[1079] Bypassed by two separate samples

Hey folks, upon doing my monthly virus testing I ran across two completely different samples that bypass 1079 completely, one a rogue, the other a backdoor.

* Paranoid Mode.
* Do not create rules for safe/trusted applications.

I executed the first (rogue) and it installed and was in the taskbar within 5 seconds, no sandbox, no alerts from COMODO. The second sample installed itself, opened a browser window, no sandbox, no alerts from COMODO. For good measure I switched to my second snapshot with V4 installed, it blocked both of the samples as expected.

I am willing to upload these samples to COMODO for analysis, to be added to the virus database, etc. But this to me sounds like a major bug that needs to be addressed ASAP.

Can you please upload these to virustotal and CIMA and post links to the results?

Also, can you please mention (not give links) where you got these from? Was it MDL?

On another note, just to preempt languy99, you’ll want to PM him a link to these malware so he can test them himself.

Sure, unfortunately CIMA does not work for me, never has. Both were from MDL.

http://www.virustotal.com/file-scan/report.html?id=060c77a8ce8ded24ecd691b4bc35e2f92a214923411dc2a6a49dafe44f6b11ad-1282088290

http://www.virustotal.com/file-scan/report.html?id=cc2ae95a11b5d72ad36a2cdc1ce08fd259bce48480b462b9800c04c2705190d3-1282084877

Oddly, one of them is caught by Comodo AV per virustotal.

Can you please send these samples to me? Let me see what happens.

Egemen

AlanMcAlan wrote: Sure, unfortunately CIMA does not work for me, never has. Both were from MDL.

Yes, I have tested the same Chinese malware and +1 for me, xunjie.exe ran perfectly (infected the system)… The same with a TDSS sample I found…

Sure thing, just PM me your e-mail address.

@tommymacange, I’m glad (well, not really in the end) that someone else is having this problem too. At first I thought it was only on my side but I guess not now.

hmm…

[attachment deleted by admin]

Hi Salmonela, when I ran my tests I did not use Cloud scanning or cloud look-up to be fair in comparison to V4.

Any news? A few folks that I have sent the sample to are now seeing alerts from COMODO about this, I’m curious if it was fixed in the recently released beta.

Cheers!

I don't see anything bypassing the CIS sandbox. If you are talking about an application starting, that's not bypassing. What do you call a bypass? Can you please be specific about how you test?

Thanks,
Egemen

Hi Egemen, perhaps I should have clarified: I do not use/run the sandbox, cloud scanning, or antivirus, to be fair in comparison to versions 3 and 4.

Maybe you should? lol

Makes no sense to, if V3 protected me just fine in this case, I don’t see why I would need the AV, cloud scanning, and sandbox to keep me as safe, when all I had to do in V3 was set it as “Blocked Application”.

Alan, you still haven’t answered egemen’s question.

To answer both, I would call a bypass one or more (two in this case) completely different malware samples that are able to install/run and compromise the user's system. In this case, the samples did so and compromised the system. Running a default-deny security solution did not protect the user in this case.

For the last question, how do I test? Simple, nothing fancy. I run the latest beta inside of a testing PC (which is reformatted for every test), download 10 or more samples from MalwareDomainList and confirm via VirusTotal that they are marked as a virus by more than one vendor. I then execute each sample one-by-one to test the product's effectiveness at keeping the computer safe.

Your samples are able to bypass D+, nothing more. Did you use paranoid mode?
I don't know if it is worthwhile to fix this in D+; anyway, D+ was never designed to block everything.
But if the developers choose to improve D+ it would be great, though I think that the development of D+ has been stopped for a while due to the sandbox and the other new technologies.

In reality you can't compare V3 to V4 or V5. The reason? Well, V3 was a hardened HIPS application with some add-ons and goodies, but at the core of it, it was HIPS. Now V4 brought along the sandbox, and what happened then? Well, the restrictions placed upon the system by D+ were loosened because the sandbox takes up the slack. Now in V5 the D+ restrictions are loosened even more because the sandbox in V5 is even better and so is the AV. So in reality you can't compare each HIPS to each other because they are now acting differently. If you want to compare HIPS V5 to earlier versions, especially V3, you have to put it in paranoid mode because then it will basically act just like it did in V3.

Mr. AlanMcAlan, I think something is wrong with your installation (maybe you should check your rule for explorer.exe); see pic. a.

Test scenario:

  1. disabled sandbox
  2. switched to paranoid mode
  3. disabled cloud requests
  4. disabled AV
  5. run xunjie.exe
  6. see second pic. b

Edit: oops, it seems it is not the same file; I think I have an updated version: http://www.virustotal.com/file-scan/report.html?id=3f893c4c459b0b0e7bc7d1601f8cacd62381f3566db3da724044244f87d73335-1282304552
Could you please send me your samples so I can test them?
TIA :)

[attachment deleted by admin]

That’s kind of what I was thinking, but could not articulate it as well as languy.