Author Topic: Defence Plus doesn't intercept dll injection?  (Read 4900 times)

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Defence Plus doesn't intercept dll injection?
« on: December 20, 2014, 03:24:30 PM »
Comodo v8 on Windows 8.1, Proactive config, even with Paranoid mode.

It doesn't detect DLL injection by Malwarebytes Anti-Exploit and EMET (mbae.dll and emet.dll) into browsers or any other protected process. I am disappointed.

There is some interception for MBAE on XP by Comodo Defence Plus v5, but there the alert is also rather strange.

 :-TD

[attachment deleted by admin]
« Last Edit: December 26, 2014, 02:08:27 AM by aigle »

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4213
  • Lurking
Re: Defence Plus doesn't intercept dll injection
« Reply #1 on: December 20, 2014, 03:38:26 PM »
Are you using HIPS in Safe Mode or Paranoid Mode?
I support privacy and freedom online - eff.org

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection
« Reply #2 on: December 20, 2014, 03:44:55 PM »
Paranoid mode in proactive config.

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection
« Reply #3 on: December 21, 2014, 03:28:06 AM »
Here is the interception of DLL injection by EQSecure HIPS on XP.

[attachment deleted by admin]

Offline Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 403
Re: Defence Plus doesn't intercept dll injection
« Reply #4 on: December 21, 2014, 11:18:36 PM »
Because these DLL files are all trusted by Comodo.
Why do you want these trusted DLL injections to be detected? They don't even harm your OS and data.

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection
« Reply #5 on: December 22, 2014, 09:53:05 AM »
Hmmm... I don't think these are trusted. I tested with Paranoid settings and the Trusted Files feature off.

I am just testing it, as if my findings are correct, the same thing can be done by malware without interception by Comodo. I might be wrong somewhere though.

Offline Wisdom

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1026
  • Default-Deny Protection
    • CFI
Re: Defence Plus doesn't intercept dll injection
« Reply #6 on: December 22, 2014, 11:27:51 AM »
Hmmm... I don't think these are trusted. I tested with Paranoid settings and the Trusted Files feature off.

I am just testing it, as if my findings are correct, the same thing can be done by malware without interception by Comodo. I might be wrong somewhere though.

It depends on whether the files are safe or not. If these files are trusted, you are right, CIS won't monitor them and that is normal behavior. So to do a proper test you need to set the File Rating Settings according to what you see in the attached picture. It will create the same situation for the files, so you can see how the defense reacts to an unknown program injecting arbitrary code into arbitrary processes. Please make sure the files are not in the Trusted Files list before testing as well.


[attachment deleted by admin]
Heuristics: detecting tomorrow’s threats today

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4213
  • Lurking
Re: Defence Plus doesn't intercept dll injection
« Reply #7 on: December 22, 2014, 02:44:29 PM »
It depends on whether the files are safe or not. If these files are trusted, you are right, CIS won't monitor them and that is normal behavior. So to do a proper test you need to set the File Rating Settings according to what you see in the attached picture. It will create the same situation for the files, so you can see how the defense reacts to an unknown program injecting arbitrary code into arbitrary processes. Please make sure the files are not in the Trusted Files list before testing as well.


HIPS in Paranoid mode will ignore whether a file is trusted/safe; it will monitor and alert for both safe and unknown applications.
I support privacy and freedom online - eff.org

Offline Wisdom

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1026
  • Default-Deny Protection
    • CFI
Re: Defence Plus doesn't intercept dll injection
« Reply #8 on: December 22, 2014, 03:52:39 PM »
I tested this tool a few minutes ago. CIS passed the test. In general CIS can protect you against code injection if the injector is not trusted.

I'm not sure but it seems a couple of vendors can't pass the test.

http://s21.postimg.org/kejpvv0ev/Exploit_Test_Norton.png
http://s15.postimg.org/myn0wrz9n/Exploit_Test_Mc_Afee.png
http://s23.postimg.org/xki241p9n/Exploit_Test_ESET.png
http://s24.postimg.org/x9d0atlfp/Exploit_Test_Avira.png
http://s8.postimg.org/w4dhi6sc5/Exploit_Test_AVG.png
http://s23.postimg.org/pz9zbgnxn/Exploit_Test_Avast.png

And what about CIS? Attached.

[attachment deleted by admin]
« Last Edit: December 22, 2014, 04:09:47 PM by Wisdom »
Heuristics: detecting tomorrow’s threats today

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection
« Reply #9 on: December 23, 2014, 11:35:52 AM »
I tested this tool a few minutes ago. CIS passed the test. In general CIS can protect you against code injection if the injector is not trusted.

I'm not sure but it seems a couple of vendors can't pass the test.

http://s21.postimg.org/kejpvv0ev/Exploit_Test_Norton.png
http://s15.postimg.org/myn0wrz9n/Exploit_Test_Mc_Afee.png
http://s23.postimg.org/xki241p9n/Exploit_Test_ESET.png
http://s24.postimg.org/x9d0atlfp/Exploit_Test_Avira.png
http://s8.postimg.org/w4dhi6sc5/Exploit_Test_AVG.png
http://s23.postimg.org/pz9zbgnxn/Exploit_Test_Avast.png

And what about CIS? Attached.
Hmmm... it seems you have no idea what I am complaining about. >:(

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection
« Reply #10 on: December 23, 2014, 11:37:48 AM »
It depends on whether the files are safe or not. If these files are trusted, you are right, CIS won't monitor them and that is normal behavior. So to do a proper test you need to set the File Rating Settings according to what you see in the attached picture. It will create the same situation for the files, so you can see how the defense reacts to an unknown program injecting arbitrary code into arbitrary processes. Please make sure the files are not in the Trusted Files list before testing as well.
I made it very clear already: Paranoid mode and no trusted files/vendors. My settings were essentially the same as shown in your pic.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Defence Plus doesn't intercept dll injection
« Reply #11 on: December 23, 2014, 11:45:40 AM »
Comodo v8 on Windows 8.1, Proactive config, even with Paranoid mode.

It doesn't detect DLL injection by Malwarebytes Anti-Exploit and EMET (mbae.dll and emet.dll) into browsers or any other protected process. I am disappointed.

There is some interception for MBAE on XP by Comodo Defence Plus v5, but there the alert is also rather strange.

 :-TD

Let us see. In the meantime, can you please share the links to those files so that we can download and test?

Thanks,
Egemen

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4213
  • Lurking
Re: Defence Plus doesn't intercept dll injection
« Reply #12 on: December 23, 2014, 12:05:16 PM »
I made it very clear already: Paranoid mode and no trusted files/vendors. My settings were essentially the same as shown in your pic.

Just wondering, could it be possible there were rules currently in place in the HIPS rules that would allow said application to access the memory of other applications?
I support privacy and freedom online - eff.org

Offline windstorm

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3571
Re: Defence Plus doesn't intercept dll injection
« Reply #13 on: December 23, 2014, 12:14:21 PM »
Let us see. In the meantime, can you please share the links to those files so that we can download and test?

Thanks,
Egemen

I'm not sure if we understand the process or motive, actually. Why are such kinds of tests marked as "trusted" if they originate from a "trusted vendor"? I've noticed that whitelisting requests are processed (with the mentioned scenario).
Similarly, malware tests such as EICAR ones are not "trusted". The problem might lie in the process.

Link to the requested exploit test:
https://forums.malwarebytes.org/index.php?/topic/139368-how-to-verify-that-mbae-is-working-correctly/


Thanks.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Defence Plus doesn't intercept dll injection
« Reply #14 on: December 23, 2014, 12:16:08 PM »
I'm not sure if we understand the process or motive, actually. Why are such kinds of tests marked as "trusted" if they originate from a "trusted vendor"? I've noticed that whitelisting requests are processed (with the mentioned scenario).
Similarly, malware tests such as EICAR ones are not "trusted". The problem might lie in the process.

Link to the requested exploit test:
https://forums.malwarebytes.org/index.php?/topic/139368-how-to-verify-that-mbae-is-working-correctly/


Thanks.
Thanks.
What he is saying is that he disabled the whitelist check and put HIPS into Paranoid mode. In this case, alerts would appear.