Comodo Memory Firewall Final Released

Discussion in 'other anti-malware software' started by Coolio10, Jan 3, 2008.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Tested it in my VM, and same over here, I wonder what the Comodo folks will have to say about this test. Btw, I have just received a PM from LUSHER, and he didn't say that CMF is not effective (he still needs to test this), he said that the Comodo testing tool is, so my mistake.

    Thanks, but this tool is way too advanced for me, I started a topic about how to use it, but no one replied.
     
  2. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Well cmf supposedly fails because their tests are fake?

     
  3. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Whom have you quoted?

    /C.
     
  4. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Comodo Forum Moderator
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

    I don't get it, I have this .ani file that triggers a BO on my VM, and now I want to see if CMF can stop it, but even with DEP turned off, it still seems as if DEP is the one that's stopping it, it keeps restarting explorer.exe. Any ideas? How to turn DEP off inside a VM?
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes! :D I was able to make this POC exploit work on my VM (thanks a lot MrBrian), and I was happy to see that CMF was able to stop it. I tested it in all modes (restart, terminate, ask user) and it did the job. I have to say that I was a bit surprised that DEP couldn't stop it, or perhaps I need to test again.

    Btw, the buffer overflow would make Winamp v5.12 execute code (launch calc.exe) so I thought, why not test the process execution protection from SSM/NG, and both stopped the execution, so you would think that even if a BO occurred, HIPS might still be able to stop the attack, by simply blocking process execution.
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Software DEP? Hardware DEP? Which DEP mode (AlwaysOn, OptOut, OptIn)? BTW, I'm not sure if DEP works correctly in VMs.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome Rasheed187 :)

    You can think of buffer overflow exploit code as having a first and possibly a second stage. The first stage code runs within the process attacked itself, and so can do whatever your computer security policy allows the attacked process to do. This first stage gives no alert in Comodo Firewall. For this reason, I don't advocate running Defense+ in any mode that allows training, except maybe for just the first few days or maybe weeks after installation. Let me give an example. Suppose your favorite video media player has a buffer overflow vulnerability. Let's suppose this video media player is on Comodo's whitelist. Let's suppose you are using a Defense+ mode that allows training for programs on Comodo's whitelist. Let's suppose you play a poisoned video file in your video media player, and buffer overflow exploit code within the video media player process runs a keylogger and also sends the results to a rogue website using Internet Explorer via COM interface. Both of these actions, the low-level keyboard access, and also the COM interface used, will be learned by Comodo Firewall, assuming you are in a training mode that trains for the video media player! I use Paranoid mode in Defense+, so that I can be alerted to such behavior that might provoke suspicion.

    The buffer overflow exploit code may try to do things such as download further exploit code via a web browser and execute the downloaded file in a new process. This I refer to as the second stage of the attack. Comodo Firewall, or your other favorite HIPS, could indeed alert about the second stage actions, depending on your HIPS configuration. This second stage may not exist, but I am guessing that usually it exists in most buffer overflow exploits.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the feedback. So basically, CMF recognizes the fact that a BO attack is in progress, and will take action in the "second stage" (by killing the attacked process), while other HIPS will simply try to block the things that the BO tries to achieve, like loading a process, correct? Isn't the CMF approach better? Btw, I've also tested it with KAV v7 (who claims to be able to stop BOs), but it didn't make a sound. But I have to admit that currently my VM is not the best testing environment, because sometimes other HIPS also malfunction. :rolleyes:

    It's hardware DEP, enabled for all processes, and I think I have seen DEP in action on VMs.
     
    Last edited: Feb 27, 2008
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Enabled from within Windows (OptiOut) or by editing the BOOT.INI file (AlwaysOn)?
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Better yet, Comodo Memory Firewall prevents the first stage code from executing APIs, from what I have read. On http://forums.comodo.com/comodo_mem..._beta_v1016_bug_reports_closed-t12960.15.html is found the statement that Comodo Memory Firewall "detects only API calls in shellcodes, not instructions." If Comodo Memory Firewall didn't stop the first stage code from executing APIs, then you should have received an alert in your HIPS when, for example, calculator was launched in the proof of concept. In this example, the first stage code is the code that launches calculator, while the second stage is the separate calculator process.

    I would guess that there usually is a second stage, because I would think that the malicious code would want to establish itself in your system permanently somehow. Also, the amount of space available for the first stage code might be quite limited, depending on the particular vulnerability. You're right that HIPS can warn about the second stage, but of course it depends on how your HIPS is configured for the particular program attacked. Fortunately, Comodo Firewall, when in one of the learning modes, will not learn modification of protected files nor launching of processes. Unfortunately though, Comodo Firewall will learn actions other than these 2 types, if in a training mode and training on the particular program attacked. If you had previously applied the Comodo Firewall predefined policy 'Trusted Application' to the process attacked, then Comodo Firewall would have allowed the first stage exploit code modification of protected files, but alerted upon launching of new processes. If you had previously applied the Comodo Firewall predefined policy 'Windows System Application' to the process attacked, then Comodo Firewall would have allowed the first stage exploit code modification of protected files and launching of new processes.
     
    Last edited: Mar 2, 2008
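As an added illustration (not Comodo Memory Firewall's code, and not posted by anyone in this thread), here is a simplified model of the heuristic MrBrian's post describes: flag API calls whose caller sits outside any mapped module image, since that is where stack- or heap-resident first-stage shellcode runs, and then apply one of the restart/terminate/ask modes mentioned earlier. The process name, the addresses and the caller-address rule itself are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str   # "image" = mapped EXE/DLL code, "data" = stack or heap

# Constructed memory map of a hypothetical attacked media player process;
# the addresses are illustrative, not taken from any real binary.
MEMORY_MAP = [
    Region("player.exe",   0x00400000, 0x00500000, "image"),
    Region("kernel32.dll", 0x7C800000, 0x7C900000, "image"),
    Region("stack",        0x0012D000, 0x00130000, "data"),
    Region("heap",         0x00150000, 0x00160000, "data"),
]

def region_of(addr):
    """Return the Region containing addr, or None if it is unmapped."""
    for r in MEMORY_MAP:
        if r.start <= addr < r.end:
            return r
    return None

def classify_api_call(api, return_addr):
    """Assumed CMF-style rule: an API call is suspicious when the caller's
    return address is outside every mapped image (i.e. on the stack/heap)."""
    r = region_of(return_addr)
    if r is not None and r.kind == "image":
        return "allow", f"{api} from {r.name} @ {return_addr:#010x}"
    return "block", f"{api} from {r.name if r else 'unmapped'} @ {return_addr:#010x}"

ACTIONS = {"terminate": "kill process", "restart": "kill and relaunch", "ask": "prompt user"}

def enforce(trace, mode="terminate"):
    """Walk an API-call trace; stop at the first blocked call and apply the
    configured response mode (the terminate/restart/ask modes from the thread)."""
    events, action = [], None
    for api, ret in trace:
        verdict, note = classify_api_call(api, ret)
        events.append((verdict, note))
        if verdict == "block":
            action = ACTIONS[mode]
            break
    return events, action

# Constructed trace: a normal file open from the module's own code, then
# first-stage shellcode on the stack calling WinExec (the "launch calc.exe" step).
TRACE = [("CreateFileW", 0x00401234), ("WinExec", 0x0012E010)]
```

The second-stage process (calc.exe here) never starts because the first-stage API call is refused inside the attacked process, which is why a HIPS that only watches process creation would see nothing.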
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've checked it, and it's OptIn, but I have also tried to disable DEP completely by editing the boot.ini file, I can't remember which VM it was though. But you would think that DEP should be able to stop the attack also. Btw, I've done some searching, and I found the bug that this POC tries to exploit:

    http://secunia.com/advisories/18649/

    Thanks for the feedback MrBrian, but just to clarify, I'm not using CFP at the moment, it's quite powerful but I don't like it because of various reasons. ;)
     
    Last edited: Mar 5, 2008
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Rasheed187, only the off switch is worse than OptIn. :)

    Try reading from here.
    I'm tired, sorry for not expanding. But most of what I found out is there, link by link, Illya's replies and so on.
     
  15. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,181
  16. rolarocka

    rolarocka Guest

    It isn't integrated in CFP but will be in the future. You can run both together.
     
  17. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    IIRC doesn't Comodo Firewall already have this?? I remember seeing something about this during installation.
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Not yet. Perhaps you were thinking of Defense+, which does not detect buffer overflows.
     
  19. polocanada

    polocanada Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    60
    I think CMF is more or less for WinXP folks, not so much for Vista.
     
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I installed it also, because my boot-to-restore ignores my memory completely, while malware loves my memory. :)
     
  21. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Dude, I should have listened to you. I actually tried installing this thing. After installation it asked to reboot, I did, and BAM! BSOD. I couldn't boot into Windows. I had to go into safe mode, disable the service, disable the startup entries, and only then was I able to boot into Windows normally. After that I uninstalled this thing ASAP.

    For the record I'm running Windows XP Media Center Edition with SP2 fully patched. The only security software I have running is GesWall, AntiVir, and Secunia PSI.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Zopzop, it patches the kernel (!) afaik.
     
  23. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Sorry if it has been mentioned before, but Comodo Memory Firewall will soon be integrated into CFP 3.

    Check here
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I hope they keep CMF also as a standalone software.
    CMF works fine on my computer, but the Comodo Free Firewall was a disaster on my system, I couldn't get it to work, even after the right settings.
     