Comodo Security Not Detecting New MS 0-Day

See the thread here regarding the threat
https://www.reddit.com/r/msp/comments/v0tuvs/ms_office_vuln_polite_warning_about_nearterm/

I downloaded the malware sample to an endpoint running Comodo Client Security, fully updated. It doesn't detect the sample as a threat, and when I run a manual scan it says it's clean. When turning on Windows Defender the file is detected right away and removed.

This is a concern that CCS is not detecting this potential threat even with updated definitions.

Did you open and run the file, and was it not run in containment?

No, I was merely testing signature detection/real-time protection, since execution is not required with this 0-day; just having the Explorer file preview open is enough to trigger the exploit:
https://twitter.com/KyleHanslovan/status/1531138449536958465

I'm just surprised, since this seems to be getting a lot of attention and yet Comodo has no basic signature or real-time capability yet to detect these malicious payloads prior to execution.

Remember, with Comodo prevention is first: all unknown files are auto-contained until there is a good or bad verdict.

I am hoping to build or get a script that deletes the ms-msdt registry key. Can someone help create this script? I have one I think might work. Can I post it here for your review?

Yes, the best way to prevent an infection is to make sure your real-time protection can detect malicious code prior to it needing to be executed. Containment is a great fail-safe, but no excuse to lack normal detections on a well-reported 0-day, especially when the built-in 'free' Windows Defender is detecting and quarantining them. Also, will Comodo even intervene if we are talking about the Explorer preview pane previewing the infected document? I don't know, I haven't tested that, but I don't recall Comodo running containment when previewing normal Word docs in Explorer.

This is what I came up with according to the MS site:
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

import ctypes
from subprocess import PIPE, Popen

# Back up the ms-msdt protocol handler key, then remove it (the MSRC steps).
command1 = r'reg export HKEY_CLASSES_ROOT\ms-msdt C:\ms-msdt_backup.reg'
command2 = r'reg delete HKEY_CLASSES_ROOT\ms-msdt /f'


class disable_file_system_redirection:
    """Turn off WOW64 file-system redirection so a 32-bit Python process
    launches the native 64-bit reg.exe from System32 instead of SysWOW64."""
    _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
    _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

    def __enter__(self):
        self.old_value = ctypes.c_void_p()
        self.success = self._disable(ctypes.byref(self.old_value))

    def __exit__(self, type, value, traceback):
        if self.success:
            self._revert(self.old_value)


def ecmd(command):
    """Run a command; return its stdout on success, its stderr on failure,
    or the bare return code when the command printed nothing."""
    with disable_file_system_redirection():
        obj = Popen(command, shell=True, stdout=PIPE, stderr=PIPE)
        out, err = obj.communicate()
    ret = obj.returncode
    if ret == 0:
        if out:
            return out.decode(errors='replace').strip()
        return ret
    if err:
        return err.decode(errors='replace').strip()
    return ret


print(ecmd(command1))
print(ecmd(command2))
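A PowerShell version of the same procedure, added here as an example and not part of the thread or of Comodo's tooling: it reports whether the ms-msdt handler key is present (i.e. whether the mitigation is applied), backs the key up before deleting it and refuses to delete if the backup fails, and can re-import the backup to undo the change. The backup path and the Status/Apply/Restore parameter are assumptions for this example; run it elevated.

```powershell
# Follina (CVE-2022-30190) mitigation helper following the MSRC guidance
# linked in the thread. Assumed interface: -Action Status|Apply|Restore.
param(
    [ValidateSet('Status', 'Apply', 'Restore')]
    [string]$Action = 'Status',
    [string]$BackupPath = 'C:\ms-msdt_backup.reg'   # assumed backup location
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Get-MsdtHandlerStatus {
    # Presence of the protocol handler key is what makes the document-preview
    # path exploitable; its absence means the registry mitigation is in place.
    $present = Test-Path -LiteralPath $KeyPath
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        HandlerKey   = $KeyPath
        Present      = $present
        Mitigated    = -not $present
        BackupExists = Test-Path -LiteralPath $BackupPath
    }
}

switch ($Action) {
    'Status' { Get-MsdtHandlerStatus }
    'Apply' {
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            Write-Output 'ms-msdt handler already absent; nothing to do.'
            break
        }
        # Same reg.exe steps as the script above; /y overwrites an old backup.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed (exit $LASTEXITCODE); key not deleted." }
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Delete failed (exit $LASTEXITCODE)." }
        Get-MsdtHandlerStatus
    }
    'Restore' {
        # Undo step from the MSRC guidance: re-import the exported key.
        if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup at $BackupPath" }
        & reg.exe import $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Import failed (exit $LASTEXITCODE)." }
        Get-MsdtHandlerStatus
    }
}
```

Running it with the default action across a fleet (for example through an RMM) gives a per-endpoint record of whether the mitigation is applied, which is the check the thread was missing.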

Hi @minntech,

Thanks for taking the time to share your script to help other customers.

Kind Regards,
PremJK