Comodo v8 on Windows 8.1, Proactive config, even with Paranoid Mode.
It doesn’t detect DLL injection by Malwarebytes Anti-Exploit and EMET (mbae.dll and emet.dll) into browsers or any other protected process. I am disappointed.
There is some interception for MBAE on XP by Comodo Defence Plus v5, but here also the alert is rather strange.
Hmmm… I don’t think these are trusted. I tested with paranoid settings and trusted files feature off.
I am just testing it, as if my findings are correct, the same thing can be done by malware without interception by Comodo. I might be wrong somewhere, though.
It depends on whether the files are safe or not. If these files are trusted, you are right, CIS won’t monitor them and it’s normal behavior. So to do a perfect test you need to set the File Rating Settings according to what you see in the attached picture. It will create the same situation for the files, to see what the defense reactions are against an unknown program that injects arbitrary code into arbitrary processes. Please make sure the files are not in the Trusted Files list before testing as well.
Just wondering, could it be possible there were rules currently in place in the HIPS rules that would allow said application to access memory of other applications?
I’m not sure if we understand the process or motive, actually. Why are such kinds of tests marked as “trusted” if they originate from a “trusted vendor”? I’ve noticed that whitelisting requests are processed (with the mentioned scenario).
Similarly, malware tests such as eicar ones are not “trusted”. The problem might lie in the process.
Thanks egemen. Seems something is wrong in my settings. I tested on Windows 8.1. Need to test it again. Are you able to get an alert about EMET.dll injection as well? I don’t get that alert with any of the HIPS.
BTW I am too confused about thev . Comodo’s alert has been like this for a long time. Here the DLL is actually injected by MBAE into test.exe, but the alert is showing the opposite. I have seen the same sort of confusing alert in the case of ThreatFire in the past. On the other hand, some HIPS like EQSecure show the DLL injection by MBAE into test.exe.
Emet.dll is not injected in the traditional sense, hence you won’t see any alerts. MBAE does injection through its kernel component and hence we do not interfere with it (it has stability implications). This is a method used by many other security software products, including CIS.
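One check worth running before attributing a missing alert to the HIPS is to confirm which processes actually have the modules under test registered with the loader. The script below is an added example for this thread, not code from Comodo, Malwarebytes or the posters; the module names default to the two DLLs named above and the test process name is assumed.

```powershell
# Added example: list every readable process that has one of the named modules
# loaded, with the path it loaded from. Run from an elevated prompt so protected
# or elevated processes (browsers, test.exe) can be opened.
param(
    [string[]]$ModuleNames = @('mbae.dll', 'emet.dll'),   # DLLs discussed in the thread
    [string]$ProcessFilter = '*'                          # e.g. 'test' to limit to test.exe
)

$wanted = $ModuleNames | ForEach-Object { $_.ToLowerInvariant() }

$hits = foreach ($proc in Get-Process -Name $ProcessFilter -ErrorAction SilentlyContinue) {
    try {
        # Throws for processes we cannot open (access denied, 32/64-bit mismatch);
        # those are skipped rather than reported as "clean".
        $mods = $proc.Modules
    } catch {
        continue
    }
    foreach ($m in $mods) {
        if ($wanted -contains $m.ModuleName.ToLowerInvariant()) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $m.ModuleName
                Path    = $m.FileName
            }
        }
    }
}

if ($hits) {
    $hits | Sort-Object Process, PID | Format-Table -AutoSize
} else {
    "None of [$($ModuleNames -join ', ')] found in any readable process."
}
```

An empty result only shows what the loader registered; code mapped into a process without going through the loader will not appear in this list, so use it to confirm the test setup rather than as proof that nothing was injected.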