Author Topic: has cis problems under windows vista/7 64bit??  (Read 1914 times)
Timo Schmidt
Comodo Member

Posts: 32


« Reply #15 on: October 12, 2009, 06:06:17 AM »

Quote
However, CIS still protects 64bit enough. Comodo would NOT leave you vulnerable knowingly.

Let me translate. There are some Protection Features that are disabled in CIS on 64 bit?

Or to speak "leaktest": Many matousec-tests won't be passed on 64bit.


Greetings

Timo
evil_religion
Malware Research Group
Comodo's Hero

Posts: 329


« Reply #16 on: October 12, 2009, 02:33:30 PM »

Quote
Let me translate. There are some Protection Features that are disabled in CIS on 64 bit?

They aren't disabled, they are implemented via a weak way.

Quote
Or to speak "leaktest": Many matousec-tests won't be passed on 64bit.

Indeed :(
wj32
Comodo Loves me

Posts: 122



« Reply #17 on: October 13, 2009, 12:45:14 AM »

Quote
But it's wrong. Comodo partially uses unsecured ring 3 hooks which can be avoided by Matousec SSTS.

Any evidence? I know I didn't give any for my case, but you have made quite a big statement. Also, what do you mean by "unsecured"?

Quote
window messages don't get intercepted in kernel mode by Comodo.

And impossible to do correctly (i.e. in kernel-mode) due to the fact that the shadow SSDT is protected by PatchGuard and MS doesn't provide any callbacks for win32k.

Quote
Outpost FW passes some more tests of SSTS on x64 than Comodo, maybe they use secured user mode hooks. Comodo should do the same. I don't think that it won't be useful if Agnitum goes this way.

What do you mean by "secured", and how secure can they get? Are they secure from people directly using the "syscall" instruction?
evil_religion
Malware Research Group
Comodo's Hero

Posts: 329


« Reply #18 on: October 13, 2009, 08:49:17 AM »

Quote
Any evidence? I know I didn't give any for my case, but you have made quite a big statement.

egemen said so (indirectly) and SSTS proves that. For the original non-SSTS leaktests Comodo gives warnings, but the SSTS ones with ring 3 unhooker are failed by Comodo, for example keyloggers.

Quote
Also, what do you mean by "unsecured"?

That the unhooker of SSTS can unhook them.

Quote
And impossible to do correctly (i.e. in kernel-mode) due to the fact that the shadow SSDT is protected by PatchGuard and MS doesn't provide any callbacks for win32k.

However, KIS catches the window message handles of SSTS on x64. So what?

Quote
What do you mean by "secured", and how secure can they get?

I don't know, ask the Outpost developers, hopefully they will share their secret with Comodo (rolls eyes)

Quote
Are they secure from people directly using the "syscall" instruction?

You are the expert, not me ;)
Maybe you should look into the SC of SSTS and get your own impressions of how several products score on x64.
wj32
Comodo Loves me

Posts: 122



« Reply #19 on: October 13, 2009, 03:59:07 PM »

 
Quote
However, KIS catches the window message handles of SSTS on x64. So what?

Then it uses user-mode hooks. Unlike kernel-mode hooks, user-mode hooks can always be bypassed, no matter what protection you try to set up.
evil_religion
Malware Research Group
Comodo's Hero

Posts: 329


« Reply #20 on: October 14, 2009, 11:39:55 AM »

It seems the Kaspersky and Agnitum developers have another opinion.

You are an expert, you could look at how KIS and Outpost hook several calls on x64.