Defence Plus doesn't intercept DLL injection?

Comodo v8 on Windows 8.1, Proactive config, even with Paranoid mode.

It doesn't detect DLL injection by Malwarebytes Anti-Exploit and EMET (mbae.dll and emet.dll) into browsers or any other protected process. I am disappointed.

There is some interception of MBAE on XP by Comodo Defence Plus v5, but here too the alert is rather strange.

:-TD

[attachment deleted by admin]

Are you using HIPS in Safe Mode or Paranoid Mode?

Paranoid mode in Proactive config.

Here is the interception of DLL injection by EQSecure HIPS on XP.

[attachment deleted by admin]

Because these DLL files are all trusted by Comodo.
Why do you want these trusted DLL injections to be detected? They don't even harm your OS and data.

Hmmm… I don't think these are trusted. I tested with Paranoid settings and the trusted files feature off.

I am just testing it, as if my findings are correct, the same thing can be done by malware without interception by Comodo. I might be wrong somewhere though.

It depends on whether the files are safe or not. If these files are trusted, you are right, CIS won't monitor them and it's normal behavior. So to do a perfect test you need to set the File Rating Settings according to what you see in the attached picture. It will create the same situation for the files, so you can see how the defense reacts to an unknown program that injects arbitrary code into arbitrary processes. Please make sure the files are not in the Trusted Files list before testing as well.

[attachment deleted by admin]

HIPS in Paranoid mode will ignore whether a file is trusted/safe, it will monitor and alert for both safe and unknown applications.

I tested this tool a few minutes ago. CIS passed the test. In general CIS can protect you against code injection if the injector is not trusted.

I'm not sure, but it seems a couple of vendors can't pass the test.

http://s21.postimg.org/kejpvv0ev/Exploit_Test_Norton.png
http://s15.postimg.org/myn0wrz9n/Exploit_Test_Mc_Afee.png
http://s23.postimg.org/xki241p9n/Exploit_Test_ESET.png
http://s24.postimg.org/x9d0atlfp/Exploit_Test_Avira.png
http://s8.postimg.org/w4dhi6sc5/Exploit_Test_AVG.png
http://s23.postimg.org/pz9zbgnxn/Exploit_Test_Avast.png

And what about CIS? Attached.

[attachment deleted by admin]

Hmmm… it seems you have no idea what I am complaining about. >:(

I made it very clear already: Paranoid mode and no trusted files/vendors. My settings were essentially the same as shown in your pic.

Let us see. In the meantime, can you please share the links to those files so that we can download and test?

Thanks,
Egemen

Just wondering, could it be possible there were rules currently in place in the HIPS rules that would allow said application to access the memory of other applications?

I'm not sure if we understand the process or motive, actually. Why are such kinds of tests marked as "trusted" if they originate from a "trusted vendor"? I've noticed that whitelisting requests are processed (with the mentioned scenario).
Similarly, malware tests such as EICAR ones are not "trusted". The problem might lie in the process.

Link to requested exploit test:

Thanks.

Thanks.
What he is saying is he disabled whitelist check and put HIPS into paranoid mode. In this case, alerts would appear.

Sorry, could you make a video of the test? I want to see how CIS fails it.

Here is the alert we see.

[attachment deleted by admin]

Thanks Egemen. Seems something is wrong in my settings. I tested on Windows 8.1. Need to test it again. Are you able to get an alert about EMET.dll injection as well? I don't get that alert with any of the HIPS.

BTW, I am also confused about the alert. The Comodo alert has been like this for a long time. Here the DLL is actually injected by MBAE into test.exe, but the alert shows the opposite. I have seen the same sort of confusing alert in the case of ThreatFire in the past. On the other hand, some HIPS like EQSecure show the DLL injection by MBAE into test.exe.

I think the alert is not from v8, as the GUI is different for me on Win 8.1 with version 8. I tried again and checked the settings. All OK, but no alert.

I have a couple of other security programs like Sandboxie etc. installed. Maybe a conflict?

EMET.dll is not injected in the traditional sense, hence you won't see any alerts. MBAE does injection through its kernel component, and hence we do not interfere with it (it has stability implications). This is a method used by many other security products, including CIS.