Author Topic: Phide.exe rootkit bypassed Defence Plus [Reason found]  (Read 35879 times)

Someone

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #30 on: July 28, 2008, 06:46:14 PM »
Vettetech, see why it's important to stick with facts, and be polite? Aigle is using CFP + ShadowSurfer.

Here is what happens when I tried to use that trojan dropper you sent me. My NOD32 picks it right up and deletes it. So I guess you do not believe in using an AV either and you only use HIPS for your protection.
And this means you haven't progressed much since the "you have to allow the execution" part.

You are testing CFP, not NOD32.


Someone

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #32 on: July 28, 2008, 07:10:58 PM »
I replied. It is my conviction you do not know how to test.

At least ask questions. It's not wrong not to know things. No one knows everything. But you should ask when you don't understand.
Like "what's this supposed to do?". Alternatively, disassemble the malware/POC....

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #33 on: July 29, 2008, 08:29:09 PM »
Let's try and keep things friendly here, guys.

This only highlights the difficulties of accurately testing protection software and correctly interpreting the results. IMHO a 'clean' VM is probably the best method, since it avoids the results being clouded by other running applications. If the OP was only running D+ and nothing else, then it'd be interesting to compare configurations in order to determine the different results. Were they both using the default configuration and at the same level setting?

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 717
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #34 on: July 29, 2008, 08:34:08 PM »
Ok, I tried it with CFP (safe mode) without ShadowSurfer or any other security software. I don't get a physical memory access alert at all. According to Vettetech, he gets the alert. I am confused.

Can anyone test it with CFP? Thanks

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #35 on: July 29, 2008, 08:45:39 PM »
Is everything stock on your install of Comodo? Did you tweak anything? Last month I did a fresh install of Comodo and the only thing I change is D+ to safe mode. Everything else is how it comes. Did you get an explorer.exe message first?

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 717
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #36 on: July 29, 2008, 08:51:32 PM »
Is everything stock on your install of Comodo? Did you tweak anything? Last month I did a fresh install of Comodo and the only thing I change is D+ to safe mode. Everything else is how it comes. Did you get an explorer.exe message first?

No, I used default settings in safe mode. I did get an execution alert from explorer.exe.

I wish somebody could try it as well. Can it be Stardock that is causing the difference? Or SP3 in your case?
« Last Edit: July 29, 2008, 08:54:13 PM by aigle »

Vettetech

  • Guest
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #37 on: July 29, 2008, 08:59:15 PM »
What... Stardock is a company that makes WindowBlinds and IconPackager. It doesn't run a background service and has nothing to do with security. SP3 was a very small service pack.

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 717
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #38 on: July 30, 2008, 04:41:13 AM »
It's quite possible, due to the very nature of the Stardock product.

Offline pykko

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 558
    • Intr-o lume plina de virusi, ai un prieten
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #39 on: August 07, 2008, 05:58:28 AM »
I've just run this test and I get no physical memory access warning from Comodo.

I truly hope you will fix this issue.

Offline fOrTy_7

  • Comodo's Hero
  • *****
  • Posts: 594
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #40 on: August 07, 2008, 06:32:08 AM »
Egemen already verified that it is a rare bug which could happen on some systems and has been fixed. Unfortunately, a new release of CFP is planned to be released in the next three or four weeks.

« Last Edit: August 07, 2008, 06:38:00 AM by fOrTy_7 »

Offline eXPerience

  • Left the Forums
  • Comodo's Hero
  • *****
  • Posts: 6958
  • Free Forever !
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #41 on: August 07, 2008, 07:10:22 AM »
Well, thanks to fOrTy_7 I think it's solved now. Are there any who have this problem on Vista?

I will mark this thread as solved but leave it open for further discussion. Aigle, if you want it closed, just send me a PM.

Xan

Offline pykko

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 558
    • Intr-o lume plina de virusi, ai un prieten
Re: Phide.exe rootkit bypassed Defence Plus [Reason found]
« Reply #42 on: August 07, 2008, 09:37:21 AM »
Thank you f0rTy_7.
I can't wait for that release.

Offline fOrTy_7

  • Comodo's Hero
  • *****
  • Posts: 594
Re: Phide.exe rootkit bypassed Defence Plus [Reason found]
« Reply #43 on: August 07, 2008, 09:59:13 AM »
No problem, but really I didn't do anything :D. If you want to thank someone then you should thank Aigle for finding this issue, and Egemen for fixing it :).
« Last Edit: August 07, 2008, 10:05:15 AM by fOrTy_7 »

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 717
Re: Phide.exe rootkit bypassed Defence Plus
« Reply #44 on: August 07, 2008, 08:44:54 PM »
I will mark this thread as solved but leave it open for further discussion. Aigle, if you want it closed, just send me a PM.

Xan
IMO it's better to leave it open until we get a new release and the fix is confirmed.

Thanks
