Topic: Does CIS have self-protection? (Read 5759 times)

alexo2003 (Comodo Member), March 06, 2011, 06:56:02 AM:

Hi!

The question concerning possibility to kill processes of Comodo. I have the latest version of CIS installed and KillSwitch utility from latest CCE. It is very simple to terminate both cfp.exe and cmdagent.exe, and CIS does not reload them. So, now we have no CIS, no protection, am I right?
Valentin N (Malware Research Group, Comodo's Hero, Usability Study Group), Reply #1, March 06, 2011, 07:14:48 AM:

Hey, and a warm welcome to the Comodo forums, Alex!

CIS has self-protection. Keep in mind that CIS is not the nanny of the user's decisions, so if you decide to delete some file from the CIS folder, CIS won't stop you. BUT if malware tries to do the same as you do, it won't succeed; it will fail.

Regards,
            Valentin N
« Last Edit: March 06, 2011, 07:17:25 AM by Valentin N »

Skype: comodohelper (Personal)

CEVPN: Valentin N

CIS 5.9

Keep CTM alive by voting

alexo2003 (Comodo Member), Reply #2, March 06, 2011, 11:31:41 AM:

OK, I understand that termination using KillSwitch is a somewhat artificial task. But let's imagine malware having a legitimate digital signature, so it is treated as a trusted app by Comodo, and CIS won't stop such termination. I mean that if there exists some possibility of such killing, Comodo should increase its protection. There are some other products that give KillSwitch no chance to terminate them. Well, it is only my apprehension, and you say CIS is strong enough just "out of the box".

Thank you.
JoWa (Product Translator, Global Moderator, Comodo's Hero), Reply #3, March 06, 2011, 11:53:49 AM:

> There are some other products that give no chance to terminate them by Killswitch.
Which products? And are you sure they were not restarted (= new PID)? Are you sure that KillSwitch’s driver was loaded?

If an application successfully loads a well written kernel mode driver (such as the one KillSwitch/Process Hacker uses), it can terminate any process.
> But let's imagine a malware having legitimate digital signature, so it is treated as trusted app by Comodo, and CIS won't stop such termination.
Trusted applications are not allowed to terminate cfp and cmdagent. There are exceptions though, as you can see in Protection settings.

Ubuntu 13.04, 64-bit | Chrome 27β | Asus P8Z77-M | Intel Core i5 2500K 3,3GHz | 2×4 GB RAM | SSD: OCZ Vertex3 60GB, HDD: 2TB Western Digital Caviar Black | Dell UltraSharp 24" U2410 IPS | Sony MDR-XB1000 | Philips SBC AH1000
alexo2003 (Comodo Member), Reply #4, March 06, 2011, 07:58:12 PM:

> Which products? And are you sure they were not restarted (= new PID)? Are you sure that KillSwitch’s driver was loaded?

Bitdefender:


This is from the discussion here: http://www.kadets.info/showthread.php?t=78288, sorry, it is in Russian. You are right, there is e.g. Ikarus, which restarts the just-killed process.
wj32 (Comodo's Hero), Reply #5, March 07, 2011, 02:39:04 PM:

Please do not use an old version of Process Hacker (like KillSwitch). Upgrade to the latest version and retest.

MCTS: Windows Internals
Process Hacker, a free and open source process viewer.
alexo2003 (Comodo Member), Reply #6, March 07, 2011, 08:30:51 PM:

> Please do not use an old version of Process Hacker (like KillSwitch). Upgrade to the latest version and retest.

Well, I downloaded the latest Process Hacker 2.12, installed just Comodo Firewall with maximum proactive security and tested again on XP SP3. Nothing changed.

First I terminated cmdagent.exe at TP1 (!!!), then cfp.exe was successfully terminated at TT2. I ran a find in Process Hacker and it shows no "comodo" in Handles or DLLs.

In addition: after terminating all Comodo processes I can't start any program from a shortcut on the Desktop. A system reboot restores the normal behavior of Comodo and XP.
« Last Edit: March 07, 2011, 08:56:25 PM by alexo2003 »
wj32 (Comodo's Hero), Reply #7, March 08, 2011, 12:40:37 AM:

> Well, I downloaded latest Process Hacker 2.12, installed just Comodo Firewall with maximal proactive security and tested again on XP SP3. Nothing changed.

I meant with BitDefender... (Why would a newer version of PH remove the ability to terminate Comodo processes?)

MCTS: Windows Internals
Process Hacker, a free and open source process viewer.
OldRampant (Newbie), Reply #8, March 08, 2011, 12:48:35 AM:

BitDefender 2011, Win 7 32-bit (real)

http://www.youtube.com/watch?v=Ryh_zdDWoac
languy99 (Global Moderator, Comodo's Hero), Reply #9, March 08, 2011, 01:06:32 AM:

I cannot terminate cmdagent using killswitch at all.

http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99
wj32 (Comodo's Hero), Reply #10, March 08, 2011, 01:07:15 AM:

> BitDefender 2011 Win 7 32 bit real
>
> http://www.youtube.com/watch?v=Ryh_zdDWoac

1. Why are you using an old version of Process Hacker?
2. KProcessHacker (the driver) does not appear to be loaded. I have had some reports of AVs blocking KPH from loading.

EDIT: I just tested PH on Windows 7 64-bit, and it terminates BitDefender processes just fine.
« Last Edit: March 08, 2011, 01:51:01 AM by wj32 »

MCTS: Windows Internals
Process Hacker, a free and open source process viewer.
military (Comodo's Hero), Reply #11, March 08, 2011, 01:54:18 AM:

Windows XP SP3 / Process Hacker 2.12 (KillSwitch gives the same results)

« Last Edit: March 08, 2011, 03:40:25 AM by military1 »

Courage, calm and trust.
wj32 (Comodo's Hero), Reply #12, March 08, 2011, 01:57:16 AM:

The original topic has been discussed at length a few times before. You cannot protect against kernel-mode termination.

MCTS: Windows Internals
Process Hacker, a free and open source process viewer.
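Since termination from kernel mode cannot be prevented, the practical defender-side check is the one JoWa raises earlier in the thread: find out whether the protected processes are still there under the same PID, have come back under a new PID, or are gone. The following is an added example (not code from the thread, from Comodo or from Process Hacker) that does that comparison in Python over two `tasklist /FO CSV` snapshots; the process names are the ones named in the thread and the sample snapshots are constructed.

```python
import csv
import io
import subprocess

# Process names CIS keeps alive on the versions discussed in the thread.
PROTECTED = ("cfp.exe", "cmdagent.exe")

def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV` output into {image name (lower-case): [PIDs]}."""
    pids = {}
    for row in csv.DictReader(io.StringIO(text)):
        pids.setdefault(row["Image Name"].lower(), []).append(int(row["PID"]))
    return pids

def classify(before, after, names=PROTECTED):
    """Per protected name: 'running' (same PIDs), 'restarted' (present but under a
    new PID, JoWa's check), 'terminated' (seen before, gone now) or 'absent'."""
    result = {}
    for name in names:
        name = name.lower()
        old, new = set(before.get(name, ())), set(after.get(name, ()))
        if not old and not new:
            result[name] = "absent"
        elif not new:
            result[name] = "terminated"
        elif new == old:
            result[name] = "running"
        else:
            result[name] = "restarted"
    return result

def live_snapshot():
    """Real snapshot on Windows; tasklist is a built-in command."""
    out = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True,
                         text=True, check=True).stdout
    return parse_tasklist_csv(out)

# Constructed sample snapshots (not captured from a real machine): in the second,
# cfp.exe is back under a new PID and cmdagent.exe is gone.
SAMPLE_BEFORE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"cfp.exe","1234","Console","0","12,000 K"
"cmdagent.exe","1100","Services","0","8,000 K"
'''
SAMPLE_AFTER = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"cfp.exe","2048","Console","0","12,000 K"
'''

if __name__ == "__main__":
    print(classify(parse_tasklist_csv(SAMPLE_BEFORE), parse_tasklist_csv(SAMPLE_AFTER)))
```

On a real machine, take `live_snapshot()` before and after the test instead of the constructed samples; a "restarted" verdict is what distinguishes a product that respawns its service from one whose self-protection actually blocked the termination.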
OldRampant (Newbie), Reply #13, March 08, 2011, 02:30:11 AM:

> 1. Why are you using an old version of Process Hacker?
> 2. KProcessHacker (the driver) does not appear to be loaded. I have had some reports of AVs blocking KPH from loading.
>
> EDIT: I just tested PH on Windows 7 64-bit, and it terminates BitDefender processes just fine.

Win 7 64-bit (real), PH 2.12
http://www.youtube.com/watch?v=VnBAJq4O8QU
wj32 (Comodo's Hero), Reply #14, March 08, 2011, 02:59:01 AM:

KProcessHacker is not loaded. You must load it, as I already explained.

MCTS: Windows Internals
Process Hacker, a free and open source process viewer.