


It hit chrome, but it might as well have touched the CIS.
We are talking about a security-related application, not a communicator for children. The point is that it is impossible to trust even trusted applications when it comes to accessing CIS settings. Built-in protection of CIS settings would increase resistance to various potential attacks.
« Last Edit: June 30, 2018, 04:11:20 PM by bazolo »

Offline prodex

  • Comodo Loves me
  • ****
  • Posts: 160
Re: Big security risk due to lack of CIS self-defense
« Reply #17 on: June 30, 2018, 04:10:38 PM »
Would that be possible if you protected it with hips "protected objects" ?

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big security risk due to lack of CIS self-defense
« Reply #18 on: June 30, 2018, 04:16:09 PM »
Would that be possible if you protected it with hips "protected objects" ?
Yes, maybe possible. I'm just experimenting with blocking access to Comodo Keys from HIPS for all trusted applications, with the exception of Comodo itself.

Offline Ploget

  • Comodo's Hero
  • *****
  • Posts: 806
  • 'Your best teacher, is your last mistake'
    • Traditional Protection
Re: Big security risk due to lack of CIS self-defense
« Reply #19 on: June 30, 2018, 05:10:34 PM »
Again, with CCleaner and especially jv16 - you are trying to protect the user with all rights against themselves and what they are running.

You mean like this: https://help.comodo.com/topic-72-1-522-6311-Protected-Registry-Keys.html?
ok, for example 'trusted' applications like CCleaner or jv16 PowerTools for clearing registry.
How can I be sure that by clearing and optimizing the registry, they do not recognize data that is important to CIS as trash and will remove or damage it?
This is a real example. Recently, CCleaner demolished millions of chrome browsers by interfering with their data:
Built-in protection of CIS settings would increase resistance to various potential attacks.

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big security risk due to lack of CIS self-defense
« Reply #20 on: June 30, 2018, 05:20:39 PM »
It seems the following global solution works and solves the problem.
The first tests look promising with:

HIPS:On with SafeMode with modified predefined "All Applications" rule with:
Access Rights -> Access Name:Protected Registry Keys; Exclusions:BlockedRegistryKeys:Registry Groups:COMODO Keys

Results:
Code:
C:\Windows\system32>reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox /f
ERROR: Access is denied.

I'm testing it further.
« Last Edit: June 30, 2018, 07:22:16 PM by bazolo »

Offline John Buchanan

  • "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well armed lamb contesting the outcome of the vote." ~ Benjamin Franklin
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6680
  • Personal Dragons can be defeated. Improve yourself
Re: Big security risk due to lack of CIS self-defense
« Reply #21 on: June 30, 2018, 07:54:52 PM »
Again, you are trying to protect it from yourself.  There is no point in this, unless you consider the person on the other side of the keyboard to be an idiot  >:-D
Please follow Comodo Forum Policy

Bah! Ban 'em all! The only good member is a banned member
And a member is just a policy violator who hasn't been caught yet. >:-D

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big security risk due to lack of CIS self-defense
« Reply #22 on: June 30, 2018, 09:52:42 PM »
Again, you are trying to protect it from yourself.  There is no point in this, unless you consider the person on the other side of the keyboard to be an idiot  >:-D

The commands from the keyboard were only for test purposes.
I think you have not read the content of the discussion. It is not about access to the registry from the keyboard but about access to the CIS config for thousands of applications recognized as trusted. I prefer to be sure I have protected the CIS settings and not only to believe that they are safe.

But if you want ok, I can describe an exemplary attack using .reg, which disarms CIS:
Our hypothetical victim is the average computer user.
She uses a computer for browsing the internet, shopping and payments.
She does not know about computers.
She has a CIS installed with default settings by her friend's son.
One day she gets an email "Hi, look so funny pic haha!" with an attachment containing .reg used to disarm the CIS.
Windows defaults hide file extensions, and the name of this .reg for confusion is set to Funny Photo.
She opens it, CIS stops completely protecting her computer and she does not even know it.
She then gets a second email, this time with the attached real Trojan.
CIS no longer protects her computer, so she runs the Trojan without any problem.
The Trojan turns on her webcam and the perverted hacker films her naked in the evening dancing in front of the mirror.
In the morning comes the third email with the information "pay 1000 $, because if not this movie will go to the net."
The lady pays.
And John from the Comodo forum still tells her that she is really safe  :P0l

hmm
I do not want to be a monster, but it seems to me that in this scenario, the woman would be protected if she did not have Comodo at all, but only the usual Windows Defender, which cannot be turned off by .reg and would not allow the Trojan to run.
« Last Edit: June 30, 2018, 10:41:57 PM by bazolo »
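As an added example, not part of this thread and not Comodo's code: a small Python pre-screen that a mail gateway or an endpoint could run on a .reg attachment before it reaches the user in the scenario above. It parses the Registry Editor export format and flags every key the file creates, modifies or deletes under a watch list of protected prefixes. The CIS prefix is the path from the reg delete test earlier in the thread; the ExampleSecurityVendor prefix, the helper names and the sample file are constructed for this example.

```python
"""Triage a .reg file for edits to security-product configuration keys.

Added example (not from the Comodo forum thread): parse a Registry Editor
export and report each key or value operation that lands under a watched
prefix. Everything here runs offline on the constructed sample below.
"""
import re

# Prefixes whose modification by a .reg import is suspicious (case-insensitive).
# The CmdAgent\CisConfigs path is the one quoted in the thread; the
# ExampleSecurityVendor entry is a constructed placeholder, not a real product key.
WATCHED_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleSecurityVendor",
)

# Registry Editor export grammar (the subset that matters for triage):
#   header line, "[KEY]" opens a key, "[-KEY]" deletes a key,
#   "name"=data or @=data sets a value, "name"=- deletes a value.
_HEADER_RE = re.compile(r"^Windows Registry Editor Version 5\.00\s*$|^REGEDIT4\s*$")
_KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")
_VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))\s*=\s*(?P<data>.*)$'
)


def parse_reg(text):
    """Return (is_reg_file, events). Each event is a dict with keys
    'op' ('touch_key', 'delete_key', 'set_value', 'delete_value'),
    'key' (full registry path) and 'name' (value name, '@' for default, or None)."""
    lines = text.lstrip("\ufeff").splitlines()  # tolerate a UTF-8 BOM
    if not lines or not _HEADER_RE.match(lines[0]):
        return False, []
    events, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and comments
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                events.append({"op": "delete_key", "key": key, "name": None})
                current = None
            else:
                current = key
                events.append({"op": "touch_key", "key": key, "name": None})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            op = "delete_value" if m.group("data").strip() == "-" else "set_value"
            events.append({"op": op, "key": current, "name": name})
    return True, events


def flag_protected(events, prefixes=WATCHED_PREFIXES):
    """Return the events whose key is a watched prefix or lies below one."""
    lowered = [p.lower() for p in prefixes]
    return [
        ev for ev in events
        if any(ev["key"].lower() == p or ev["key"].lower().startswith(p + "\\")
               for p in lowered)
    ]


def triage(text):
    """Verdict for one attachment: 'not_reg', 'clean' or 'touches_protected_keys'."""
    ok, events = parse_reg(text)
    if not ok:
        return "not_reg", []
    hits = flag_protected(events)
    return ("touches_protected_keys" if hits else "clean"), hits


# Constructed sample in the shape the scenario describes: a registry script
# that deletes a CIS HIPS subkey (the path from the reg delete test in the
# thread) while also carrying an innocuous-looking edit elsewhere.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "; named like a photo, is a registry script",
    "[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\CmdAgent\\CisConfigs\\0\\HIPS\\Sandbox]",
    "",
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]",
    "\"Theme\"=\"dark\"",
    "\"Legacy\"=-",
    "",
])

if __name__ == "__main__":
    verdict, hits = triage(SAMPLE_REG)
    print(verdict)
    for h in hits:
        print(f"  {h['op']}: {h['key']}" + (f" [{h['name']}]" if h["name"] else ""))
```

The check is deliberately coarse: it looks at which keys a file would touch, not at what the values mean, so it is a quarantine-or-review signal for attachments rather than a replacement for the HIPS "Protected Registry Keys" rule discussed in the thread, which stops the write itself.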

Offline prodex

  • Comodo Loves me
  • ****
  • Posts: 160
Re: Big security risk due to lack of CIS self-defense
« Reply #23 on: July 01, 2018, 03:01:46 AM »
I can understand the intention of bazolo, which is similar to the security precautions of large companies that use hackers to detect security holes. But I will link once more to this report:

Quote
https://avlab.pl/en/comodo-security-were-difficult-overcome-even-hackers-cia

No antivirus does not have perfect security is impossible to hack all and everything, but for professionals from the CIA security, Comodo have proven to be particularly difficult to overcome.


Note: not was corrected by me!

And I tell once more what I had posted some times ago:
My nephew, who is responsible for IT security in a system-relevant company, uses comodo for himself.
Perhaps it may be that you're actually protecting yourself.

Some INet-users are proud not to need any protection but brain 2.0 or later versions.   :o

comodo (or whatever) + another go-hand-in-hand-av + brain 2.4 -----> good protection means for my part:

comodo + malwarebytes + sometimes checking the computer with tdsskiller.exe and adwcleaner + brain 2.x or later.

Nowadays everyone who uses the internet should know about the dangers, just as when I use a car. That doesn't mean I have to be an IT specialist, but I have to be careful, and that is what I have told children for a long time already.

What you're doing certainly needs some knowledge and therefore I don't know if that may happen in reality (in the PC-World) or only in your computer.

I furthermore trust in comodo + ....... and it's been good so far.

Decent hackers, on the other hand, are really important for security.
« Last Edit: July 01, 2018, 11:51:38 AM by prodex »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 24880
Re: Big security risk due to lack of CIS self-defense
« Reply #24 on: July 01, 2018, 03:28:29 PM »
Bazolo, I now see where your concern is coming from. I see it as a security risk; not a big one and one that has not been seen in the wild.

I have sent a pm to umesh informing him about the scenario and this topic.

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big security risk due to lack of CIS self-defense
« Reply #25 on: July 01, 2018, 05:01:58 PM »
Great  :-TU. EricJH, prodex and all other interlocutors thank you for the lively discussion.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 24880
Re: Big security risk due to lack of CIS self-defense
« Reply #26 on: July 01, 2018, 05:41:53 PM »
Thank you for persevering with your point of view.

How do you know that Defender protects its registry keys against user actions? Does it also protect itself against changes to the registry made by trusted applications?

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Big security risk due to lack of CIS self-defense
« Reply #27 on: July 01, 2018, 10:57:46 PM »
Thanks, will get back on it.
Bazolo, I now see where your concern is coming from. I see it as a security risk; not a big one and one that has not been seen in the wild.

I have sent a pm to umesh informing him about the scenario and this topic.
We can't stop malware entering user's PC but we render them use-less when they enter PC: Welcome to Comodo's Default Deny innovation

Offline prodex

  • Comodo Loves me
  • ****
  • Posts: 160
Re: Big security risk due to lack of CIS self-defense
« Reply #28 on: July 02, 2018, 03:08:18 AM »

How do you know that Defender protects its registry keys against user actions? Does it also protect itself against changes to the registry made by trusted applications?

That's a point. I sometimes get no good feeling if I install (albeit very, very rarely in the meantime) programs which are not so trusty for me because they are not so clearly trustworthy (but therefore not dangerous, e.g. CCleaner and so on).

I do not know what they really are doing in my PC. When the message "do you allow the program to make changes to your registry" appears, I have no good feeling, or an undefined one (because of my lack of knowledge). No security program can protect me from my decision. But the signature of umesh:
Quote
We can't stop malware entering user's PC but we render them use-less when they enter PC: Welcome to Comodo's Default Deny innovation.

« Last Edit: July 02, 2018, 03:14:41 AM by prodex »

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big security risk due to lack of CIS self-defense
« Reply #29 on: July 02, 2018, 06:02:45 AM »
How do you know that Defender protects its registry keys against user actions? Does it also protect itself against changes to the registry made by trusted applications?

Windows Defender protects its own registry keys.
I attached screenshots.

But even if Windows Defender could be blocked, Windows Notifications will signal an alarm about the security inactivity.
And in case of my attack, Windows Notification is also cheated.
« Last Edit: July 02, 2018, 07:11:04 AM by bazolo »
