Author Topic: Proofs of Concepts Vs. CFP3  (Read 43878 times)

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Proofs of Concepts Vs. CFP3
« on: August 29, 2007, 10:45:22 PM »
Of course, when I start it, there are two or three alerts, but those are not important. If the program begins to work and you can click "Protect", and the program shows you "Failed" or your software gives you an alert, that means your software could block it; if it shows you "Done", that means your software can't block it. CFP can't block it: when I click "Protect", there is no alert and the program shows me "Done". After it protects itself, CFP couldn't terminate it; maybe there is little software that can terminate it. The name of the program is "kill.exe"; it is in "danger.rar", and the password is "virus". Another program in "danger.rar" is "cs.exe"; it uses the technology of alternate data streams, and it can be found and blocked by CFP.

[attachment deleted by admin]
« Last Edit: September 15, 2007, 09:48:57 AM by rcbblgy »

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #1 on: August 29, 2007, 10:50:18 PM »
CFP can't block it, maybe because it can't block a program operating on the system essence; some other HIPS software can block "kill.exe" because they can stop and alarm on operating the system essence.

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 963
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #2 on: August 29, 2007, 11:15:45 PM »
EQ-Secure V3.4

press "Protect"

press "Deny"

and I can terminate the process "KiLL.exe"

If I press "Allow", the process will NOT be terminated!

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #3 on: August 29, 2007, 11:18:30 PM »
A suggestion: I wish CFP could block a program changing the system time. Many viruses will change the system time in my country, because if the time is changed to a long time ago or a long time later, most AV software will not work normally.
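For the request about system-time changes above: on Windows Vista and later, the System log records each change as event ID 1 from the Microsoft-Windows-Kernel-General provider, and the Security log records it as event ID 4616 when the "Audit Security State Change" category is enabled. The PowerShell below is an added example, not code from the thread or from Comodo; it lists recent System-log time changes together with the process ID the event records, and the 7-day window is an assumed default.

```powershell
# Added example: list system-time changes recorded in the System log.
# Assumes Windows Vista or later (Kernel-General provider, event ID 1).
function Get-SystemTimeChanges {
    param([int]$Days = 7)   # look-back window, assumed default

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Recorded  = $_.TimeCreated
                ProcessId = $_.ProcessId            # process that made the change
                Detail    = ($_.Message -replace '\s+', ' ')   # old and new time
            }
        }
}

Get-SystemTimeChanges -Days 7 | Format-Table -AutoSize
```

Changes made by the Windows Time service are expected; a time change attributed to any other process ID, especially one that jumps years backwards or forwards as the post describes, is the case worth investigating. Run the same query against the Security log with Id 4616 (elevated session required) to get the account and process name as well.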

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11813
  • Linux is free only if your time is worthless.;-)
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #4 on: August 30, 2007, 04:04:53 AM »
Of course , when I start it , there are two or three alerts , but those are not important .....

Says who? What did the alerts say? If they are about the application accessing some system functionality, then I'd say they're reasonably important, wouldn't you?

Can you post a screenshot of these allegedly unimportant alert dialogues?

Thanks in advance,
Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #5 on: August 30, 2007, 06:04:32 AM »
http://forums.comodo.com/index.php?action=dlattach;topic=12141.0;attach=6650
http://forums.comodo.com/index.php?action=dlattach;topic=12141.0;attach=6652
When I start the program, CFP gives me these alerts just like when I start other programs, but when the program begins to work and tries to protect itself (when I click "Protect"), there is no alert for me. I think this is the important point, because if it wants to protect itself, it should operate on the system essence, and CFP can't block this kind of operation; some other HIPS software such as EQ-Secure can block this operation. If the program protects itself successfully, almost no software can terminate it.

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11813
  • Linux is free only if your time is worthless.;-)
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #6 on: August 30, 2007, 06:57:00 AM »
Apologies, I didn't realise that you had attached screenshots of the alerts. :-\

That's interesting ( ??? >:() that the firewall doesn't detect escalation of application privilege. I made the mistake of assuming this would be covered by the HIPS component.

Can you please post this in the 32 bit and 64 bit bug reports (assuming that it isn't detected on both platforms).

Thanks,
Ewen :-)

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #7 on: August 30, 2007, 08:32:39 AM »
Thanks, I have posted it in the 32-bit bug report. But I don't think this is a bug; maybe it is just that CFP doesn't have this function. My OS is 32-bit; I am sure the 64-bit OS must be the same as mine.

Offline siLence_Again

  • Newbie
  • *
  • Posts: 3
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #8 on: August 30, 2007, 09:38:20 AM »
Hi everyone here.
I have come here because of RCBB's (maybe rcbbly?) PM :)

I'm Luzi, who is a member of 0GiNr, and the author of this toy.

I'm sorry that I haven't tried Comodo before I post this reply.

If I have understood this topic correctly, it is talking about my little toy at the point of accessing kernel memory.

Have I understood correctly? If yes, well, it just called ZwSystemDebugControl. :)

I feel sorry for my poor English; it's my first post at an English site :)
« Last Edit: August 30, 2007, 09:42:19 AM by siLence_Again »
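Luzi's reply names the one call involved. ZwSystemDebugControl is gated by the "Debug programs" user right (SeDebugPrivilege), which by default is held only by the Administrators group, and the kernel-memory subfunctions it exposed on Windows XP were removed in later Windows releases. A defender's first check is therefore which accounts hold that right on a machine. The PowerShell below is an added example, not code from the thread or from Comodo; it assumes an elevated session, that secedit.exe is available, and the exported-policy line format "SeDebugPrivilege = *SID,*SID".

```powershell
# Added example: audit which accounts hold "Debug programs" (SeDebugPrivilege).
# Assumes an elevated session; secedit.exe exports the local security policy.
function Get-DebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the local policy.
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^SeDebugPrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # right assigned to nobody

        # Value is a comma-separated list of '*SID' entries (or plain names).
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $sidText = $entry.Substring(1)
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '(unresolved SID)' }   # deleted or foreign account
                [pscustomobject]@{ Sid = $sidText; Account = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-DebugPrivilegeHolders | Format-Table -AutoSize
```

On an untouched install the only row is BUILTIN\Administrators (S-1-5-32-544). Any additional account, and any everyday account that is itself a local administrator, is a token that a program like the one in this thread can run under without needing to ask for anything; that is the condition a HIPS prompt would have to catch.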

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #9 on: August 30, 2007, 10:09:34 AM »
I think you should talk more about your toy :THNK

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #10 on: August 30, 2007, 10:16:56 AM »
There is another program which will debug at the system level. I post it here; I hope it can help you.

[attachment deleted by admin]

Offline rcbblgy

  • Comodo Loves me
  • ****
  • Posts: 130
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #11 on: August 30, 2007, 10:43:26 AM »
Another problem: when "cs.exe" creates a file, CFP couldn't show me the file path correctly; it shows me an unknown path. As I know the program uses alternate data streams, maybe this is the reason, but other HIPS could show the right file path. I have posted it on the 32-bit bug report.

[attachment deleted by admin]

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 963
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #12 on: August 30, 2007, 11:25:59 AM »
I tested "prueba.exe" with CPF V3 & EQ-Secure V3.4

We must BLOCK "prueba.exe is trying to execute ntoskrnl.exe"!

Or, the computer could not be controlled!
« Last Edit: August 30, 2007, 11:28:20 AM by a256886572008 »

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 963
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #13 on: August 30, 2007, 12:12:44 PM »
Can CPF V3 pass the unhookers tests?

http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

Offline Little Mac

  • Forum Volunteer
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6303
  • The Colonel told me to.
Re: A small program which cann't be blocked by CFP (Defense+)
« Reply #14 on: August 30, 2007, 02:35:05 PM »
Can CPF V3 pass the unhookers tests?
That would be interesting to see.  Based on their explanations, it would seem like it should but in reality it might not.  Never know, until it's tested.  Seems that would get some good information for Comodo to use to improve the product. 

At present, looks like ProSecurity is the leader there...

LM
These forums are focused on providing help and improvement for Comodo products.  Please treat other users with respect and make a positive contribution.  Thanks.
Forum Policy
