CFP V3.0.14.273 did not pass the test!

IMHO this thread should be moved to the Leak Testing forum

[QUOTE]Maybe we need a new checkbox here for monitoring mouse access
[/quote]
No, we need something meaningful. The test is not reading the mouse movements in an unusual way, it’s blocking input from the mouse and the keyboard.

That’s a good point, I’ll do it now.

/LA

Yes, there's a problem. I set Defense+ to Paranoid mode, then launched test.exe:
mouse and keyboard blocked, no alert from the firewall.
I set the Defense+ image execution control level to Aggressive; this time I got an alert, so I blocked test.exe, but I had exactly the same result: mouse and keyboard blocked.
Using the latest Comodo 3.0.14.276 on XP Pro SP3 RC1.

Kaspersky detected the file test.exe on Vista.
I can't run Kaspersky and Comodo together on XP; they are not compatible, I got a BSOD with both running.
I'm going to stop Kaspersky and Comodo, then launch test.exe on Vista.
If this problem touches Vista too (which I don't think), I'll be very disappointed with the latest MS OS,
because I tried SSDT hooks that crashed XP and had no effect on Vista, so I hope this file affects only XP.
Let's try now; I'm posting this beforehand in case test.exe has the same effect on Vista.

OK, same result on Vista: mouse and keyboard locked. With Kaspersky on, the file is blocked; that's a good AV.
I think I'm going to reinstall Jetico 1.0 on XP; it looks more like a FW than Comodo.
I'm going to test Comodo on Vista now with full protection, without Kaspersky running, with this file test.exe; maybe I'll get a better result than on XP and block this file.

OK, on Vista, with the Defense+ image execution control level set to Aggressive, test.exe is blocked. I got a message saying it's not a valid Win32 app.

[QUOTE]ok same result on vista , mouse and keyboard locked. with kasper ON, the file is blocked, that's a good AV.
[/quote]
Does it block the malicious behaviour or just running this test? I mean, does it display a popup like "test.exe is trying to get low-level access to kbd" or something like that? Or is it just stopped by its AV engine (which is not fair for HIPS testing)?

Avira also detects it as TR/Agent. Below are the virustotal results.

Antivirus Version Last update Result
AntiVir 7.6.0.46 2007.12.25 TR/Agent.dgs
Authentium 4.93.8 2007.12.26 -
Avast 4.7.1098.0 2007.12.25 -
AVG 7.5.0.516 2007.12.25 Agent.MCO
BitDefender 7.2 2007.12.26 -
CAT-QuickHeal 9.00 2007.12.25 -
ClamAV 0.91.2 2007.12.26 -
DrWeb 4.44.0.09170 2007.12.26 -
eSafe 7.0.15.0 2007.12.25 Win32.Agent.dgs
eTrust-Vet 31.3.5400 2007.12.24 -
Ewido 4.0 2007.12.26 -
FileAdvisor 1 2007.12.26 -
Fortinet 3.14.0.0 2007.12.26 W32/Agent.DGS!tr
F-Prot 4.4.2.54 2007.12.25 -
F-Secure 6.70.13030.0 2007.12.26 Trojan.Win32.Agent.dgs
Ikarus T3.1.1.15 2007.12.26 Trojan.Win32.Agent.dgs
Kaspersky 7.0.0.125 2007.12.26 Trojan.Win32.Agent.dgs
McAfee 5192 2007.12.24 -
Microsoft 1.3109 2007.12.26 -
NOD32v2 2747 2007.12.25 -
Norman 5.80.02 2007.12.26 W32/Agent.DRIO
Panda 9.0.0.4 2007.12.25 -
Prevx1 V2 2007.12.26 -
Rising 20.24.21.00 2007.12.26 -
Sophos 4.24.0 2007.12.26 Mal/Generic-A
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.26 -
TheHacker 6.2.9.168 2007.12.22 -
VBA32 3.12.2.5 2007.12.24 Trojan.Win32.Agent.dgs
VirusBuster 4.3.26:9 2007.12.26 -
Webwasher-Gateway 6.6.2 2007.12.26 Trojan.Agent.dgs

Either this is a false positive, or you all got infected; my congratulations (:CLP) (:CLP) (:CLP) (:CLP)

:smiley: LOL
So this test.exe is REAL malware??? And Defense+ can't detect the malicious attempt?

:BNC Well, I'm sticking with Comodo 2.4 for now; I think it's a false positive, that you are not infected.
I hope this site is smart enough to keep Comodo V2.4 as a second choice for people
who don't like the newest Comodo V3.0 that's out.

(:TNG) Thanks for making a piece of "easy to use" software more complicated to use.

I doubt that jetico 1.0 or comodo 2.4 will block it…

[QUOTE]so this test.exe is a REAL malware
[/quote]
The only thing that test.exe seems to do is block the keyboard and the mouse, but it is not trivial to unblock them (killing test.exe using Task Manager took me several minutes), so it's enough to be called malicious.

[QUOTE]and defense+ can't detect the malicious attempt?
[/quote]
If a HIPS doesn't have a hook on the specific function to intercept calls to it, then it cannot block the behaviour.

I haven't tested that test.exe file, but from what I read here CFP reacted as it reacts with thousands of executables that are not in the safe list: just an alert for the execution (which also happens for safe exes known by CFP, btw). And then basically nothing: I mean CFP didn't detect malware behaviour. Cool... and a bit worrying. How the hell are people supposed to know that there's going to be a malware issue before they allow the execution of a program like that? They just can't. They're left without any protection from Def+. That leaves anti-spyware or anti-virus software to detect it... when they work.

Well, it could be a false positive, as it did not try to create or modify other files; it just blocked the mouse and keyboard, AFAIK. Yes, it is annoying, but it should rather be marked as jokeware than as a trojan. As it didn't infect anything, I don't think you should be that concerned. And the fact that it could block the mouse does not mean that it could do any other harm without CFP blocking it. As already stated, it is maybe in connection with functions hooked by CFP.

Just a quick question to ggf31416: how do you shut down TEST.exe with Task Manager? I could open Task Manager but did not know how to kill it without my mouse. I would like to know in case I need to kill a task in future without use of the mouse; I had to reboot to kill TEST.exe!

What worries me is that people who tried the file didn't even get an alert that it was trying to access the keyboard and mouse settings. Yeah, btw, mouse settings are also protected; I've experienced that with Logitech mouse buttons while browsing in Firefox: got Def+ alerts that Firefox was accessing SetPoint (Logitech drivers and settings).
But indeed, the file did worse: it actually blocked the hardware. Could also be related to USB ports being vulnerable and deactivated. Anybody checked that? I'm not sure Def+ could protect that at all... OK, I just read the MS page about blocking input; I just didn't know how the file managed to block the mouse and keyboard. So it's a purely software issue between Def+ and Windows, and not between Def+ and USB drivers, and Def+ should have reacted in all cases.

You can move the mouse, although slowly, if you hold Ctrl+Alt+Del (or Ctrl+AltGr+Del), but you have to release the keys after 2 or 3 seconds and wait a few seconds, or Windows will open more instances of Task Manager than your computer can handle!

[QUOTE]You can move the mouse, althrough slowly
[/quote]
So you just used the mouse to shut it down? Task Manager opened quick and easy with the usual "Ctrl-Alt-Del" when I tried while running TEST.exe a few days back, but my mouse did not respond at all! Is there a way to terminate a task without using the mouse?

Update: Never mind, I've worked it out: "Up/Down arrow" keyboard buttons to select the task, then "Delete" and finally "Enter" to end it. (Although when I tried the "Up/Down" arrow keys while running TEST.exe they did not seem to respond.)

I like the idea of Mouse Access Protection. You've got Keyboard, and next should be Mouse!

Josh.

With Kaspersky you can't even download the file, or if Kaspersky was off and you downloaded it, when you load Kaspersky it blocks the file directly.

And as I said, with Comodo 3 alone on Vista with the Defense+ image execution control level set to Aggressive, the file doesn't work, but on XP, even with the setting at Aggressive, the mouse and keyboard are blocked. So why does Comodo block this exploit on Vista but not on XP?
We know Vista is more secure than XP, but I thought Comodo runs the same way on Vista or XP.
So if you want to be safe on XP you need an AV that detects this file, or a new Comodo is on the way and will block this exploit. That is a nice breakthrough; congratulations to the people that easily show FW coders how simple ideas can reduce their work to zero.

AV cannot protect you from behaviours, only from specific files. Anyone with programming knowledge can do something similar in minutes.
For example, the following AutoIt script will freeze your mouse and keyboard for about 20 seconds:
; Re-assert the block 200 times, 100 ms apart: roughly 20 seconds in total.
; Calling BlockInput(1) again each iteration re-establishes the block if the
; user managed to release it in the meantime.
For $i = 1 to 200
    BlockInput(1)   ; 1 = block user keyboard and mouse input
    Sleep(100)      ; milliseconds
Next
; Input is released when the script exits.

An actual programmer would code it in C++ and it would take only a few kilobytes, not hundreds.

The password of the zip with the compiled script is “freeze”

[attachment deleted by admin]
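The same freeze expressed through the Win32 call directly, as an added PowerShell example that is not from the thread or its attachment. It assumes, as the AutoIt script above and the earlier mention of the MS page on blocking input suggest, that the effect comes from the documented user32.dll BlockInput function; the 200 x 100 ms loop mirrors the script, and the finally block shows the explicit release. Run it only on a throwaway test machine.

```powershell
# Added example (not the thread's test.exe): freeze keyboard and mouse for
# ~20 s via user32!BlockInput, then release explicitly.
$sig = @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool BlockInput(bool fBlockIt);
'@
$u32 = Add-Type -MemberDefinition $sig -Name 'Input' -Namespace 'Win32Demo' -PassThru

try {
    for ($i = 1; $i -le 200; $i++) {
        # BlockInput(TRUE) returns zero when input is already blocked, so the
        # return value is deliberately ignored; repeating the call only matters
        # if the block was released in between (the thread reports Ctrl+Alt+Del
        # briefly gives the mouse back, which this re-assertion undoes).
        [void]$u32::BlockInput($true)
        Start-Sleep -Milliseconds 100
    }
}
finally {
    # Only the thread that blocked input can unblock it (documented behaviour),
    # so release from the same thread rather than relying on process exit.
    [void]$u32::BlockInput($false)
}
```

The call is a single documented API, which is the point made earlier in the thread: a signature for one compiled test.exe says nothing about the next program that calls BlockInput, while a HIPS can only alert on it if it hooks that specific function.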

[QUOTE]why with vista comodo blocks this exploit but not with xp?
[/quote]
Kinda strange... Anyway, I'm trying to get Gentoo working :-)))