Comodo Defence Plus Bypassed by Zeroaccess rootkit

Interesting scenario with zeroaccess rootkit. Tested with Comodo HIPS and GesWall

Comodo Defence plus SAFE mode, sandbox enabled, firewall safe mode, AV turned off

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

GesWall- passed with

- only dll isolated or
- dll and flashplayer.exe both isolated.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Nice to see GesWall nail this.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Very nice info, thanks. Any chance you could try DefenseWall or Sandboxie against this?

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Nice to see this thanks.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

oh now try with sandboxie haha

no bypass

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

I'm pretty sure this is because of limited rights for the sandbox. What if you had it set to restricted or untrusted? I know blocked would well block it.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Could be this as he said, you should try it as untrusted

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Can provide samples, please?

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Very nice there aigle

If sandbox is disabled will D+ pop-up an alert?

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

I've asked for Comodo team support.
https://forums.comodo.com/av-false-...ess-rootkit-t79079.0.html;msg566512#msg566512

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

what version of comodo

and can you plz try it when comodo sandbox is disabled

also can you try OA

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Was this the automatic sandbox or fully virtualized sandbox?

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

The OP could do this at the Comodo forum.
Comodo will nail this

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

I do not know what is the significance of such tests? No sample so much, what is the significance? It's like the manufacturers say me how good, but not used how do you know what's good or bad?

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

i did testing with win 7 in VBox in ubuntu host. CIS on default settings but AV was not installed.

Tried on XP under cover of CTM with same settings but strange thing appeared. Day before yesterday, it was giving a pop up alert that flash...exe wants to get unlimited access, it's signed but not white listed by comodo, do you want to allow, or sandbox or block. If sandboxed, all is ok but if allowed rootkit is installed. Yesterday i tried again and strangely it says that this eye wants unlimited access but it's unsigned. That is strange really. I am not able to get previous alert at all.

No such alert on win 7 or may be it's due to vbox. Can any one test on real win 7 system or vmware?

Also tried with proactive mode with sandbox off. It gives many pop up alerts and is a pass for comodo. I wil post screenshots later.
OA doesn't give any alert at all but i need to confirm this as i think i trusted every thing on the computer as trusted. I wil post later.

Sorry that i could not test DW and SBIE but i see no reason for them to pass this test.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

would running under under a standard user account protect you from this nasty or does it bypass that aswel?

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

not sure but i think it should protect. UAC also protects.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Thanks aigle.
Maybe you can submit the file (sample) to the Comodo team.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Aigle- can you please post the MD5 of the sample?

There have been 2 that have been floating around this week:

0fc7456a17a43983d55488fcf548410e and
998cb14ac738a8cceefd0ef29017d12f

Running these under CIS where Execution Control was set as Restricted did not produce the same results that you had (both were blocked).

Also, what was your EC setting when you ran the malware?

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Excellent work fellas, let's get this nailed

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

Not to be seen as disrespectful to Aigle and his tests, but the way some people are testing CIS [a security suite that includes AV + FW + HIPS [D+]/Sannbox] is kind of flawed to me.

It's like telling a guy to run a 10 miles marathon in 1 hour but sawing off his two legs before the competition starts.

The same applies to CIS. They disable the AV, then setup D+ with the weakest settings and also setup the Sandbox to Partially Limited instead of Untrusted/Restricted, and even sit down and wait for it to pass those “tests” .


Honestly, I don't know what to think.


Thanks.

 

Re: Comodo Defence Plus Byapssed by Zeroaccess rootkit

I used default settings.