Can you guys tell me if you had Defense+ in Safe Mode or Clean PC Mode? I would like to test too…
Cheers,
Josh
My D+ is in Paranoid mode
Can you guys tell me if you had Defense+ in Safe Mode or Clean PC Mode? I would like to test too…
Paranoid Mode.
If I put image execution up to Aggressive, it catches it.
Confirmed
Strange…
I did exactly the same thing as you guys: switched to Paranoid Mode in D+, Parental Control off, Proactive still active, removed test.exe from my Computer Security Policy, rebooted, ran Notepad, tried running test.exe, but was alerted.
I’m running XP… I assume all you guys are running Vista? And are you 32- or 64-bit?
Cheers,
Josh
I’m running Windows 7, but I tried it on XP in a VirtualBox and I got the same result, no alerts
32 bit Vista Home Premium here.
Strange how you were alerted under these conditions, when the only way that I could be alerted (and panic) was to move the image execution monitoring to Aggressive - anything below this setting gives no alert.
Hi Guys,
The test ran a bit differently here.
Defense+ is in Safe Mode and I am in Proactive Security.
I am always getting a Keyboard Access alert
http://h.imagehost.org/t/0308/CISAlert_KeyboardAccess.jpg
and I block it.
As a result I have many events in the log:
http://h.imagehost.org/t/0461/TestBlockedKeyboardAccess.jpg
At the same time, after blocking, I can still fill in the input box, though:
http://h.imagehost.org/t/0859/WillCloseNotepad.jpg
If I block without Remember, that just shuts down Notepad, but I can run it again normally after that.
But if Remember was checked, I can continue working with Notepad:
http://h.imagehost.org/t/0817/NotepadWorking.jpg
I can save what was entered in Notepad, call it again, etc.
Then I can close the test when I want.
That is still not a proper blocking of test.exe by CIS, but the scenarios are different and I could not reproduce the hanging of Notepad.
My regards
Definitely the scenarios are different. :-\ Very strange, this one. The only rhetorical question I have in my head is: is there malware out there that does this same behaviour? It’s certainly a huge inconvenience.
I’m looking at threats in the wild.
Cheers,
Josh
Ah’, so I don’t need to use the Proactive Security Configuration? All I need to do is change the Image Execution Control Settings to ‘Aggressive’?
Sweet! That’s even easier. ;D :-TU
Ah', so I don't need to use the Proactive Security Configuration? All I need to do is change the Image Execution Control Settings to 'Aggressive'?
It’s probably going to annoy you for a while :a0 >:-D
All of the Programs I use are already installed. So I don’t think CIS will need to create any more ‘Computer Security Policies’, until I update those Programs of course.
Or do you mean I will get extra Alerts for the Programs which already have ‘Computer Security Policies’ written?
I can manage to crash Notepad but not Notepad2 (no alerts are triggered in either case).
Attempting to crash CIS (cfp.exe) will trigger a Windows message alert. Allowing will cause a crash; blocking will prevent the crash.
Enabling D+ Windows message protection for Notepad is not able to prevent the crash, nor will blocking Windows messages in the test.exe policy prevent it.
Enabling D+ Windows message protection for CIS (it will not be possible to load CIS from the tray icon; using the CIS desktop shortcut will work fine) will prevent any alert without resulting in CIS crashes.
Since, according to some screenshots on Wilders, Windows messages are involved, it looks like D+ could possibly restrict the number of messages trapped to reduce FPs, and this allows this PoC to work.
AFAIK no product tested thus far detects/sets a message rate to trigger message flood alerts (e.g. like firewalls do).
More than a termination PoC, this looks like fuzz testing that exploits Windows design and/or application design weaknesses to cause a crash.
If your system is fairly static, i.e. not making continual changes, installing and removing applications, you should be fine.
XP SP2 patched here, Josh.
Thanks. :-TU
Anyone willing to have an EasyVPN Conversation with me? (Remote Connections too…)
Cheers
Josh
Josh please read the alert D+ gives you. It is not alerting about the process termination at all.
I don’t understand how the exploit works. If it posts too many window messages to a window and its parent process crashes, isn’t that the process’ fault? I can’t imagine that the MS developers of win32k.sys forgot to add buffer overflow checking…
To be honest I haven’t actually tried the thing yet, so could someone tell me what it does?
Kyle
The point is the likes of panic, Quill and tsec did not receive ANY alerts, meaning the language of the alerts is completely irrelevant.
Cheers,
Josh