has cis problems under windows vista/7 64bit??

system · October 4, 2009, 4:29pm

hello

http://www.sandboxie.com/index.php?WindowsVista64

i have read this and i wonder ,has cis the same problems under 64bit systems? ???

has cis really full control over the kernel in 64bit windows?

OmeletGuy · October 4, 2009, 7:55pm

CIS does not hook the kernel in Vista 64bit, its a security program by MS that prevents hooking of the kernel by anyone.

system · October 4, 2009, 11:55pm

thx ,but then is cis less secure on 64bit windows

security software is useless on 64bit windows ,many malware can deactivate user-mode (ring3) drivers…

microsoft is thinking at all? i think not… microsoft blocked the only way to make windows secure with other programs

system · October 6, 2009, 1:52pm

push

OmeletGuy · October 6, 2009, 8:48pm

I would say CIS protects you without a problem.

And scince when does MS think about security.

They added patch Gaurd to prevent malware from hooking the kernel…

system · October 7, 2009, 12:32am

yes but patchguard is an inadequate protection… is too weak

and prevents other programs in their work ,nice microsoft 88) 88)

wj32 · October 7, 2009, 10:22am

Stop talking nonsense.

From the link, it appears that the Sandboxie author(s) do not want to get a driver signing certificate. COMODO already has one (obviously).
PatchGuard doesn’t prevent security software from working. Sandboxie hooks system calls by modifying the SSDT, and this is protected against by PatchGuard. The MS endorsed way to hook is to use the system supplied callbacks - minifilters, registry callbacks, process/thread callbacks. This way CIS can protect itself without having to do anything special.

Now obviously, CIS might not actually use the callbacks - I don’t know - but it seems like the most likely thing to do, because otherwise CIS would be vulnerable to all kinds of attacks.

system · October 7, 2009, 12:26pm

hm… interesting :a0

i understand. i was not aware until now

thank you for explain this :-TU

Rambaldi · October 8, 2009, 12:00pm

That’s good to know, however is there any test on Win 64bit? AFAIK matousec makes test on 32bit systems, so I think that the OP raised a legitimate question here.

system · October 8, 2009, 12:06pm

CIS, On Vista SP1 64x and later, Hooks in the kernel as much as possible - Comodo were also in the technical discussions with Microsoft and other Vendors of Patch Guard on Vista 64bit. However, CIS still protects 64bit enough. Comodo would NOT leave you vulnerable knowingly. As for Sandboxing, Yes, CIS 4 is coming and the Sandboxing in that will work on 64bit. For software like Sandboxie to work on 64bit, it seems to me the developer (Tzuk) would have to re-write Sandboxie from scratch.

Cheers,
Josh

Rambaldi · October 8, 2009, 12:47pm

OK thanks very much for the information.

system · October 8, 2009, 3:05pm

sounds good :-TU

evil_religion · October 10, 2009, 6:32pm

But it’s wrong. Comodo partially uses unsecured ring 3 hooks which can be avoided by Matousec SSTS.
Global hooks (injecting code into all processes), keyloggers and if I recall correctly also window messages don’t get intercepted in kernel mode by Comodo.

Outpost FW passes some more tests of SSTS on x64 than Comodo, maybe they use secured user mode hooks. Comodo should do the same. I don’t think that it won’t be useful if Agnitum goes this way.

system · October 10, 2009, 8:06pm

agnitum say to me outpost fw has ring0 control over the windows 64bit kernel ???

evil_religion · October 11, 2009, 5:43pm

I would like to know if there are further improvements planned for the x64 version (at egemen )
Also the self defense could be a bit better.

Timo_Schmidt · October 12, 2009, 11:06am

Let me translate. There are some Protection Features that are disabled in CIS on 64 bit?

Or to speak “leaktest”: Many matousec-tests won’t be passed on 64bit.

Greetings

Timo

evil_religion · October 12, 2009, 7:33pm

They aren’t disabled, they are implemented via a weak way.

Indeed

wj32 · October 13, 2009, 5:45am

Any evidence? I know I didn’t give any for my case, but you have made quite a big statement. Also, what do you mean by “unsecured”?

window messages don't get intercepted in kernel mode by Comodo.

And impossible to do correctly (i.e. in kernel-mode) due to the fact that the shadow SSDT is protected by PatchGuard and MS doesn’t provide any callbacks for win32k.

Outpost FW passes some more tests of SSTS on x64 than Comodo, maybe they use secured user mode hooks. Comodo should do the same. I don't think that it won't be useful if Agnitum goes this way.

What do you mean by “secured”, and how secure can they get? Are they secure from people directly using the “syscall” instruction?

evil_religion · October 13, 2009, 1:49pm

egemen said so (indirectly) and SSTS proves that. For the original non SSTS leaktests Comodo gives warnings, but the SSTS ones with ring 3 unhooker are failed by Comodo, for example keyloggers.

That the unhooker of SSTS can unhook them.

However, KIS catches the window message handles of SSTS on x64. So what?

I don’t know, ask the Outpost developers, hopefully they will share their secret with Comodo 88)

You are the expert, not me
Maybe you should look into the SC of SSTS and get your own impressions of how several products score on x64.

wj32 · October 13, 2009, 8:59pm

However, KIS catches the window message handles of SSTS on x64. So what?

Then it uses user-mode hooks. Unlike kernel-mode hooks, user-mode hooks can always be bypassed, no matter what protection you try to set up.