Author Topic: Microsoft Security Essentials - Self protection? quick test.  (Read 2817 times)
Kyle
Computer Security Testing Group
« Reply #15 on: December 08, 2009, 01:02:12 PM »

The process deletion is performed before Defense+/Comodo has started. I don't see how v4 will change anything.

AlphaRosea
« Reply #16 on: December 08, 2009, 01:10:37 PM »

According to eXPerience it seems all the program's actions would be sandboxed to begin with, which results in no harm... now there's a little concern about the novice user being able (or not) to mark programs as trusted beforehand too easily.
Endymion
« Reply #17 on: December 08, 2009, 01:26:27 PM »

Here I tried to update a copy of a2 Free inside my virtual machine by copy-pasting over that install with an install on the host machine. Conveniently I had to try and kill a2service.exe with Unlocker to finish the "update."

Screenshot:
1: Unlocker's trying to load its driver.
2: It's allowed. I proceed as planned to deal with a2service.exe.
3: This is what Kyle (and the rest of us involved) needs to see.
4: Normal reaction with or without OA's intervention. a2service.exe does not die easily (via Task Manager).

I assume that OA is preventing Unlocker from perusing its directories and hence from listing any file inside that may be targeted, i.e. Unlocker can't look inside and "confirm" its target so Unlocker will "go its merry way."

I don't see a reboot mentioned between steps 3 and 4. Though step 1 mentions a driver load alert, which does not appear to be involved in the reboot deletion either.

No explanation was provided about how the whole OA test was conveniently carried out either, though it looks like it was mentioned that something other than a driver was blocked.

What is anybody supposed to see?
 
eXPerience
« Reply #18 on: December 08, 2009, 01:35:07 PM »

Quote
According to eXPerience it seems all the program's actions would be sandboxed to begin with, which results in no harm..... now there's a little concern of the novice user being able (or not) to prior mark programs as trusted too easily.

Hi and yes, I meant that it was sandboxed from the first second.

eXp
Kyle
Computer Security Testing Group
« Reply #19 on: December 08, 2009, 06:09:43 PM »

Good point. I guess the restrictions the sandbox applies would not let a driver load. "Duh, Kyle?"

Would be interested in a response from staff about Unlocker being able to delete cmdagent after reboot.
Endymion
« Reply #20 on: December 08, 2009, 06:26:11 PM »

Of course everybody is aware that Unlocker is a legitimate and safelisted application...

...and that if it were not they would get an alert to prevent deletion after reboot...
sirio
« Reply #21 on: December 08, 2009, 06:29:42 PM »

Quote
You don't need anyone to tell you that this is indeed a fatal vulnerability. Smiley Imagine if a malware the likes of Conficker showed up and targeted every PC that's "protected" by CIS and/or any other brand of IS whose product also has this weakness. Factor in that most windows users are always logged in with admin privileges and their novice selves likely allow everything if a HIPS is present...

No fatal vulnerability: Unlocker is a "Safe" application; for this reason D+ in Safe Mode learns all its activities without stopping anything.

Quote
It would spell doomsday for Comodo and/or the other vendor(s). Trust, reputation and (consequently) income would do like a sky-diver who forgot his parachute...

Or imagine that you allow some "safe/trusted system-looking" program to run... Defense+ alerts you, yes, but the alert doesn't tell you that the program is targeting CIS' (or non-CIS critical) components. Whatever's done is done in the background and you go about your merry way... come back... turn off the PC and catch a sleep.

Then the next morning you turn on your PC and realize either immediately... or too late (after, let's say, the program's trojan horse strikes/has struck) that CIS. No. Longer. Works. Then what? Smiley

A "Safe" program doesn't have the elimination of cmdagent.exe as its target.
Putting D+ in Paranoid Mode, we will get more popups that point out to us what is happening; I include the last two, those that stop the elimination of cmdagent.exe (I attach screenshots).

screen 1 Allow (..Block is better Grin)

screen 2 Si (yes)

screen 3 Block

Restart... cmdagent isn't deleted (also accepting the driver installation).

Sorry for my English, thanks.

Regards.
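The thread's scenario (Kyle's reply #15 and sirio's #21) is a "delete after reboot" of cmdagent.exe that Windows applies at boot before Defense+ is running, scheduled by an application the HIPS considers safe. One defensive check is to audit the queue of pending operations before rebooting. The following is an added example, not code from the thread, Comodo or Unlocker; it assumes (the thread does not name the mechanism) that such a deferred delete is recorded in the REG_MULTI_SZ `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, as (source, destination) pairs where an empty destination means delete and a leading `!` on the destination means replace-existing. The sample entries, the Comodo install path and the `MsMpEng.exe` watch entry (Microsoft Security Essentials' engine, per the thread title) are constructed here, and the functions `parse_pending_ops` and `flag_protected` are this example's own names.

```python
"""Audit PendingFileRenameOperations-style entries for scheduled deletions
or renames of security-product binaries.

Added example for the forum thread; not Comodo's, Microsoft's or Unlocker's
code. Assumption: the value is a flat list of (source, destination) pairs,
written as NT object paths ("\\??\\C:\\..."), with "" as destination for a
delete and "!" prefixed to a destination that replaces an existing file.
"""
import ntpath
from typing import List, NamedTuple, Optional


class PendingOp(NamedTuple):
    action: str                 # "delete" or "rename"
    source: str                 # Win32 path of the file that will be affected
    destination: Optional[str]  # Win32 path for renames, None for deletes


def _to_win32_path(nt_path: str) -> str:
    """Drop the optional '!' marker and the '\\??\\' NT prefix."""
    path = nt_path.lstrip("!")
    if path.startswith("\\??\\"):
        return path[4:]
    return path


def parse_pending_ops(entries: List[str]) -> List[PendingOp]:
    """Interpret the multi-string value as ordered (source, destination) pairs."""
    if len(entries) % 2:
        raise ValueError("entries must come in source/destination pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src_path = _to_win32_path(src)
        if dst == "":
            ops.append(PendingOp("delete", src_path, None))
        else:
            ops.append(PendingOp("rename", src_path, _to_win32_path(dst)))
    return ops


def flag_protected(ops: List[PendingOp], protected_basenames: List[str]) -> List[PendingOp]:
    """Return the operations whose source file name is on the watch list.

    Matching is by base name, case-insensitively, because NTFS is
    case-insensitive and the install directory varies between machines.
    """
    watched = {name.lower() for name in protected_basenames}
    return [op for op in ops if ntpath.basename(op.source).lower() in watched]


# Constructed sample of what the registry value might hold before a reboot:
# a deferred delete of the Comodo service binary, a harmless temp-file delete,
# and an installer's replace-existing rename.
SAMPLE_ENTRIES = [
    r"\??\C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe", "",
    r"\??\C:\Windows\Temp\setup_tmp.dll", "",
    r"\??\C:\Program Files\App\new.exe", r"!\??\C:\Program Files\App\app.exe",
]

# Watch list: cmdagent.exe from the thread, MsMpEng.exe assumed for MSE.
PROTECTED = ["cmdagent.exe", "MsMpEng.exe"]


def audit(entries: List[str], protected: List[str]) -> List[str]:
    """Human-readable findings for every watched file touched by the queue."""
    return [f"{op.action.upper()} scheduled for {op.source}"
            for op in flag_protected(parse_pending_ops(entries), protected)]


if __name__ == "__main__":
    for line in audit(SAMPLE_ENTRIES, PROTECTED):
        print(line)
```

On a live system the same `parse_pending_ops` can be fed the value read via `winreg` (`winreg.QueryValueEx` returns a list for REG_MULTI_SZ); a non-empty result from `audit` before shutdown is the moment to intervene, which is exactly the window Kyle's reply #15 points out is gone once the machine has rebooted.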