Comodo bypassed (allegedly)


Post by ssj100 on 5/7/2010, 18:27

https://forums.comodo.com/news-announcements-feedback-cis/another-mrg-video-t58497.0.html;msg412479#msg412479

Please see latest video here http://www.youtube.com/watch?v=4AYeIDI4CB4 As you will see, we are able to bypass CIS from within the sandbox, with CIS displaying no alerts.

Cheers,

Chris

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

Re: Comodo bypassed (allegedly)

Post by doskey on 10/7/2010, 09:15

Relax. This is just a video. If these guys want to help us, please provide binaries. There is no 100% security in the world; what we can do, and what we are doing, is fight malware. Never stop.
That's all.

Thanks,
Doskey.

doskey
Security Professional

Posts : 4
Join date : 2010-04-26
Location : COMODO


Post by languy99 on 14/8/2010, 01:31

It's interesting that I don't see any more videos from MRG with the new beta version. I guess they can't bypass it anymore since the new command-line scanning feature has been implemented.
languy99
Valued Member

Posts : 54
Join date : 2010-07-20


Post by ssj100 on 14/8/2010, 01:47

It's also interesting to see so little activity at their own forums. Ever since that Wilders thread was locked, I'd completely forgotten about MRG. I think if they released their POC to the public, it would get much more interest!

And it's fairly clear that they are out there to belittle Comodo etc. It's rather sad really.



Post by languy99 on 14/8/2010, 01:50

From what I heard (and this is just what I heard), it is not their POC. They took it from someone else and modified it a little.


Post by languy99 on 14/8/2010, 01:51

Also, have you tried the new beta 3 .1079? I like it, and it is much better. I just found a Java exploit, and it caught it and put it in the sandbox. Much improved.


Post by ssj100 on 14/8/2010, 01:55

I only tested it against the LNK POC exploit.

Java exploit? Any chance you could PM me this?



Post by languy99 on 14/8/2010, 02:00

I got it from the MBAM forum; I'll PM it to you. Here are the results for it.

http://virscan.org/report/3ce30cc58d51d3646fb7facbd2f9640b.html


Post by ssj100 on 14/8/2010, 02:01

By the way, this concept of sandboxing unknown applications is exactly the same approach as what I've been employing for nearly a year - I use Sandboxie to open any newly introduced file, even likely benign files like .txt etc. In my opinion, Comodo are definitely employing a very good security approach. The great thing is that they are automating things so that even the "noob" user can handle it.



Post by languy99 on 14/8/2010, 02:08

Sent to you.

Comodo is working very hard to keep security as high as possible while keeping user interaction as low as possible. It is very hard to do, but the end goal is to reduce pop-ups so much that when the user sees a pop-up they should be like, "Whoa, wait a minute, this is strange. I have never seen a program ask for this; to be safe I will block it."


Post by languy99 on 14/8/2010, 05:05

I just tested a pdf exploit against comodo V5.1079 and it did very well.

CIS saw the exploit, and sandboxed it. The exploit tries to access svchost.exe and CIS notified me. I blocked it.

Then it tries to modify the setupapi.app.log file. After that it tries to once again access svchost.exe, I block it again. Then it gives up and closes.

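The two ideas in the posts above, sandboxing anything not already trusted (ssj100's "open every newly introduced file in a sandbox") and the in-sandbox behaviour languy99 reports (the svchost.exe access prompts are blocked, the setupapi.app.log write lands in the sandbox, then the exploit exits), as one added example in Python. This is not CIS, Sandboxie or MRG code: the hash whitelist, the sandbox redirect root and the event trace are constructed for the example, and `answer_prompt` stands in for the user's answer to a HIPS pop-up.

```python
"""Default-deny handling of unknown files plus a sandbox behaviour monitor.

Added example for this thread; it is not CIS, Sandboxie or MRG code.
Assumptions (all constructed for the example):
  - TRUSTED_HASHES stands in for a vendor whitelist / signature check;
  - SANDBOX_ROOT is where a sandboxed process's file writes are redirected;
  - SAMPLE_EVENTS is a hand-written trace following the sequence reported
    in the post above (svchost.exe access, setupapi.app.log write,
    svchost.exe access again, exit).
"""
import hashlib
import ntpath
from dataclasses import dataclass, field

SANDBOX_ROOT = r"C:\Sandbox\unknown"   # hypothetical copy-on-write redirect root

# Hypothetical whitelist: SHA-256 of file content -> label.
TRUSTED_HASHES = {
    hashlib.sha256(b"MZ constructed-trusted-binary").hexdigest(): "vendor-signed tool",
}

# Processes a sandboxed program may not touch without the user's say-so.
PROTECTED_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def classify_file(content: bytes) -> str:
    """Default deny: 'trusted' only if the content hash is whitelisted, else
    'sandbox'. The extension is deliberately ignored, so an unknown .txt or
    .pdf is sandboxed exactly like an unknown .exe."""
    return "trusted" if hashlib.sha256(content).hexdigest() in TRUSTED_HASHES else "sandbox"


@dataclass
class SandboxResult:
    alerts: list = field(default_factory=list)             # prompts raised to the user
    blocked: int = 0                                       # prompts answered "block"
    redirected_writes: dict = field(default_factory=dict)  # real path -> virtual copy
    exited: bool = False


def virtual_path(real_path: str) -> str:
    """Copy-on-write redirect: C:\\Windows\\x.log -> <SANDBOX_ROOT>\\C\\Windows\\x.log."""
    drive, rest = ntpath.splitdrive(real_path)
    return ntpath.join(SANDBOX_ROOT, drive.rstrip(":"), rest.lstrip("\\"))


def run_sandboxed(events, answer_prompt):
    """Apply the sandbox policy to a trace of process events.

    answer_prompt(text) -> True means the user chose "block" on the pop-up
    the event raises (the HIPS alert in the post); False means allow.
    File writes never prompt: they are silently redirected into the
    sandbox, which is what keeps the real system unchanged.
    """
    result = SandboxResult()
    for ev in events:
        op = ev["op"]
        if op == "open_process":
            name = ntpath.basename(ev["target"]).lower()
            if name in PROTECTED_PROCESSES:
                text = f"pid {ev['pid']} (sandboxed) wants to access {name}"
                result.alerts.append(text)
                if answer_prompt(text):
                    result.blocked += 1
        elif op == "write_file":
            result.redirected_writes[ev["target"]] = virtual_path(ev["target"])
        elif op == "exit":
            result.exited = True
    return result


# Constructed trace mirroring the behaviour reported in the post above.
SAMPLE_EVENTS = [
    {"pid": 4120, "op": "open_process", "target": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4120, "op": "write_file", "target": r"C:\Windows\inf\setupapi.app.log"},
    {"pid": 4120, "op": "open_process", "target": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4120, "op": "exit", "target": ""},
]

if __name__ == "__main__":
    pdf = b"%PDF-1.4 constructed sample"
    print("classification:", classify_file(pdf))           # sandbox
    r = run_sandboxed(SAMPLE_EVENTS, answer_prompt=lambda text: True)
    for a in r.alerts:
        print("ALERT:", a)
    print("blocked:", r.blocked, "redirected:", r.redirected_writes, "exited:", r.exited)
```

Answering the prompts with "allow" instead of "block" changes only the `blocked` count; the write to setupapi.app.log is redirected either way, which is the property that lets a sandbox run an unknown file without the real file being modified.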


Post by ssj100 on 14/8/2010, 05:10

languy99 wrote: I just tested a pdf exploit against comodo V5.1079 and it did very well.

CIS saw the exploit, and sandboxed it. The exploit tries to access svchost.exe and CIS notified me. I blocked it.

Then it tries to modify the setupapi.app.log file. After that it tries to once again access svchost.exe, I block it again. Then it gives up and closes.


Again, can I please have the sample via PM? Thanks.

By the way, it sounds like older versions of CIS would have done well too.



Post by languy99 on 14/8/2010, 05:25

I will send it to you. I tested it with an older version of Adobe Reader and it worked. I don't know if the older version with the sandbox would have caught it.


Post by ssj100 on 14/8/2010, 05:27

languy99 wrote: I will send it to you. I tested it with a older version of adobe reader and it worked. I don't know if older version with sandbox would have caught it.

I'm sure Defense+ would have caught it even in version 3.



Post by languy99 on 14/8/2010, 05:32

Yeah, in v3 it would have, easily.
