Author Topic: Proofs of Concepts Vs. CFP3  (Read 43696 times)

Offline Ultra-Bot

  • Comodo Family Member
  • ***
  • Posts: 73
Re: A badjoke program CFP cann't block (defense+)
« Reply #90 on: November 20, 2007, 11:22:03 AM »
Why don't you try them out yourself and report back any problems you find?

This may help you better understand how V3 works or doesn't work :)

Al

Trust me, I honestly would, but it seems to me I'll have to ask the vendor so they can test it. And again, I would honestly ask them to test them with every possible test they have on this/their website:
http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm

These are ALL of the tests possible on how good an HIPS really is.

I only need confirmation from both Egemen and Melih so that I can send an e-mail to them asking them to test Comodo's HIPS at both the default level and the highest level as well.
That's why I truly hope Egemen or Melih will answer me.

The fact is I already asked Melih to look after these tests, since they are extremely important: these strange rootkits and trojans, tested in this comparative, are changing the rules. Some of these samples try to 'break' the HIPS (or firewall) in order to bypass it.

As the website says (http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm):

"The reason is that in normal circumstances, the HIPS would detect and prevent the changes needed by the malware to install, or to work the way it is designed to, thanks to its 'sensors' (kernel-mode hooks). Thus, it is probably a kind of workaround the authors of this malware have found: they try to break the 'sensors' of programs that are in theory able to block them, to prevent their install. By breaking these 'sensors', the HIPS or firewall is left in a state where it is still running, but completely blind: it is not able to intercept anything anymore, and thus cannot prevent anything either. Exactly as if it had been uninstalled...

This way, the malware is free to install and to perform any changes it needs on the system (for example, during tests with one program, after a simple process execution, a rootkit was installed, undetected, and could install 2 other kernel-mode rootkits, without any alerts from the HIPS; nothing in the logs either: the program was like dead). Once they've anaesthetized/killed the HIPS, or the firewall, nothing can stop them, except detection/removal by an antivirus, antispyware or antitrojan. Or manual removal with specific tools, like some antirootkits.

This malware is then very dangerous, not only because it can bypass programs that are supposed to block it, but because once it is installed, nothing abnormal shows on a system protected by a HIPS that was bypassed: if the HIPS was killed, the program interface still shows its status as 'OK', 'running', leaving the user in a false sense of security (thinking he is protected, although he isn't).

Remember that this comparative is only meant to test programs on these unhookers, which is a very special, singular, and uncommon kind of malware, though all these samples (except the Bifrost server) come from real infections, meaning that such malware is spreading for real."

This is why I'm so concerned.

I should also write an e-mail to http://www.techsupportalert.com/Security%20Tests/HIPS/Security%20Tests%20-%20CyberHawk%20V1.2.htm
so they test it, the same as Online Armor has done, to re-test their newest version.

But again, I don't want to do it without Egemen's or Melih's approval. Or simply, they can both send e-mail requests to test against all the trojan, worm and rootkit tests, the same as Dynamic Security Agent was tested: http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm

Any other opinions?
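The quoted nicmtests text describes the mechanism in prose only: the HIPS sensors are kernel-mode hooks in a dispatch table, the unhooker writes the clean pointers back, and the HIPS keeps reporting "running" while intercepting nothing. The following is an added example, not code from this thread, from nicmtests or from Comodo. It is a user-mode model in C: the `dispatch[]` table, the `sys_*` services, the hook functions and the `unhooker_restore()` routine are all hypothetical stand-ins for the kernel's service table and a real unhooker, constructed so the scenario runs offline. The point it adds beyond the quote is the last function: a sensor integrity self-check that a HIPS can run so its status reflects whether its hooks are still in place, rather than merely whether its process is alive.

```c
/* Added example (not from the original thread). User-mode model of an
 * "unhooker" against a hook-based HIPS. dispatch[] stands in for the
 * kernel service table; everything here is a constructed stand-in. */
#include <stdio.h>
#include <string.h>

typedef int (*syscall_fn)(const char *arg);

enum { SYS_CREATE_FILE, SYS_LOAD_DRIVER, SYS_COUNT };

/* "clean" kernel services (hypothetical) */
static int sys_create_file(const char *path) { (void)path; return 0; }
static int sys_load_driver(const char *path) { (void)path; return 0; }

/* the table the sensors hook, modelled on an SSDT */
static syscall_fn dispatch[SYS_COUNT];
static syscall_fn original[SYS_COUNT];   /* saved by the HIPS on hook */

/* HIPS state */
static int hips_running = 0;             /* process alive? */
static int alerts = 0;                   /* events the sensors saw */
static syscall_fn hips_hooks[SYS_COUNT];

/* sensor: log every call, block writes into the system directory */
static int hook_create_file(const char *path) {
    alerts++;
    if (strstr(path, "\\system32\\") != NULL) return -1;
    return original[SYS_CREATE_FILE](path);
}
/* sensor: log and block every driver load */
static int hook_load_driver(const char *path) {
    (void)path;
    alerts++;
    return -1;
}

static void kernel_init(void) {
    dispatch[SYS_CREATE_FILE] = sys_create_file;
    dispatch[SYS_LOAD_DRIVER] = sys_load_driver;
    hips_running = 0;
    alerts = 0;
}

/* HIPS installs its sensors by overwriting table entries */
static void hips_install(void) {
    hips_hooks[SYS_CREATE_FILE] = hook_create_file;
    hips_hooks[SYS_LOAD_DRIVER] = hook_load_driver;
    for (int i = 0; i < SYS_COUNT; i++) {
        original[i] = dispatch[i];
        dispatch[i] = hips_hooks[i];
    }
    hips_running = 1;
}

/* What the unhooker does: it writes the clean service addresses back.
 * The HIPS process is never touched, so it keeps "running". */
static void unhooker_restore(void) {
    dispatch[SYS_CREATE_FILE] = sys_create_file;
    dispatch[SYS_LOAD_DRIVER] = sys_load_driver;
}

/* The naive "OK / running" status the post complains about. */
static int hips_status_naive(void) { return hips_running; }

/* Integrity self-check: a sensor counts as present only if the table
 * still points at our hook. Returns how many sensors are in place. */
static int hips_sensors_in_place(void) {
    int n = 0;
    for (int i = 0; i < SYS_COUNT; i++)
        if (dispatch[i] == hips_hooks[i]) n++;
    return n;
}

/* sensors present right after a clean install (expected: SYS_COUNT) */
static int sensors_after_install(void) {
    kernel_init();
    hips_install();
    return hips_sensors_in_place();
}

/* Full scenario. Returns 1 when the HIPS reports "running" although a
 * driver load went through with no alert, i.e. the blind state. */
static int scenario_blind_hips(void) {
    kernel_init();
    hips_install();
    dispatch[SYS_LOAD_DRIVER]("rootkit.sys");          /* blocked, alerted */
    int alerts_before = alerts;
    unhooker_restore();                                /* sensors broken */
    int rc = dispatch[SYS_LOAD_DRIVER]("rootkit2.sys"); /* succeeds silently */
    return hips_status_naive() == 1 && rc == 0 && alerts == alerts_before;
}

int main(void) {
    printf("sensors after install: %d\n", sensors_after_install());
    printf("blind HIPS reached: %d\n", scenario_blind_hips());
    printf("naive status: %d, sensors in place: %d\n",
           hips_status_naive(), hips_sensors_in_place());
    return 0;
}
```

The naive status and the self-check disagree after `unhooker_restore()`: the process is alive, but zero sensors remain. A real HIPS faces the same problem with more moving parts (inline patches, filter drivers, callbacks), and the self-check has to be done from a context the unhooker cannot also tamper with; the model only shows why "running" is not the same as "protecting".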



Offline Ultra-Bot

  • Comodo Family Member
  • ***
  • Posts: 73
Re: A badjoke program CFP cann't block (defense+)
« Reply #91 on: November 20, 2007, 11:25:37 AM »

The fact is there is NO LINK from which I can simply download these special HIPS tests. That's why I think the only way to test Comodo's HIPS against these special HIPS tests is simply to write an e-mail to the author/creator of these tests.
Any other opinions?