Comodo Forum > Learn about Computer Security and Interact with Security Experts > Leak Testing/Attacks/Vulnerability Research > Some tests (page 2 of 5)
Author Topic: Some tests  (Read 32001 times)
disPPlay (Malware Research Group)
« Reply #15 on: April 22, 2009, 12:15:00 PM »

Nice combo.. To me however CIS is enough. Also, can Sandboxie protect you from keylogging? Can Sandboxie prevent malware dialing home and sending your info somewhere? If not, then Sandboxie is not enough..

Sandboxie has a history of letting stuff escape from time to time as well. I wouldn't pick Sandboxie over CIS..
Especially not if your definition of properly configured means "run your web browser sandboxed".

That's not a "total" protection but could serve as a complement, as it would guard one thing, the web browser.. and the stuff it might "install".

However, all your other applications (whatever those might be) would still connect home with no checking and with no firewall there to guard them (your system is still there running in the back, it's not just a browser).. Plus you would lack info on the stuff that's already on your computer and what it is doing; Sandboxie would never detect any baddie you already got.. Something that CIS actually does. =)

Quote
Well, Sandboxie is all you need in this case, because if you run a keylogger it will install in the sandbox and not actually on your system, and it doesn't have rights to do anything. Sandboxie + CIS is very nice.
Commanding The Celsius (Product Translator)
« Reply #16 on: April 22, 2009, 02:19:26 PM »

Mate, I don't think you understand the power of Sandboxie.  Yes, it does protect against keyloggers etc.

Quote
Well, Sandboxie is all you need in this case, because if you run a keylogger it will install in the sandbox and not actually on your system, and it doesn't have rights to do anything. Sandboxie + CIS is very nice.

Hm, so you guys are claiming Sandboxie protects from keyloggers when their very own website says it doesn't..
http://www.sandboxie.com/index.php?DetectingKeyLoggers

Quote
Sandboxie is not designed to detect or disable key-loggers, but it is designed to make sure that sandboxed software stays in the sandbox, that such software can't integrate into Windows, and that it can be completely discarded when you delete the sandbox.

I think it speaks for itself.. Anyway, I am not that experienced with Sandboxie so I guess maybe it can protect to some extent if properly configured..

I could go on about why I think Sandboxie can't offer that 100% protection.. But that would be going off topic. If needed, let's PM..

Regarding the termination tests.. Were there any termination alerts, or some kind of bla bla bla bla explorer bla bla bla bla..?  Grin Wink
burebista
« Reply #17 on: April 22, 2009, 02:28:13 PM »

Quote
Regarding the termination tests.. Were there any termination alerts, or some kind of bla bla bla bla explorer bla bla bla bla..?  Grin Wink
No bla,bla. Just mouse and explorer killed silently.
But you can try yourself, it doesn't bite.  Grin
If it ain't broke... fix it until it is.
OmeletGuy (Global Moderator)
« Reply #18 on: April 22, 2009, 06:06:59 PM »

I uploaded it to CIMA and here are the results:

Htaaa: Waiting for results, over 24 hours soon
Htaac: Not Rated as Suspicious
Htaab: Waiting for results, over 24 hours soon (lol if it froze CIMA). Uploaded at 4:30 PM MT April 22
Stop: Not Rated as Suspicious
Stop2: Not Rated as Suspicious

Htaaa: http://camas.comodo.com/cgi-bin/submit?file=41ddd6a2f429b6c103f8afa6406fa7a98b08db65ff1f91d3330008fe90f96253

Htaab: http://camas.comodo.com/cgi-bin/submit?file=2c0624a3aa86e1cf0ad8ebab94953c34b849d60be6b7dc704a73c0cc77769f11

Here are the links to the files in CIMA.

I also uploaded it to VirusTotal, here are the results:

Htaaa: 3/40
Htaac: 3/40
Htaab: 3/40
Stop: 3/40
Stop2: 4/40

I also tested them (keep in mind that I have configured CIS for maximum protection).
Passed all but STOP2, which did give a prompt on CIS and I selected Isolated Application. Did not work, it still ran!
CIS did NOT crash, Explorer did not crash! Still failed Stop2.

Config: Proactive
Defense+: Paranoid
Firewall: Safe mode
Image Execution Control Setting: normal setting + All applications + executables
« Last Edit: April 23, 2009, 03:25:42 PM by OmeletGuy »

Comodo Dragon themes, including windows Aero options. Download  Here

System Details: W7-64bit | 4GB DDR2 | Intel Core 2 Extreme X6800 | CIS 5.10 | Geforce 560 GTX 1
MagisDing
« Reply #19 on: April 22, 2009, 09:57:15 PM »

Quote from: OmeletGuy on April 22, 2009, 06:06:59 PM (Reply #18 above)
Thank you for testing. You mentioned that CIS had passed all but Stop2. I am wondering what pop-up dialogs appeared when you ran htaab, and did htaac terminate explorer.exe? Did Stop lock your mouse?
OmeletGuy (Global Moderator)
« Reply #20 on: April 22, 2009, 10:58:46 PM »

Quote
Thank you for testing. You mentioned that CIS had passed all but Stop2. I am wondering what pop-up dialogs appeared when you ran htaab, and did htaac terminate explorer.exe? Did Stop lock your mouse?

Remember I'm running CIS on the maximum security setting I made!
Config: Proactive
Firewall: Safe Mode (all settings on)
D+: Paranoid Mode (all settings on)

Oh, and I'm on Windows XP Media Center!
It tried to access all of this in this order!

Htaaa ------> imm32.dll ----->(again) imm32.dll ------> \Device\KseDD ----->guard32.dll (failed to act)
Htaac ------> imm32.dll ----->(again) imm32.dll ------> \Device\KseDD ----->guard32.dll (failed to act)
Htaab ------> imm32.dll ----->(again) imm32.dll ------> \Device\KseDD ----->guard32.dll (failed to act)
Stop  ------> imm32.dll ----->(again) imm32.dll ------> \Device\KseDD ----->guard32.dll  (failed to act)

Limited user account (non admin) had no effect, they still tried to launch!

imm32.dll is a library used by the Microsoft Windows Input Method Manager (IMM).
DO NOT DELETE imm32.dll, it's critical to Windows working OK.
With imm32.dll blocked! (just blocked for one login)
It tried to access all of this in this order!

Htaaa ----->Device\KseDD -----> guard32.dll (failed to act)
Htaac ----->Device\KseDD -----> guard32.dll (failed to act)
Htaab ----->Device\KseDD -----> guard32.dll (failed to act)
Stop ----->Device\KseDD -----> guard32.dll   (failed to act)

DO NOT DELETE imm32.dll, it's critical to Windows working OK.
I will keep all of you updated on STOP2.exe testing! What a nasty exploit!
STOP2 update:
stop2 -----> imm32.dll -----> guard32.dll (worked)
With imm32.dll off:
stop2 -----> guard32.dll (worked)
With Policy Isolated Application: IT STILL WORKED  Shocked Shocked Shocked
My Blocked Files STOPS IT

I opened Stop2 in Notepad and it said on the top line "This program must be run under Win32" (I don't have a 64-bit to test on). Yes OR No?

Also it has these DLLs mentioned in the Notepad: NEL32.DLL advapi32.dll user32.dll
And it also said: Boÿûÿÿrland Edition © 2004,5 PierîoËÿre le Rich/rofess
I have tried everything I could THINK of!!!!
D+ has LOST a MATCH! against STOP2

« Last Edit: April 23, 2009, 03:24:26 PM by OmeletGuy »
ssj100
« Reply #21 on: April 23, 2009, 03:38:01 AM »

Yes Defense+ fails against those malware programs.  Apparently Defensewall and Online Armor are fixing this problem in their next releases.  The question is: how about Comodo?
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
metalforlife
« Reply #22 on: April 23, 2009, 04:12:19 AM »

OmeletGuy, try providing guard32.dll, imm32.dll and your mouse device-driver termination protection in D+ Computer Policy. Does that work?
sirio (Global Moderator)
« Reply #23 on: April 23, 2009, 04:50:57 AM »

Thanks for testing CIS. I have asked the developers for news.

Regards,

sirio  Smiley
OmeletGuy (Global Moderator)
« Reply #24 on: April 23, 2009, 11:54:19 AM »

Quote
OmeletGuy, try providing guard32.dll, imm32.dll and your mouse device-driver termination protection in D+ Computer Policy. Does that work?

No, it does not work. It still gets killed after I let all run!

Currently testing:
Just so no one asks: on EVERY popup in CIS I had "remember action" off.

I provided access to all it asked for.
Htaaa:  imm32.dll ----->(again) imm32.dll ------> \Device\KseDD ----->guard32.dll ------> fltlib.dll -----> \global??\fltMgrMsg ------> uxtheme.dll ------> msctf.dll ------>msctfime.imc(failed to act)

Htaab.exe ------> imm32.dll ----->(again) imm32.dll ------> \Device\KseDD ----->guard32.dll ------> fltlib.dll -----> \global??\fltMgrMsg ------> uxtheme.dll ------> msctf.dll ------>msctfime.imc ------> \Device\NamedPipe\Isarpc ------>Wants Debug Privilege -----> SPOOLSV.EXE ------> Vpnservice.exe -------> Ehtray.exe ------> rundll32.exe ------> ehrecvr.exe ------> ehSched.exe ------> Nvsvc32.exe ------> mcrdsvc.exe ------> dllhost.exe ------>alg.exe------>Creating folder in registry ------> ehmsas.exe ----- outlook.exe ------> iexplorer.exe
(failed to act, but still got loaded in mem)

Htaac.exe imm32.dll ----->(again) imm32.dll ------> \Device\KseDD ----->guard32.dll ------> fltlib.dll -----> \global??\fltMgrMsg ------> uxtheme.dll ------> msctf.dll ------>msctfime.imc ------> \Device\NamedPipe\Isarpc ------>Wants Debug Privilege -----> SPOOLSV.EXE ------> ehrecvr.exe -----> ehsched.exe------> nvsvc32.exe------> mcrdsvc.exe -----> alg.exe -----> explorer.exe (crashed and it restarted back) ------> ehtray.exe ------> shdocvw.dll ------> rundll32.exe ------> ehmsas.exe ------> Iexplorer.exe (killed)! KILLS IE and Explorer (CIS failed to block it)

Stop: imm32.dll ------> \Device\KseDD ----->guard32.dll ------> fltlib.dll -----> \global??\fltMgrMsg ------> uxtheme.dll ------> msctf.dll ------>msctfime.imc (Ran and stopped mouse) (may have forgotten some apps)

Stop2: I can't block it, but I did manage to KILL it after it did its job. Side effects continued.

I will keep you updated on the other tests I can think of!
Clean PC mode with files in My Pending Files!
All loaded into mem, but only STOP2.exe acted.
« Last Edit: April 23, 2009, 01:26:27 PM by OmeletGuy »
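The access chains OmeletGuy pasted above are informal HIPS alert transcripts, but they carry a recognisable pattern: a sample asks for Debug Privilege and then walks through other processes, and in one case explorer.exe and the browser end up terminated. The following is an added example, not code from the thread or from Comodo, that parses lines in that arrow format and flags those two patterns plus the "stopped mouse" remark. The sample log is constructed here (shortened versions of the chains in the post, resource names taken from it); the names `parse_chain`, `assess` and `assess_log` are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: shortened chains in the same "a ------> b (remark)" style
# OmeletGuy used; not a real CIS log export.
SAMPLE_LOG = r"""
Htaaa: imm32.dll ----->(again) imm32.dll ------> \Device\KseDD -----> guard32.dll ------> msctfime.imc (failed to act)
Htaab.exe ------> imm32.dll ------> \Device\KseDD ----->guard32.dll ------> Wants Debug Privilege -----> SPOOLSV.EXE ------> rundll32.exe ------> outlook.exe (failed to act But still got loaded in mem)
Htaac.exe imm32.dll ------> \Device\KseDD ----->guard32.dll ------> Wants Debug Privilege -----> SPOOLSV.EXE -----> alg.exe -----> explorer.exe (crashed and it restarted back) ------> Iexplorer.exe (killed)
Stop: imm32.dll ------> \Device\KseDD -----> guard32.dll ------> msctfime.imc (Ran and Stoped mouse)
"""

ARROW = re.compile(r"\s*-{3,}>\s*")   # "----->", "------>" and similar separators
PAREN = re.compile(r"\(([^)]*)\)")   # parenthetical remarks such as "(killed)"


@dataclass
class Chain:
    sample: str
    steps: List[str] = field(default_factory=list)             # resources, in order touched
    notes: Dict[str, List[str]] = field(default_factory=dict)  # resource -> remarks


def parse_chain(line: str) -> Chain:
    """Parse one 'Sample ------> res1 ------> res2 (remark)' line into a Chain."""
    tokens = ARROW.split(line.strip())
    head = tokens[0]
    # The sample name appears as "Htaaa:", "Htaab.exe" or "Htaac.exe imm32.dll"
    if ":" in head:
        sample, first = head.split(":", 1)
    elif " " in head:
        sample, first = head.split(None, 1)
    else:
        sample, first = head, ""
    chain = Chain(sample=sample.strip())
    for raw in [first] + tokens[1:]:
        remarks = [m.strip() for m in PAREN.findall(raw)]
        name = PAREN.sub("", raw).strip()
        if not name:
            continue
        chain.steps.append(name)
        # "(again)" only marks a repeated access; it is not a remark worth keeping
        real = [r for r in remarks if r.lower() != "again"]
        if real:
            chain.notes.setdefault(name, []).extend(real)
    return chain


def assess(chain: Chain) -> dict:
    """Apply three simple rules to a parsed chain and return the findings."""
    lower = [s.lower() for s in chain.steps]
    debug_at = next((i for i, s in enumerate(lower) if "debug privilege" in s), None)
    # Processes the sample reached for after asking for the debug privilege
    touched = []
    if debug_at is not None:
        touched = [s for s in chain.steps[debug_at + 1:] if s.lower().endswith(".exe")]
    # Resources whose remark says they were killed or crashed
    harmed = [s for s, notes in chain.notes.items()
              if any("killed" in n.lower() or "crashed" in n.lower() for n in notes)]
    mouse = any("mouse" in n.lower() for notes in chain.notes.values() for n in notes)
    findings = []
    if touched:
        findings.append("debug-privilege-then-process-access")
    if harmed:
        findings.append("process-termination")
    if mouse:
        findings.append("input-device-interference")
    return {"sample": chain.sample, "debug_privilege": debug_at is not None,
            "processes_after_debug": touched, "harmed": harmed, "findings": findings}


def assess_log(text: str) -> Dict[str, dict]:
    """Parse and assess every non-empty line of an arrow-format log."""
    chains = (parse_chain(line) for line in text.splitlines() if line.strip())
    return {c.sample: assess(c) for c in chains}


if __name__ == "__main__":
    for name, result in assess_log(SAMPLE_LOG).items():
        print(f"{name}: {result['findings'] or 'nothing flagged'}")
```

The point of the three rules is that a termination alert on explorer.exe is the last event in the chain, not the first: the request for Debug Privilege several steps earlier is the place where a HIPS policy has a chance to stop the sample before anything is killed, which is what metalforlife's suggestion of adding termination protection for guard32.dll and the mouse driver is trying to approximate from the other end.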
simmikie
« Reply #25 on: April 23, 2009, 02:57:21 PM »

Quote
Hm, so you guys are claiming Sandboxie protects from keyloggers when their very own website says it doesn't..
http://www.sandboxie.com/index.php?DetectingKeyLoggers

I think it speaks for itself.. Anyway, I am not that experienced with Sandboxie so I guess maybe it can protect to some extent if properly configured..

I could go on about why I think Sandboxie can't offer that 100% protection.. But that would be going off topic. If needed, let's PM..

Regarding the termination tests.. Were there any termination alerts, or some kind of bla bla bla bla explorer bla bla bla bla..?  Grin Wink

While not preventing the 'logger from running, the sandbox can be configured to restrict internet access to the 'logger or, if desired by the end-user, restrict internet access to all apps running in that 'box. A 'logger that cannot phone home is essentially defeated.
OmeletGuy (Global Moderator)
« Reply #26 on: April 24, 2009, 01:12:35 PM »

So what do the devs say?
ssj100
« Reply #27 on: April 24, 2009, 03:57:27 PM »

Yes, I've been waiting on a response from the developers.  Anyone?

Online Armor and DefenseWall have fixed the issue.  Comodo?
aigle
« Reply #28 on: April 24, 2009, 04:56:05 PM »

In fact, very good work by OA and DW.  Thumb Up

Where is Comodo?  Wink
egemen (Comodo Staff)
« Reply #29 on: April 24, 2009, 08:03:44 PM »

We are analyzing the files. IF we see it as an important threat, we will certainly fix it and you will see.

According to my initial tests:

1 - Mouse can be frozen and this is not captured by D+.
This is not really a threat.
2 - Explorer.exe is terminated

Obviously none of these 2 issues are high priority threats.  However, these samples are actually malware, not leak tests. So they are being analyzed to make sure that we don't miss more important threats.

After the analysis, we will see if we will include the fixes in 3.9 or not.

Egemen