Author Topic: Phide.exe rootkit bypassed Defence Plus [Reason found]  (Read 35466 times)

Offline aigle

  • Comodo's Hero
  • Posts: 716
Phide.exe rootkit bypassed Defence Plus [Reason found]
« on: July 27, 2008, 06:05:57 PM »
I tried this POC against CFP D Plus and sadly Defence Plus gave no alert about physical memory access. The rootkit was able to start a hidden process.

EQS, on the other hand, stopped it dead. Can anyone confirm my findings? PM me for the sample.

Thanks

[attachment deleted by admin]
« Last Edit: August 07, 2008, 07:11:08 AM by eXPerience »

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #1 on: July 27, 2008, 06:28:32 PM »
Send me a link where you downloaded it from. Here you go again. Why don't you try running only Comodo instead of having Geswall and that Shield running in the background? You're using an Nvidia main board and their firewall is junk. Your tests aren't exactly accurate when you're running other security software in the background. I am pretty sure the Shield belongs to your Nvidia mobo. You're also using RootRepeal, which is beta software.
« Last Edit: July 27, 2008, 06:40:41 PM by Vettetech »

Offline aigle

  • Comodo's Hero
  • Posts: 716
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #2 on: July 27, 2008, 06:42:34 PM »
Shield is part of Eaz-Fix instant recovery. Nothing from Nvidia. I can't discard GW, it's much more reliable. Sent you the link. Please do post your results here.
« Last Edit: July 27, 2008, 06:44:45 PM by aigle »

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #3 on: July 27, 2008, 06:43:27 PM »
Also, from your sig at Wilders I see you're using Threatfire. Are you running that in real-time mode alongside Comodo?

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #4 on: July 27, 2008, 06:55:18 PM »
Ok, now after I reboot I am back. That program made D+ go nuts. I had "Hi Guys" D+ alerts all over the place. Once again I do not see the problem. D+ is doing its job. It must be your set up that is affecting D+ and how it works. Look at my logs. I had at least 10 alerts from D+. Too many that I couldn't hit my screen rubbish* button.

[attachment deleted by admin]

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #5 on: July 27, 2008, 07:06:27 PM »
Just ran the test again. Here is proof once more that you're wrong. D+ is doing its job and doing it well. So sad to say you're wrong again.

[attachment deleted by admin]
« Last Edit: July 27, 2008, 07:08:59 PM by Vettetech »

Offline fOrTy_7

  • Comodo's Hero
  • Posts: 593
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #7 on: July 28, 2008, 03:25:32 AM »
Your tests aren't exactly accurate when you're running other security software in the background.

Aigle, I have to admit he's right here. Unless you use multiple virtual machines on which there is installed only one HIPS software, then there is always a risk that it won't behave as it is supposed to.

« Last Edit: July 28, 2008, 08:18:27 AM by fOrTy_7 »

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #8 on: July 28, 2008, 07:27:35 AM »
I did this test on a real world machine. My desktop. No virtualization on. I only run Comodo and NOD32. Have you ever stopped to think for once that maybe Geswall running alongside Comodo is screwing up D+? Also, why don't you shut off Shadow Surfer? Until you're running any of your tests in a real environment with only Comodo running, I will consider your threads like this null and void.
« Last Edit: July 28, 2008, 07:30:25 AM by Vettetech »

Offline doktornotor

  • Comodo's Hero
  • Posts: 222
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #9 on: July 28, 2008, 08:48:44 AM »
And as shown here, this speaks volumes about using multiple things doing the same task in real time. You actually may end up with your protection being degraded instead of improved. ;)

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #10 on: July 28, 2008, 09:21:41 AM »
Well, if you go into Wilders you will see that aigle is a member there and his sig says "Comodo Firewall, Threatfire and Geswall". If all of these are in real time then BINGO. We found his problem. He keeps making threads stating D+ sucks and is not doing its job but all these other programs are. But I have shown twice that D+ works. Screen shots do not lie.

Offline loverboy

  • Comodo's Hero
  • Posts: 427
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #11 on: July 28, 2008, 10:25:07 AM »
Just ran the test again. Here is proof once more that you're wrong. D+ is doing its job and doing it well. So sad to say you're wrong again.

Congratulations for the wallpaper Vettetech :-TU
Could you please post it 1280*1024 so that I can use it too? ;)

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #12 on: July 28, 2008, 10:30:33 AM »
LOL. I think I got it from wallpaperstock or ewallpapers. Sorry, off topic.
« Last Edit: July 28, 2008, 10:36:49 AM by Vettetech »

Someone

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #13 on: July 28, 2008, 11:28:10 AM »
He keeps making threads stating D+ sucks and is not doing its job but all these other programs are.
No he doesn't. He tested CFP, and opened a thread to see if the results are the same for others. He is perfectly aware of possible conflicts, and he asks for others to verify.

He's been doing this for quite some time, unlike you.
Vettetech, I remember you "testing" Online Armor, saying it passed a test because OA prompted for execution. It took a while for the notion that it wasn't about execution to sink in...

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #14 on: July 28, 2008, 11:32:55 AM »
Look at this. See here. Duh. With 2 screen shots in 2 different posts I have proved aigle wrong, period. I haven't used OA in over 6 months.

http://forums.comodo.com/leak_testingattacksvulnerability_research/driver_service_install_not_detected-t25349.0.html
« Last Edit: July 28, 2008, 11:34:29 AM by Vettetech »
