CIS can block it for accessing the interprocess memory of explorer.exe.
And the zbot will terminate itself if CIS blocks this action.
mod edit: Split & renamed from here. kail
I am not sure why you mentioned explorer.exe
If there is any relevance please tell & clarify
Anyway, win explorer’s access to the Internet can be, if not must be (as in my case), disallowed - just create rule(s)
If any security caught and blocked a suspect - that means that the security is in charge - so after that neither zbot nor any other can “terminate itself”… What is that supposed to mean? (may I ask)
We are not talking about the unique Flame that can deactivate itself & eliminate all traces of itself by receiving a “kill” request from its controller server(s)
As for “if CIS blocks…” - sure, but that’s only “IF”. Zeus / zbot / & the like have been known since 2006-2007 as far as I know, but just in 2012 (which is still “now” 88) ) we have around 5-6 modifications. Therefore - yes … “IF”
Finally, as in a few previous posts we are talking about one particular test
Cheers!
Logs for the zbot:
2011-11-09 22:55:53 C:\Documents and Settings\Roger\Local Settings\Temp\0.028543354169504265exe Sandboxed As Partially Limited
2011-11-09 22:55:54 C:\Documents and Settings\Roger\Application Data\Egriu\owwe.exe Sandboxed As Partially Limited
2011-11-09 22:56:23 C:\Documents and Settings\Roger\Local Settings\Temp\tmpfcd49f63.bat Sandboxed As Partially Limited
2011-11-09 22:56:27 C:\WINDOWS\system32\conime.exe Sandboxed As Partially Limited
2011-11-09 22:56:27 C:\Documents and Settings\Roger\Application Data\Egriu\owwe.exe Access Memory C:\WINDOWS\explorer.exe
2011-11-09 22:56:27 C:\Documents and Settings\Roger\Local Settings\Temp\0.028543354169504265exe Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
2011-11-09 22:56:27 C:\Documents and Settings\Roger\Local Settings\Temp\tmpfcd49f63.bat Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
2011-11-09 22:56:27 C:\WINDOWS\system32\conime.exe Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
2011-11-09 22:56:30 C:\Documents and Settings\Roger\Local Settings\Temp\0.16917603943976056exe Sandboxed As Partially Limited
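As an added example, not code from any poster in this thread or from Comodo, here is a small Python triage script over the log lines quoted above. It parses the line format as it appears here (date, time, source path, action, optional target; the format and the three action strings are assumed from these lines only) and scores each source process on combined indicators rather than on a single “Access Memory” line, since memory access to explorer.exe on its own is also produced by legitimate installers. The indicator list, the user-writable directory list and the threshold are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the sandbox / Defense+ lines quoted in the post above.
# Format assumed from those lines: "<date> <time> <source path> <action> [<target>]".
SAMPLE_LOG = r"""
2011-11-09 22:55:53 C:\Documents and Settings\Roger\Local Settings\Temp\0.028543354169504265exe Sandboxed As Partially Limited
2011-11-09 22:55:54 C:\Documents and Settings\Roger\Application Data\Egriu\owwe.exe Sandboxed As Partially Limited
2011-11-09 22:56:23 C:\Documents and Settings\Roger\Local Settings\Temp\tmpfcd49f63.bat Sandboxed As Partially Limited
2011-11-09 22:56:27 C:\WINDOWS\system32\conime.exe Sandboxed As Partially Limited
2011-11-09 22:56:27 C:\Documents and Settings\Roger\Application Data\Egriu\owwe.exe Access Memory C:\WINDOWS\explorer.exe
2011-11-09 22:56:27 C:\Documents and Settings\Roger\Local Settings\Temp\0.028543354169504265exe Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
2011-11-09 22:56:27 C:\Documents and Settings\Roger\Local Settings\Temp\tmpfcd49f63.bat Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
2011-11-09 22:56:27 C:\WINDOWS\system32\conime.exe Modify Key HKUS\S-1-5-21-1004336348-1383384898-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
2011-11-09 22:56:30 C:\Documents and Settings\Roger\Local Settings\Temp\0.16917603943976056exe Sandboxed As Partially Limited
"""

# The three action strings that occur in the quoted log (assumed to be the full set here).
ACTIONS = ("Sandboxed As Partially Limited", "Access Memory", "Modify Key")

# The source path is matched non-greedily so it stops at the first action keyword;
# the target (memory victim or registry key) is optional.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?) ("
    + "|".join(re.escape(a) for a in ACTIONS)
    + r")(?: (.+))?$"
)

# Directories a non-admin user can write to (illustrative list, not from the page).
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, action, target = m.groups()
    return {"time": ts, "source": source, "action": action, "target": target}


def parse_log(text):
    """Parse all non-empty lines of a log dump; unparseable lines are skipped."""
    events = [parse_line(ln) for ln in text.strip().splitlines()]
    return [e for e in events if e is not None]


def triage(events):
    """Collect per-source indicators. Each indicator is a boolean, so a lone
    'Access Memory' line never contributes more than one point."""
    per_source = defaultdict(lambda: {
        "sandboxed": False,        # auto-sandboxed by CIS
        "explorer_memory": False,  # touched another process's memory (explorer.exe)
        "zone_key": False,         # modified IE security-zone settings in the registry
        "user_writable": False,    # runs from a user-writable directory
    })
    for ev in events:
        rec = per_source[ev["source"]]
        target = (ev["target"] or "").lower()
        if ev["action"] == "Sandboxed As Partially Limited":
            rec["sandboxed"] = True
        elif ev["action"] == "Access Memory" and target.endswith("\\explorer.exe"):
            rec["explorer_memory"] = True
        elif ev["action"] == "Modify Key" and "\\internet settings\\zones\\" in target:
            rec["zone_key"] = True
        rec["user_writable"] = any(d in ev["source"].lower() for d in USER_WRITABLE)
    return dict(per_source)


def score(rec):
    """One point per indicator present."""
    return sum(rec.values())


def suspicious_sources(events, threshold=3):
    """Sources combining at least `threshold` indicators, sorted for stable output."""
    return sorted(src for src, rec in triage(events).items() if score(rec) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, rec in sorted(triage(evs).items()):
        flags = ", ".join(k for k, v in rec.items() if v)
        print(f"{score(rec)}  {src}  [{flags}]")
    print("flagged:", suspicious_sources(evs))
```

On the quoted lines, owwe.exe gets only one point from the explorer.exe memory access; it crosses the threshold because it was also sandboxed and runs from Application Data. conime.exe, a system binary that also touched the zone key, stays at two points and is not flagged, which is the distinction the reply below draws between a single event and a pattern.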
Hello again a256886572008,
1st, the red-highlighted string in your last post
2011-11-09 22:56:27 C:\Documents and Settings\Roger\Application Data\Egriu\owwe.exe Access Memory C:\WINDOWS\explorer.exe means absolutely nothing!
You probably do not install enough Applications if that one was any surprise to you
I do not care (at the moment) about owwe.exe / 0.028543354169504265exe / …
Could be or may not be a malware. If the latter & it was caught - Bravo!
Did you ever look into Defense+ events re “Access Memory”? (attached)
Furthermore
(forget about Comodo’s sandbox for a while, please)
You can get similar messages when installing legit Software. Are you saying that you’ve never seen that?
… hmmm … I can give many examples, but how about the following?
Etc. & so on…
“\Internet Settings\Zones\0\1609” zone stuff won’t mean a thing in a hundred years as well concerning the matter in question
Then, you are talking about whatever you’ve discovered in 2011
I was basically talking about the performance of Comodo (& EAM) in 2012
… and 5-6 new modifications of Zeus/zlob currently in the wild.
I have to be honest - I am aware though whether those were tested
And finally, TonyChipper911 was requesting “man-in-the-browser attacks”, hence my Q about explorer
Cheers!
!ot!
Guys, if you’re going to continue this dialogue, it’s probably best to move it elsewhere. Do you want me to split it for you?
Not OffTopic at all on your behalf
My reply to TonyChipper911 here was basically about Comodo’s & others’ performance concerning a particular test, which he probably missed
But sure, if you want to split the “explorer” ??? & the following discussion(s) - please do
Cheers!