Downadup/ Conficker worm versus Defence Plus

Hi Thanks, it was not a comparison thread between GesWall and CFP as both are different types of software. I use both of them together so I tested both. Whether GW fails or passes doesn't affect CFP. However I will be happy to compare CFP with OA and MD, but I have not tested OA and MD (though other testers did).

1- GW configuration was altered as by default it is not protecting against malware spreading via USB sticks etc. There was no other way for me to run malware inside GesWall except to make a rule to isolate the USB stick.

2- Default- Proactive with paranoid mode

3- I explained it above. No rule was actually changed in GW. GW applies its default sandboxing policy rules to all ISOLATED applications/potential infection vectors like browsers, e-mail clients, messengers etc. It's up to the user which applications he wants to protect (isolate) via GW. I just added USB memory sticks to the list of vectors against which GW protects.

4- Lots, and I can't analyze all of them; out of my scope, but you can read about it anywhere on the internet. It's so common. See more details here.

5- I don't know as I am not an expert. I was just expecting one or more extra alerts after allowing execution of the malicious dll.

6- I did not check that.

I tested CFP with two configurations.

1- Default proactive with paranoid mode
2- My own custom policy with paranoid mode (has many allow rules, some of them maybe liberal, to decrease the number of pop-ups I get in everyday use of my PC).

GW is not related here. I gave two thumbs to GW actually because I was not expecting too much for it to pass the test while I expected more from CFP. Next time I might use only one thumb. ;D

If you would like the sample to try yourself, I can PM you.

BTW OA users also complained about just a single execution alert and the OA developer has promised to look into this matter. I want just the same from CFP developers (if something more can be done here).

Thanks

Yep it is not enabled by default. I'm currently waiting for a reply from evil_religion to know if KIS does enable that by default.

KIS just inherits restrictions. For example if malware.exe executes explorer.exe (which is allowed with default settings), explorer.exe isn't allowed to change autorun entries, at least not if malware.exe is in the high restricted group.

Dunno, but if Conficker uses autorun entries to start, inheriting restrictions would be useless, and then I was wrong there. Well, then everything stands and falls with the correct autoruns protection. If D+ or KIS can block that they pass IMO.

Thx.

A friendly appeal to aigle: Does D+ prevent Conficker from creating the autorun entries?

Yes please report back if ever OA devs change the default behavior. I'm sure this will likely be worth more than any related conjecture. :-TU

Thanks for providing more info about this.
CIS permission inheritance is triggered by Installation Mode (which is different for Treat As Installer/Executable) and D+ warns the user to disable it as soon as possible.
Using this mode the parent restrictions are usually applied also to the spawned executables (at least if they've got no policy).

No need for me to test it :-TU once you filled in the missing bits. :wink: (or either it wasn’t a test ;D)

D+ has such sandboxing policy rules too. There are two: ISOLATED and LIMITED, and it can run those sandboxing policies for USB memory sticks too.

So if you prefer to neglect the heuristic warning and say that one alert is not too much and users will likely carelessly allow it, whereas configuring Geswall is assumed to be a piece of cake, this doesn't really address the point of whether D+ can additionally prevent the malware in a similar fashion.

If it was a test about alerts I gather that Geswall would get :-TD :-TD (but it would be misleading as Geswall is not supposed to be able to do that).
If it was a test about stopping the malware cold, a similar D+ sandboxing policy could be applied to USB keys. (D+ can do that or even more)

It turned out that it was a mix of the two, not really a comparison as you finally pointed out, but nevertheless while you exposed the good points of Geswall you unwillingly omitted to do the same about the whole extent of D+ protection.

OA, with the new build 3.1.0.18, is able to intercept some memory tampering attempts that, evidently, are not covered again by D+ proactive defense…

I notice that the OA beta still doesn’t have heuristic analysis…

http://www.wilderssecurity.com/attachment.php?attachmentid=205644&stc=1&d=1232541018

Likewise I guess that the same memory tampering attempts are detected by Defense+, albeit in the context of rundll32.exe privileges.

BTW I hope that sample has been submitted to Comodo or to any of the malware research usergroup members of these forums, which are not unlikely to test this sample to eventually gather other downloaded samples and may as well provide some additional screenshots in regards to D+ coverage.

in the light of the first post of Aigle, however, it doesn’t seem true:

I think this is being ■■■■■■ about nothing and getting way off topic. All products seem very well capable of catching this worm, except one. D+ obviously found it, and I still have a hard time understanding if aigle did the test with his custom rules implanted to give D+ fewer popups.
The concern here seems to be if the user should have gotten more alerts? :o

Since the risk of users clicking accept?

Of course D+ would have gotten more pop-ups without custom rules implanted.
As much as OA got, since there are no major differences except that D+ relies a little on heuristics now.
D+ gave a very strong alert of "malware behavior" while all OA did was point out "it does this and that".
I think a user is more likely to press "yes" on those alerts of OA since they are harder to understand.

But the thing is, and I somewhat agree, secure by default should be the thing. I think CIS should always start in a VERY STRONG SECURITY MODE, and I don't understand why a lot of D+ features are set to off upon installation.
EG the monitor keyboard thing.
Or Image execution. :-\

Malware Defender is also able to successfully intercept the malware behaviour that follows the mere execution…

(To use the words of Egemen), another "rare bug" which could happen on some systems?

I have analyzed it more and it's very interesting. OA people have intercepted it cleverly now so that the user will not be fooled. Actually once the malicious dll (vmx) is executed, you can see that all malicious activities are done by svchost.exe, which is a legit Windows process.

[attachment deleted by admin]

Now the question is who forces a legit application, svchost.exe, to do all this. I am not an expert but the obvious reason is that it is done by the malicious jwgkvsq.vmx via rundll32.exe. Now CFP just intercepts it as an action by rundll32.exe that one will not guess to be malicious (rundll32.exe accessing svchost.exe in memory).
While OA, being clever, clearly tells the user that it is in fact being done by jwgkvsq.vmx. Now I am not sure how good this trick by OA is. I will test it once they release this version to the public.

[attachment deleted by admin]
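The attribution problem the post above describes (the real actor is the DLL that rundll32.exe loaded, but the HIPS reports the action as coming from rundll32.exe or, after injection, from svchost.exe) is the same correlation a detection pipeline has to do over process telemetry. The following is an added example, not code from the thread or from any of the products discussed: it walks a small, constructed, Sysmon-style event list (pipe-separated, simplified field set; the pids, the `E:\jwgkvsq.vmx` path, the registry keys and the access masks are all made up for the illustration), marks a rundll32.exe process whose command line loads a module without a `.dll` extension, propagates that taint through a process-access event with inject-capable rights into svchost.exe, and then reports the later registry write by svchost.exe as attributed to the DLL rather than to the legitimate host process.

```python
"""
Added example (not from the forum thread): attribute activity of a legitimate
host process back to the DLL that rundll32.exe loaded.

Event lines are a constructed, simplified Sysmon-like format:
    time|event|pid|ppid|image|detail
with event in {ProcessCreate, ProcessAccess, RegistryValueSet}.
"""
import re
from dataclasses import dataclass

# Windows process access rights that allow writing into / running code in another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample telemetry (pids, paths and keys are invented for this example).
SAMPLE_EVENTS = r"""
10:00:01|ProcessCreate|1200|800|C:\Windows\explorer.exe|C:\Windows\explorer.exe
10:00:02|ProcessCreate|901|500|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
10:00:05|ProcessCreate|2300|1200|C:\Windows\System32\rundll32.exe|rundll32.exe E:\jwgkvsq.vmx
10:00:06|ProcessAccess|2300|1200|C:\Windows\System32\rundll32.exe|target=C:\Windows\System32\svchost.exe target_pid=900 access=0x1FFFFF
10:00:07|RegistryValueSet|900|500|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
10:00:08|RegistryValueSet|901|500|C:\Windows\System32\svchost.exe|HKLM\SYSTEM\CurrentControlSet\Services
"""


@dataclass
class Alert:
    time: str
    pid: int
    image: str          # process the OS credits with the action
    action: str
    attributed_to: str  # module that actually caused it


def parse_line(line: str):
    time, event, pid, ppid, image, detail = line.split("|", 5)
    return time, event, int(pid), int(ppid), image, detail


def dll_from_rundll32_cmdline(cmdline: str):
    """Return the module rundll32 was asked to load: rundll32.exe <dll>[,<entry>] [args]."""
    m = re.match(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))',
                 cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def attribute_events(lines):
    origin = {}   # pid -> module the process's behaviour is attributed to
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        time, event, pid, ppid, image, detail = parse_line(raw)
        exe = image.rsplit("\\", 1)[-1].lower()
        if event == "ProcessCreate":
            if ppid in origin:                      # children inherit the parent's taint
                origin[pid] = origin[ppid]
            if exe == "rundll32.exe":
                dll = dll_from_rundll32_cmdline(detail)
                if dll and not dll.lower().endswith(".dll"):
                    origin[pid] = dll               # rundll32 is only the host; the DLL is the actor
                    alerts.append(Alert(time, pid, image, f"load non-.dll module {dll}", dll))
        elif event == "ProcessAccess" and pid in origin:
            fields = dict(kv.split("=", 1) for kv in detail.split())
            if int(fields["access"], 16) & INJECT_MASK:
                tpid = int(fields["target_pid"])
                origin[tpid] = origin[pid]          # the target now acts on the DLL's behalf
                alerts.append(Alert(time, pid, image,
                                    f"inject into {fields['target']} (pid {tpid})", origin[pid]))
        elif pid in origin:
            # Any later action by a tainted process (here svchost.exe) is reported
            # against the originating module, not the legitimate image.
            alerts.append(Alert(time, pid, image, f"{event}: {detail}", origin[pid]))
    return alerts


if __name__ == "__main__":
    for a in attribute_events(SAMPLE_EVENTS.splitlines()):
        print(f"{a.time} pid={a.pid} {a.image} -> {a.action}  [attributed to {a.attributed_to}]")
```

Run against the constructed events, the script raises three alerts, all attributed to `E:\jwgkvsq.vmx`: the rundll32.exe load, the access to svchost.exe (pid 900) with inject-capable rights, and the Run-key write by that svchost.exe. The unrelated svchost.exe (pid 901) writing a Services key is not reported, because no tainted process ever touched it.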

Malware Defender has same problem as CFP

[attachment deleted by admin]

These are some very good ideas. :-TU I too think that the alert window is a bit too similar and a little text suggestion is a good way to go… ThreatCast is a shot in the right direction, but the more parameters, the less risk of a user making the wrong decision.
The Popups needs some reworking. :-\

You really should post this in the BUG section since I think the developers are there and check it the most. If it is as you say and Comodo labels the popup in a wrong manner, then it's absolutely a bug and should be fixed!! Thanks for pointing it out. :):-TU

I gather that not every D+ alert mentions heuristics. So what you are seemingly stating would be that heuristics count for nothing (something rather counterintuitive), and besides, that test did not state it was only about alerts (otherwise Geswall would have failed).