Author Topic: RST antivirus 2010. rogue av bypassed CIS  (Read 9714 times)

Offline dave_mustaine

  • Comodo Family Member
  • Posts: 87
RST antivirus 2010. rogue av bypassed CIS
« on: May 09, 2010, 09:42:45 AM »
Installed a rogue called RST antivirus 2010 without any warnings from CIS at all. It was not placed in the sandbox either.

Offline disPPlay

  • Malware Research Group
  • Comodo's Hero
  • Posts: 887
  • Join the REVOLUTION!
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #1 on: May 09, 2010, 10:10:13 AM »
Pretty strange that you didn't even receive an elevation alert?
Can you export your Defense+ log for us, please?

« Last Edit: May 09, 2010, 10:13:12 AM by DiSP »

Offline disPPlay

  • Malware Research Group
  • Comodo's Hero
  • Posts: 887
  • Join the REVOLUTION!
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #2 on: May 09, 2010, 03:55:17 PM »
Tested on my VMware and I had the same result as you. The rogue completely bypassed Comodo.
The funny thing is that the uninstaller is sandboxed by Comodo.
« Last Edit: May 09, 2010, 04:03:22 PM by DiSP »

Offline thejoedoe

  • Product Translator
  • Comodo Loves me
  • Posts: 107
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #3 on: May 09, 2010, 05:40:17 PM »
Try unchecking "Automatic detect installers/updaters ..." in Sandbox Settings.

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #4 on: May 10, 2010, 02:20:23 AM »
Windows Installer…

SetupRSTAV2010.msi (VirusTotal) never runs. Only msiexec.exe runs, with this command line:

"C:\WINDOWS\System32\msiexec.exe"  /i "[path]\SetupRSTAV2010.msi"

The installed files are automatically added to My Own Safe Files.
Ubuntu | Firefox | HTTPS Only Mode | Privacy Badger
Forum Policy | Comodo Product Help

Offline Cavehomme

  • Comodo's Hero
  • Posts: 395
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #5 on: May 10, 2010, 09:30:48 AM »
Try unchecking "Automatic detect installers/updaters ..." in Sandbox Settings.

Personally I think the sandbox is quite useless at the moment, or more specifically it gives a false sense of security.

I have disabled it; the config chosen is Proactive Security, with Defense+ in Safe Mode, and it seems to block everything nasty... at least so far.

Offline knk2006

  • Comodo's Hero
  • Posts: 540
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #6 on: May 10, 2010, 09:42:41 AM »
The sandbox doesn't block the threat; it does something better: it makes the threat handicapped!! Maybe a rogue or fake can run once, however terminating it is just a matter of clicks in the Task Manager. If you wanna see the real impact of this rogue, try to run it without the sandbox and enjoy the dozens of alerts, or if you want to see what it actually does on the computer, try throwing it into a virtual machine and then try to stay with that computer for an hour; you will commit suicide :P

Offline Cavehomme

  • Comodo's Hero
  • Posts: 395
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #7 on: May 10, 2010, 10:06:47 AM »
The sandbox doesn't block the threat; it does something better: it makes the threat handicapped!! Maybe a rogue or fake can run once, however terminating it is just a matter of clicks in the Task Manager. If you wanna see the real impact of this rogue, try to run it without the sandbox and enjoy the dozens of alerts, or if you want to see what it actually does on the computer, try throwing it into a virtual machine and then try to stay with that computer for an hour; you will commit suicide :P

I think if you choose Proactive mode and the first alert is whether to allow the exe to run and you choose no, then there should not be any further alerts? I have not personally tested this rogue, but I recently tested some test spyware that easily bypassed the sandbox; when I changed settings and disabled the sandbox, this software was all immediately blocked, with no further alerts. You can see the other thread for more information on this...

http://forums.comodo.com/news-announcements-feedback-cis/comodo-fails-with-the-new-spyshelter-leaktests-t55558.0.html

Offline Endymion

  • Comodo's Hero
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #8 on: May 10, 2010, 10:19:55 AM »
The D+ sandbox is not a panacea, and IMHO understanding the limits of each protection approach contributes to each user's security sense (as important as the features a tool provides) and thus provides a way to select the best approach (where available) to address a specific scenario (whenever possible).

As JoWa pointed out, this threat relies on an .msi (Windows Installer) file.

Sandboxing won't be applied when double-clicking the .msi file, as that implicitly causes the command "C:\WINDOWS\System32\msiexec.exe"  /i "[path]\SetupRSTAV2010.msi" to run the installer (no elevation alert will occur for .msi files either).

Automatic sandboxing for .msi files would be applied only (AFAIK) if an unrecognized application/batch file directly spawns the "C:\WINDOWS\System32\msiexec.exe"  /i "[path]\SetupRSTAV2010.msi" process (e.g. a batch file containing such an msiexec.exe command).

In theory it would be possible to configure msiexec.exe to always be sandboxed (D+ > Sandbox > "Add programs to the sandbox"), but while this rule is active even legitimate .msi installers will be thwarted.

AFAIK Proactive/D+ Safe Mode won't apply to (double-clicked) .msi installers either:
msiexec.exe (the Microsoft executable responsible for interpreting .msi files and carrying out their installations) is part of the "Windows Updater Applications" group, which has an installer/updater policy, and msiexec.exe is a safelisted Microsoft executable.

IIRC in Proactive/D+ Safe Mode, execution will be silently granted without an alert if both the parent and child apps are safelisted (e.g. explorer --> msiexec.exe), but an Execution alert will occur when an unrecognized application attempts to run a safelisted one (though the previous batch file example won't apply).

To get D+ alerts for installations carried out through .msi files, it might be necessary to switch D+ to Paranoid Mode and remove msiexec.exe from the "Windows Updater Applications" group.


One last thing worth mentioning is that, according to some of the removal instructions on the internet, RST antivirus 2010 might be more than a rogue (if "rogue" is intended only as fake/fraud), as some of the removal instructions describe traces of BHO extensions, services/drivers or drivers.
« Last Edit: May 10, 2010, 12:27:10 PM by Endymion »
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)
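The gap Endymion describes is that the trust decision is made on msiexec.exe (safelisted, installer/updater policy) rather than on the package it is asked to install. One defender-side way to recover that missing signal is to evaluate the package path on the msiexec command line from process-creation telemetry. The following Python is an added example, not code from the thread or from Comodo; the event field names, the sample records and the "user-writable" location list are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (field names are an assumption, shaped
# like Sysmon event 1 / Windows 4688): parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",            # user double-clicked the .msi
     "image": r"C:\WINDOWS\System32\msiexec.exe",
     "cmd": r'"C:\WINDOWS\System32\msiexec.exe"  /i "C:\Users\alice\Downloads\SetupRSTAV2010.msi"'},
    {"parent": r"C:\Windows\System32\services.exe",   # Windows Installer service instance
     "image": r"C:\WINDOWS\System32\msiexec.exe",
     "cmd": r"C:\WINDOWS\System32\msiexec.exe /V"},
    {"parent": r"C:\Windows\explorer.exe",            # package cached by Windows Installer
     "image": r"C:\WINDOWS\System32\msiexec.exe",
     "cmd": r'"C:\WINDOWS\System32\msiexec.exe" /i "C:\Windows\Installer\1a2b.msi" /qn'},
]

# Directory names that mark locations an ordinary user (or a download) can write to.
USER_WRITABLE = {"users", "temp", "tmp", "appdata", "downloads", "programdata"}

# msiexec takes the package as /i or /package, quoted or bare.
MSI_RE = re.compile(r'/(?:i|package)\s+(?:"([^"]+\.msi)"|(\S+\.msi))', re.IGNORECASE)

def msi_package(cmd):
    """Return the .msi path named on an msiexec command line, or None."""
    m = MSI_RE.search(cmd)
    return (m.group(1) or m.group(2)) if m else None

def in_user_writable(path):
    """True if any directory component of the path is a user-writable location."""
    parts = (p.lower() for p in PureWindowsPath(path).parts[:-1])
    return any(p in USER_WRITABLE for p in parts)

def classify(event):
    """Judge the package, not msiexec.exe itself: that is the gap the thread describes."""
    if PureWindowsPath(event["image"]).name.lower() != "msiexec.exe":
        return None
    pkg = msi_package(event["cmd"])
    if pkg is None or not in_user_writable(pkg):
        return None  # service/self-repair launches carry no package path
    return {"package": pkg,
            "parent": PureWindowsPath(event["parent"]).name.lower(),
            "note": "unknown package launched via safelisted msiexec.exe"}

def review(events):
    """Return one finding per msiexec launch of a package from a user-writable path."""
    return [f for f in map(classify, events) if f]
```

Running `review(SAMPLE_EVENTS)` flags only the first record (the downloaded package), while the service instance and the package cached under C:\Windows\Installer pass; the finding keeps the parent so triage can tell a double-click from a scripted launch.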

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #9 on: May 10, 2010, 02:29:36 PM »
In Paranoid Mode, CIS gives one alert for the safe application msiexec.exe. :-TD

Online Armor gives an alert for SetupRSTAV2010.msi. :-TU


Offline Endymion

  • Comodo's Hero
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #10 on: May 10, 2010, 02:34:04 PM »
In Paranoid Mode, CIS gives one alert for the safe application msiexec.exe. :-TD

To get alerts for msiexec.exe as well, it would be necessary to edit the "Windows Updater Applications" group, but of course this will not cause the .msi filename to be mentioned in the D+ execution alert.
« Last Edit: May 10, 2010, 02:35:51 PM by Endymion »

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #11 on: May 10, 2010, 02:41:03 PM »
I tried that (also monitored dlls…). Nothing interesting, only safe applications, and “you can safely allow this request”. :-\ No alerts for anything unknown. :(

Offline Endymion

  • Comodo's Hero
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #12 on: May 10, 2010, 05:49:32 PM »
I tried that (also monitored dlls…). Nothing interesting, only safe applications, and “you can safely allow this request”. :-\
No alerts for anything unknown. :(

As the msiexec.exe process might remain active for some time after either installation (or uninstallation), stopping the "Windows Installer" service using services.msc might be necessary where msiexec.exe was previously granted the installer/updater policy (even via alerts), since it would retain such access rights as long as it is running.


I thought SetupRSTAV2010.msi would behave the same, although I did not test this installer (only other .msi files), but IIRC removing msiexec.exe from the "Windows Updater Applications" policy and switching to Paranoid Mode will have msiexec.exe trigger D+ alerts, e.g. registry and file ones (although msiexec.exe will be mentioned as safelisted in each alert even in Paranoid Mode).



« Last Edit: May 10, 2010, 07:27:58 PM by Endymion »

Offline JoWa

  • Humanist
  • Global Moderator
  • Comodo's Hero
  • Posts: 6741
  • I believe in doubt.
    • Evolutionary history of life
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #13 on: May 11, 2010, 02:21:15 AM »
I got numerous alerts for msiexec.exe, and it seems I answered them too slowly, because I got an error message that the Windows Installer service could not be started (after I had allowed msiexec.exe to start msiexec.exe).

But I don't see the point… No matter what configuration I use, there should be an alert for the unknown SetupRSTAV2010.msi (or any unknown msi, of course). I'm disappointed. :( And why can't I add it to My Pending Files or My Own Safe Files? (And why can't CIS read digital signatures from msi files?) :-\

Offline Shaoran

  • Comodo's Hero
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: RST antivirus 2010. rogue av bypassed CIS
« Reply #14 on: May 11, 2010, 03:49:42 AM »
There are lots of issues like this. It comes from the safe file list. All HIPS try to be user-friendly with this kind of list, but they don't handle it properly; you can easily execute code through a safe file which has all rights.

I think that is what we have here: executing SetupRSTAV2010.msi through the safe application msiexec.exe.

But it's not the only issue. I tried a few days ago to use this idea; I can destroy cmdagent easily, with the sandbox or not. The only way to get a pop-up is to use Paranoid Mode, because then CIS didn't use the safe list. But something strange: for my example, the pop-up didn't mention the real action I made, unlike CIS 3.

And don't think CIS is the only one; for example, Online Armor has the same problem, you can also disable its HIPS easily, but it's a little more intelligent than CIS.
« Last Edit: May 11, 2010, 04:00:34 AM by Shaoran »

 
