Author Topic: Proofs of Concepts Vs. CFP3  (Read 43879 times)

Offline a256886572008

Re: A small program which can't be blocked by CFP (Defense+)
« Reply #15 on: August 30, 2007, 07:02:37 PM »
That would be interesting to see.  Based on their explanations, it would seem like it should but in reality it might not.  Never know, until it's tested.  Seems that would get some good information for Comodo to use to improve the product. 

At present, looks like ProSecurity is the leader there...

LM

Another two HIPS, SSM & EQ-Secure, have passed the unhooker tests!

http://membres.lycos.fr/nicmtests/Unhookers/update.htm

PS: Direct modification with SCC (System Core Center) = debugging at system level

Offline a256886572008

Re: A small program which can't be blocked by CFP (Defense+)
« Reply #16 on: August 30, 2007, 08:23:27 PM »
This virus could modify the system time to the year 2002!

EQ-Secure v3.4
[screenshot not preserved]

CPF V3
[screenshot not preserved]

Moderator's Edit:  Virus attachment removed.  Please do not post live viruses in the forums.  Thank you.
« Last Edit: August 31, 2007, 11:52:37 AM by Little Mac »

Offline siLence_Again

Re: A small program which can't be blocked by CFP (Defense+)
« Reply #17 on: August 30, 2007, 11:18:03 PM »
Another problem: when "cs.exe" creates a file, CFP couldn't show me the file path correctly; it shows me an unknown path. As far as I know, the program uses alternate data streams; maybe this is the reason, but other HIPS could show the right file path. I have posted it in the 32-bit bug report.
"\Device\HarddiskVolume3\" equal to "D:\"
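The path in Reply #17 is the kernel object-manager name for the volume, and translating it back to a drive letter (and separating the stream name the post suspects) is routine work when normalising HIPS or audit logs. The following is an added example of mine, not code from the poster or from Comodo. SAMPLE_TABLE is a constructed stand-in for the volume mapping on the poster's machine; on a live Windows host windows_device_map() builds the real table with kernel32!QueryDosDeviceW, and nt_to_dos() does the translation and the ADS split.

```python
import string
import sys
from collections import namedtuple

DosPath = namedtuple("DosPath", "path stream")


def windows_device_map():
    """Build {NT device name: 'X:'} on a live Windows host via kernel32!QueryDosDeviceW.

    Only the first target string of each drive is kept. On other platforms the
    caller must supply a table (SAMPLE_TABLE below is a constructed one)."""
    if sys.platform != "win32":
        raise RuntimeError("QueryDosDeviceW is only available on Windows")
    import ctypes
    buf = ctypes.create_unicode_buffer(1024)
    table = {}
    for letter in string.ascii_uppercase:
        drive = letter + ":"
        if ctypes.windll.kernel32.QueryDosDeviceW(drive, buf, len(buf)):
            table[buf.value] = drive
    return table


def nt_to_dos(nt_path, table):
    """Translate a kernel object path to DOS form and split off an ADS name.

    Returns DosPath(path, stream), or None when no known device prefix matches
    (e.g. \\Device\\Mup or an unmounted volume), which is the case a HIPS should
    report verbatim rather than as 'unknown path'."""
    lowered = nt_path.lower()
    # Longest prefix first, so \Device\HarddiskVolume1 never shadows \Device\HarddiskVolume10.
    for dev in sorted(table, key=len, reverse=True):
        d = dev.lower()
        if lowered == d or lowered.startswith(d + "\\"):
            dos = table[dev] + nt_path[len(dev):]
            break
    else:
        return None
    head, sep, tail = dos.rpartition("\\")
    if not sep:                       # bare volume, nothing to split
        return DosPath(dos, None)
    # A colon in the final component names a stream (file.txt:hidden[:$DATA]);
    # the drive-letter colon lives in 'head' and is untouched.
    if ":" in tail:
        name, _, stream = tail.partition(":")
        stream = stream.split(":")[0]  # drop an explicit ":$DATA" type suffix
        return DosPath(head + sep + name, stream or None)
    return DosPath(dos, None)


# Constructed mapping standing in for QueryDosDevice output on the poster's machine.
SAMPLE_TABLE = {
    r"\Device\HarddiskVolume1": "C:",
    r"\Device\HarddiskVolume3": "D:",
    r"\Device\HarddiskVolume10": "E:",
}

if __name__ == "__main__":
    table = windows_device_map() if sys.platform == "win32" else SAMPLE_TABLE
    for p in (r"\Device\HarddiskVolume3\tmp\cs.exe:payload",
              r"\Device\HarddiskVolume10\x.txt",
              r"\Device\Mup\srv\share\a.txt"):
        print(p, "->", nt_to_dos(p, table))
```

Drive letters are per-session (subst, network mappings) and a volume can be mounted under a directory with no letter at all, so a None result is informative in itself: the event came from a path the current session cannot name, which is worth showing rather than hiding.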

Offline siLence_Again

Re: A small program which can't be blocked by CFP (Defense+)
« Reply #18 on: August 30, 2007, 11:22:23 PM »
I think you should talk more about your toy :THNK
Something more?

ZwSystemDebugControl: SysDbgCopyMemoryChunks_0 (used to read kernel memory, SysDbgCopyMemoryChunks_0 = 8) & SysDbgCopyMemoryChunks_1 (used to write kernel memory, SysDbgCopyMemoryChunks_1 = 9)

Offline nubiatech

Re: A small program which can't be blocked by CFP (Defense+)
« Reply #19 on: August 31, 2007, 04:26:51 AM »
Something more?

ZwSystemDebugControl: SysDbgCopyMemoryChunks_0 (used to read kernel memory, SysDbgCopyMemoryChunks_0 = 8) & SysDbgCopyMemoryChunks_1 (used to write kernel memory, SysDbgCopyMemoryChunks_1 = 9)

Good job! Thanks for this.

Offline rcbblgy

A badjoke program CFP can't block (Defense+)
« Reply #20 on: September 14, 2007, 10:10:42 AM »
A badjoke program with a bad name (:SHY)
CFP can block it only when it is executed; once it begins to work, it will shut down the system and CFP can do nothing. ProSecurity can block it; I wish CFP would add this protection.

[attachment deleted by admin]
« Last Edit: September 14, 2007, 10:14:18 AM by rcbblgy »

Offline Little Mac

Re: A badjoke program CFP can't block (Defense+)
« Reply #21 on: September 14, 2007, 01:00:17 PM »
How is it that v3 cannot block it?  If the program cannot shut down the system until it is allowed to run, and CFP can prevent it from executing, then....

Can you please explain more about what you are experiencing when you test this with v3?

Tnx,

LM
These forums are focused on providing help and improvement for Comodo products.  Please treat other users with respect and make a positive contribution.  Thanks.
Forum Policy

Offline rcbblgy

Re: A badjoke program CFP can't block (Defense+)
« Reply #22 on: September 14, 2007, 09:42:08 PM »
A badjoke program with a bad name (:SHY)
CFP can block it only when it is executed; once it begins to work, it will shut down the system and CFP can do nothing. ProSecurity can block it; I wish CFP would add this protection.
Some information about the program:
(ntdll.ZwShutdownSystem)
======================================
/* As recovered in OllyDbg; declarations and comments added for context. */
NTSTATUS nRet;
BOOLEAN en;
/* 0x13 = SE_SHUTDOWN_PRIVILEGE (19). First try the thread's impersonation token... */
nRet = RtlAdjustPrivilege(0x13, 1, 1, &en);
if (nRet == 0xC000007C)                          /* STATUS_NO_TOKEN: thread is not impersonating, */
    nRet = RtlAdjustPrivilege(0x13, 1, 0, &en);  /* ...so enable it on the process token instead. */
nRet = ZwShutdownSystem(2);                      /* SHUTDOWN_ACTION 2 = ShutdownPowerOff, the native call below ExitWindowsEx */
================================

Those were found using OllyDbg.

[attachment deleted by admin]
« Last Edit: September 14, 2007, 09:55:15 PM by rcbblgy »

Offline rcbblgy

Re: A badjoke program CFP can't block (Defense+)
« Reply #23 on: September 14, 2007, 09:49:49 PM »
How is it that v3 cannot block it?  If the program cannot shut down the system until it is allowed to run, and CFP can prevent it from executing, then....

Can you please explain more about what you are experiencing when you test this with v3?

Tnx,

LM
Yes, CFP can block it when it is executed; then it can't run and shut down the system. In this view, no bad program can do bad things if it is blocked when it is executed. But if I don't know that this program is a bad one, then I will allow it to run. When "flip*.exe" is executed, I allow it, then my system is shut down, and there are no alerts.

Offline rcbblgy

Re: A small program which can't be blocked by CFP (Defense+) (add two new ones)
« Reply #24 on: September 15, 2007, 09:54:54 AM »
One more: CFP can block it when it is executed, but if it runs, it will restart the system and CFP can't deny it; ProSecurity and SSM can deny it.

[attachment deleted by admin]

Offline Little Mac

Re: A badjoke program CFP can't block (Defense+)
« Reply #25 on: September 15, 2007, 09:27:32 PM »
Yes, CFP can block it when it is executed; then it can't run and shut down the system. In this view, no bad program can do bad things if it is blocked when it is executed. But if I don't know that this program is a bad one, then I will allow it to run. When "f**k.exe" is executed, I allow it, then my system is shut down, and there are no alerts.
If you're allowing it to execute using CFP, then I don't think CFP has missed it; it's doing what you told it you wanted to do. That would qualify as "user" error rather than "program" error... ;)

Wouldn't the same be true of ProSecurity? If you allowed this application to execute in PS, wouldn't ****.exe do the same thing and shut down the system? Or does PS somehow block it even though you say to allow it?

LM

Offline rcbblgy

Re: A small program which can't be blocked by CFP (Defense+) (add two new ones)
« Reply #26 on: September 15, 2007, 11:42:46 PM »
PS can block the program when it is executed; then I allow it, and the program will try to shut down the system. At this point PS will alert me that the program wants to shut down the system; I can deny it and the system won't be shut down. But CFP can't: it can only block the program when it is executed. CFP can't detect and block the program wanting to shut down the system, but PS and SSM can. As I said, if I don't know this program is a bad one or a virus, I will allow it when it is executed, and CFP can't block the operation after the program runs. I think CFP fails.
« Last Edit: September 15, 2007, 11:52:39 PM by rcbblgy »

Offline rcbblgy

About API "BlockInput" and reg link
« Reply #27 on: September 22, 2007, 07:22:51 AM »
There is a program which uses "BlockInput". After it runs, click "start" in its interface; then the mouse and keyboard will not work. Because the program only blocks the keyboard and mouse once, you can press Ctrl+Alt+Del and they will work again; if the program blocked the keyboard and mouse all the time, I think they would never work until you reboot. After clicking "start" (while the keyboard and mouse are being blocked), the program will modify the registry, but there is no alert about that. I don't know what a reg link is; the author said the program would create a reg link.

[attachment deleted by admin]
« Last Edit: September 23, 2007, 10:39:51 AM by rcbblgy »
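The calls this thread keeps returning to, ZwSystemDebugControl with request codes 8 and 9 (Reply #18), RtlAdjustPrivilege followed by ZwShutdownSystem (Reply #22) and BlockInput (the post above), all leave a trace in a sample's import table when the author links them normally, which is the cheapest place to look before running the file under a HIPS at all. The following is an added example of mine, not code from any poster or from Comodo: a stdlib-only parser for the PE import directory plus a watch-list check over the names mentioned in this thread. build_sample_pe() constructs a minimal, non-executable PE32 purely so the example runs offline; real samples are read from disk.

```python
import struct

# Entry points named in this thread; importing them is a triage hint, not proof of malice.
WATCHLIST = {
    "ntdll.dll": {"NtShutdownSystem", "ZwShutdownSystem",
                  "NtSystemDebugControl", "ZwSystemDebugControl",
                  "NtSetSystemTime", "ZwSetSystemTime", "RtlAdjustPrivilege"},
    "user32.dll": {"BlockInput"},
}


def _rva_to_offset(sections, rva):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll name (lowercase): [imported symbol, ...]} from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory 1 is the import table; directories start at +96 (PE32) or +112 (PE32+).
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    # (VirtualAddress, SizeOfRawData, PointerToRawData) of each section header
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    thunk_fmt, thunk_len, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    imports, desc = {}, _rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                      # null descriptor terminates the table
            break
        dll = _cstring(data, _rva_to_offset(sections, name_rva)).lower()
        thunk, funcs = _rva_to_offset(sections, oft or ft), []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:               # import by ordinal: no name to match
                funcs.append("#%d" % (entry & 0xFFFF))
            else:                              # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                funcs.append(_cstring(data, _rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))
            thunk += thunk_len
        imports[dll] = funcs
        desc += 20
    return imports


def flag_native_calls(imports):
    """Return sorted (dll, symbol) pairs that appear on the watch-list."""
    return sorted((dll, f) for dll, funcs in imports.items()
                  for f in funcs if f in WATCHLIST.get(dll, ()))


def build_sample_pe(imports):
    """Constructed, non-runnable PE32 with one .idata section; exists only to feed the parser."""
    sect_rva, sect_off, dlls = 0x1000, 0x200, list(imports.items())
    thunks_at = 20 * (len(dlls) + 1)
    names_at = thunks_at + sum(4 * (len(f) + 1) for _, f in dlls)
    names, rva = bytearray(), {}
    for dll, funcs in dlls:
        for f in funcs:
            rva[(dll, f)] = sect_rva + names_at + len(names)
            names += b"\0\0" + f.encode() + b"\0"          # hint + name + NUL
        rva[dll] = sect_rva + names_at + len(names)
        names += dll.encode() + b"\0"
    descs, thunks = bytearray(), bytearray()
    for dll, funcs in dlls:
        t = sect_rva + thunks_at + len(thunks)
        descs += struct.pack("<IIIII", t, 0, 0, rva[dll], t)
        thunks += b"".join(struct.pack("<I", rva[(dll, f)]) for f in funcs) + bytes(4)
    descs += bytes(20)
    idata = bytes(descs + thunks + names)
    opt = (struct.pack("<H", 0x10B).ljust(96, b"\0") + bytes(8)
           + struct.pack("<II", sect_rva, len(descs))).ljust(224, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = b".idata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(idata), sect_rva, len(idata), sect_off, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + sect
    return hdr.ljust(sect_off, b"\0") + idata


SAMPLE = build_sample_pe({"ntdll.dll": ["ZwShutdownSystem", "ZwSystemDebugControl", "RtlAdjustPrivilege"],
                          "user32.dll": ["BlockInput"], "kernel32.dll": ["ExitProcess"]})

if __name__ == "__main__":
    for dll, sym in flag_native_calls(parse_imports(SAMPLE)):
        print("suspicious import: %s!%s" % (dll, sym))
```

The check is deliberately a static pre-filter: a sample that resolves these names through GetProcAddress, or issues the system call from its own stub, shows nothing here, and RtlAdjustPrivilege on its own is common in benign code. Its value is in deciding which "small program" deserves the run under a HIPS with every prompt read, rather than in replacing that run.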

Offline MasterTB

Re: A badjoke program CFP can't block (Defense+)
« Reply #28 on: September 23, 2007, 08:16:22 PM »
If you're allowing it to execute using CFP, then I don't think CFP has missed it; it's doing what you told it you wanted to do. That would qualify as "user" error rather than "program" error... ;)

Wouldn't the same be true of ProSecurity? If you allowed this application to execute in PS, wouldn't ****.exe do the same thing and shut down the system? Or does PS somehow block it even though you say to allow it?

LM

I MUST DISAGREE, because if the program is something you don't know is bad, then Comodo should block its BAD actions for your protection. If other HIPS can do it, then Comodo is in need of a new function. Despite what you say, it is not human error but a program error if Comodo doesn't have the ability to block a kill function in a program.

Offline gibran

Re: A badjoke program CFP can't block (Defense+)
« Reply #29 on: September 23, 2007, 09:10:31 PM »
I MUST DISAGREE, because if the program is something you don't know is bad, then Comodo should block its BAD actions for your protection. If other HIPS can do it, then Comodo is in need of a new function. Despite what you say, it is not human error but a program error if Comodo doesn't have the ability to block a kill function in a program.

I would like to know: is there any other HIPS that blocks a dangerous exploit like shutdown -s or RUNDLL32.EXE user.exe,exitwindows :P?
« Last Edit: September 23, 2007, 09:13:34 PM by gibran »

 
