Firewall bypassed and keystrokes logged - CIS 4.1 on 64-bit Windows 7

While Matousec’s Security Software Testing Suite is designed for 32-bit Windows XP, some of the tests work also on 64-bit Windows 7. I gave them a try and got some troubling results:

Level 4 keylog1 - Failed and CIS didn’t prompt for keyboard access

Level 5 keylog2 - Failed and no prompt

Level 5 breakout1 - Failed (While in console the test reports it passed, IE does browse to the Matousec site and receives the failure message.)

Level 6 ddetest - Passed actually, but only if IE is disallowed to execute its own image iexplore.exe - which IE requires allowing atleast once. No alert about Window Message which I assume there should have been.

Level 6 firehole - Failed and no prompt

Level 7 keylog5 - Failed and no prompt

So it seems keyboard logging is possible and the firewall can be bypassed by taking control of a browser.

Settings used: New installation with Maximum Proactive configuration, Sandbox disabled, Defense+ in Safe Mode and tests repeated in Paranoid Mode, signed applications not trusted. CIS version 4.1.150349.920.

So, bugs or limitations on 64-bit platform? Developers, any comment?

I hope for a reply and clarification on this since I am using windows 7 64 bit also. ???

I would not worry too much, every time someone comes in here saying comodo has been bypassed I test it and it has not. I would test these too but I don’t have windows 64 bit to try it out with.

If somebody bear with me and explain me as for dummies how the heck I can use that suite I’ll happily test those bypassed tests. Weekend is started here and I’m bored to death. ;D
Before you laugh at me I’ve downloaded that suite and run exe’s from folders but a brief cmd windows appears and disappears. :o

It’s worth mentioning:

Quote “SSTS is designed for Windows XP Service Pack 3 with Internet Explorer 8.Various tests may be compatible with other Windows versions and browsers too,but the functionality is not guaranteed there.”

I’d be hesitant to put too much trust in the accuracy of results in a different OS.

Thanks, I am not worried about it at all…

I didnt even notice it was xp sp3 ooops …

The tests that do work and CIS fails to catch are what matter. They leave observable evidence, not hiding behind a gui that only gives a fail/pass result for each or clean up after themselves including repairing anything they may break. (The particular tests mentioned shouldn’t be damaging but some in the test suite can be.)

You won’t be able to use the test suite to create a full evaluation a la Matousec for Windows 7 64-bit but that’s not the point here. We don’t usually get a chance to ask for a “Windows 7 Ready” sticker from malware either.

Did you run the tests in compatibility mode for XP SP3?
Not all XP software runs properly unless either in a XP VM or using compatibility mode.



Warning: This software is used for testing of security products and should never be used on production machines. Using this software may damage or erase your data. This software is provided “as is” and without warranty of any kind. More information about each test can be found in its source code file and in the shared source code files of the whole suite.

By using SSTS you agree with its licence that is included in the archive in licence.txt.

Download SSTS.

System requirements

SSTS is designed for Windows XP Service Pack 3 with Internet Explorer 8. Various tests may be compatible with other Windows versions and browsers too, but the functionality is not guaranteed there.

It would be interesting to get Dave Matousec’s opinion about these tests being used on Win 7 x64, but then maybe he’s already expressed his opinion on the validity of these tests in this excerpt from his website.


I’ve run the mentioned tests again on 32-bit Windows 7, on which CIS successfully intercepted them, so these issues seem specific to 64-bit CIS and WoW64.

It would be interesting to get Dave Matousec's opinion about these tests being used on Win 7 x64, but then maybe he's already expressed his opinion on the validity of these tests in this excerpt from his website.

Some of them cannot run or work properly because they attempt to load 32-bit drivers or use other too platform specific methods, others can. On 32-bit XP and Win 7, CIS can successfully intercept those methods of DLL hooking, DDE, window messaging and keylogging so something’s amiss. I think that much is valid.

Don’t forget that there are still a few hooks that CIS has not activated on 64bit version…
There must be some post around here, I’ll see if I can find it.

Found it here:
Sad: No progress with the x64 HIPS of CIS

Thanks for the link, either the search has been acting up or I don’t know how I’ve missed that. Do hope that some progress with these issues is made soon.

No prob, It took me some time to find also :wink:

mmm, i have considered a time to switch to CIS because my KIS2010 licence is closed soon BUT since i read there is not full protection on W7/64 i think i’ll buy KIS2011 (safer for me…).

I’m disappointed about security software in 64bit like OArmor witch work not properly, KIS lost somes features (safe run), CIS lost somes protection, Trend micro Web add-on work not etc etc :confused:

And also since i saw the MRG video, i’m very very afraid with CIS… even if i feel CIS is not alone to be vulnerable to an uninstallion attack… (KIS is protected against that i known)

Hi tommymacangel,

Yes Microsoft made it harder for both parties, their patch guard and other new restrictions on 64bit is a new way to turn for both malware writers and security software vendors…

I personally don’t think these hooks pose “high risk” to your system if you know a little bit on how to stay secure, for a program to key-log it first has to get installed on your system so there should have been alerts already on other parts of the program to prevent that.

As said just a personal opinion…

Yes, of course i agree, even for all the gold on the earth i will want to go back on a OS wich is vulnerable to TDL3 and her friends…

The upcoming KIS 2011 CF1 also can block the SSTS tests with global hooks:

So, KIS can, Outpost can, Jetico can… but why Comodo can’t?

Hi evil_religion,

If they can Comodo should be able also :wink: I hope the next version will have this protection re-instated!
I assume you’ll test it once the beta is released? I don’t have a 64bit version at hand…