Author Topic: Killed cfp.exe demonstration video by mj0011  (Read 4372 times)
dkmc
Newbie
« Reply #30 on: November 04, 2009, 03:59:17 PM »

Explain yourself or just cut it.. My comments are about how easy it is to fake a crash, and that this video has very little credibility, I know for a fact that I can "crash" CIS using the task manager if I tamper a bit with it..

In two words. You do not know this video and code are fakes. That's for sure.

But despite this:
* you called some people "trolls" for the fact they didn't want to pass code (supposing they have working code). They may have reasons for this.

* You started to hijack this thread using a fraudulent approach to distort the case - idiocy about magicians, gold, water, Melih in the White House etc.


That's why I said what I said.

I did watch the video now however.. Isn't it a bit "questionable" how even prior to this guy doing his attack CIS is not showing the usual "all okay" under system status..?
Maybe because:

Before testing cfp.exe, he killed cmdagent.exe with killcis.exe first.
Logged

Be polite. Be professional. But, have a plan to kill everyone you meet.
[ from USMC Rules for Gunfighting ]
evil_religion
Malware Research Group
Comodo's Hero
« Reply #31 on: November 04, 2009, 04:26:55 PM »

If you do not want to appear like a vulgar loudmouthed creature then... think for yourself.
Why do you answer with personal offense only? Didn't I give some arguments?
I will repeat them here in case you didn't get them:
Quote
And even if you killed both you still didn't bypass protection because all unknown requests are blocked.
So Comodo hasn't been "bypassed". Make some malware which kills CIS and send it me, I would be pleased to run it.

And BTW: What are the reasons not to share such code whose only purpose seems to be to perform criminal actions?

And BTW2: You should learn more English, some sentences of you two Chinese hacker boys are hard to understand.
« Last Edit: November 04, 2009, 04:29:08 PM by evil_religion » Logged
commanding the celsius
Product Translator
Comodo's Hero
« Reply #32 on: November 04, 2009, 04:30:12 PM »

In two words. You do not know this video and code are fakes. That's for sure.

Yes, you are 100% correct, I don't know if the video is fake or not.. If you got that impression, well, that was not my intention. I'll try to explain myself:
I buy this "crash" when I see a PoC..

(I pretty much said that I don't rule out that this may be real)

sure it's possible that you could have found a flaw..

Pretty much again one of my comments said that it's possible this is real..

My posts were mostly directed at pointing out that this video can't be trusted. But as you say, it's possible that it is real as well.. But I guess we are never going to find out since there is no evidence pointing either way..
Logged
dkmc
Newbie
« Reply #33 on: November 05, 2009, 02:31:36 AM »

[at] evil_religion 

Let's make things clear. You left no choice for 3dnow if he refuses to share code (supposing he has one): "criminal loser with psychic problems". After that it is at least strange you talk about personal offenses... And by the way, your arguments are perfect.

Quote
What are the reasons not to share such code whose only purpose seems to be to perform criminal actions?
Haven't you seen the answer that followed from the official Comodo representative? The sense of the answer (if we translate the diplomatic message into normal words): this code is crap, but all right, we will do you a favor and look at it.


[at] Monkey_Boy=) 

Excuse me for that word. That flood about magicians, alchemists, the White House etc. drove me nuts. Maybe it is better to stay silent instead of flooding next time.
Logged

Be polite. Be professional. But, have a plan to kill everyone you meet.
[ from USMC Rules for Gunfighting ]
ssj100
Comodo's Hero
« Reply #34 on: November 05, 2009, 03:38:22 AM »

[at] evil_religion  

Let's make things clear. You left no choice for 3dnow if he refuses to share code (supposing he has one): "criminal loser with psychic problems". After that it is at least strange you talk about personal offenses... And by the way, your arguments are perfect.
Haven't you seen the answer that followed from the official Comodo representative? The sense of the answer (if we translate the diplomatic message into normal words): this code is crap, but all right, we will do you a favor and look at it.


[at] Monkey_Boy=)  

Excuse me for that word. That flood about magicians, alchemists, the White House etc. drove me nuts. Maybe it is better to stay silent instead of flooding next time.


Are you being a bit negative on the Comodo forums because Comodo are providing a very good classical HIPS for absolutely free, and Xiaolin isn't?

To be honest, I really don't know of any other classical HIPS that is completely free and as strong as Defense+.  Pity I've moved on from classical HIPS and found a setup that is much stronger and without all the computer "house-work".
Logged

Sandboxie + LUA + KAfU + SRP + DEP + SuRun
Windows Firewall + NAT Router
Avira AntiVir Personal (on-demand)
VirtualBox (on-demand)
commanding the celsius
Product Translator
Comodo's Hero
« Reply #35 on: November 05, 2009, 04:04:29 AM »

[at] Monkey_Boy=) 

Excuse me for that word. That flood about magicians, alchemists, the White House etc. drove me nuts. Maybe it is better to stay silent instead of flooding next time.

Off-Topic!
No problems! Ofc if you disagree with something feel free to speak up. It's possible my text was misleading to some extent. So I guess thanks to your post it's now more clear what I was trying to say.
Logged
dkmc
Newbie
« Reply #36 on: November 05, 2009, 11:13:54 AM »

[at] ssj100

Keep these kinds of questions for someone else, doc.
But anyway, I will answer normally this time.
I'm not Chinese, nor am I a political martyr who is against Comodo. I do not defend the position of 3dnow, I don't care about this "bypass" and code (because the Defense+ driver was not unloaded, but that's just my opinion and irrelevant). Seriously.

I simply argued with 2 men here.
Logged

Be polite. Be professional. But, have a plan to kill everyone you meet.
[ from USMC Rules for Gunfighting ]
ailef
Computer Security Testing Group
Comodo's Hero
« Reply #37 on: November 14, 2009, 08:08:34 PM »

I start from the idea that the video is true.

Which OS is used? Is it a 32-bit OS or a 64-bit OS?
Does this exploit work on Win7 64-bit?
Logged

xps M1330[at]T9500 - Windows 7 ultimate 64bit - comodo 3.13 build 574 - KAV 2010 build 736
3DNow
Newbie
« Reply #38 on: November 15, 2009, 01:12:06 PM »

I tested it on XP SP2 (x86), but it can also kill cfp under Win7 x64.
Logged
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
The only thing i ask for are eggs.


« Reply #39 on: November 15, 2009, 01:31:43 PM »

Can you please PM me a link? I will have a look at it.

Thanks.
Logged

Happy New Year and Holidays
Please follow forum policy. Thank you.
wj32
Comodo Loves me
« Reply #40 on: November 17, 2009, 05:37:30 AM »

I tested it on XP SP2 (x86), but it can also kill cfp under Win7 x64.

Sorry if this is a redundant post (I haven't read the earlier posts), but would you care to elaborate on how this is done?
Logged
blueshadowlaser
Newbie
« Reply #41 on: November 29, 2009, 08:23:44 AM »

Mj is a staff member at a Chinese security guard software product named "360 guard". He is a bit arrogant about his technology.

He said that "KILLCIS" not only can terminate the CIS process, but can also inject into the CIS process.

The method is a secret, but I heard it involves adding a "driver". So it probably does not work on x64 systems.

We need more safety software. For example, CIS used to intercept named pipes like "\Device\NamedPipe\lsass", but now it cannot intercept this. Malware can delete all users via "\Device\NamedPipe\lsass" and CIS could do anything.
Logged
3DNow
Newbie
« Reply #42 on: November 29, 2009, 11:29:01 AM »

Mj is a staff member at a Chinese security guard software product named "360 guard". He is a bit arrogant about his technology.

He said that "KILLCIS" not only can terminate the CIS process, but can also inject into the CIS process.

The method is a secret, but I heard it involves adding a "driver". So it probably does not work on x64 systems.

We need more safety software. For example, CIS used to intercept named pipes like "\Device\NamedPipe\lsass", but now it cannot intercept this. Malware can delete all users via "\Device\NamedPipe\lsass" and CIS could do anything.
It does not add a "driver". I said this demo only implements its function under ring3, and it can work under x64/x86.
Logged
3DNow
Newbie
« Reply #43 on: November 29, 2009, 11:30:39 AM »

I see the new version of CIS is coming out. I will test it using my old "killcis.exe" if I am free.
Logged
3DNow
Newbie
« Reply #44 on: December 01, 2009, 04:00:34 AM »

I have tested the newest version (3.13.121240.574); unfortunately, our lovely killcis.exe can still terminate and inject cfp.exe.
Logged