Ok, now about security.
Does V 3 of CFP protect us against the exploit of mshta.exe?
Why doesn't more malware use it, since it seems to be efficient?
Is HIPS the only way to do that?
In greenborder.com they use a GreenBorder-Security-Test.hta file that you download and run.
It uses mshta.exe (just like some new malware) to create a folder on your desktop with "stolen" documents and so on... It also creates a mshta.exe.mui on your desktop.
It creates a script file that does an "eggdrop"...?
It's called GreenBorderEgDrop.js; it does something and saves to "GreenBorderPsSee.exe".
Both files are found in C:\Documents and Settings\YourName\Local settings\Temp
There is something about a MZKERNEL32.DLL...
I found mshta.exe in three folders.
I found some info that it uses lsass.exe so that the process talks to LSASS and reads the data from the registry; this path is not visible from the Admin context. Permissions need to be changed to read it. (stealing passwords?)
These are my observations without knowledge in programming or using special tools.
It would be nice if someone at Comodo explained this test/scenario in plain language.
The main question is, should I keep mshta.exe renamed?
Do you know if it's needed in other files than .hta?
I only found one .hta file on my PC besides those testfiles. It was for WMP.