Comodo fails fake mouse clicks attack-review by PC Magazine!!!

I honestly never knew that malware can be so intelligent.
But is there a way to protect CFP from this fake mouse click attack?

I honestly don’t see why anyone would consider the fake mouse clicking (in the context of the article) an actual threat. The test that was done was done under the assumption that such a script was run autonomously from within the firewall. Since any properly configured firewall should block unknown programs from accessing the Internet to begin with, there is no way for a remote user to “control” the script to click precisely on the spots where it needs to click. Granted, it is still possible to get there just by sheer luck, but it’s easy to imagine that truly random clicking would cause other things to happen rather than actually going through the series of menus to turn off the firewall.

Now if you’re talking about an intelligent program that polls the screen and then performs tasks based on that, then having your firewall disabled is probably the least of your problems.

It would be more probable if it was over the internet. It is unlikely that if he is asking the question, that anyone could have accessed his computer. It is possible but it's more likely an internet attack.

What’s so intelligent about a script?

No, no, no! Does anyone read what I write?

The actual real examples of such use are not via a remote user as everyone in this thread is assuming.

It is via a trojan… No remote user is involved (at least not at first).

A normal trojan would be defeated by HIPS (or at least defeated in the sense that a prompt would occur, and you have a chance to be protected if you respond correctly), but a trojan specifically designed such that it can answer the prompt automatically will bypass the HIPS…

Seriously, there’s nothing “intelligent” about it. The actual problem with these fake mouse clickers is actually already mentioned in the article, different resolutions, different layouts etc… This can be worked around but at the cost of complexity.

An assertion based on what exactly? Might I remind you that the real examples of such attacks (rare as they are, they do exist) involve trojans that people choose to run, not “over the internet” remote attacks…

It is unlikely that if he is asking the question, that anyone could have accessed his computer. It is possible but it's more likely an internet attack.

Again, you state something, without giving an argument why something is more likely…

And once again I am answering not elaborating because no one asked me to elaborate.

I'm here to help, not confuse those who do not wish for me to elaborate (if they aren't savvy).

If you played with Defense+ a little more you would find this impossible. The reason is simple: a program asks for something, and it is locked out until you allow or deny. It just can't use fake mouse clicks while locked. The workaround would be creating a separate executable for faking mouse clicks, which would also generate an alert about creation, then an alert about execution. If this is not enough, then the user is just a plain moron and the most advanced firewall will not help him.

Then how did Neil Rubenking (tester, as he described in PC Magazine) manage to disable CFP even with Defense+?

Erm, you see… his executable was already on the computer and he launched it; he knew he wanted to launch it and thus allowed it to be run. But if he weren't, if this was a hypothetical trojan instead, it surely would generate at least two alerts: one while creating the executable and the other when launching it. I think since this technique is pretty hard to implement correctly it is no big deal that CFP doesn't protect from fake mouse clicks, but it SHOULD be there anyway. Also, that “mouseclicking” module would have to either hook CFP (another bunch of alerts) or screen capture (still alerts, alerts…) to determine where it should click… and to be able to analyze screen captures, it should be pretty advanced… to be able to answer alerts for CFP via hooking, it must be even more advanced… CFP is bulletproof :-))))

PS Why screen capture? This “mouseclicking” technique requires pixel-perfect accuracy, as stated in the article, and there's no way to automate this process without either directly hooking CFP (to know its control positions etc.) or screen capture and then analyzing the screenshot for known elements… but then, if it uses basic pixel-matching, a simple theme change would nullify this type of screen capture analysis… if it uses more advanced algorithms, wouldn't it be too large then?

EDIT: as I remember, CFP protects itself against direct hooking :-))))

EDIT2: well, not by default… so we can say it doesn’t :-))))

So how do I enable it? ???

D+ settings → policy → Comodo apps → protection settings → enable and disable what you want :-)))

PS Warning! A malicious fraudster janitor detected on COMODO forums!

You mean this? :
Defense+/comp security policy/advanced/defense+ setting/monitor setting
I have them all checked (by default I guess) ??? Or is there anything else?

;D I'm the mysterious TC. Trash controller ;D

No, I mean open the GUI, go to the Defense+ tab, there go to the Advanced tab, then Computer Security Policy and find there a group called COMODO Apps, open its properties (properties of a group) and go to Protection Settings :-)))

To me trash collector sounds better :-))))

I only see Comodo Firewall Pro ???. All right, I've changed the Windows/WinEvent hooks protection settings to “yes”. Is that correct? Hey, if it's so important, why didn't Comodo make it a default setting ???

Burillo >:( I was gonna tell you Melih's & Egemen's forum password, never mind then >:(

The truth is that it isn't as important as termination and memory access :-))))) There's very little possibility of unnoticeable exploitation of these “vulnerabilities”, but still, if you're paranoid about new meta-poly-giga-ubermorphic viruses, go ahead and change it :-)))))) Too much caution isn't bad, it's inconvenient :-))))

I knew you were a supa-k00l hax0r!

I saw this on another forum and could not make anything of it; it sounded like a debunking post. But as I can see, Comodo has this covered, and I would have to agree it would take some very exceptional thing to take place before any of it could happen. Thanks Burillo for the insight and for the settings; never knew they were there.

Isn't this why it's called support forums? :-)))))

Well, I've changed it. Why take chances ;D