Author Topic: Sad: No progress with the x64 HIPS of CIS  (Read 25425 times)

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Sad: No progress with the x64 HIPS of CIS
« on: March 25, 2010, 04:25:52 PM »
Hello,
version 4 of CIS didn't improve anything regarding passing leaktests on Windows Vista or Seven x64.
Still it doesn't block the Matousec SSTS tests regarding:
-keylogging
-DLL injections (global hooks)
-window messages
-OLE automation
-DDE

It fails these tests (incomplete list but should include ~all techniques):
kill3f (example for window messages)
keylog1 (keylogging)
breakout1
cpilsuite2 (Outpost warns about global hook)
ddetest
flank
osfwbypass

Tested with proactive profile, sandbox disabled.

I don't say that it has to pass all tests but at least the ones which are passed by other products. Matousec has already announced tests on Windows x64, so Comodo should speed up there.


Also, the direct keyboard access warnings are still way too aggressive on x64, it gives warnings if any application receives keyboard input (e.g. typing text). It's only on x64, can't be too hard to fix, reported this long ago.

Offline begemot

  • Comodo Loves me
  • ****
  • Posts: 129
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #1 on: March 25, 2010, 05:20:59 PM »
That's interesting, I've tested all of Matousec's tests with proactive and sandbox disabled, and Comodo successfully blocked everything - so it seems I can't reproduce your results... Are you sure you cleaned your system out prior to testing of any old tests?

Offline Citizen K

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26177
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #2 on: March 25, 2010, 07:32:00 PM »
Begemot, are you using a 32- or 64-bit OS?

Offline begemot

  • Comodo Loves me
  • ****
  • Posts: 129
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #3 on: March 26, 2010, 04:36:16 AM »
Win 7 x64

Offline Ronny

  • Retired - Product Translator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 13551
  • Retired - Volunteer Moderator
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #4 on: March 26, 2010, 04:46:33 AM »
Do the tests "fail" if you disabled all security on your system?

Just to make sure your test is "valid"... and are you testing under Standard or Admin account, UAC enabled/disabled?
Retired - Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

Offline begemot

  • Comodo Loves me
  • ****
  • Posts: 129
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #5 on: March 26, 2010, 05:10:30 AM »
Admin account, UAC disabled, and I'll retest them with Comodo disabled asap.

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #6 on: March 26, 2010, 08:20:53 AM »
Quote from: begemot
"That's interesting, I've tested all of Matousec's tests with proactive and sandbox disabled, and Comodo successfully blocked everything"
That shouldn't be possible. Can you post screenshots?

Offline begemot

  • Comodo Loves me
  • ****
  • Posts: 129
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #7 on: March 26, 2010, 11:37:33 AM »
Sorry, turns out that I was using a 32-bit virtual machine - good job I double-checked before posting the screenshots...  >:(

Offline Ronny

  • Retired - Product Translator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 13551
  • Retired - Volunteer Moderator
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #8 on: March 26, 2010, 12:16:37 PM »
No problem, can happen  ;)
Do you happen to have the ability to build a 64bit test environment?

Offline begemot

  • Comodo Loves me
  • ****
  • Posts: 129
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #9 on: March 26, 2010, 01:34:56 PM »
Should be able to at the start of next week, will post some updates then.

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #10 on: March 26, 2010, 03:13:34 PM »
There won't be a difference to my results, but test and see yourself. :)

Edit: Some tips:
-Don't enable DEP for all processes.
-Disable UAC.
-You need to start some of the tests in XP compatibility mode.
-Not all tests are working on x64, some are even crashing.
-You won't see any activity of Cpilsuite2 & 3 because the code they are attempting to inject is 32-bit and not compatible with 64-bit processes. If they had compatible code Comodo would visibly fail these tests because SSTS can unhook the usermode hooks of Comodo for SetWinEventHook. Like I already stated, some other x64 HIPSes give correct warnings for these tests, e.g. Outpost.
« Last Edit: March 26, 2010, 03:20:47 PM by evil_religion »

Offline vigen

  • Comodo Loves me
  • ****
  • Posts: 182
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #11 on: March 28, 2010, 08:52:46 AM »
Lots of bugs on Seven 64 bits, I come back to version 3...

Conflict with WOW64 on sandbox...

Offline evil_religion

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 475
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #12 on: October 09, 2010, 06:11:23 AM »
Online Armor has an unhooking protection, so it doesn't fail the Matousec tests on x64:


And Comodo is doing nothing, they happily fail many tests and say the world is alright. :-X

Offline lordraiden

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 921
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #13 on: October 09, 2010, 07:02:55 AM »


Quote from: evil_religion
"And Comodo is doing nothing, they happily fail many tests and say the world is alright. :-X"

Welcome to Comodo world, where everything is wonderful xD and nobody cares about bugs, wishlist, or unfinished components of the security suite.

Offline tommymacangel

  • Comodo Loves me
  • ****
  • Posts: 134
Re: Sad: No progress with the x64 HIPS of CIS
« Reply #14 on: October 09, 2010, 09:46:50 AM »
I think it's MS's fault :-TD And also W7 64 is really poor, really new and not so popular ;D
« Last Edit: October 09, 2010, 09:48:57 AM by tommymacangel »

 
