Author Topic: Phide.exe rootkit bypassed Defence Plus [Reason found]  (Read 35878 times)

Someone

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #15 on: July 28, 2008, 11:39:56 AM »
I think I'm going to have a hard time again, explaining a simple thing to you.

This is not "aigle claims CFP failed", and "aha see you luser CFP passes, I proved you wrong".

Look at what he said: "Can anyone confirm my findings?". He is asking for confirmation, he's not claiming anything.

Aigle came here to see if his results match the results from others.
In future, do not participate. You have the wrong attitude, and you make people not want to post tests.

Get your fanboy hat off. No one is attacking Comodo.


Offline doktornotor

  • Comodo's Hero
  • *****
  • Posts: 222
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #16 on: July 28, 2008, 12:16:27 PM »
This is not "aigle claims CFP failed", and "aha see you luser CFP passes, I proved you wrong".
Look at what he said: "Can anyone confirm my findings?". He is asking for confirmation, he's not claiming anything.
Aigle came here to see if his results match the results from others.

You apparently missed the (original) Wilders Security thread...

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #17 on: July 28, 2008, 12:21:58 PM »
You apparently missed the (original) Wilders Security thread...

I do not care to post at Wilders so can you post my screen there proving the D+ shows the memory block. Thanks.

Offline doktornotor

  • Comodo's Hero
  • *****
  • Posts: 222
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #18 on: July 28, 2008, 12:23:05 PM »
I do not care to post at Wilders so can you post my screen there proving the D+ shows the memory block. Thanks.

Well, been already done  ;)

Someone

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #19 on: July 28, 2008, 12:30:30 PM »
You apparently missed the (original) Wilders Security thread...
A person, in good faith, having read both threads as you did, will understand that aigle wants feedback, and confirmation.

He may have forgotten to include "Can anyone confirm my findings?" in Wilders, but that is mostly tied to the fact that in Wilders it's obvious, and long time Wilders members will verify results if possible, have a friendly discussion, purely based on technical issues.

Offline LeoniAquila

  • Retired moderator
  • Comodo's Hero
  • *****
  • Posts: 6745
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #20 on: July 28, 2008, 12:34:54 PM »
I think we should end this discussion now, or at least stay at the very topic.

LA

Offline doktornotor

  • Comodo's Hero
  • *****
  • Posts: 222
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #21 on: July 28, 2008, 01:01:18 PM »
Sigh, I beg your pardon but splitting a topic which turned out to be the very cause of the issue discussed here is rather unfortunate and confusing like hell.  >:(

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #22 on: July 28, 2008, 01:05:35 PM »
Aigle himself said he will not turn off GeSwall, which means extra layers of security, or better yet overlapping security, are giving him false results.

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #23 on: July 28, 2008, 01:11:11 PM »
All I might conclude here is how can we know what is truth and what is not. Aigle has made 2 threads stating that D+ is not doing its job when I have shown with proof and screen shots that it is. I am only using Comodo with D+ and NOD32. No other security software running. Aigle is running other security programs on top of Comodo then making posts. Now if he can show us a screen shot of running process and D+ failing then I believe him. Point being screen shots do not lie.

Someone

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #24 on: July 28, 2008, 01:42:44 PM »
Then say that normally. Here's what a normal person would say:

'Hello aigle. After trying your sample, I have different results.
CFP passes on my machine. My guess is GeSwall or TF is conflicting with CFP on your machine.'

Simple, polite and to the point. No 'look at Wilders' (??), 'this is why <whatever>'.

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 717
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #25 on: July 28, 2008, 04:42:47 PM »
Hi guys! Calm down please. Thanks for your contribution. I am not attacking anyone. Please note:

1- I tested all this in a fresh snapshot of XP Home SP2. Totally clean. No security software except CFP. Even no antivirus (I did use ShadowSurfer).

2- Seems at least on my system CFP is missing detection of some behaviors.

3- Strangely, when I run the physical memory access POC SDTrestore.exe, CFP does give me a pop-up alert about physical memory access. I don't understand why it does not give an alert with phide.exe.

4- The only problem I can guess may be Eaz-Fix or ShadowSurfer that I use for testing. OK, I will test without ShadowUser and see how it goes. Will report back. Unfortunately I have no VM or test PC.

5- @Vettetech! Do you have XP Home SP2 also? OK, I will send you another malware bypassing CFP on my system. Let's see how it does on yours? BTW how did you get the "hi guys" alerts? Can you explain it please? Thanks a lot

6- I will be happy if my findings are wrong. It's a good sign for my security that is based largely on CFP.

Thanks all of you
« Last Edit: July 28, 2008, 04:46:19 PM by aigle »

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #26 on: July 28, 2008, 04:57:31 PM »
I got the "Hi Guys" by simply running Phide.exe. I first got an alert about explorer.exe trying to run Phide which I allowed. Then D+ started giving me at least 10 pop ups. I blocked them and had to reboot. Once back up I ran the test from a command line and as soon as I did BAM. D+ kicked in and gave me the alert you see. I am also using safe mode for both the firewall and D+. Both my machines are XP SP3. You need to uninstall GeSwall also for accuracy. I also deleted all entries of the test and ran it again with the same results.
« Last Edit: July 28, 2008, 05:00:18 PM by Vettetech »

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 717
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #27 on: July 28, 2008, 05:02:25 PM »
Seems you don't care to read my posts.

I wrote very clearly that there was no GeSwall, no TF, no AV, nothing else except CFP. It was only CFP (with ShadowSurfer). I do use Eaz-Fix also.

I also asked: do you have XP Home or Pro?

Thanks

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #28 on: July 28, 2008, 05:05:40 PM »
I have XP Home SP3 on both machines. I wrote it to you. I didn't include Home. Sorry. Also tell your buddies at Wilders I am on XP.

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #29 on: July 28, 2008, 06:11:12 PM »
Here is what happens when I tried to use that trojan dropper you sent me. My NOD32 picks it right up and deletes it. So I guess you do not believe in using an av either and you only use HIPS for your protection.