Author Topic: Driver/ service install not detected?  (Read 15921 times)

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Driver/ service install not detected?
« on: July 20, 2008, 04:24:09 PM »
I tried this tool

http://www.iterati.org/Developers/HideProc/Default.aspx

Very strange that CFP gives no warning about a driver/ service install on my system. Can anyone confirm this?

Thanks

[attachment deleted by admin]

Offline fOrTy_7

  • Comodo's Hero
  • *****
  • Posts: 593
Re: Driver/ service install not detected?
« Reply #1 on: July 20, 2008, 04:49:57 PM »
I've just tried this tool after setting Defense+ into Paranoid Mode.
I've got BSOD twice, saying DRIVER IRQL NOT LESS OR EQUAL caused by HideProcDrv.sys, just after I allowed explorer.exe to execute HideProc.exe.

Offline ruiky

  • Comodo Family Member
  • ***
  • Posts: 75
Re: Driver/ service install not detected?
« Reply #2 on: July 20, 2008, 06:39:41 PM »
Comodo can't block this driver install because service.exe is trusted by CFP even if you delete the rule for service.exe. I don't know whether it is a bug or the design of CFP, but I think this is dangerous. Some viruses will call service.exe to install a driver and CFP will raise no alarm. I hope Comodo will improve it as soon as possible.

You can see this link for more discussion; it is in Chinese, and you can translate it with Google: http://bbs.kafan.cn/viewthread.php?tid=263063&extra=page%3D2%26amp%3Bfilter%3Dtype%26amp%3Btypeid%3D6

Thank you
« Last Edit: July 20, 2008, 06:41:26 PM by ruiky »

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Driver/ service install not detected?
« Reply #3 on: July 20, 2008, 07:05:36 PM »
Hmmm... I have put services.exe on my system with Custom policy. It's too bad that CFP still treats it as trusted. I will say it is a security hole in CFP.

[attachment deleted by admin]

Offline ruiky

  • Comodo Family Member
  • ***
  • Posts: 75
Re: Driver/ service install not detected?
« Reply #4 on: July 20, 2008, 07:18:32 PM »
Yes, I think this is a serious issue. I hope it can be fixed as soon as possible.

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Driver/ service install not detected?
« Reply #5 on: July 20, 2008, 10:05:44 PM »
I really like the development of CFP and it's my favourite HIPS. Recently I feel less and less feedback from developers on the forums. I wish egemen could respond about this.

Not only this, but CFP also does not detect the behaviour of this application after driver loading (but that is being discussed in another thread).

To me it's a very serious issue. I never expected that CFP would not detect driver/service install loading while most other HIPS like SSM, EQS, OA detect it in this case. Seems it will be good if fixed as soon as possible.


Thanks

Vettetech

  • Guest
Re: Driver/ service install not detected?
« Reply #6 on: July 22, 2008, 11:24:03 PM »
Looks like your finds are wrong. See my screen shot.



[attachment deleted by admin]

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Driver/ service install not detected?
« Reply #7 on: July 23, 2008, 01:00:19 PM »
> Looks like your finds are wrong. See my screen shot.

Because you are using Vista. No such alert on my side with XP home SP2.  :-TD :-TD

By the way, the pop-up about service control manager access is rather vague, as it is not even specific like a driver/service install alert.
« Last Edit: July 23, 2008, 01:04:19 PM by aigle »

Vettetech

  • Guest
Re: Driver/ service install not detected?
« Reply #8 on: July 23, 2008, 01:15:23 PM »
I am not on Vista. That is XP. Think again. Both my PCs are XP. I guess you never heard of Stardock. I have XP SP3 on both my machines. The pop-up is the same as the one you got for EQSecure. Services and control.
« Last Edit: July 23, 2008, 01:26:25 PM by Vettetech »

Offline Sr Lluny

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 373
  • I use only the best, I use Comodo firewall
Re: Driver/ service install not detected?
« Reply #9 on: July 23, 2008, 01:46:28 PM »
Sorry, but I tested that program, and I need to allow it.
If I don't allow the program, it freezes.

Vettetech

  • Guest
Re: Driver/ service install not detected?
« Reply #10 on: July 23, 2008, 01:48:45 PM »
> Sorry, but I tested that program, and I need to allow it.

What? You should have had 3 D+ alerts. 1 for explorer.exe. 1 for the HideProc running. Then a third after you try to hide a certain running program.

Offline Sr Lluny

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 373
  • I use only the best, I use Comodo firewall
Re: Driver/ service install not detected?
« Reply #11 on: July 23, 2008, 02:13:50 PM »
Nope, if I allow the program, I can hide a process without an alert when I try to hide that process.

Vettetech

  • Guest
Re: Driver/ service install not detected?
« Reply #12 on: July 23, 2008, 02:17:47 PM »
> Nope, if I allow the program, I can hide a process without an alert when I try to hide that process.

Works for me. Screen shots don't lie. I did a fresh install of Comodo last month.

Offline Sr Lluny

  • Product Translator
  • Comodo's Hero
  • *****
  • Posts: 373
  • I use only the best, I use Comodo firewall
Re: Driver/ service install not detected?
« Reply #13 on: July 23, 2008, 02:37:24 PM »
Today I formatted my system. Tonight I will retest the program with a fresh install.

Offline ruiky

  • Comodo Family Member
  • ***
  • Posts: 75
Re: Driver/ service install not detected?
« Reply #14 on: July 24, 2008, 04:07:35 AM »
> Looks like your finds are wrong. See my screen shot.

Sorry, you are wrong. SCM access does not mean driver installation.
CFP can only block the SCM access but can't block driver installation if you allow the SCM access, and SCM access is sometimes normal behavior for many applications. Some of them may not operate correctly if we block the SCM access. But with CFP they can install a driver if they want when we allow the SCM access!

So I think this is a security bug. CFP needs to block the driver install after the SCM access was allowed.

thank you
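
The difference discussed above between an allowed SCM access and the driver registration that follows it can be audited after the fact from the registry, whichever process wrote the entry. This is an added example, not part of the original thread: it parses `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output and lists driver-type services (Type 0x1 or 0x2) that are missing from a baseline or load from outside System32\drivers. The sample text, the ExampleDrv name, the baseline and the path rule are assumptions.

```python
import re
# Constructed sample in the layout printed by
#   reg query HKLM\SYSTEM\CurrentControlSet\Services /s
# "ExampleDrv" and its path are placeholders, not values from the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    Type    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    System32\drivers\beep.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrv
    Type    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Temp\example.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrv\Enum
    Count    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    Type    REG_DWORD    0x110
"""
ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
DRIVER_TYPES = {"0x1": "kernel driver", "0x2": "file system driver"}
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_services(text):
    """Return {service: {value name: data}} for keys directly under Services."""
    services, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            name = line.strip()[len(ROOT):]
            # Subkeys such as <service>\Enum are not service definitions.
            current = services.setdefault(name, {}) if name and "\\" not in name else None
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return services

def unexpected_drivers(text, baseline):
    """List driver services absent from baseline or loaded from an unusual path."""
    findings = []
    for name, values in sorted(parse_services(text).items()):
        kind = DRIVER_TYPES.get(values.get("Type", "").lower())
        if kind is None:
            continue
        path, reasons = values.get("ImagePath", ""), []
        if name.lower() not in baseline:
            reasons.append("not in baseline")
        # Assumption: drivers are expected under System32\drivers.
        if path and "system32\\drivers\\" not in path.lower():
            reasons.append("image outside System32\\drivers")
        if reasons:
            findings.append((name, kind, path, reasons))
    return findings

print(unexpected_drivers(SAMPLE, baseline={"beep"}))
```

The baseline is a set of lower-case service names captured from a known-good machine; the input is assumed to be the output of the query on the Services key only.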

 
