Rootkit-driver install not intercepted?

[Guest]

[egemen]

I removed all default rules/ policy for msiexec.exe and unfoirtunately no alerts for a driver install/ load. CFP does not at all behaves like other HIPS here.

See my thread here for some more explanation.

http://www.wilderssecurity.com/showthread.php?t=216750

Thanks

As I said, it is not the ideal way. msiexec.exe is trying to load a driver. So what? It is a legitimate application and it does this for a lot of applications. what is the application behind this? Wihtout catching these details, showing the users about services.exe or msiexec.exe is not the solution.

Services.exe is trying to load a driver: so what? It is what services.exe is supposed to do... We will see what sort of COM access is happening there and why CFP is not catching it.

[Vettetech]

Thank you egemen.............................................. (B)

[aigle]

As I said, it is not the ideal way. msiexec.exe is trying to load a driver. So what? It is a legitimate application and it does this for a lot of applications. what is the application behind this? Wihtout catching these details, showing the users about services.exe or msiexec.exe is not the solution.

Services.exe is trying to load a driver: so what? It is what services.exe is supposed to do... We will see what sort of COM access is happening there and why CFP is not catching it.

I undersatnd that but it,s common for legit applicatiosn to be exploited very often by malware. U catch the COM access that is good but IMO no harm in detecting a driver install by msiexec.exe.

As far as a driver install by msiexec.exe being a legit operation-- this should be valid only if u use default CFP policy for msiexec.ex but if u use a custom policy, u must get a pop up about driver install by it.

Otherwise I am afraid if we extend ur theory to other OS applications then we should not get any alert for execution of any application by explorer.exe. Afterall it,s a legit operation of explorer.exe to execute any appliaction.

[forcespawn]

As I said, it is not the ideal way. msiexec.exe is trying to load a driver. So what? It is a legitimate application and it does this for a lot of applications. what is the application behind this? Wihtout catching these details, showing the users about services.exe or msiexec.exe is not the solution.

Services.exe is trying to load a driver: so what? It is what services.exe is supposed to do... We will see what sort of COM access is happening there and why CFP is not catching it.

this is true. however, finding the application behind the loading of the driver and being alerted when services.exe or msiexec.exe are trying to load a driver are not mutually exclusive. ideally, comodo can find the application when it attempts to invoke msiexec.exe and also alert the user when the driver is actually loaded by these known system applications.

still, i like your philosophy of finding out the application that is behind the loading, egeman. this brings up a question: when comodo detects that an installer or program is trying to invoke a system application like msiexec.exe or services.exe that typically loads drivers, is the ONLY possible alert type COM access? i ask because i'm trying to uncheck as many of those boxes as possible to reduce the number of popups. would having COM access and device driver loading options checked be enough to stop rootkits?

[Dennis2]

Please do not post in topics which are outdated August 2008

Topic Locked

Dennis

[Tags:]