Defence Plus failed this interesting HIPS leak test

http://rapidshare.com/files/179482638/Project1.exe

Detailed thread is here.

Can it be fixed?

Thanks

Malware Defender and to some extent OnlineArmor seem to intercept it.

Any response from the developers?

Thanks

Hey Aigle, How was xmas and new years for you? :slight_smile:
I will install Comodo to see what happens and get back to you.

EDIT: All this does is hide a selected window. Can this cause any harm to the PC? I don't think so, sorry :frowning:

If you can't operate the GUI… of course it is bad. What should I do with a process which needs a GUI to operate when I don't have a GUI for instructions? Photoshop without a GUI???

Thanks, the new year was fine. Both the Islamic and Gregorian new years almost together here. Hope you enjoyed it. Best wishes from me.

I am told that the same method can be used to kill a process, though this utility only hides the GUI. If that is true then it is surely a leak test; otherwise it is just a bad-joke type of program.

Thanks
Take care

Wouldn't it be possible to make a similar application targeting random or all windows and hide them?
Or one that hides Comodo's windows?

Does Comodo's self-defence mechanism protect itself (its own windows) from this?

What if you design something that looks like a legitimate program while it is in fact a trojan horse, and call it "something.exe"?
And you allow it in software in D+ and to connect to the Internet; then it starts hiding Comodo's windows after a while (due to a built-in timer).

Bam, you have no possibility to change the settings set for "something.exe".
It will be connecting to the Internet and you can't really say no to it since it already has that access right. Am I wrong? (You need the GUI to change the computer policy (firewall, D+)?)
Also you would have a hell of a time installing new software and making it connect to the Internet, since D+ will block all new applications and put them in review, and you can't allow anything. Your computer will be (almost) unusable…

Anyway, I guess this is not a security threat compared to what some software may do if you allow it to run.
And I guess if D+ were to notice every window resize then there would be more popups…

Let’s wait for a response from a DEV.

Ah ok, I finally got it working…
OK, I did it over the Comodo window and it disappeared, and I can't get it back.
I used Process Explorer to bring it back but it says no visible windows found for this process.
You can only use Comodo with the icon in the taskbar.
Interesting tool.
Is there any program able to block this thing?

Malware Defender (complete), OA (partially, for more info go to wilders)

It's some intelligent way that has been opened.
Now, is it possible to really do something to the OS? Because changing the window dimensions to some bad value so you don't see it anymore is not that dangerous.
Do apps with fixed-size windows like KAV disappear too?
I'm going to test on my laptop on Vista x64 with KAV and post the result.

OK, the KAV UI disappears too.

Heh heh, I deleted everything on the desktop. The problem is you must reboot; even when I restart Explorer, I still cannot access the KAV UI. Or maybe I'm going to exit it and it will come back…
OK, if I exit KAV and restart it the UI is available again.

How do you attach files (images)?
I just ran the test from the link provided by aigle.

D+ blocked this for me and killed the application. UAC (due to it being a new file and all) responded too, but I clicked ALLOW, just to see D+ in action.
You get a lot of popups…

First it tries to run ntdll, then kernel32.dll, then Project1.exe tries to execute Project1.exe, then open advapi32.dll, then rpcrt4.dll, then comctl32.dll, then imm32.dll, then duard32.dll, then fltLib.dll, then winsta.dll, then cmfdll32.dll, then uxtheme.dll, then comctl.dll, THEN you see the app. If you allow all that, THEN THE SOFTWARE STARTS TO RUN. Anyway.

I allowed everything and tried this move-around thing on different applications, but it really didn't successfully hide anything. I restarted it and set it as a trusted app. I will test this on my *** machine later, to see if Comodo can intercept this SC_CLOSE message. Guess not.
But the application feels kind of pale now; if you allow all that access it could as well have done something worse.

To run this little exploit, open something you want to hide,
then launch the .exe and press button 1,
then put the mouse cursor over the window you want to hide,
then press Enter.
The window is gone :slight_smile:
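Since the thread's complaint is that the window just vanishes and Process Explorer cannot bring it back, here is an added defender-side script (not from the thread, not Comodo's code, and not the test tool) that audits visible top-level windows for the two symptoms described above, a window resized to nothing or moved entirely off the virtual desktop, and can optionally move such a window back on screen with SetWindowPos. The enumeration needs the Win32 user32 API, so it only runs on Windows; the classification rule itself is plain Python. The 800x600 restore size and the 50-pixel offset are arbitrary choices for this example.

```python
"""Audit visible top-level windows for the 'hidden by geometry' condition
described in the thread and optionally restore them. Added example; the
Win32 calls are standard user32 APIs, everything else is this script's own."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int
    bottom: int


def classify_window(rect: Rect, screen: Rect) -> str:
    """Return 'zero_size', 'offscreen' or 'ok' for a visible top-level window.

    'zero_size': width or height <= 0 (the "bad dimension" trick).
    'offscreen': the whole rect lies outside the virtual desktop.
    Windows parks minimized windows at -32000,-32000 on its own, so the caller
    must skip them (IsIconic) or every minimized app would be reported.
    """
    if rect.right - rect.left <= 0 or rect.bottom - rect.top <= 0:
        return "zero_size"
    if (rect.right <= screen.left or rect.left >= screen.right
            or rect.bottom <= screen.top or rect.top >= screen.bottom):
        return "offscreen"
    return "ok"


def audit_windows(restore: bool = False):
    """Windows only: return [(hwnd, pid, title, verdict)] for flagged windows.

    With restore=True each flagged window is moved to a visible position and
    size. Expect some noise: a few legitimate tool windows are visible but
    zero-sized, so review the process name before acting on a hit.
    """
    if sys.platform != "win32":
        raise RuntimeError("audit_windows() needs the Win32 user32 API")
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.windll.user32
    # Declare argument types so 64-bit HWND values are not truncated.
    user32.IsWindowVisible.argtypes = [wintypes.HWND]
    user32.IsIconic.argtypes = [wintypes.HWND]
    user32.GetWindowRect.argtypes = [wintypes.HWND, ctypes.POINTER(wintypes.RECT)]
    user32.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetWindowThreadProcessId.argtypes = [wintypes.HWND, ctypes.POINTER(wintypes.DWORD)]
    user32.SetWindowPos.argtypes = [wintypes.HWND, wintypes.HWND, ctypes.c_int,
                                    ctypes.c_int, ctypes.c_int, ctypes.c_int, ctypes.c_uint]

    SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN = 76, 77
    SM_CXVIRTUALSCREEN, SM_CYVIRTUALSCREEN = 78, 79
    SWP_NOZORDER, SWP_SHOWWINDOW = 0x0004, 0x0040

    # Bounding rectangle of all monitors, not just the primary one.
    x = user32.GetSystemMetrics(SM_XVIRTUALSCREEN)
    y = user32.GetSystemMetrics(SM_YVIRTUALSCREEN)
    screen = Rect(x, y, x + user32.GetSystemMetrics(SM_CXVIRTUALSCREEN),
                  y + user32.GetSystemMetrics(SM_CYVIRTUALSCREEN))

    findings = []
    WNDENUMPROC = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)

    def on_window(hwnd, _lparam):
        # Only windows that claim to be visible matter; minimized ones are skipped.
        if not user32.IsWindowVisible(hwnd) or user32.IsIconic(hwnd):
            return True
        r = wintypes.RECT()
        user32.GetWindowRect(hwnd, ctypes.byref(r))
        verdict = classify_window(Rect(r.left, r.top, r.right, r.bottom), screen)
        if verdict == "ok":
            return True
        title = ctypes.create_unicode_buffer(256)
        user32.GetWindowTextW(hwnd, title, 256)
        pid = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        findings.append((hwnd, pid.value, title.value, verdict))
        if restore:
            # Arbitrary on-screen placement chosen for this example.
            user32.SetWindowPos(hwnd, None, screen.left + 50, screen.top + 50,
                                800, 600, SWP_NOZORDER | SWP_SHOWWINDOW)
        return True  # keep enumerating

    user32.EnumWindows(WNDENUMPROC(on_window), 0)
    return findings


if __name__ == "__main__":
    for hwnd, pid, title, verdict in audit_windows(restore="--restore" in sys.argv):
        print(f"{verdict:9} hwnd=0x{hwnd:08x} pid={pid} title={title!r}")
```

Run it without arguments to list suspicious windows, and with `--restore` to move them back; because some legitimate visible windows are zero-sized by design, check the owning PID before trusting a hit.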

My system is not affected, or I am doing the testing wrong.
I do as you say, or I do it according to how you should at Wilders (the screenshot).

I will try on another computer later that has "no" security; if I fail to hide windows there then I guess I did the testing wrong. But now I am going to the gym. Cheers!

Hi, this dll execution interception is a rubbish thing in CFP. I disabled it and allowed all dll executions without any popup. No one can live with literally hundreds of legit dll execution alerts. You will get similar dll execution alerts with many applications. Are not all these dlls legit and part of Windows itself?

After you allow the POC to run, CFP is blind to the actions of this POC.

Hmmm… press SHIFT I think.

Yes, that's true, but new files are always started in custom policy mode with many popups here, since I don't trust safe mode.

Anyway, I succeeded with the test on the other computer, and found out that I made an embarrassing error in my testing (I won't say what). I got it to work here too (both computers), but this file could be blocked when started; I doubt any legit program would try this.
Hm.

But there is no specific popup about the fact that the program tries to alter the GUI of another program here.
And it's sad that this gets missed.

Comodo fails this test.
Luckily I haven't heard of this being widely exploited. I just hope Comodo fixes this anyway, since the GUI is important.

EDIT: Maybe this should be submitted as a BUG? :slight_smile:

I also use custom policy mode with paranoid settings, but I made an allow rule for any application to execute any dll. It makes my life easy. I hate the hundreds of useless popups for dll execution.

Make a rule like this and enjoy. You are still protected, as any dll injection (hooking) will still be intercepted and reported by CFP.

[attachment deleted by admin]

Hi Guys,

This and many others are handled by CIS and will be available with CIS 3.9 around April. There is no need to be alarmed by this technique until that time, because it can disable nothing.

GLAD TO HEAR THAT EGEMEN!

KEEP UP THE GOOD WORK! :wink: :slight_smile: