COMODO as AE


COMODO as AE

Post by Rico on 4/8/2010, 10:55

I have read somewhere that you could configure Comodo Defense+ to act as an anti-execute mechanism. Can someone give me a hand here?
How effective is it compared to Faronics Anti-Executable? Does it stop scripts, reg, DLLs etc.?

Just curious also:
Does Faronics AE have an annual subscription model or a fee per version? Also, is it true that v3.x does not handle DLLs?

Rico
Advanced Member

Posts : 118
Join date : 2010-06-18

Re: COMODO as AE

Post by ssj100 on 4/8/2010, 11:18

Yes, I'm fairly sure the instructions are posted somewhere on the Comodo forums by a Comodo moderator called "Josh" (although he went by another name in those times..."3xist"?).

I'd imagine it's just as effective as Faronics Anti-Executable. I'm not sure about any program blocking all "scripts" though. The problem is that some scripts can run freely when a (third-party) program has been white-listed. For example, if "Java.exe" is allowed to run (and of course it would be if you need/want it), scripts coded in "Java" may be allowed to run freely via "Java.exe".

Another example would be with a Microsoft Word/Excel/PowerPoint file - if all macros are allowed to run (only trusted/signed ones are allowed by default), then (malicious) code could theoretically be programmed as a macro inside a Word/Excel/PowerPoint file. And of course, Word/Excel/PowerPoint would be white-listed by your anti-executable mechanism, and allowed to run, thus also allowing the macro to run and potentially infect your system. This is how Didier Stevens managed to disable SRP in his demonstration a couple of years back.

The (default-deny) "anti-executable" mechanism is a very powerful strategy against malware. In practice, it'd probably stop dead the majority of malware out there. However, I personally believe you also need some form of "containment" mechanism to stop the rest. This is why I always open newly introduced files sandboxed. I've also written in the past that mechanisms/programs like DefenseWall do NOT guarantee all files will be opened "sandboxed" or "untrusted" via double-click (which the average user will almost always do) - you'd need to always right-click each file and (manually) run it as "untrusted" to guarantee that it will open "untrusted". With Sandboxie, this is much more easily/conveniently done by simply always opening the folder containing the newly introduced files with a sandboxed "explorer.exe". I think Comodo and its sandboxing mechanism is also on the right track to suit the average user.

Anyway, sorry for the rant. And sorry, I don't know how Faronics charge people these days. With regards to DLL blocking, I'd be surprised if version 3 didn't do this, as version 2 did. I'll check in my VM at some stage for you - I'll test it against the LNK POC exploit (which loaded a foreign DLL).

EDIT: Faronics Anti-executable version 3 fails against Test A of the LNK POC exploit, and I can't find a way to configure it to pass. Therefore, it appears that version 3 doesn't block DLL loading, which is bizarre.


Last edited by ssj100 on 4/8/2010, 12:21; edited 1 time in total

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14
http://ssj100.fullsubject.com
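The two gaps ssj100 describes above (an allow-list that covers .exe files but not DLL loads, and macros running inside a white-listed Office process) can be checked on a Windows box with a read-only registry audit. This is an added example, not code from the thread; it assumes SRP is the anti-executable mechanism and reads the documented SRP and Office VBAWarnings registry values, so it says nothing about Faronics or Comodo settings.

```powershell
# Added example (not from this thread): read-only audit of two settings that
# decide whether a Windows default-deny setup has the gaps discussed above.
# 1) SRP: is the default level "Disallowed", and are DLL loads checked at all?
# 2) Office: what do Word/Excel/PowerPoint do with macros (VBAWarnings)?

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpStatus {
    if (-not (Test-Path $SrpKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultDeny = $false; DllsChecked = $false }
    }
    $p = Get-ItemProperty -Path $SrpKey
    # DefaultLevel: 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted
    # TransparentEnabled: 1 = executables only (DLLs skipped), 2 = all software files (DLLs checked)
    [pscustomobject]@{
        Configured  = $true
        DefaultDeny = ($null -ne $p.DefaultLevel -and [int]$p.DefaultLevel -eq 0)
        DllsChecked = ($null -ne $p.TransparentEnabled -and [int]$p.TransparentEnabled -eq 2)
    }
}

function Get-OfficeMacroStatus {
    # VBAWarnings: 1 = enable all (weak), 2 = disable with notification,
    # 3 = disable except digitally signed (the default), 4 = disable all without notification.
    # A value under HKCU\Software\Policies\... (Group Policy) overrides the per-user one.
    $labels = @{ 1 = 'ENABLE ALL (weak)'; 2 = 'warn'; 3 = 'signed only'; 4 = 'disabled' }
    foreach ($root in 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office') {
        foreach ($ver in Get-ChildItem $root -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -match '^\d+\.\d+$' }) {
            foreach ($app in 'Word', 'Excel', 'PowerPoint') {
                $sec = Join-Path $ver.PSPath "$app\Security"
                $v = (Get-ItemProperty -Path $sec -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
                if ($null -ne $v) {
                    [pscustomobject]@{ Source = $root; Version = $ver.PSChildName; App = $app; Macros = $labels[[int]$v] }
                }
            }
        }
    }
}

$srp = Get-SrpStatus
if (-not $srp.Configured)      { Write-Warning 'No SRP policy present: nothing is default-deny.' }
elseif (-not $srp.DefaultDeny) { Write-Warning 'SRP present but default level is not Disallowed.' }
elseif (-not $srp.DllsChecked) { Write-Warning 'SRP is default-deny for .exe but skips DLLs (TransparentEnabled=1); set Enforcement to "All software files".' }
else                           { 'SRP: default-deny, DLL loads checked.' }
Get-OfficeMacroStatus | Format-Table -AutoSize
```

A machine that reports "skips DLLs" is in the same position as the Faronics v3 result described in the post: an .exe allow-list alone does not stop a foreign DLL being loaded into an allowed process.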

Re: COMODO as AE

Post by burebista on 4/8/2010, 11:31

ssj100 wrote: Yes, I'm fairly sure the instructions are posted somewhere on the Comodo forums by a Comodo moderator called "Josh" (although he went by another name in those times..."3xist"?).
I found this thread on Comodo about pure anti-executable.
Maybe it helps.
burebista
New Member

Posts : 9
Join date : 2010-07-23
Age : 50
Location : Romania

Re: COMODO as AE

Post by Rico on 6/8/2010, 08:11

Hi ssj, if it's not much trouble, could you please create a subforum for AE apps exclusively? I believe that this type of security deserves special attention as it may be one of the only things left to ward off the cyberplague for surfers. Maybe creating a sticky thread comparing and contrasting all the different AE-capable apps and their performance (in terms of file types blocked and exploit resistance etc.) would be great (considering you have time, of course). This could be something in its own right, rivalling the sandboxing/virtualization thread on Wilders.

On a side note: how does Sbie deliver in terms of purely AE against the LNK exploit? Does it block DLLs and the like?

Thanks. cheers


Re: COMODO as AE

Post by ssj100 on 6/8/2010, 09:21

Rico wrote: Hi ssj, if it's not much trouble, could you please create a subforum for AE apps exclusively? I believe that this type of security deserves special attention as it may be one of the only things left to ward off the cyberplague for surfers. Maybe creating a sticky thread comparing and contrasting all the different AE-capable apps and their performance (in terms of file types blocked and exploit resistance etc.) would be great (considering you have time, of course). This could be something in its own right, rivalling the sandboxing/virtualization thread on Wilders.

On a side note: how does Sbie deliver in terms of purely AE against the LNK exploit? Does it block DLLs and the like?

Thanks. cheers

I'll have a think about creating a separate sub-forum, and I'm sure Patrick etc. will have thoughts on it too (we'll discuss it in our own time in a private thread as necessary).

Doing tests against AE capable apps will require exploits in the form of POCs or live malware - I'm afraid I simply don't have the resources for that (I've found it incredibly hard to come across such POCs and live malware). And when I do come across more fancy live malware, they don't seem to work in my VM (for example those rootkits tested in the sandboxing/virtualisation threads) which makes it boring haha. If you know of any source where I can freely and easily get POC/live malware, please feel free to PM me. And I'm not talking about the average malware here in the form of a ".exe" - I'm more interested in testing execution via remote code exploits or via Java code/macros etc. Heck, I'd even be willing to test any privilege escalation exploits to see if they really do bypass SRP once and for all - the fact that it's so hard to actively/purposefully find a POC/live malware of any of these makes me wonder why we're even concerned about them in the first place.

Sandboxie's anti-execution mechanism does not block DLL loading (as far as I can tell), and therefore it does nothing to block the LNK POC exploit. What it does do is contain everything in the sandbox (that is, it does its job).


Re: COMODO as AE

Post by Rico on 7/8/2010, 05:50

Thank you for considering this, it would be a great idea IMHO. I do know quite a few sites with a plethora of exploits and POCs, that you may or may not know of. I will PM them to you.


Re: COMODO as AE

Post by Rico on 7/8/2010, 07:56

One of the many informative posts initiated by you on the Sbie forums: http://www.sandboxie.com/phpbb/viewtopic.php?t=6198&highlight=dll

Thought I'd post the link for future reference.


Re: COMODO as AE

Post by ssj100 on 7/8/2010, 09:58

Rico wrote: Thank you for considering this, it would be a great idea IMHO. I do know quite a few sites with a plethora of exploits and POCs, that you may or may not know of. I will PM them to you.

It's all very well to get the sites (yes I did know of most of them), but it's much harder to get working exploits. For example, out of the many buffer overflow exploits discussed in this thread, I could only find one that worked:
http://ssj100.fullsubject.com/security-f7/buffer-overflow-exploit-writing-tutorial-t97.htm


Re: COMODO as AE

Post by MrBrian on 11/8/2010, 04:53

Here's my method: http://forums.comodo.com/defense-sandbox-help-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html

MrBrian
Member

Posts : 14
Join date : 2010-07-01

Re: COMODO as AE

Post by Soyabeaner on 14/8/2010, 00:19

I discovered that one can further lighten the load on disk activity by really disabling the firewall driver (inspect.sys). At least it worked for me in Windows 7 64.

Soyabeaner
Member

Posts : 10
Join date : 2010-04-18
