Comodo AV and Sandbox bypass

Actually I think that Comodo’s sandbox approach is very good. You take any unknown binaries, automatically distrust them and place them into a sandbox. Thus if we, for example, bypass its Antivirus heuristics and manage to get a shell on the target, we won't be able to do much at the system level, as the whole exploit process will be separated from it by the sandbox.

It took a while to defeat the sandbox, and for a time Comodo was on my top list of AV products. This method can bypass Defense+ in paranoid mode and the Antivirus heuristics. The Metasploit reverse payload is slightly customized, of course, in order to get by the AV. I cannot disclose the details of the sandbox escape in order to protect the innocent and to prevent abuse by script-kiddies. Below is a demonstration of how the attack is performed, featuring Viktor Cleaner giving a final strike.

In case you wonder what strange language Windows 7 is in, it's Czech.


5 Responses to Comodo AV and Sandbox bypass

  1. ez says:

    COM RPC is one motherfucking moving target for AVers :/
    // Well, look at that, nice that someone in Czechia still works on viruses :)

  2. pentest0r says:

    Any tricks to inject shellcode into an existing process???

  3. x4r0r says:

    hey bro, without a doubt you are the best, I would like to know how you do that, let's see if you feel like teaching me, I speak Spanish

  4. x4r0r says:

    Hello bro without place has no doubt you are the best , i would like to know how you do that , malfunction if you animas has teach me speaking in Spanish
