Comodo Firewall and rootkits

If we installed Comodo Firewall on a 100% clean, brand new Windows 7, then restarted, then set the firewall to custom policy, then disabled Comodo Firewall until the next restart, then got infected with a "kernel mode rootkit (ring 0)", then restarted.

Now Comodo Firewall is enabled on custom policy (with the rootkit infection), then we start Dragon.

-Will the rootkit be able to send and receive data directly on its own, or by using Dragon?
-At what ring does Comodo Firewall operate?
-As you can see, we run into this as well: can Defense+ even detect Dragon being used by this kind of rootkit?

Please review these links if you don't know some of the words:

Regards…

What rootkit are you infected with, according to what scanner?

> Now Comodo Firewall is enabled on custom policy (with the rootkit infection), then we start Dragon.
>
> -Will the rootkit be able to send and receive data directly on its own, or by using Dragon?

Once a rootkit is on your system, CIS Firewall or D+ won't be able to see it. With the Behaviour Blocker or D+ you would likely have prevented it getting installed. However, if it got past the BB or D+, you are at the mercy of signature-based solutions to find it.

> -At what ring does Comodo Firewall operate?
> -As you can see, we run into this as well: can Defense+ even detect Dragon being used by this kind of rootkit?

Ring 0. However, once an application has kernel access it is basically the end of the exercise for a security program, because the rootkit operates with the same rights. With kernel access a rootkit can unhook any security program.

Thanks a lot for the fast, helpful reply...

-It was a hypothetical question; I'm not infected with a rootkit according to many AVs:
Comodo AV and rescue disk, Kaspersky AV and CD, Norton and many others.

But you never know for sure; those kernel rootkits are very nasty.

> Once a rootkit is on your system, CIS Firewall or D+ won't be able to see it. With the Behaviour Blocker or D+ you would likely have prevented it getting installed. However, if it got past the BB or D+, you are at the mercy of signature-based solutions to find it.

-I was afraid so. BTW, you didn't say at which ring Comodo Firewall operates? Also, someone told me that KillSwitch inserts a kernel driver to detect processes and connections; if so, can it detect the rootkit's connections? And is it better at detecting connections than the CIS firewall, or are they at the same level?

Sorry for the extra questions, but they're related to the subject.
Regards...
Mod edit: Added quote tags, Captainsticks.

I fixed the quote structure in my previous post and added some information.

CIS operates at Ring 0 level in the kernel. But when a rootkit also runs there, it can cloak everything. CIS won't see it there. CIS will prevent giving unknown files kernel access (loading a driver or creating a service).
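To make the two replies above concrete (an unknown file is refused kernel entry by the HIPS, but a rootkit that is already in the kernel runs with the same rights and can unhook and cloak), here is an added example that is not code from the thread, from Comodo, or from any real rootkit. It is a user-space C model of a kernel dispatch table: the hypothetical "HIPS" hooks the `load_driver` entry and vets callers against an assumed whitelist (the driver names, the process list and the `rk_driver` name are all constructed for the example); the hypothetical "rootkit", running at the same level, simply restores the original pointer (unhooking the HIPS) and wraps process enumeration so that anything reading through the table no longer sees it.

```c
/* Added example, not from the thread or from Comodo: a user-space model of a
 * kernel dispatch table showing why equal privilege means no protection. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef int (*load_driver_fn)(const char *image);
typedef int (*enum_procs_fn)(const char **out, int max);

/* Hypothetical dispatch table standing in for a kernel's syscall/SSDT-style table. */
static struct {
    load_driver_fn load_driver;
    enum_procs_fn  enum_procs;
} table;

/* Constructed sample state: a process list and a driver-load counter. */
static const char *procs[] = { "explorer.exe", "cfp.exe", "dragon.exe", "rk_driver" };
static const int   nprocs  = 4;
static int loaded_drivers;

static int real_load_driver(const char *image) { (void)image; loaded_drivers++; return 0; }
static int real_enum_procs(const char **out, int max) {
    int n = nprocs < max ? nprocs : max;
    for (int i = 0; i < n; i++) out[i] = procs[i];
    return n;
}

/* "HIPS": hooks load_driver and lets only whitelisted images reach the kernel. */
static const char *trusted[] = { "ntfs.sys", "tcpip.sys", "cmdguard.sys" }; /* assumed names */
static load_driver_fn hips_saved;
static int hips_blocked;

static bool hips_trusts(const char *image) {
    for (size_t i = 0; i < sizeof trusted / sizeof *trusted; i++)
        if (strcmp(trusted[i], image) == 0) return true;
    return false;
}
static int hips_load_driver(const char *image) {
    if (!hips_trusts(image)) { hips_blocked++; return -1; }   /* deny the unknown file */
    return hips_saved(image);
}
static void hips_install(void) {
    hips_saved = table.load_driver;
    table.load_driver = hips_load_driver;
}

/* "Rootkit": already in the kernel, so it has the same write access to the table. */
static enum_procs_fn rk_saved_enum;
static int rk_enum_procs(const char **out, int max) {
    int n = rk_saved_enum(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(out[i], "rk_driver") != 0) out[kept++] = out[i];   /* cloak itself */
    return kept;
}
static void rootkit_install(void) {
    table.load_driver = real_load_driver;   /* unhook: the HIPS callback is never called again */
    rk_saved_enum = table.enum_procs;
    table.enum_procs = rk_enum_procs;
}

static void reset(void) {
    table.load_driver = real_load_driver;
    table.enum_procs  = real_enum_procs;
    loaded_drivers = hips_blocked = 0;
}

/* Scenarios that return values a test can check. */
int hips_alone_blocks_unknown_driver(void) {
    reset(); hips_install();
    int rc = table.load_driver("rk_driver.sys");
    return rc == -1 && hips_blocked == 1 && loaded_drivers == 0;
}
int rootkit_unhooks_hips(void) {
    reset(); hips_install(); rootkit_install();
    int rc = table.load_driver("rk_driver.sys");
    return rc == 0 && hips_blocked == 0 && loaded_drivers == 1;
}
/* What any scanner that reads through the table sees, with and without the rootkit. */
int visible_processes(bool rootkit_present) {
    reset(); hips_install();
    if (rootkit_present) rootkit_install();
    const char *seen[8];
    return table.enum_procs(seen, 8);
}

int main(void) {
    printf("HIPS alone blocks unknown driver: %d\n", hips_alone_blocks_unknown_driver());
    printf("rootkit unhooked the HIPS: %d\n", rootkit_unhooks_hips());
    printf("processes visible clean/cloaked: %d/%d\n", visible_processes(false), visible_processes(true));
    return 0;
}
```

The point the model makes is that a hook is only a pointer in a table both components can write; once the rootkit is running at the same level, nothing stops it from writing that pointer back, and nothing the HIPS reads through the table afterwards is trustworthy. That is why the replies above say prevention (refusing the unknown driver in the first place) is the only stage at which the HIPS has the upper hand.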

Precisely what I needed to know...

Still, if CIS and the rootkit operate at the same privilege, why can the rootkit unhook CIS's operation but CIS cannot unhook the rootkit? It does not make sense, as they should be equal???

Regards

Edit:
Found something; does it apply to CIS?
www.sans.org/reading_room/whitepapers/threats/kernel-rootkits_449
You may add ".pdf" to it to make it work.

I looked up a relevant quote by egemen, the head developer, on this:

> CIS once started as a firewall with HIPS (Comodo Firewall) and has always been about preventing an infection from happening in the first place (hence why a Host Intrusion Prevention System is part of CFP). When properly used, solutions like CFP empower the user to stop malware getting installed in the first place.
>
> Later an AV was added, making the Comodo Internet Security suite. The AV is not designed to be the ultimate cleaning tool after the fact of getting infected. It will stop rootkit installation if it has a signature for it. For the purpose of cleaning, Comodo created Comodo Cleaning Essentials.

I hope the above clears things up more for you.

> Edit: Found something; does it apply to CIS? "www.sans.org/reading_room/whitepapers/threats/kernel-rootkits_449" You may add ".pdf" to it to make it work.

It did not allow a direct link to that pdf. What is the question you have after reading this article?

Thank you very much for taking the time to elaborate all of this to me; many thanks...

> It did not allow a direct link to that pdf. What is the question you have after reading this article?

It is a direct link, but the file will be downloaded without any extension. All my questions got answered.

I'm very clear now about this topic; thank you very much. In the course of searching I found the link below; it may be interesting to you or to anyone who reads this topic.

Both links are the same, but this one is somewhat old.

If you use your ears:
media.grc.com/sn/SN-009.mp3
If you use your eyes:

:smiley: :smiley: :slight_smile: :slight_smile: :smiley: :smiley:
Thank you very much, EricJH...
Regards.

I got the link to the SANS pdf working. I had misunderstood what you wrote; I thought I had to add the .pdf extension to the URL you provided.

:wink: