CIS Test

In this test, Fake AV Security Shield was auto-sandboxed but still got installed. The tester ended the fake AV with Task Manager. I want to know: if, instead of ending the fake AV, he had restarted the system, would the fake AV still have been there or would it have been gone?

Thanxx
Naren

You can't submit any failure, real or supposed, by means of a social network video. (As far as I am concerned, I make it a principle never to watch any.)

Why don't you provide the link to the test, so that everybody who wants to can test it independently?

Did he even restart to see if Comodo deleted those files that were in the sandbox? He should have restarted to see if the rogue would still be there. Since he began to modify CIS, he should have optimized CIS fully by setting Limited/Restricted/Untrusted rather than leaving it at the default.

Regards,
Valentin N

XXXXXXXXXXXXXXXXXX (link to malware)… please do not post any link to malware directly… thanks

This is the link to the malware. I would like to see how CIS defaults did. I only have a production machine, so I can't test.

Thanxx
Naren

I will try it on my VM machine later today. I hope I don't get infected, since I have never tried any malware on a VM machine.

Regards,
Valentin N

OK. I will wait for your comments. Please do try with CIS defaults too.

Thanxx
Naren

Okay :slight_smile:

My test:
This rogue also gets installed with the Limited and Restricted settings.
CIS completely blocks it only with the Untrusted option (which I personally always use). :-TU

EDIT: It seems that CIMA now catches it… CloudBehavior.Suspicious…

Thanks for testing it :slight_smile: !ot! Do you use VMware's VMware Player?

Regards,
Valentin N

Did you try it with CIS defaults? And did you restart the system to check whether it's there or gone?

Thanxx
Naren

[at]Valentin: Yes, the test was made on VMware Player 3.1.3

[at]naren: Yes, I restarted the system and it was not active. There is a shortcut in Start > Programs, but when I launched it, it got caught by CIMA and vtkrxjszr.exe was erased from the Application Data folder.

I tested it on VMware Workstation, and the fake AV gets installed on default settings. I terminated it with KillSwitch and restarted the computer. Nothing was there after that. :-TU


So if someone installs it and it gets sandboxed, then it will be gone after the restart/reboot?

I think so. :wink:
But anyway, I recommend using the Untrusted option in the first place.

Only if he terminates it in Task Manager.

Okay :slight_smile: Thanks for the answer.

I tested it myself, and D+ in Proactive mode (without the sandbox) blocked it well.

It is installing its executable in a non-protected folder, c:\users\%username%\local\. That's how it got past.

And how do I find this? I have tried all combos but with no success. Thanks

Regards,
Valentin N

Start > Run > %userprofile%\Local Settings
or in Vista/7
Start > Run > %userprofile%\Local

Hope this helps

Jake
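The thread's open question is whether anything the sandboxed rogue dropped comes back after a reboot, and the last few posts point at the user-writable profile folders (%userprofile%\Local, Application Data) and a leftover Start > Programs shortcut as the places to look. The following PowerShell script is an added example, not code from the thread or from Comodo: it inventories recently written executables in those user-writable folders (with their signature status and hash), lists Run/RunOnce autostart entries that point into the profile, and resolves Startup/Programs shortcuts to flag targets in the profile, including dangling ones whose executable has already been removed. The folder list, the `-Days` window and the "points into the profile" heuristic are assumptions chosen for illustration, and `Get-FileHash` needs PowerShell 4 or later.

```powershell
# Added example (not from the forum thread or from Comodo): inventory the
# user-writable drop locations and autostart entries a rogue installer can use,
# to check whether something that ran in the sandbox would survive a reboot.
# The folder list and the -Days window are assumptions for illustration.
param([int]$Days = 1)

$cutoff = (Get-Date).AddDays(-$Days)

# User-writable folders not covered by default protection; the thread names
# %userprofile%\Local / Local Settings and the Application Data folder.
$dropDirs = @(
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Local Settings')   # XP-era name for the local profile folder
) | Where-Object { $_ -and (Test-Path $_) }

Write-Host "== Executables written since $cutoff in user-writable folders =="
Get-ChildItem -Path $dropDirs -Recurse -Force -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            Signature = $sig.Status      # Valid / NotSigned / HashMismatch ...
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize

Write-Host "== Run/RunOnce entries whose command points into the profile =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        if ($p.Value -match [regex]::Escape($env:USERPROFILE)) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Startup folders and the Start > Programs tree: resolve every .lnk and flag
# targets inside the profile. A dangling target means the executable is gone
# but the shortcut that would relaunch it is still there.
Write-Host "== Shortcuts whose target is inside the profile =="
$shell = New-Object -ComObject WScript.Shell
$linkDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Programs')
) | Where-Object { $_ -and (Test-Path $_) }

Get-ChildItem -Path $linkDirs -Recurse -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -and $target.StartsWith($env:USERPROFILE, 'OrdinalIgnoreCase')) {
        [pscustomobject]@{
            Shortcut     = $_.FullName
            Target       = $target
            TargetExists = (Test-Path $target)   # $false = dangling shortcut, file already removed
        }
    }
} | Format-Table -AutoSize
```

Run it once right after the rogue has been terminated and once more after the reboot; the second run tells you whether the executable, its autostart entry and its shortcut were actually discarded or merely stopped. Nothing here blocks anything, and the "inside the profile" heuristic will also list legitimate per-user software, so treat the output as a list of things to check rather than a verdict.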