Author Topic: CFP- Poor Pop up alerts by compared with other HIPS?  (Read 7633 times)
aigle
« on: August 18, 2009, 02:35:08 PM »

I have made a thread here. I think no need to re-write it here.

http://www.wilderssecurity.com/showthread.php?p=1526872#post1526872

What are your thoughts?

Thanks
« Last Edit: August 18, 2009, 06:42:45 PM by aigle » Logged
forcespawn
« Reply #1 on: August 18, 2009, 03:25:39 PM »

Quote from: aigle
I have made the thread here. I think no need to re-write it here.

http://www.wilderssecurity.com/showthread.php?p=1526872#post1526872

What are your thoughts?

Thanks

Thanks for the tests. I'm concerned that critical driver installation alerts are hidden within registry alerts, to say the least, and I think Defense+ would be greatly improved by alerting users directly to driver installations instead of registry changes. Please post your findings here, because someone has made this suggestion to the wishlist:

https://forums.comodo.com/defense_wishlist/on_driver_install_say_driver_install_not_registry_modification-t43954.0.html
Logged
commanding the celsius
« Reply #2 on: August 18, 2009, 06:29:44 PM »

Most people won't understand any of those alerts.. That's a problem with HIPS..  Roll Eyes I don't think saying that a "driver/ service" is installing is necessarily better than telling where in the registry changes are taking place.

Those who do understand alerts to some extent would be perfectly fine with all the alerts presented.. By all the programs..

I prefer CIS alerts since that's what I am used to..  Roll Eyes

Anyway, testing and uninstalling/installing software takes time.. good job!  Afro Thumb Up
Logged
panic
« Reply #3 on: August 18, 2009, 06:43:36 PM »

@aigle,

I think you might have posted the wrong CIS screenshot in your post on Wilders. The CIS screenshot clearly shows it alerting about loading a device driver, using those exact words. As such, it is as good as the EQS screenshot.

Wouldn't it be better if the CIS screenshot was one showing where it is alerting about the registry mod?

Cheers,
Ewen :-)
Logged

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
commanding the celsius
« Reply #4 on: August 18, 2009, 07:00:59 PM »

OMG.. Aigle this time don't let it be like the wrongly performed Conficker test please.. Where users were made to believe that CIS in proactive only popped once.. something some users there still think..  Roll Eyes Roll Eyes


If what Panic says is correct then please post that on wilders.. Not telling when comodo actually passes, or as in this case, alerts nicely isn't really fair..  Angry Angry

I feel your intentions are not to fool anyone.. But as a rumor starter you should end it now..

Perhaps post a link here and tell them that you missed the alert or screwed over when testing and that CIS actually alerts about loading a device driver.  Cus that's a fact... Highly doubt Panic would lie..?? If you think he is.. I will test as well..
But I hope I don't have to..
« Last Edit: August 18, 2009, 07:03:37 PM by Monkey_Boy=) » Logged
jp10558
« Reply #5 on: August 18, 2009, 07:17:20 PM »

Well, when I installed Process Hacker, what started all this (follow the threads back) it installed a driver, but I never saw ANY pop-up that said a driver was being installed...

Can you post a screenshot of the claimed driver pop-up, because I've never seen one in using CIS for about a year...
Logged
aigle
« Reply #6 on: August 18, 2009, 07:35:23 PM »

@panic
@Monkey_Boy=)

Post the picture of an alert by CFP saying about a driver/ service install with this software installer. I doubt that you might not even bothered to read my long thread.
« Last Edit: August 18, 2009, 07:37:43 PM by aigle » Logged
panic
« Reply #7 on: August 18, 2009, 11:23:13 PM »

Quote from: aigle
I doubt that you might not even bothered to read my long thread.

Think again. I've been following this thread and its spawns since the beginning. Both you and forcespawn have made good points about the obscurity of some of CIS's alerts and about the fact that a driver install can apparently bypass CIS.

I was only trying to help.

My post referred to your link http://www.wilderssecurity.com/showpost.php?p=1526881&postcount=19, where the CIS screenshot clearly shows a driver install alert, which seemed at odds with the rest of the topic.

Your other Wilders topic, http://www.wilderssecurity.com/showthread.php?p=1526872#post1526872, is really well done and I really hope the CIS devs are monitoring it.

I hope you bother to read my short post. Angry
Logged

The Joker
« Reply #8 on: August 18, 2009, 11:43:55 PM »

KIS has very intuitive pop up alerts! CIS should follow it!
Logged

Windows 7 Ultimate x64 l Avira AntiVir Personal 8 l CIS 4.0.664.127486 BETA (Proactive Security) (AV: Stateful l FW: Custom Policy Mode l D+: Safe Mode) l Asus M4A78T-E l AMD Phenom II X3 720 BE l 2 x 2 GB Ram l HD Sata II 7200 RPM 1TB

______________________________

It's all part of the plan!
wj32
« Reply #9 on: August 19, 2009, 01:21:17 AM »

Quote from: jp10558
Well, when I installed Process Hacker, what started all this (follow the threads back) it installed a driver, but I never saw ANY pop-up that said a driver was being installed...

Can you post a screenshot of the claimed driver pop-up, because I've never seen one in using CIS for about a year...

Please read my comment on this in the PH thread:

Quote from: wj32
There are two main ways a program can load a driver. One is by writing to the registry in HKLM\System\CurrentControlSet\Services and then calling NtLoadDriver. The other is by contacting the services controller (services.exe) and telling it to create a service to load the driver. In the first case, D+ correctly reports that a program is attempting to load a driver, and tells you the filename of the driver. The prompt is also in red (I think). In the second case however, D+ only prompts you about registry access (which most people will allow since it comes from services.exe) and then the driver is loaded. This is a HUGE problem with D+ and I hope the developers will fix it. Sad

I will elaborate on this. In the Wilders Security thread, gmer was shown with the correct CIS alert. That's because it uses the first technique I discussed (NtLoadDriver). Process Explorer and Process Monitor also use this method. Most other software uses the second technique, and the alerts are broken. I find it puzzling why we are alerted to registry access by services.exe but we are not alerted to services.exe calling NtLoadDriver...

Attached is a small test program demonstrating the two methods. You will be able to see how CIS responds to the two methods with different alerts...
« Last Edit: August 19, 2009, 01:56:01 AM by wj32 » Logged
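
The distinction wj32 describes, as an added example that is not part of the original thread and is not Comodo's code: a HIPS can label a write under the Services key as a driver install by looking at the service's Type value rather than at which process wrote it. The event format, process names, service names and paths are constructed assumptions; Type values 1 and 2 are the Windows SERVICE_KERNEL_DRIVER and SERVICE_FILE_SYSTEM_DRIVER constants.

```python
import re
from collections import defaultdict

# Service "Type" values that mean kernel-mode code (Windows SDK constants
# SERVICE_KERNEL_DRIVER and SERVICE_FILE_SYSTEM_DRIVER).
DRIVER_TYPES = {0x1: "kernel driver", 0x2: "file system driver"}
SERVICES_KEY = re.compile(
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$",
    re.IGNORECASE)

def driver_install_alerts(events):
    """Turn raw registry-write events (hypothetical log format) into alerts.
    The writer is reported, never used to suppress: services.exe still counts.
    """
    values, writers = defaultdict(dict), defaultdict(set)
    for ev in events:
        m = SERVICES_KEY.match(ev["key"])
        if m:
            name = m.group(1).lower()
            values[name][ev["value"].lower()] = ev["data"]
            writers[name].add(ev["process"].lower())
    alerts = []
    for name in sorted(values):
        kind = DRIVER_TYPES.get(values[name].get("type"))
        if kind:  # Win32 services (0x10, 0x20) and unrelated keys are skipped
            alerts.append({
                "service": name,
                "kind": kind,
                "image": values[name].get("imagepath", "<not set>"),
                "written_by_scm": "services.exe" in writers[name],
            })
    return alerts

def reg_write(process, service, value, data):
    """Build one constructed registry-write event for the sample below."""
    key = "HKLM\\System\\CurrentControlSet\\Services\\" + service
    return {"process": process, "key": key, "value": value, "data": data}

# Constructed sample events; all names and paths are made up.
SAMPLE = [
    reg_write("tool_a.exe", "DrvA", "Type", 1),          # program writes the key itself
    reg_write("tool_a.exe", "DrvA", "ImagePath", r"\??\C:\ToolA\drva.sys"),
    reg_write("services.exe", "DrvB", "Type", 1),        # same data, written by the SCM
    reg_write("services.exe", "DrvB", "ImagePath", r"\??\C:\ToolB\drvb.sys"),
    reg_write("services.exe", "Updater", "Type", 0x10),  # ordinary Win32 service
    reg_write("services.exe", "Updater", "ImagePath", r"C:\Updater\upd.exe"),
]

if __name__ == "__main__":
    for alert in driver_install_alerts(SAMPLE):
        print(alert)
```

Both driver registrations produce the same kind of alert with the driver's file name, while the ordinary Win32 service written by services.exe produces none.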
Kyle
« Reply #10 on: August 19, 2009, 03:04:10 AM »

Yes D+ alerts could be displayed clearer..
Logged

Windows XP
E5200 2.5ghz @ 3.33ghz, POV 9800gt 512mb, 2gb DDR2 RAM.  500gb. HDD

Ubuntu
P4 @ 3ghz, Radeon x300 128mb
1gb DDR2 Ram 80GB HDD
commanding the celsius
« Reply #11 on: August 19, 2009, 03:27:11 AM »

Quote from: panic
@aigle,

I think you might have posted the wrong CIS screenshot in your post on Wilders. The CIS screenshot clearly shows it alerting about loading a device driver, using those exact words. As such, it is as good as the EQS screenshot.

Wouldn't it be better if the CIS screenshot was one showing where it is alerting about the registry mod?

Cheers,
Ewen :-)


hehe.. I understood this as if you had tested this yourself and got alerted "about loading a device driver, using those exact words"..

Hard to tell you were referring to something else..
Therefore I got a little upset with aigle for not showing that popup.. Angel Roll Eyes

Then my mum pulled the plug to my Internet.. hehe..  Grin Thumb Up

Quote
There are two main ways a program can load a driver. One is by writing to the registry in HKLM\System\CurrentControlSet\Services and then calling NtLoadDriver. The other is by contacting the services controller (services.exe) and telling it to create a service to load the driver. In the first case, D+ correctly reports that a program is attempting to load a driver, and tells you the filename of the driver. The prompt is also in red (I think). In the second case however, D+ only prompts you about registry access (which most people will allow since it comes from services.exe) and then the driver is loaded. This is a HUGE problem with D+ and I hope the developers will fix it. Sad
I will elaborate on this. In the Wilders Security thread, gmer was shown with the correct CIS alert. That's because it uses the first technique I discussed (NtLoadDriver). Process Explorer and Process Monitor also use this method. Most other software uses the second technique, and the alerts are broken. I find it puzzling why we are alerted to registry access by services.exe but we are not alerted to services.exe calling NtLoadDriver...

Attached is a small test program demonstrating the two methods. You will be able to see how CIS responds to the two methods with different alerts...

I hope the Devs read this.. Everyone loves work so I am sure they jump right on it.. Roll Eyes Grin
http://www.youtube.com/watch?v=jqiwEafCJ74
Logged
aigle
« Reply #12 on: August 19, 2009, 04:38:35 AM »

Quote from: panic
My post referred to your link http://www.wilderssecurity.com/showpost.php?p=1526881&postcount=19, where the CIS screenshot clearly shows a driver install alert, which seemed at odds with the rest of the topic.

Your other Wilders topic, http://www.wilderssecurity.com/showthread.php?p=1526872#post1526872, is really well done and I really hope the CIS devs are monitoring it.

I hope you bother to read my short post. Angry

I did not mention first link as it was a bit irrelevant as no such alert was shown with virtual CD drive software install. This alert was shown by gmer and I did mention in that case that CIS alert was correct.

And Monkey_Boy=) thought I am trying to hide something. He might not even bother to read the threads and supposed that you have tested and found the results contrary to me. It took me all the day to make this thread and someone just supposing that I am hiding something and he is asking me to confess. That's sad and funny.

Anyway wj32 has already made it very clear.
Quote from: wj32
There are two main ways a program can load a driver. One is by writing to the registry in HKLM\System\CurrentControlSet\Services and then calling NtLoadDriver. The other is by contacting the services controller (services.exe) and telling it to create a service to load the driver. In the first case, D+ correctly reports that a program is attempting to load a driver, and tells you the filename of the driver. The prompt is also in red (I think). In the second case however, D+ only prompts you about registry access (which most people will allow since it comes from services.exe) and then the driver is loaded. This is a HUGE problem with D+ and I hope the developers will fix it.

Thanks wj32 Thumb Up
« Last Edit: August 19, 2009, 04:40:25 AM by aigle » Logged
commanding the celsius
« Reply #13 on: August 19, 2009, 06:37:30 AM »

Quote from: aigle
And Monkey_Boy=) thought I am trying to hide something. He might not even bother to read the threads and supposed that you have tested and found the results contrary to me. It took me all the day to make this thread and someone just supposing that I am hiding something and he is asking me to confess. That's sad and funny.

Well perhaps I misunderstood panic's post..  Roll Eyes poo happens..   Angel
I did not read and certainly wasn't aware of this thread/post: http://www.wilderssecurity.com/showpost.php?p=1526881&postcount=19 and that the alert in there was what panic was talking/referring to.. I only read the one link you posted here.. Without clicking any further links at wilders..

Well sorry "mate".. Love Love
Logged
3xist
Guest
« Reply #14 on: August 19, 2009, 07:09:09 AM »

Wait till CIS ver 4...

Zero pop ups is the future with max security guys. Smiley

Cheers,
Josh
Logged