03-24-2017, 11:26 PM

I saw this on Comodo's Facebook page; I am posting it for all those who use Comodo or who would like to know about this:

Carlos Chaparro (Yesterday at 12:18pm):
Hey Comodo, hurry up and fix this asap!
Comodo - Security (linking https://forums.comodo.com/.../new-attack...microsofts...):
Hello Guys,

No, we are not vulnerable to this AppVerifier injection. Michael [from Cybellum] contacted us on this issue at our security response email, and we had a long discussion on the topic.

The claim was: Malware can use this registry key to inject arbitrary code into COMODO processes and hence disable the protection. DLL injection through AppVerifier registry keys has been around since Windows XP, i.e. the last 10 years, and CIS [Comodo Internet Security], by default, protects these keys against malicious modifications already. Check the attachment CIS_protected.png. In order for the attack to be successful, malware has to write to this registry key, and CIS already protects against this by default. There are actually hundreds of similar ways of injecting into other processes, and I am not sure other AVs are even aware of them.

Most of the disagreement comes from not understanding how CIS layered defense works and assuming CIS is like the classical antivirus products mentioned in the original article. Never mind protecting itself against such attacks, CIS protects EVERY other application against such attacks too.

For this attack to be successful, the malware author should be able to bypass CIS protection. CIS, by default, allows only whitelisted applications to modify such critical keys. Non-whitelisted applications will be either blocked or sandboxed, rendering the attack ineffective.

To his credit however, during our discussions with Michael [from Cybellum], another attack vector was disclosed to us. This can cause problems with the default configuration, so we will be addressing it with an update in April. We will be giving more details on it with the release.

Thanks
(Yesterday at 6:25pm, edited)
Carlos Chaparro (Yesterday at 3:17pm):
Thank you!
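To make the "malware has to write to this registry key" point concrete: the Application Verifier mechanism the comment refers to is configured per executable under the Image File Execution Options key, where a `VerifierDlls` value names DLLs the loader maps into the process whenever that image's `GlobalFlag` has the FLG_APPLICATION_VERIFIER bit (0x100) set. The script below is an added example of mine, not code from the Facebook thread, from Comodo or from Cybellum: it parses a `reg export` dump of that key and flags images whose verifier DLL is not a known Application Verifier provider, which is the check a defender would run to confirm nothing has been planted there. The sample export, the image names and the DLL path in it are constructed placeholders, and the provider allowlist is an assumption to tune against a clean reference machine.

```python
import ntpath
import re
from typing import Dict, List

# Per-image Application Verifier settings live under this key; the loader
# maps the DLLs listed in VerifierDlls into a process whose GlobalFlag has
# the FLG_APPLICATION_VERIFIER bit (0x100) set.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\"
               "CurrentVersion\\Image File Execution Options\\")
FLG_APPLICATION_VERIFIER = 0x100

# Assumed allowlist of Microsoft Application Verifier provider DLLs; extend
# it from a clean reference machine before relying on it.
KNOWN_VERIFIER_PROVIDERS = {"vrfcore.dll", "vfbasics.dll"}

# Constructed sample `reg export` output (not from the page); every image
# name and DLL path below is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="C:\\ProgramData\\placeholder_injected.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av_service.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="placeholder_injected.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legit_debug_target.exe]
"Debugger"="vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\some_tool.exe]
"VerifierDlls"="vrfcore.dll"
"""

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key path: {value name: raw encoded value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def decode_value(raw: str):
    """Decode the two .reg encodings this check needs: dword and string."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # reg export doubles backslashes inside REG_SZ values
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def find_verifier_injections(text: str) -> List[dict]:
    """Return one finding per IFEO image that carries a VerifierDlls value."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        if "VerifierDlls" not in values:
            continue  # e.g. a plain Debugger entry, not a verifier provider
        image = key[len(IFEO_PREFIX):]
        dlls = str(decode_value(values["VerifierDlls"])).split()
        flag = int(decode_value(values.get("GlobalFlag", "dword:00000000")))
        armed = bool(flag & FLG_APPLICATION_VERIFIER)
        unknown = [d for d in dlls
                   if ntpath.basename(d).lower() not in KNOWN_VERIFIER_PROVIDERS]
        if armed and unknown:
            severity = "high"    # foreign DLL will be loaded into the image
        elif unknown:
            severity = "medium"  # foreign DLL staged; one flag away from loading
        else:
            severity = "info"    # genuine Application Verifier configuration
        findings.append({"image": image, "dlls": dlls, "armed": armed,
                         "unknown_dlls": unknown, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_verifier_injections(SAMPLE_REG_EXPORT):
        print(f"{f['severity']:6} {f['image']}: {' '.join(f['dlls'])}")
```

On a real host, dump the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and read the file with `encoding="utf-16"` (reg.exe writes UTF-16) before passing the text to `find_verifier_injections`. A "high" finding on a security product's own service image is exactly the condition the comment describes; the preventive control it relies on is restricting writes to this key to trusted applications, and the matching detective control is alerting on any registry value set under it.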