AEP does this by intercepting system calls that might present a threat to the applications such as Terminate Process or Create Remote Thread are obvious examples of calls that might pose a risk to AEP. Other less obvious but actually more dangerous call would be CreateFile as it can do a lot more than just create a file. Comodo AEP intercepts these calls and only allows them to proceed if they won’t harm the Comodo process. Comodo AEP also contains a kernel mode driver that it uses to prevent attempts to modify the system kernel directly.
One potential method of interfering with AEP execution is to install a global customized module to target the application by calling the command SetWindowsHook/SetWinEventHook. AEP prohibits this by intercepting these system calls in the driver and intercepting these operations in file system minifilter that prevents unknown modules from being loaded into AEP applications.
Controlling the Graphical User Interface
Window GUI APIs such as include SendMessage, PostMessage, and EndTask can be used to change or close target windows and generate messages that can potentially affect window status. AEP closely monitors these API and prevents its user interface windows from being controlled by other applications. Preventing attacks through the user interface.
AEP saves its configuration and internal data in registry. In order to protect this data from being changed by malicious applications, AEP uses a registry filtering driver to monitor all sensitive registry locations and block write attempts from untrusted applications.
Data Execution Prevention & ASLR
Additionally, Comodo Advanced Endpoint Protection also employs DEP – Data Execution Prevention along with Address Space Layout Randomization (ASLR). These protocols randomize where application data is stored in system memory, effectively hiding from malicious attempts to find and shut down the application, with these protocols enabled, only applications that are authorized are allowed to modify AEP’s application data..
Protection of Ports and Handles for Internal Communication
AEP uses filter ports and LPC to communicate between its internal components (driver, services, injected module, etc). If a malicious application somehow managed to inject code into the AEP application, the malware could attempt to disconnect these ports and thereby disable protection features. In order to prevent against these types of attacks, the system call, NtClose, is intercepted to prevent these communication handles from being closed unexpectedly.
Simulating Keyboard & Mouse Inputs
There are also attacks that simulate mouse and keyboard input to manipulate the target application. These types of attacks can launch the AEP GUI and modify the settings automatically. AEP detects and blocks all these types of inputs by intercepting related system calls like NtUserSendInput to ensure the user interface is not being maliciously manipulated.
Controlling Windows Driver
The Windows driver has a high privilege and can take control of an entire system including AEP. AEP intercepts all related system calls to prevent harmful applications from installing drivers that call either service related API or NtLoadDriver routine directly.