[CTM 2.8 tested] Light virtualization software / Partial sandbox test

Did it pass products like Malware Defender 2.71?

Hi Dax123, very nice work indeed. Thanks for that.

When you are going to complete the tests:

  • TDSS2 versus virtualization software and
  • Safesys / TDSS 1 & 2 versus sandboxes

I think there is also TDL3? Am I right?

Thanks again

Interested in this myself. The second tier of apps appears to be untested, unless I’m misreading the results.

I think he’s busy setting up his new “testing environment”?

http://ssj100.fullsubject.com/shadow-defender-f3/light-virtualization-software-partial-sandbox-test-t166.htm#1236

Ah, we have the same info there. I’d much rather read it on your forum. I’ve mentioned here before that the mechanics of this forum are extremely slow. Just typing this in takes about two minutes. Also, if there’s enough text in the reply box to warrant scroll bars, I can forget it. I end up typing blind because what I type appears below the reply box where I can’t see it.

Any idea when a new version patching this vulnerability will be released?

CTM is now updated to 2.8
I’m going to check it.

Many thanks, dax123.

Pleasure ;D

PS: In a quick test with XP Mode VPC, SafeSys triggered a 0x50 STOP bugcheck.
After reboot, the system is not infected,
and again: TDSS triggered a 0x50 bugcheck; it seems that COMODO implemented a general protection.
I’m doing a further test to confirm this.

CTM could not protect the MBR.
After executing WYH Disk Killer, the system is removed permanently.
I think we might need security software, because CTM can’t deal with the MBR alone.

After a second attempt, Comodo restored the system successfully. The system is safe against WYH Disk Killer.

WYH Disk Killer: safe
Ghost’s shadow: safe, but after a rollback CTM uninstalls itself.
SysAnti: INFECTED!!!

[attachment deleted by admin]

Well… Should it be CTM’s job? Should it block any MBR change?
We have enough trouble trying to restore the Windows MBR in case of CTM failure.
Would we be blocked from making such changes?

CTM uninstalls itself? ???

If you use recovery media (like a CD or a hypervisor boot) you can easily change the MBR in case of corruption (unless you have BIOS MBR protection enabled),
but COMODO should protect the MBR from changes when the protected system is loaded,
and should prevent any permanent filesystem changes, as far as I can tell. That’s what protection means. 88)
And because XueTr can recover that corruption, CTM can do it too.
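
As an added example (not code from this thread, from Comodo or from any product named here), the check below does what several posters expect a protection layer to do: it fingerprints the MBR's boot code and partition table against a trusted baseline so that a change, whether a wiped sector or replaced boot code, is detected and localized. It works on a constructed 512-byte image; reading the real sector 0 (for example `\\.\PhysicalDrive0` on Windows) needs administrative rights and is left to the caller.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte MBR into its regions and decode the four partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446, 16 bytes per entry
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "lba_count": lba_count})
    return {"boot_code": sector[:440], "disk_id": sector[440:444],
            "partitions": parts, "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def fingerprint(sector: bytes) -> Dict[str, str]:
    """Hash boot code and partition table separately so a change can be localized."""
    return {"boot_code": hashlib.sha256(sector[:440]).hexdigest(),
            "partition_table": hashlib.sha256(sector[446:510]).hexdigest()}


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return the names of the regions that differ from the trusted baseline."""
    base, cur = fingerprint(baseline), fingerprint(current)
    changed = [region for region in base if base[region] != cur[region]]
    if baseline[510:512] != current[510:512]:
        changed.append("signature")
    return changed


def sample_mbr() -> bytes:
    """Constructed MBR: dummy boot code, one bootable NTFS partition, valid signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 436  # xor ax,ax; mov ss,ax; nops
    disk_id = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + disk_id + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    base = sample_mbr()
    print("wiped sector changed:", diff_mbr(base, bytes(SECTOR)))        # all three regions
    print("boot code replaced:", diff_mbr(base, bytes(440) + base[440:]))  # boot_code only
```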

Yes. I think CTM recognizes an MBR change and removes itself if so.
And not only does CTM fail to protect the MBR, it also fails to protect the filesystem, as shown below.

Maybe the security feature is incomplete.

edit: I’m now testing Shadow Defender.
edit2: I was wrong, the test result against TDSS/Safesys was contaminated.
edit3: I think this is just a maintenance release. The security feature is not yet supported.

[attachment deleted by admin]

If possible, I fully agree with you.

If the MBR is changed, the console can’t load properly.

So, nothing to celebrate :cry:

Hi dax123,
Interesting tests, but you need to take into account that RVS is not just a simple boot-to-restore solution, so you need to activate all the features to take advantage of the layered security. Each component part is designed to cover the potential weaknesses of the other components to achieve a truly integrated but layered approach, which has been shown to be effective against the malware types you are testing in this discussion (ref: various related Wilders threads in the Virtualization and Sandboxing forum).

This means that to really test RVS, you need to turn on the Anti-execute and antimalware features. You should also try the tests in the same way with the new 3.2 series (RSS Pro 2011 - be sure to review the changes as the AE and AM features have been upgraded as well as a great deal more over the RVS 2010 series).

Kind regards
Mike

To me, this is basically further proof that light virtualisation isn’t a particularly strong “layer” of defense (relative to, say, Sandboxie or SRP, both of which I’m struggling to find current real-world malware to bypass). Returnil have obviously recognised this (for quite a while too), hence the reason for implementing other “layers” of defense.

For me, CTM is not a defense layer but a system restore feature. If it can work in common infections, well, that’s another advantage.

I will send you by PM a malware that bypasses Sandboxie. :slight_smile:

Thanks for the feedback. My opinion is this.

  1. Even though Returnil provides an additional security layer, it’s still a legacy AV and it can be bypassed.
    Only HIPS can appropriately cover that weakness if it is not fixed (and HIPS is chatty).
  2. I don’t buy anti-executable things (unless it’s highly customizable and automated). Imagine a gamer.
    A normal (or business) user can’t (or won’t) use it because it may be irritating.
  3. You need more security layers to cover the weakness if you want to leave it unfixed.

Anyway, it will be interesting to test the new RVS 2011.
Regards

I can’t find any evidence that it bypasses Sandboxie, but will verify/confirm it with Buster and tzuk himself etc.

By the way, the malware can’t even run with Sandboxie’s start/run restrictions.

Please keep us updated on the SBIE issue. Thanks