Another bypass of CIS?

Hi guys. Just did some more testing today, 13/05/2010, via the Malware Domain List and a malware from 12/05/2010. I set up CIS in proactive mode with the sandbox disabled and D+ enabled to check for all executables, and AV in low heuristics. The firewall was in safe mode. I executed an exploit I found on the site and nothing popped up to notify me of intrusion, except a box with what looks like Russian writing. I then checked the view active process list and there it was, running.

Using Shadow Defender I sent it packing, but I want to know if anyone can test this and see if they get the same result as me. I understand we should not post links to malware, but would want this one checked out and wonder how I can give details of the malware without breaking forum rules?


I suppose you are allowed to quote the malware you tested with only its references from MDL, as MDL only reports malware in strict text format, and thus no one is actually able to download the said malware from a direct link by accident.

Hi Dave.

The malware might have been able to DROP files - but not do anything that causes system malfunction. Remember that automatic virtualization is NOT enabled by default. However, automatically sandboxed applications cannot modify (i.e. infect) any protected registry keys or files. They also can’t do any administrative actions.

So you may see a GUI, or a process, but really, it can’t do anything. If you reboot, the malware should be gone from processes and system should remain stable. It’s not a typical bypass.

“So you may see a GUI, or a process, but really, it can’t do anything”

Ahem, yes it can: it can take screenshots, switch on your webcam and microphone and log keys… whilst sandboxed with all CIS settings in default mode. I tried the antitest.exe and keyboard.exe tests discussed on another thread. That’s bad. I managed to fix this by disabling the waste-of-time sandbox and switching on pro-active security, but it sounds like there are more issues as per dave1234.

A link to a VirusTotal report along with links to CIMA and other online sandboxes’ reports (anubis, cwsandbox, threatexpert, etc.) would provide a great deal of information, while subscribing to these forums’ Malware research group would provide a board to attach a live malware sample (providing a chance for tests by members of that group).

I assume it's OK to name this nasty then? It's Het of Eleonore exploits pack, currently calc.exe. It's there on the site to test, guys, 12/05/2010. Please report back, and if CIS detects it then what do you think may be wrong with my setup to cause this?

If I should not have posted this then mods please remove it.


Meaningless… Windows has more holes than any software can fix/secure. The architecture of Windows is bloated and outdated; any fix will only produce more holes =/

Is it still there? Would you empty your browser cache and try to download it again?

Hello Endymion. Oops! Just tried to download it and no good anymore, dead and buried. I have seen infections get in 3 times recently in testing. I just download lots of malware into Shadow Defender and execute. Some malware is picked up by D+ and some by AV. Some simply end up where they should not be, i.e. showing up in the active process list.

I think if testing was done continuously then, based on my experiences, others would find out that certain malware IS bypassing CIS, but I would love to be proved otherwise.


Yep Dave, and everybody would appreciate seeing links to VirusTotal reports and to online sandbox reports in case what you “would love to be proved otherwise” will happen (I was attempting to do just this).

If you wish you can still join the malware research group in these forums to share your experiences with the rest of them.