D+ defence against a fake trusted .exe

hello all.
here is a scenario i would like to ask about D+ defence:
antivirus off
sandbox off
ventors deleted so no white list !
so only D+ in paranoid mode and max firewall alerts.
i set the windows calc.exe as a trusted application.
so can a malware with a same name calc.exe to bypass D+ ? or D+ can recognize that is different file?
cos i noticed something strange ,i had the antirootkit TDSSkiller and i set it as a trusted application
but after an update to a new version of TDSSkiller, D+ without any alert ran it
this new updated modified TDSSkiller could be a malware !
but those 2 TDSSkiller files are not the same cos they have different SHA and MD5 signatures
how D+ can see the difference from SHA MD5 etc ?
soon a new firefox update will come,so the D+ will warn me that its a modified-updated-new firefox?

bad news !!!
i just did an experiment to see if D+ hips can understand 2 different files with the same name and extension
so: here is the test u can try

  1. open a new folder to desktop and put a safe file .exe ,example.exe,then set that file as trusted to D+
    to all alerts allow and remember my choice.
  2. now delete that file example.exe and put other file to that folder with a name malware.exe but rename it to example .exe
    and now the shock: u can run it without any alert !!, D+ hips will see that the name is example.exe and remembered its a trusted file !!! the fake “example.exe” will work ! and the malware will bypass the D+
    so D+ hips rules are based on files names only ??? can a malware with a fake trusted name like explorer.exe
    fools comodo ? i know that online armor has a hips module about that scenario and warns about a tamper attempt-update-modification with a MD5.

Defense+ compares the file hash for trusted applications, unless you select the option to use file names instead of file hashes.

ops…how can i make hash comparison instead file name are there some tips? tnx in advance

Hash comparison is the default method.

Unless you manually add a file to your trusted files list and select the option to compare by file names instead of file hashes, file hashes will be the way Defense+ recognizes your files, not by file name.

This feature was added because applications that are frequently updated, or change in some way with every run, or applications you compile yourself, could be problematic with D+ due to hash comparisons. Any time these types of files are used, D+ will sandbox them because they are unrecognized.

i see…but i have it on defualt i have never changed it to file names…i have one folder in my desktop to save antimalware utilities including TDSSkiller(trusted), but when i downloaded the new update of TDSSkiller and replaced the old one, D+ didnt show any alert when i run it :frowning:
i set unknown files as untrusted and i have sandbox dissabled cos i have sandboxie and i need only hips
firewall without sandbox til the new CIS 6 sandbox.

just out curiosity did you upgrade your cis install from a previous version or is it a clean install?

Do you have the cloud functions active? CIS could have done a lookup and found the new version was safe.

i was thinking the same thing but doesnt CIS exclude the cloud whitelist while in paranoid mode?

its a clean install…after many experiments iam frustrated :frowning:
D+ cant compare MD5 or SHA hash but onlly file names
i will try to make it more simple
i have a desktop folder with some utilities
one of the files is the coretemp.exe (cpu temp monitor),the other is the prime95.exe (cpu stress) so
i run coretemp.exe and i answer to all alerts allow and trusted,so from now every time i run coretemp
i dont receive any alert cos its trusted and i had checked “remember my choice” etc…witch is normal.
note pls that i didnt run til now the prime95.exe so comodo doesnt know it yet.
now i remove the coretemp.exe from that folder to desktop and rename the prime95(in the folder) as coretemp.exe, then i run the fake coretemp.exe(prime95.exe) the program start without any alert.the real coretemp is outside of the folder on desktop area ,the fake coretemp.exe(prime95.exe) is in the folder.the D+ (paranoid) saw the same file name(coretemp) and didnt give any alert.

settings:
i have sandbox off , enhanded protection mode (i have 64bit win 7) max alerts and vendors deleted.antivirus off cloud off

ps. i have deleted the coretemp.exe and now the fake coretemp in the folder(witch is the prime95) runs without alerts >:(

It should.

I still think you’re encountering the whitelist in some way.

I have an application that I compile sometimes several times a day. If I don’t use the option to trust by file name instead of file hash, I get an alert each time I run a new compilation because the new version is unrecognized. The file name for each compilation is the same.

but i have the vendors deleted and any cloud off,so i dont have white list. i did this on purpose to try a pure
hips plan: trust nothing with max alerts

No, it can’t.

cos i noticed something strange ,i had the antirootkit TDSSkiller and i set it as a trusted application but after an update to a new version of TDSSkiller, D+ without any alert ran it this new updated modified TDSSkiller could be a malware ! but those 2 TDSSkiller files are not the same cos they have different SHA and MD5 signatures how D+ can see the difference from SHA MD5 etc ? soon a new firefox update will come,so the D+ will warn me that its a modified-updated-new firefox?
CIS allows the user to change applications like you did. However unknown applications are not allowed because .exe files are protected files. Try making a simple batch script and try to change one file for another file. Or let the batch script delete a file. You will get alerted.

I think because you changed TDSSkiller CIS will not notify.

Again it is CIS allowing the user to make changes.

Again it is CIS allowing the user to make changes.

CIS is the Nanny of program behaviour. It is not the Nanny of user behaviour. The user can make all changes he wants including stupid and dangerous changes. When running an unknown program, or running a program in Paranoid Mode, CIS will alert the user that the program is trying to change another program.

Given the above; if you want to test CIS you need to make a batch file to do all the actions you performed and try again. You will get vastly different results then when you make the changes.

i got it…so do u mean that CIS would prevent a possible drive-by trojan with a name calc.exe to fool it
even if the real calc.exe is in trusted list.so CIS just allowed user for some changes, good ;D
so any firefox auto update CIS will warn that…and yes i did a test with a batch file trying to fool CIS and i got
a royal alert from CIS ;D
thank u very much and gongrats to CIS team (waiting for the CIS 6) >:-D

Big :-TU to EricJH for a clear, concise explanation. Well done Eric!

Where can i find this option?

If default isnt the “path detection”, why dont we get notifications when a file changes?

Recognition by path has changed to recognition by hash.

What scenarios are you referring to where you don’t get alerted when a file changes?

Defense+ → Trusted Files → Add → Browse files. Look at the options near the bottom of the window.

You do get a notification when a file changes. This is why you see so many people making posts that even if they’ve trusted a file, CIS keeps saying it’s unrecognized. It’s because the file has changed, and the file hash is no longer the same as the trusted files hash.

I saw this box for the first time now.
While this may protect the choices made for trusted files (somehow, but read “another point”),
we dont get notifications after changes in safe mode without sandbox.

Example: Firefox got self made rules in defense+ and firewall. Update firefox. Rules are valid for the “changed” firefox too.
This is path based.

The hash based protection is not a general behaviour then.

Another point:
I inserted avast myself into the trusted files list. As i never saw the box, i have not changed the hash based protection. When avast gets updated, the rules are still valid for the “changed” avast.

Thats why i ask: What exactly is protected hash based, and what not?

well finaly bad news :frowning: the CIS cant compare the files from hash
i have coretemp 1.00 version(the exe is as coretemp.exe) and i download coretemp 0.99 version
i set coretemp 1.00 as a trusted file
i delete coretemp 1.00
then i run coretemp 0.99(the exe is coretemp.exe) and CIS ran it without any alert
CIS compare only file names and see these 2 different files as one cos of the file name coretemp.exe
i try to give a huge feedback to help CIS cos its the most promising hips firewall that i have tried so far.