Author Topic: Big scurity risk due to lack of CIS self-defense  (Read 2628 times)

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big scurity risk due to lack of CIS self-defense
« Reply #30 on: July 02, 2018, 07:47:01 AM »
That's a point. I sometimes get no good feeling when I install (albeit very, very rarely in the meantime) programs which are not so trusty for me because they are not so clearly trustworthy (but not therefore dangerous, e.g. ccleaner and so on).

I do not know what they are really doing in my PC. When the message appears, "do you allow the program to make changes to your registry", then I have no good or an undefined (because of my lack of knowledge) feeling. No security program can protect me from my decision. But umesh's signature says: "We can't stop malware entering user's PC but we render them use-less when they enter PC: Welcome to Comodo's Default Deny innovation."

That's right, and that's why CIS settings should not just be protected, they MUST be specially protected.
Usually hackers do not reveal their secrets, but I use CIS myself, so I want to be protected too  ;)  :-X

Offline prodex

  • Comodo Loves me
  • ****
  • Posts: 160
Re: Big scurity risk due to lack of CIS self-defense
« Reply #31 on: July 02, 2018, 08:29:10 AM »
I could change protected registry keys.

What does "protected objects" mean when I can change them? Can any program or any hacker do this, or is it as Eric wrote:

Quote
... not a big one and one that has not been seen in the wild.

What have I done wrong, or what don't I understand? It seems to be a piece of cake to change that. Or is it that comodo discovers when someone/any program tries to manipulate my computer? Then I am NOT a hacker for my PC and for comodo  :-\  and so comodo does not have to protect me from myself - is this so?
« Last Edit: July 02, 2018, 08:31:30 AM by prodex »

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big scurity risk due to lack of CIS self-defense
« Reply #32 on: July 02, 2018, 08:57:43 AM »
Quote
I could change protected registry keys.

What does "protected objects" mean when I can change them? Can any program or any hacker do this, or is it as Eric wrote:

What have I done wrong, or what don't I understand? It seems to be a piece of cake to change that. Or is it that comodo discovers when someone/any program tries to manipulate my computer? Then I am NOT a hacker for my PC and for comodo  :-\  and so comodo does not have to protect me from myself - is this so?

Default CIS config has HIPS disabled, but even if you enable HIPS you can still change these protected keys because regedit is just a Trusted app.
To patch it, try the following in HIPS Rules:
Code:
HIPS:On with SafeMode with modified predefined "All Applications" rule with:
Access Rights -> Access Name:Protected Registry Keys; Exclusions:BlockedRegistryKeys:Registry Groups:COMODO Keys

Blocking Important Keys for all trusted applications will crash the system.
But you can block Important Keys for selected trusted apps (for example for regedit) by making rules in HIPS.
The main protection of these keys is the administrator permission for the application that wants to modify them.
Note: COMODO Keys != Important Keys, but Important Keys includes some of the COMODO Keys
« Last Edit: July 02, 2018, 09:31:35 AM by bazolo »

Offline prodex

  • Comodo Loves me
  • ****
  • Posts: 160
Re: Big scurity risk due to lack of CIS self-defense
« Reply #33 on: July 02, 2018, 09:26:24 AM »
Quote
Blocking Important Keys for all trusted applications will crash the system.

Thank you!
I only did it to try.

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big scurity risk due to lack of CIS self-defense
« Reply #34 on: July 02, 2018, 09:40:02 AM »
Oops, it just seems to me that I have found a new security risk field, this time related to the firewall. As my fears are confirmed, I will start a new thread.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 24888
Re: Big scurity risk due to lack of CIS self-defense
« Reply #35 on: July 02, 2018, 10:28:53 AM »
Quote
Default CIS config has HIPS disabled, but even if you enable HIPS you can still change these protected keys because regedit is just a Trusted app.
To patch it, try the following in HIPS Rules:
Code:
HIPS:On with SafeMode with modified predefined "All Applications" rule with:
Access Rights -> Access Name:Protected Registry Keys; Exclusions:BlockedRegistryKeys:Registry Groups:COMODO Keys
Regedit is trusted, but unknown programs cannot start trusted applications without notifying the user (when using HIPS only). Luring an unsuspecting user to open Regedit to make changes to the registry is an unrealistic scenario, so I see no need to patch the rule for regedit.

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big scurity risk due to lack of CIS self-defense
« Reply #36 on: July 02, 2018, 10:50:01 AM »
Quote
Regedit is trusted, but unknown programs cannot start trusted applications without notifying the user (when using HIPS only). Luring an unsuspecting user to open Regedit to make changes to the registry is an unrealistic scenario, so I see no need to patch the rule for regedit.

Yes, it's clear.

But this patch is to protect COMODO Keys against all trusted apps, not only for regedit.
This patch also protects against the attack I described earlier:
Code:
HIPS:On with SafeMode with modified predefined "All Applications" rule with:
Access Rights -> Access Name:Protected Registry Keys; Exclusions:BlockedRegistryKeys:Registry Groups:COMODO Keys

Offline prodex

  • Comodo Loves me
  • ****
  • Posts: 160
Re: Big scurity risk due to lack of CIS self-defense
« Reply #37 on: July 02, 2018, 11:49:39 AM »
Quote
Regedit is trusted but unknown programs cannot start trusted applications without notifying the user (when using HIPS only).

That's sometimes the/my problem. Should I or shouldn't I, when comodo says:

"xxxx is a known program but yyyy is unknown. If it is your program you use you can allow it.
But in case you have any doubts, block it" which is what I do, then.

If I have only a little doubt I cancel it, even if it is e.g. cmd, which is a known program but mentioned by comodo as unknown (and I think comodo knows what I don't know might happen in the background).
« Last Edit: July 02, 2018, 11:56:46 AM by prodex »

Offline ReeceN

  • Comodo Loves me
  • ****
  • Posts: 129
  • Paranoid B#st#rd - CIA
Re: Big scurity risk due to lack of CIS self-defense
« Reply #38 on: July 03, 2018, 08:19:02 PM »
Quote
You did not understand me. I do not want third-party applications to have access to CIS settings. Only the owner should have this right.

A) If you don't trust the certificates then disable the option to use them.

B) Malware can bypass software based protection modules. There is no point in attempting to create a software based self-defence system because if your system can become infected in the first place, then you are potentially screwed anyway.

C) Nothing you have shown above seems to be a bypass. You are just disabling settings and complaining that you are able to be attacked... because you just DISABLED the settings. That's like locking your car but leaving your windows open and complaining things got stolen. It's not the car's fault you kept the windows open.

The only thing I would point out is that, in a perfect world, the file reputation system would provide instant analysis so that you do not have to wait if certificate checking is disabled.
« Last Edit: July 03, 2018, 08:42:18 PM by ReeceN »

Offline bazolo

  • Comodo Family Member
  • ***
  • Posts: 66
Re: Big scurity risk due to lack of CIS self-defense
« Reply #39 on: July 04, 2018, 08:19:03 AM »
Quote
A) If you don't trust the certificates then disable the option to use them.

B) Malware can bypass software based protection modules. There is no point in attempting to create a software based self-defence system because if your system can become infected in the first place, then you are potentially screwed anyway.

C) Nothing you have shown above seems to be a bypass. You are just disabling settings and complaining that you are able to be attacked... because you just DISABLED the settings. That's like locking your car but leaving your windows open and complaining things got stolen. It's not the car's fault you kept the windows open.

The only thing I would point out is that, in a perfect world, the file reputation system would provide instant analysis so that you do not have to wait if certificate checking is disabled.

AD A) Blocking certificates would become a nightmare. Then the Safe Mode would become the Paranoid Mode, and it is not a solution, because a whole life would only be spent on defining endless (often uncertain) rules. But you cannot trust the certifications endlessly; rather you should use the method of limited trust with the additional lines of defense that I am proposing.

AD B) Omitting one of the program modules does not mean winning the battle; when others are active they can win the fight with the attacker, but you want to give everything away with a walkover at once.

AD C) So write for example to Microsoft or Avira or others, because they just block access to their own settings. Convince them that what they do is nonsense.

I'm sorry I do not have time to repeat the same over and over again. I work a lot.
Comodo's bosses decided it is a threat, convince them now, not me.

« Last Edit: July 04, 2018, 10:12:49 AM by bazolo »

Online liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 961
  • Earth is a circus where we are the clowns...
Re: Big scurity risk due to lack of CIS self-defense
« Reply #40 on: July 04, 2018, 12:22:05 PM »
Solution possible:

If the config is Comodo Internet Security, apply Protected Objects protection in HIPS when command line, safe applications... are running in containment.

Safe Applications are not 100% safe and are exploited by malware or unknown applications.

Offline 23

  • Comodo's Hero
  • *****
  • Posts: 335
Re: Big scurity risk due to lack of CIS self-defense
« Reply #41 on: July 04, 2018, 01:11:12 PM »
If self-defense is useless, then why do Kaspersky and Symantec use self-defense modules?

Offline ReeceN

  • Comodo Loves me
  • ****
  • Posts: 129
  • Paranoid B#st#rd - CIA
Re: Big scurity risk due to lack of CIS self-defense
« Reply #42 on: July 04, 2018, 11:58:14 PM »
Quote
AD A) Blocking certificates would become a nightmare. Then the Safe Mode would become the Paranoid Mode, and it is not a solution, because a whole life would only be spent on defining endless (often uncertain) rules. But you cannot trust the certifications endlessly; rather you should use the method of limited trust with the additional lines of defense that I am proposing.

AD B) Omitting one of the program modules does not mean winning the battle; when others are active they can win the fight with the attacker, but you want to give everything away with a walkover at once.

AD C) So write for example to Microsoft or Avira or others, because they just block access to their own settings. Convince them that what they do is nonsense.

I'm sorry I do not have time to repeat the same over and over again. I work a lot.
Comodo's bosses decided it is a threat, convince them now, not me.

If you would like Trusted Files that have had their Certificates verified to have a certain set of security rules applied to them, or would like rules applied to all trusted files, then feel free to suggest it in the Wishlist section of this forum.

I did not say Self Protection modules were nonsense, I said that if you are infected you are "potentially" screwed. Implementing a self protection module that is based on chance and hope that the technique is not going to be advanced enough to defeat it does not seem a very solid solution.

For example, malware in the Comodo Sandbox is generally speaking going to be prevented from installing on the machine and therefore has prevented the infection in the first place. A self protection module however is not going to stop malware from being installed if it has gone undetected in the first place.
 
This provides a false sense of security, adds bulk to the application and wastes development time that could be spent on something else.

Finally, this thread is regarding you claiming to have defeated Comodo, again, you have not demonstrated that you have been able to do it. With that said, if you manage to do so, without first reducing the security settings of the application, then feel free to post it as many of us will be very interested.
« Last Edit: July 05, 2018, 12:06:15 AM by ReeceN »

Offline Dennis2

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9462
Re: Big scurity risk due to lack of CIS self-defense
« Reply #43 on: July 05, 2018, 03:09:32 AM »
Quote
If self-defense is useless, then why do Kaspersky and Symantec use self-defense modules?
For the simple reason that it makes users think they are safe; whether they are is another matter.

It all depends on the user's attitude.

As soon as one provides something the others follow, something Comodo has never done; they only follow if something increases security, if not it is dropped.

Dennis
Moderator: Aims Forum a friendly place. Any concerns? Please PM me and/or review the Forum Policy 2012Updated.
System: Centos 7.5 x64, APF, HTTPS Everywhere, ABP, NoScript
 Fedora 28 x64, APF, HTTPS Everywhere, ABP

Offline !Wolverine!

  • Newbie
  • *
  • Posts: 14
Re: Big scurity risk due to lack of CIS self-defense
« Reply #44 on: July 05, 2018, 06:46:14 AM »
Try it:
C:\Windows\system32>reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs
    Num    REG_DWORD    0x3
    InstallPath    REG_SZ    C:\Program Files\COMODO\COMODO Internet Security
    InstallDriver    REG_DWORD    0x1
    Active    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\2


and check the value of the Active. I think that you have a different value
Replace your value in these and try it:
reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\Firewall\Predefined\4\Rules\0 /v Action /t REG_DWORD /d 0x1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\AV\Settings\ExcludedApplications\0 /v Filename /t REG_SZ /d *.* /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Sandbox /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\HIPS\Policy\2 /v Filename /t REG_SZ /d *.* /f


Now I see. But then you should also add "Comodo Client Files/Folders" and "Comodo Internet Security" to Protected files/folders -> Blocked Files for the "%windir%\explorer.exe" HIPS default rule, to protect CIS from being crippled in the scenario you explained by a legitimate app gone rogue, or alternatively by somebody that gained administrator access to your PC either remotely or physically. "Metro Apps" should also have the 'Comodo registry' HIPS registry access block rule, although I reckon Windows 10 should run them contained by default and they should not be able to edit the registry like non-UWP apps. Then password protect CIS.

Though it prevents deletion and being disabled via the registry editor, it does not prevent being disabled via, for example, services.msc. Creating under HIPS -> "HIPS Groups" a new category like "COMODO Services Keys", adding the keys below and adding the new category to "All Applications" will keep all CIS services safe (excluding non-critical ones like CSS and ISE) from manipulation by already installed running software, a malicious user locally or remotely, as well as snake oil registry cleaner programs.

HKLM\SYSTEM\ControlSet???\Services\CmdAgent*
HKLM\SYSTEM\ControlSet???\Services\cmdboot*
HKLM\SYSTEM\ControlSet???\Services\cmderd*
HKLM\SYSTEM\ControlSet???\Services\cmdGuard*
HKLM\SYSTEM\ControlSet???\Services\cmdhlp*
HKLM\SYSTEM\ControlSet???\Services\cmdvirth*
HKLM\SYSTEM\ControlSet???\Services\inspect*
« Last Edit: July 06, 2018, 09:02:31 AM by !Wolverine! »
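The posts above show what a tampered CIS configuration looks like in `reg query` output and which service keys the proposed HIPS group should cover. The following script is an added example (not code from the thread or from Comodo) of the defender's side of this: it parses a `reg query ... /s` text dump, resolves the active CisConfigs profile via the `Active` value, and flags the three changes discussed in the thread (an AV exclusion of `*.*`, a deleted `HIPS\Sandbox` key, and a CIS service switched to disabled). The embedded dump is constructed to resemble the output quoted in the post; the service `Start` value is the standard Windows SCM setting, and any values beyond those quoted in the thread are assumptions made for the sample.

```python
"""Audit a `reg query ... /s` text dump for tampering with CIS settings and services.

Added example: parses the output format shown in the thread and flags the changes
discussed there. On a real host, feed it something like
    reg query HKLM\\SYSTEM\\CurrentControlSet\\Services /s > services.txt
"""
import re
from typing import Dict, List, Tuple

RegDump = Dict[str, Dict[str, Tuple[str, str]]]  # key path -> {value name: (type, data)}

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"
CIS_CONFIGS = SERVICES_ROOT + r"\CmdAgent\CisConfigs"
# Service key prefixes taken from the thread's proposed "COMODO Services Keys" HIPS group.
CIS_SERVICE_PREFIXES = ("cmdagent", "cmdboot", "cmderd", "cmdguard", "cmdhlp", "cmdvirth", "inspect")
SERVICE_START_DISABLED = 4  # Windows SCM "Start" value meaning the service is disabled

# Constructed sample dump; values not quoted in the thread (Start, the profile layout) are assumed.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs
    Num    REG_DWORD    0x3
    InstallPath    REG_SZ    C:\Program Files\COMODO\COMODO Internet Security
    InstallDriver    REG_DWORD    0x1
    Active    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\0\AV\Settings\ExcludedApplications\0
    Filename    REG_SZ    *.*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent\CisConfigs\1\HIPS\Sandbox

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdGuard
    Start    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CmdAgent
    Start    REG_DWORD    0x2
"""


def parse_reg_query(text: str) -> RegDump:
    """Unindented HKEY_ lines open a key; indented lines are `name    type    data`
    separated by runs of four spaces (data may be empty)."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            dump.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value line before any key line")
        parts = re.split(r" {4,}", raw.strip(), maxsplit=2)
        data = parts[2] if len(parts) == 3 else ""
        dump[current][parts[0]] = (parts[1], data)
    return dump


def dword(dump: RegDump, key: str, name: str) -> int:
    """Return a REG_DWORD value as an int (reg query prints them as 0x hex)."""
    vtype, data = dump[key][name]
    if vtype != "REG_DWORD":
        raise ValueError(f"{key}\\{name} is {vtype}, expected REG_DWORD")
    return int(data, 16)


def active_config_key(dump: RegDump) -> str:
    """CisConfigs\\Active selects which numbered profile subkey CIS is using."""
    return f"{CIS_CONFIGS}\\{dword(dump, CIS_CONFIGS, 'Active')}"


def audit(dump: RegDump) -> List[str]:
    """Return findings for the tampering patterns discussed in the thread."""
    findings: List[str] = []
    cfg = active_config_key(dump)
    lowered = {k.lower(): k for k in dump}  # registry paths are case-insensitive

    # 1. An AV exclusion entry matching every file neuters the scanner.
    excl_root = (cfg + r"\AV\Settings\ExcludedApplications").lower() + "\\"
    for lk, key in lowered.items():
        if lk.startswith(excl_root) and dump[key].get("Filename", ("", ""))[1].strip() == "*.*":
            findings.append(f"AV exclusion wildcard *.* at {key}")

    # 2. The active profile's HIPS\Sandbox key has been removed.
    if (cfg + r"\HIPS\Sandbox").lower() not in lowered:
        findings.append(f"missing {cfg}\\HIPS\\Sandbox (containment settings deleted?)")

    # 3. A CIS service/driver switched to Start=4 (disabled) through the registry.
    svc_root = SERVICES_ROOT.lower() + "\\"
    for lk, key in lowered.items():
        svc = lk[len(svc_root):] if lk.startswith(svc_root) else ""
        if not svc or "\\" in svc or not svc.startswith(CIS_SERVICE_PREFIXES):
            continue
        if "Start" in dump[key] and dword(dump, key, "Start") == SERVICE_START_DISABLED:
            findings.append(f"CIS service {svc} is disabled (Start=4)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_query(SAMPLE_DUMP)):
        print("FINDING:", finding)
```

Run it against a dump taken at install time and again later (or from a scheduled task) and diff the findings; the checks are deliberately keyed on the active profile so that a profile switch does not hide an exclusion planted in the profile actually in use.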

 
