Author Topic: The Good, The Bad and The UGLY (ugly because its unknown!!)  (Read 32522 times)

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: The Good, The Bad and The UGLY (ugly because its unknown!!)
« Reply #60 on: June 01, 2010, 10:57:38 PM »
Yes, tested multiple times.
Don't worry, be happy

*No longer active*

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
« Reply #61 on: June 01, 2010, 11:05:25 PM »
Yes, tested multiple times.

Only difference between yours and mine is that you're showing a recognized string from EICAR. It bypasses Defense+ and is picked up by the AV, not D+, relying on pure detection only from the AV.

Code: (omygosh.py)
import os  # used to delete the file after it has been created, written and read

# The forum's anti-spam filter has replaced "@" with "[at]", so this is not a valid EICAR string.
# The backslash is escaped explicitly; "\P" is not a Python escape sequence.
text = "X5O!P%[at]AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

txtfile = open("\\omygosh.com", "w")  # creates omygosh.com in the root of the current drive
txtfile.write(text)
txtfile.close()  # close (and flush) before reopening, otherwise the read may see an empty file

txtfile = open("\\omygosh.com", "r")
print(txtfile.readlines())
txtfile.close()
os.remove("\\omygosh.com")


Then let me explain.

This code doesn't actually contain an EICAR payload, but it does write a .com file.

My point? It's explained in the first post I made.

Code:
import os  # This module is used for deleting the file after it has been created, written and read.

#---------------------------------------------------------------------#
text = "Some random text to write in the test file"  # text that will be written
#---------------------------------------------------------------------#
txtfile = open("\\txtfile.txt", "w")  # Creates a new file for writing (root of the current drive)
txtfile.write(text)  # write the text
txtfile.close()  # close the file so the write is flushed before it is read back
#---------------------------------------------------------------------#
txtfile = open("\\txtfile.txt", "r")  # open the file for reading
print(txtfile.readlines())  # read lines and output on screen
txtfile.close()  # close the file
#---------------------------------------------------------------------#
os.remove("\\txtfile.txt")  # This deletes the file
#----------------------------------End--------------------------------#
In English...
File creation, file writing, file reading and lastly file deletion.
No alerts from CIS at all.

Your real point: There is no alert when a txt file is written...
« Last Edit: June 01, 2010, 11:10:29 PM by Endymion »
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline Kyle

« Reply #62 on: June 01, 2010, 11:11:14 PM »
Code:
import os  # This module is used for deleting the file after it has been created, written and read.

#---------------------------------------------------------------------#
text = "Some random text to write in the test file"  # text that will be written
#---------------------------------------------------------------------#
txtfile = open("\\txtfile.txt", "w")  # Creates a new file for writing (root of the current drive)
txtfile.write(text)  # write the text
txtfile.close()  # close the file so the write is flushed before it is read back
#---------------------------------------------------------------------#
txtfile = open("\\txtfile.txt", "r")  # open the file for reading
print(txtfile.readlines())  # read lines and output on screen
txtfile.close()  # close the file
#---------------------------------------------------------------------#
os.remove("\\txtfile.txt")  # This deletes the file
#----------------------------------End--------------------------------#
# "#" and "----" are just comments or separators to make it a bit easier to read for you guys.
In English...
File creation, file writing, file reading and lastly file deletion.
No alerts from CIS at all.


Just going to quote myself. Please read it; I don't think you quite understand what's going on.
I specifically pointed out that you get no alerts from CIS when you do the following things:
File creation, file writing, file reading and lastly file deletion.



EDIT: Had to update my post because Endymion updated his and I didn't want to double post.



Offline Endymion

« Reply #63 on: June 01, 2010, 11:13:39 PM »
Just going to quote myself. Please read it; I don't think you quite understand what's going on.
Yes, Kyle, I did.

You do understand that the code you provided writes a txt file?

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
« Reply #64 on: June 01, 2010, 11:16:37 PM »
Just going to quote myself. Please read it; I don't think you quite understand what's going on.
I specifically pointed out that you get no alerts from CIS when you do the following things:
File creation, file writing, file reading and lastly file deletion.



EDIT: Had to update my post because Endymion updated his and I didn't want to double post.




All this proves is how intelligent D+ is. Why bother the user with things that pose no threat? If you want to create, modify and delete a .txt file, what's the harm? Why should users be warned about it?

Melih

Offline Kyle

« Reply #65 on: June 01, 2010, 11:18:32 PM »
It doesn't matter if it's a text file. I could read your personal information, I could infect by writing into other files and I could do a very nasty thing which viruses do... delete files.
It can do anything that a virus could do in an exe form, only without Defense+ alerting. I repeat... If I compiled this into an EXE you WOULD get an alert from Defense+. If you run it through a trusted process, you WON'T get an alert.


No alerts. Zero, zilch, nada.
« Last Edit: June 01, 2010, 11:21:32 PM by Kyle »

Offline Endymion

« Reply #66 on: June 01, 2010, 11:25:25 PM »
It doesn't matter if it's a text file. I could read your personal information, I could infect by writing into other files and I could do a very nasty thing which viruses do... delete files.

Kyle, the code you provided doesn't prove that. It doesn't read any information. It doesn't delete any critical file.

And lastly, it doesn't even write an EICAR payload...

What does it do? Zero, zilch, nada.

Offline Kyle

« Reply #67 on: June 01, 2010, 11:31:17 PM »
Endymion... you seriously don't know what you're talking about, lol. If you had 5 minutes of Python (or any language) experience you'd understand what it's doing; it's a very simple thing. (I thought the comments in the code were enough; guess not...)

You're saying it's false when it's true. There are no maybes or sortas. It either is or it isn't. There is no leeway, unfortunately, Endymion, and I can't explain it any better to you, sorry. You're wrong.

Offline Endymion

« Reply #68 on: June 01, 2010, 11:37:16 PM »
Endymion... you seriously don't know what you're talking about, lol. If you had 5 minutes of Python (or any language) experience you'd understand what it's doing; it's a very simple thing. (I thought the comments in the code were enough; guess not...)

You're saying it's false when it's true. There are no maybes or sortas. It either is or it isn't. There is no leeway, unfortunately, Endymion, and I can't explain it any better to you, sorry. You're wrong.


Can do anything that a virus could do in an exe form

Kyle, I hope you do understand that if what you wrote was a Proof of Concept, even Notepad (!) would be a virus...
« Last Edit: June 01, 2010, 11:39:10 PM by Endymion »

Offline Kyle

« Reply #69 on: June 02, 2010, 12:06:30 AM »
Since Melih and Endymion are either not understanding or are being difficult... here's some updated code. It doesn't deal with a txt file now; it deals with executables.
Code:
import os  # This module is used for deleting the file after it has been created, written and read.

#---------------------------------------------------------------------#
text = "Some random text to write in the test file"  # text that will be written
#---------------------------------------------------------------------#
testfile = open("\\testfile.exe", "w")  # Creates a new file for writing (root of the current drive)
testfile.write(text)  # write the text
testfile.close()  # close the file so the write is flushed before it is read back
#---------------------------------------------------------------------#
testfile = open("\\testfile.exe", "r")  # open the file for reading
print(testfile.readlines())  # read lines and output on screen
testfile.close()  # close the file (the original had "txtfile.close()", a NameError)
#---------------------------------------------------------------------#
os.remove("\\testfile.exe")  # This deletes the file
#----------------------------------End--------------------------------#
The above demonstrates file creation, modification and deletion. CIS does not alert you.


Compile it, run it as an exe and you will get alerts.


[attachment deleted by admin]
« Last Edit: June 02, 2010, 12:15:03 AM by Kyle »

Offline Melih

« Reply #70 on: June 02, 2010, 12:15:47 AM »
K, replace everything that ends with .txt and rename it to .exe - same results.

Run the code raw and CIS does not alert you. Compile it, run it as an exe and I get plenty of alerts.


Some people look at the picture and see nothing...
some people look at the picture and see Mona Lisa.....

I see Mona Lisa ....the intelligence and sophistication built into CIS...how very beautiful....

what do you see Kyle ;)

renaming: is done manually...CIS knows...user intended to...don't bother with alerts...
Exe: unknown...trying to run....alert....

oh Mona CISa :)......

Melih

Offline Melih

« Reply #71 on: June 02, 2010, 12:17:57 AM »
Some people look at the picture and see nothing...
some people look at the picture and see Mona Lisa.....

I see Mona Lisa ....the intelligence and sophistication built into CIS...how very beautiful....

what do you see Kyle ;)

renaming: is done manually...CIS knows...user intended to...don't bother with alerts...
Exe: unknown...trying to run....alert....

oh Mona CISa :)......

Melih

PS: Kyle, joke aside... you really have to understand how CIS is intended to work in the first place... create real threats and let's see how it handles them ;)

Offline Kyle

« Reply #72 on: June 02, 2010, 12:19:15 AM »
Melih, can you tell me why CIS doesn't alert me when I run the code raw, and why it alerts me when it's compiled to an exe? The same actions are being done.

Offline Endymion

« Reply #73 on: June 02, 2010, 02:48:03 AM »
Since Melih and Endymion are either not understanding or are being difficult...

I understood correctly that a txt file is not meant to trigger alerts, just like the invalid EICAR signature of the second example (I asked you to explain) won't.


Alas, despite your adding many comments, your first example did not mention anywhere that it was not designed to trigger any protected file alert, whereas D+ is not explicitly configured to warn the user about .txt (!) files ???



It became even more confusing when I asked you to clarify the difference with the second version I provided...


Only difference between yours and mine is that you're showing a recognized string from EICAR. It bypasses Defense+ and is picked up by the AV, not D+, relying on pure detection only from the AV.

...you were apparently sure there were AV alerts for an invalid EICAR text ???

Yes, tested multiple times.

I did ask you to confirm and you mentioned you tested it multiple times. ???

can you tell me why CIS doesn't alert me when I run the code raw?
  • The first example you provided was specifically designed to not trigger any alert (txt files are not added to Protected Files by default).
  • The second example (which you did not provide) will trigger an alert for .com files when D+ is set to Paranoid mode, but won't trigger any AV alert because the EICAR text is invalid (not-an-EICAR).




Python is 40+ MB of safelisted software; to have D+ alert about the first example you provided, you need to add *.txt to D+ Protected Files (D+ > Common files) and switch D+ to Paranoid mode.

Were you not willing to use D+ Paranoid mode, Python's entire path can be added to the CIS sandbox (D+ > Sandbox > Add programs to the Sandbox).

In case you did not know, it is also possible to sandbox only Python and use D+ for everything else:
  • uncheck Automatically detect the installers/updaters and run them outside the Sandbox (Defense+ Tasks > Sandbox > Sandbox Settings)
  • uncheck Automatically run unrecognized programs inside the Sandbox (Defense+ Tasks > Sandbox > Sandbox Settings)
« Last Edit: June 02, 2010, 02:56:43 AM by Endymion »
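Endymion's claim in #61 and #73 that the omygosh.py string is "not-an-eicar" can be checked mechanically rather than argued about. The block below is an added example in Python 3 (it is not code from this thread, from Kyle or Endymion, or from Comodo): it validates a candidate against the published EICAR format, which is the fixed 68-character signature, optionally followed by whitespace (space, tab, CR, LF, CTRL-Z), with a total length of at most 128 bytes. The signature is assembled from fragments so that this listing does not itself trip a scanner, and nothing is written to disk, since a real EICAR file on disk is exactly what an AV is supposed to catch. The "[at]" string is the one from omygosh.py, where the forum's anti-spam filter replaced "@".

```python
# Added example: EICAR test-file validator (Python 3). Not code from the thread.

# The 68-byte signature, built from fragments so this source file is not flagged.
EICAR_SIGNATURE = "".join([
    "X5O!P%@AP[4",
    "\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-",
    "ANTIVIRUS-TEST-FILE!$H+H*",
]).encode("ascii")
assert len(EICAR_SIGNATURE) == 68

# Whitespace the specification permits after the signature: space, tab, LF, CR, CTRL-Z.
EICAR_TRAILER = b" \t\n\r\x1a"
EICAR_MAX_LEN = 128


def check_eicar(data: bytes):
    """Return (is_valid, reason) for candidate EICAR content held in memory."""
    if len(data) < len(EICAR_SIGNATURE):
        return False, "too short: %d bytes" % len(data)
    if len(data) > EICAR_MAX_LEN:
        return False, "too long: %d bytes (max %d)" % (len(data), EICAR_MAX_LEN)
    head, tail = data[:68], data[68:]
    if head != EICAR_SIGNATURE:
        # Report the first differing offset; this is how a mangled copy (e.g. "[at]") shows up.
        pos = next(i for i, (a, b) in enumerate(zip(head, EICAR_SIGNATURE)) if a != b)
        return False, "signature mismatch at offset %d" % pos
    if any(b not in EICAR_TRAILER for b in tail):
        return False, "non-whitespace data after the signature"
    return True, "valid EICAR test file"


def is_eicar(data: bytes) -> bool:
    return check_eicar(data)[0]


# The text from omygosh.py as it appeared on the forum: "@" replaced by "[at]".
FORUM_STRING = EICAR_SIGNATURE.replace(b"@", b"[at]")

if __name__ == "__main__":
    for label, sample in [("forum string", FORUM_STRING),
                          ("signature + CRLF", EICAR_SIGNATURE + b"\r\n"),
                          ("random text", b"Some random text to write in the test file")]:
        print("%-18s %s" % (label, check_eicar(sample)[1]))
```

The first mismatch is at offset 6, where "@" should be: the forum substitution alone is enough for a signature scanner to ignore the file. Whether the .com write itself was seen is a separate question for Defense+, not for the AV.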

Offline Kyle

« Reply #74 on: June 02, 2010, 02:56:08 AM »
Endymion, you did not read post #69:
http://forums.comodo.com/news-announcements-feedback-cis/the-good-the-bad-and-the-ugly-ugly-because-its-unknown-t56938.0.html;msg400888#msg400888
I realized that your thoughts were that txt files are not applicable. That's why I modified the code so that instead of txt files it would create, modify and delete executable files.


Still, the point remains: run that code I made and you will not get any Defense+ alerts. Compile the same code into an exe, run it, and you get plenty of alerts. Both 'items' perform exactly the same function.

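The disagreement between Kyle's #74 ("both 'items' perform exactly the same function") and Endymion's #73 (the verdict depends on the acting process, the Protected Files list and the D+ mode) reduces to a small decision matrix: a HIPS does not attribute a file write to "the code" but to the process image that issued it, which is python.exe when a script is run raw and the compiled binary when it is run as an exe. The block below is an added example in Python 3, not Comodo's code and not a description of its real rule engine: it is a deliberately simplified model of such a verdict. The default Protected Files patterns, the python.exe and compiled-binary paths, and the sandbox handling are assumptions chosen so the thread's scenarios can be evaluated side by side.

```python
# Added example: simplified model of a Defense+-style HIPS verdict (Python 3).
# This is an illustrative assumption, not Comodo's actual decision logic.
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    image: str        # process image the HIPS attributes the action to
    safelisted: bool  # True if the image is on the vendor safelist (e.g. a Python install)


@dataclass(frozen=True)
class Policy:
    mode: str                    # "safe" (safelist honoured) or "paranoid" (every subject is asked)
    protected_globs: tuple       # Protected Files patterns, matched against the file name
    sandboxed_images: tuple = () # images the user forced into the sandbox


def is_protected(target: str, policy: Policy) -> bool:
    """True if the target's file name matches any Protected Files pattern (case-insensitive)."""
    name = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(name, g.lower()) for g in policy.protected_globs)


def verdict(subject: Subject, target: str, policy: Policy) -> str:
    """Return 'sandboxed', 'allow' or 'alert' for a create/write/delete of target by subject."""
    if subject.image.lower() in tuple(p.lower() for p in policy.sandboxed_images):
        return "sandboxed"   # the action still happens, but inside the sandbox, with no alert
    if not is_protected(target, policy):
        return "allow"       # a .txt outside Protected Files: nothing to ask the user about
    if policy.mode == "paranoid":
        return "alert"       # paranoid ignores the safelist: python.exe is asked too
    return "allow" if subject.safelisted else "alert"   # safe mode: trust the safelist


# Assumed subjects: a safelisted Python interpreter and an unknown compiled build of the script.
PYTHON_EXE = Subject(image=r"C:\Python26\python.exe", safelisted=True)      # assumed path
COMPILED_POC = Subject(image=r"C:\poc\poc.exe", safelisted=False)            # hypothetical path

# Assumed Protected Files default: executables are protected, plain text is not.
EXECUTABLES = ("*.exe", "*.com", "*.dll", "*.sys")
SAFE_MODE = Policy(mode="safe", protected_globs=EXECUTABLES)
PARANOID_WITH_TXT = Policy(mode="paranoid", protected_globs=EXECUTABLES + ("*.txt",))
SAFE_MODE_PY_SANDBOXED = Policy(mode="safe", protected_globs=EXECUTABLES,
                                sandboxed_images=(PYTHON_EXE.image,))


def thread_scenarios() -> dict:
    """Verdicts for the file writes discussed in the thread, keyed by a short description."""
    return {
        "raw script, \\txtfile.txt, safe mode": verdict(PYTHON_EXE, r"\txtfile.txt", SAFE_MODE),
        "raw script, \\testfile.exe, safe mode": verdict(PYTHON_EXE, r"\testfile.exe", SAFE_MODE),
        "compiled exe, \\testfile.exe, safe mode": verdict(COMPILED_POC, r"\testfile.exe", SAFE_MODE),
        "raw script, \\omygosh.com, paranoid": verdict(PYTHON_EXE, r"\omygosh.com", PARANOID_WITH_TXT),
        "raw script, \\txtfile.txt, paranoid + *.txt": verdict(PYTHON_EXE, r"\txtfile.txt", PARANOID_WITH_TXT),
        "raw script, \\testfile.exe, python sandboxed": verdict(PYTHON_EXE, r"\testfile.exe", SAFE_MODE_PY_SANDBOXED),
    }


if __name__ == "__main__":
    for scenario, result in thread_scenarios().items():
        print("%-46s -> %s" % (scenario, result))
```

In this model the same write to \testfile.exe is "allow" from the safelisted interpreter and "alert" from the unknown binary, which is the observation both sides report; what changes between the two runs is the subject, not the operation. Adding *.txt to Protected Files and switching to Paranoid mode, or sandboxing the interpreter, are the two knobs from #73 that change the raw-script verdict.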

 
