Author Topic: Defence Plus doesn't intercept dll injection?  (Read 4901 times)

Offline Wisdom

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1026
  • Default-Deny Protection
    • CFI
Re: Defence Plus doesn't intercept dll injection
« Reply #15 on: December 23, 2014, 12:30:29 PM »
I made it very clear already,

Sorry, Could you make a video of the test? I want to see how CIS fails it.
« Last Edit: December 23, 2014, 12:42:52 PM by Wisdom »
Heuristics: detecting tomorrow’s threats today

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Defence Plus doesn't intercept dll injection
« Reply #16 on: December 23, 2014, 02:17:45 PM »
Comodo v 8 on windows 8.1, proactive config with even paranoid mode.

It doesn't detect dll injection by MalwareBytes Antiexploit and EMET( mbae.dll and emet.dll) into browsers or any other protected process. I am disappointed.

There is some interception for MBAE on XP by Comodo Defence Plus v 5 but here also alert is rather strange.

 :-TD

Here is the alert we see.

[attachment deleted by admin]

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection
« Reply #17 on: December 26, 2014, 02:05:17 AM »
Thanks egemen. Seems something wrong in my settings. I tested on windows 8.1. Need to test it again. Are you able to get an alert about EMET.dll injection as well? I don't get that alert with any of the HIPS.

BTW I am too confused about thev . Comodo alert has been since long like this. Here actually dll is injected by MBAE into test.exe but alert is showing the opposite. I have seen same sort of confusing alert in case of ThreatFire in the past. On the other hand some HIPS like EQsecure show the dll injection by MBAE into the test.exe.
« Last Edit: December 26, 2014, 02:10:58 AM by aigle »

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection?
« Reply #18 on: December 26, 2014, 02:38:42 AM »
I think the alert is not from v 8 as the GUI is different for me on win 8.1 with version 8. I tried again and checked settings. All OK but no alert.

I have a couple of other security software like Sandboxie etc. installed. Maybe a conflict?

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Defence Plus doesn't intercept dll injection
« Reply #19 on: December 26, 2014, 10:33:34 AM »
Thanks egemen. Seems something wrong in my settings. I tested on windows 8.1. Need to test it again. Are you able to get an alert about EMET.dll injection as well? I don't get that alert with any of the HIPS.

BTW I am too confused about thev . Comodo alert has been since long like this. Here actually dll is injected by MBAE into test.exe but alert is showing the opposite. I have seen same sort of confusing alert in case of ThreatFire in the past. On the other hand some HIPS like EQsecure show the dll injection by MBAE into the test.exe.

Emet.dll is not injected in the traditional sense, hence you won't see any alerts. MBAE does injection through its kernel component and hence we do not interfere with it (it has stability implications). This is a method used by many other security software including CIS.
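The distinction egemen draws above, between a DLL pushed into a process through a user-mode API that a HIPS can hook and one mapped by a security product's kernel component, is exactly what decides whether an alert appears. The script below is an added example (not CIS code and not anything Comodo ships) showing how a defender can triage module loads into protected processes once that distinction is understood: it correlates image-load records with remote-thread records, and only treats a non-system module as "explained" when either a user-mode injection event precedes it or the module is on a known security-product allowlist. The log format, process list, allowlist (keyed on file name here; key on code-signing identity in a real deployment), and the five-second correlation window are all constructed assumptions for the demo.

```python
"""Triage DLL loads into protected processes from image-load and remote-thread records.
Constructed sample data; the record format is an assumption for this example, not a real tool's output."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Processes whose module loads we want to review (constructed list).
PROTECTED_PROCESSES = {"firefox.exe", "chrome.exe", "iexplore.exe", "test.exe"}
# Modules the thread says are placed by a security product's kernel component.
# Constructed allowlist keyed on file name for the demo; use signer identity in practice.
KNOWN_SECURITY_MODULES = {"mbae.dll", "emet.dll"}
# OS-supplied module directories we do not review here.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# How long before an image load a remote thread still counts as its cause (assumption).
CORRELATION_WINDOW = timedelta(seconds=5)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>ImageLoad|CreateRemoteThread) (?P<fields>.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: Dict[str, str]


def parse_line(line: str) -> Event:
    """Parse one 'timestamp kind key=value ...' record; values may contain spaces."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    # Split only at spaces that start a new key=value pair, so paths keep their spaces.
    pairs = re.split(r" (?=[a-z_]+=)", m.group("fields"))
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(m.group("ts")), m.group("kind"), fields)


def classify_loads(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per non-system module loaded into a protected process."""
    events = [parse_line(line) for line in lines if line.strip()]
    remote_threads = [e for e in events if e.kind == "CreateRemoteThread"]
    findings = []
    for e in events:
        if e.kind != "ImageLoad" or e.fields["image"].lower() not in PROTECTED_PROCESSES:
            continue
        module = e.fields["module"]
        if module.lower().startswith(SYSTEM_DIRS):
            continue
        name = module.lower().rsplit("\\", 1)[-1]
        # A remote thread into the same pid shortly before the load is the user-mode
        # injection path a HIPS hook would see.
        injector = next((t for t in remote_threads
                         if t.fields["target_pid"] == e.fields["pid"]
                         and timedelta(0) <= e.ts - t.ts <= CORRELATION_WINDOW), None)
        if injector is not None:
            verdict = "user-mode remote-thread injection"
            detail = f"thread created by {injector.fields['source']} at {injector.fields['start']}"
        elif name in KNOWN_SECURITY_MODULES:
            verdict = "kernel-driven load by known security product"
            detail = "no user-mode injection call to hook; a HIPS alert is not expected"
        else:
            verdict = "unexplained non-system module"
            detail = "loaded without a visible user-mode injection event; review"
        findings.append({"pid": e.fields["pid"], "image": e.fields["image"],
                         "module": name, "verdict": verdict, "detail": detail})
    return findings


# Constructed sample records: a browser that receives two security-product modules,
# one module delivered by a remote thread from test.exe, and one unexplained helper.
SAMPLE_LOG = """\
2014-12-26T10:00:00 ImageLoad pid=1234 image=firefox.exe module=C:\\Windows\\System32\\ntdll.dll
2014-12-26T10:00:01 ImageLoad pid=1234 image=firefox.exe module=C:\\Program Files\\Malwarebytes Anti-Exploit\\mbae.dll
2014-12-26T10:00:02 ImageLoad pid=1234 image=firefox.exe module=C:\\Program Files\\EMET 5.1\\EMET.dll
2014-12-26T10:00:03 CreateRemoteThread source=test.exe source_pid=4321 target=firefox.exe target_pid=1234 start=kernel32.dll!LoadLibraryW
2014-12-26T10:00:04 ImageLoad pid=1234 image=firefox.exe module=C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll
2014-12-26T10:00:10 ImageLoad pid=1234 image=firefox.exe module=C:\\Program Files\\SomeVendor\\helper.dll
"""

if __name__ == "__main__":
    for f in classify_loads(SAMPLE_LOG.splitlines()):
        print(f"{f['image']} pid={f['pid']} {f['module']}: {f['verdict']} ({f['detail']})")
```

On the sample, mbae.dll and EMET.dll come back as kernel-driven security-product loads (the case in which the thread says no Defence Plus alert should be expected), payload.dll is tied to the remote thread from test.exe, and helper.dll is left for review because nothing in the user-mode telemetry explains it. The practical point for a practitioner is that a HIPS which hooks user-mode injection APIs covers only the first of these paths, so image-load telemetry or periodic module enumeration is the complementary check for the other two.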

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection?
« Reply #20 on: December 26, 2014, 02:54:29 PM »
Thanks, I understand that.

BTW just to make sure, the alert you posted is from v 8 ? I am using different skin on version 8 so I am not sure.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Defence Plus doesn't intercept dll injection?
« Reply #21 on: December 26, 2014, 04:23:36 PM »
Thanks, I understand that.

BTW just to make sure, the alert you posted is from v 8 ? I am using different skin on version 8 so I am not sure.

Yes, from CIS 8. I'm using Classic Theme. You can change themes from Advanced Settings->User Interface.

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 716
Re: Defence Plus doesn't intercept dll injection?
« Reply #22 on: December 26, 2014, 05:21:04 PM »
Thanks. Yes, I know about themes but just wanted to be sure.  :) Thanks. Seems something related to my system. Thanks for your time to test it for me.
