D+ settings: limited-restricted-untrusted-blocked?

Hello guys. I’ve been testing CIS 5.3, especially D+, against some malware. An example is a trojan found in a keygen (CAV doesn’t detect it, but it’s a trojan detected by several AVs). When I try to open this keygen, CIS alerts me with a popup (I set D+ in Safe mode with the option Restricted for unrecognized files), but I can execute this keygen without any problem ???, so I’m not sure if this behavior of D+ is correct and my computer is safe and not infected. Maybe “Blocked” is the only safe option for Defense+… I’ve read the Help about D+ and “Restricted” (Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights), but it’s not very informative.

Thanks for your support.

Regards

Miguel Angel

Not all keygens are viruses and most AVs flag them either as false positives or hack tools…

But the question is if D+ should have to block this attack…

Hey and warm welcome to comodo forums Mimuweb.

I would like to know what program we are talking about. Restricted means that the program will run very limited, which might result in it not running at all.

GakunGak has a point. I will look for an example.

Regards,
Valentin N

What is the keygen able to do that seems malicious to you?

Just because a program is able to run doesn’t mean it has the ability to hurt you.

By restricting its access to core operating system files and registry, it cannot do a thing.
All it can do is generate key combinations for a program…
Now, what D+ can do is:
1: Completely restrict EVERYTHING so that the program cannot run
2: Partially restrict so it does what it is supposed to do and nothing fancy behind the scenes
3: Highly restrict, which does not guarantee the keygen would even work. Very few do…
4: Grant full access to the system by your decision [button Allow instead of Sandbox]

Keygens/cracks/patches are NOT necessarily a bad thing, UNLESS they hide a trojan/virus that can infect your PC when run. Shady P2P and warez sites that are not popular try to host them, but respectable warez sites really do the job of cleaning because they need to keep their reputation and thousands and thousands of visitors daily. Also, ads, as their source of revenue and upkeep bills for the server/bandwidth and some quick cash for the family. :-TU

Thanks. I put this example because I want to test its efficacy and I read a useful guide here (I think it is from the user Chiron), and he recommends setting D+ to Restricted for unrecognized files. If this keygen really had a trojan, my question was whether setting D+ in Restricted mode really blocks the malware attack… I don’t know where I can find some real malware for testing…

Usually a clean key generator only runs in memory. Just run it as Isolated Application and that will stop any malware attached in its tracks.


Thing is, if you go with sandbox mode, it is under lockdown.
If D+ asks you something like “keygen.exe is an unknown program and wants to access Protected COM Interface”, then you have to make a decision whether to allow or deny such a program that access.
Common sense would suggest that you would deny because of security reasons, but that might deny a legitimate operation if the keygen is safe.
This is my understanding, though. Without a sample of a keygen with a trojan inside, it’s hard to explain…

Thanks for your support. If you like to “play” a bit with this suspicious trojan, you can download it from here:

link removed by moderator.

Please do not post direct links to malware. It is against the forum policy. It is not a problem to send the url to users who request to receive it by PM.

I wish I could, but I think my boss would not appreciate infecting the corporate network with viruses :smiley: ;D

I understand ;D Obviously I’ve done my tests in a protected environment (virtual machine)…

Thanks :-TU