Why Usermode Hooking Sucks – Bypassing Comodo Internet Security

Discussion in 'other anti-malware software' started by kupo, May 13, 2012.

Thread Status:
Not open for further replies.
  1. kupo

    kupo Registered Member

    I found this in the COMODO forums. I thought I'd share it here. -http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/
    EDIT: I'll read it later and try to see if I can understand it, lol.
    Last edited: May 13, 2012
  2. tomazyk

    tomazyk Guest

    That's interesting reading. :thumb:

    On a 64-bit OS most HIPS software can be bypassed somehow. PatchGuard prevents them from implementing the same level of protection they can on 32-bit.

    However, I still believe that the protection Comodo and other HIPS developers are offering on 64-bit is still better than what AVs and other blacklisting software can give you.

    It would be nice if someone would test the POC provided at the end of the article and post results.
  3. Kees1958

    Kees1958 Registered Member

    Yes, user mode hooking has its weaknesses, but for malware to replace the DLL injected into every process with its own instead of the Comodo DLL, a malware executable has to run in the first place.

    Windows 7 does allow the AppInit technique for backward compatibility, but it has a hardening option for when your HIPS uses this technique: allow only signed DLLs to be used as AppInit DLLs, see http://msdn.microsoft.com/en-us/library/dd744762(v=vs.85).aspx

    So if a member on Win7 x64 could check whether guard64.dll and guard32.dll are signed, then this hardening technique could be applied: use the RequireSignedAppInit_DLLs setting, see

    http://msdn.microsoft.com/en-us/library/dd744762(v=vs.85).aspx

    Apply this hardening tweak only when no other program is listed in the AppInit section AND the Comodo DLLs are signed. It does not actually prevent the bypass, but it makes it harder to replace the guard.dll.

    Regards Kees
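    A way to perform the check Kees describes (whether the DLLs listed in AppInit_DLLs are signed, and whether RequireSignedAppInit_DLLs is set) on Win7 x64, as an added PowerShell example that is not from the thread, the article or Comodo: it reads both the 64-bit and the Wow6432Node AppInit keys, resolves each listed entry, runs Get-AuthenticodeSignature on it, and only with -Apply (and only when every entry carries a valid signature) sets RequireSignedAppInit_DLLs to 1. The registry paths and value names are the documented AppInit ones from the MSDN page linked above; that Comodo's guard32.dll/guard64.dll are what appears in the list is an assumption taken from the thread.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs configuration on Windows 7 x64
# and report whether each listed DLL carries a valid Authenticode signature, so that
# RequireSignedAppInit_DLLs can be enabled safely. Run from an elevated PowerShell prompt.
# Assumption: the Comodo DLLs appear in AppInit_DLLs as guard64.dll / guard32.dll (names from
# the thread). Nothing below modifies the registry unless -Apply is given.

[CmdletBinding()]
param(
    [switch]$Apply   # when set, enable RequireSignedAppInit_DLLs if every listed DLL is validly signed
)

# 64-bit and 32-bit (WOW64) views of the AppInit key; each loader view consults its own copy.
$keys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';             SysDir = "$env:SystemRoot\System32" },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; SysDir = "$env:SystemRoot\SysWOW64" }
)

function Resolve-AppInitDll {
    param([string]$Entry, [string]$SysDir)
    # Entries may be bare file names (resolved from the matching system directory) or full paths.
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    return Join-Path $SysDir $Entry
}

foreach ($k in $keys) {
    if (-not (Test-Path $k.Path)) { continue }
    $props = Get-ItemProperty -Path $k.Path
    $load  = $props.LoadAppInit_DLLs
    $req   = $props.RequireSignedAppInit_DLLs
    $list  = [string]$props.AppInit_DLLs

    Write-Host "`n$($k.Path)"
    Write-Host "  LoadAppInit_DLLs          = $load"
    Write-Host "  RequireSignedAppInit_DLLs = $req"
    Write-Host "  AppInit_DLLs              = '$list'"

    if ([string]::IsNullOrWhiteSpace($list)) { Write-Host "  (no AppInit DLLs listed)"; continue }

    # AppInit_DLLs is a space- or comma-separated list; anything other than the expected
    # Comodo guard DLL is worth a second look before enforcing signatures (Kees' caveat).
    $entries   = $list -split '[ ,]+' | Where-Object { $_ }
    $allSigned = $true
    foreach ($e in $entries) {
        $path = Resolve-AppInitDll -Entry $e -SysDir $k.SysDir
        if (-not (Test-Path $path)) {
            Write-Host "  [MISSING] $e -> $path"
            $allSigned = $false
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $who = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Write-Host ("  [{0}] {1} -> {2}" -f $sig.Status, $e, $who)
        if ($sig.Status -ne 'Valid') { $allSigned = $false }
    }

    if ($Apply -and $allSigned) {
        # Once set, the loader refuses unsigned AppInit DLLs in this view, which is the whole point.
        Set-ItemProperty -Path $k.Path -Name 'RequireSignedAppInit_DLLs' -Value 1 -Type DWord
        Write-Host "  RequireSignedAppInit_DLLs set to 1"
    } elseif ($Apply) {
        Write-Host "  Not enabling RequireSignedAppInit_DLLs: an unsigned or missing DLL would stop loading."
    }
}
```

    Run it once without -Apply and read the list: if anything besides the Comodo guard DLL is present, or a status other than Valid is reported, the setting should not be turned on, since the loader would then silently skip that DLL in every process.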
  4. Hungry Man

    Hungry Man Registered Member

    The thing about PatchGuard is that it puts the entire responsibility for security onto the operating system, but it only tries to solve a single problem: rootkits.

    So while MS does a great job at protecting themselves from rootkits, they now prevent any security software from supplementing their product, which really sucks because their handling of security isn't too great (this may change with 8).

    When they implemented PatchGuard they basically said "We're the only ones who can handle security now." Big mistake, since they suck at it.

    So this only applies to 32-bit applications running on 64-bit Windows.
    Last edited: May 13, 2012
  5. Ranget

    Ranget Registered Member

    I don't understand or have any idea about rootkits,
    but I know that the TDL rootkit was found to beat this PatchGuard. Why don't security
    products use the same technique? o_O

    Also want to know if OA is the same, and also, what is Comodo's response to this?
    Last edited: May 13, 2012
  6. Brandonn2010

    Brandonn2010 Registered Member

    Ha! I love that idea, but I'm sure MS would patch it somehow.
  7. blacknight

    blacknight Registered Member

    I'm not sure I have understood: Comodo HIPS doesn't install itself at the kernel level? As EQSecure does.
  8. tomazyk

    tomazyk Guest

    Not on 64-bit Windows. MS does not allow it. On 32-bit it does.
  9. Hungry Man

    Hungry Man Registered Member

    It tried to bypass PatchGuard by writing to the MBR through the BIOS or some such thing.

    It's generally best practice when writing a security program not to hack the operating system, I would think, lol.
  10. TheWindBringeth

    TheWindBringeth Registered Member

  11. blacknight

    blacknight Registered Member

    Thanks :) . Good reason not to use 64-bit. :mad:
  12. tomazyk

    tomazyk Guest

    I believe that vendors won't risk the damage they could do by trying to "patch" PatchGuard.
    Also, MS would probably sue them if they tried to hack MS's OS. It would probably break some TOS that the user agreed to when the OS was installed.
  13. tomazyk

    tomazyk Guest

    Yes, for me, right now, it's the only reason I don't move to 64-bit :(
  14. funkydude

    funkydude Registered Member

    Then you will never move to 64-bit, because it will always be there. KPP ensures stability and security by preventing the fools that make these "security" products from tampering with the kernel.

    I honestly can't believe people actually trust 3rd party vendors over MS to keep their system secure. We're talking about the same vendors that time and time again introduce their OWN security holes into the OS by doing dumb things like installing non-ASLR binaries. Every other month there's a thread about a security hole in a security product.

    Also stability: there's a reason Win x64 is so much more stable than the old days of Windows XP; you don't have every program under the sun modifying the kernel so that even MS themselves are afraid to push Windows updates for fear of causing system crashes. The reason it's far safer to install updates these days isn't that MS somehow got better at it, it's that they stopped all this software from patching the kernel in the first place.
  15. tomazyk

    tomazyk Guest

    I will move to 64-bit when I get any benefits from using 64-bit instead of 32. Right now there are no benefits for me.

    "I honestly can't believe people actually trust 3rd party vendors over MS to keep their system secure." Well, when it comes to security, people have trusted 3rd party vendors over MS for many years, and rightly so. So, should we all abandon all 3rd party AVs, firewalls and other apps just so we don't introduce new security holes into the OS? Will that make computing safer?

    BTW, most security holes that I read about are introduced by the OS itself, MS software or other 3rd party non-security-related software.
    Last edited by a moderator: May 14, 2012
  16. blacknight

    blacknight Registered Member

    Disagree. Many security products are much more reliable and trustworthy than MS, and it is much easier to find security holes and vulnerabilities in it.
  17. kupo

    kupo Registered Member

    Your choice if you want to abandon it. But with Windows alone, you can have a secure computer.
    Anti-Virus - MSE
    Firewall - Windows Firewall w/ Advanced Security
    Drive Encryption - BitLocker
    Default-Deny - SRP or AppLocker
    Combine all of these with a Standard User Account and UAC, and you're pretty much secure without 3rd party software. Oh, I almost forgot the built-in imaging of Windows 7. System Restore has also improved in Vista and 7. You can also add EMET if you want to.

    It's not only security holes with 3rd party software; there is also stability.
  18. tomazyk

    tomazyk Guest

    Yes, I know the possibilities that Windows 7 has introduced. Those are great security tools, but I still wouldn't trade the software that I use for them. I might use some of them when I move to 64-bit.

    P.S.: I haven't had any stability issues with the setup that I'm using.
  19. Cudni

    Cudni Global Moderator

    The user needs to let it run first. Nothing new. If it could execute without Comodo noticing, that would be worrying.
  20. funkydude

    funkydude Registered Member

    Wow you brought up so many valid counter points I completely changed my mind!

    That's factually incorrect; since the days of Vista and 7, and now taking it further with 8, MS have hardened their software a LOT. More exploits are found in 3rd party software.

    Oh really?
    Kaspersky: https://secunia.com/advisories/product/26220/
    ESET: https://secunia.com/advisories/product/29913/
    Avira: https://secunia.com/advisories/product/14194/
    Symantec: https://secunia.com/advisories/product/18161/
    McAfee: https://secunia.com/advisories/product/5273/

    Now, I'm not saying these are a lot of exploits (although if you combine each company's products together they are a lot), but it just goes to show that the software "protecting" you can just as easily do the complete opposite.
  21. RejZoR

    RejZoR Polymorphic Sheep

    Since all my systems have 4+ GB of RAM, I'm simply forced to use a 64-bit OS...
  22. tomazyk

    tomazyk Guest

    Yes, the number of exploits is small compared to the number of holes in Flash, Java, Office, IE ... Also, exploits in other 3rd party software are probably more targeted than exploits in security apps.

    So, I still think that using security software is in most cases better than using none. The probability of getting hacked through a hole in, let's say, an AV is much smaller than the probability of a situation where the same AV will save you from some kind of malware.
  23. funkydude

    funkydude Registered Member

    I wasn't recommending using no security software; I was trying to say that the idea of not upgrading to the better version of an OS, with using security software as the sole reason for avoiding it, is silly.

    They may have reduced security software functionality in 64-bit, but that is replaced by the improved protection mechanisms the OS itself brings, such as superior ASLR.
  24. blacknight

    blacknight Registered Member

  25. adrenaline7

    adrenaline7 Registered Member

    You just described my setup :)

    Since this is an issue of not having access to the kernel, would these issues also apply to Online Armor, DefenseWall and Private Firewall?