Has CIS problems under Windows Vista/7 64-bit?



I have read this and I wonder, does CIS have the same problems under 64-bit systems? ???

Does CIS really have full control over the kernel in 64-bit Windows?

CIS does not hook the kernel in Vista 64-bit. It's a security program by MS that prevents hooking of the kernel by anyone.

Thx, but then is CIS less secure on 64-bit Windows? :frowning:

Security software is useless on 64-bit Windows; many malware can deactivate user-mode (ring 3) drivers…

Is Microsoft thinking at all? I think not… Microsoft blocked the only way to make Windows secure with other programs.


I would say CIS protects you without a problem.

And since when does MS think about security? :wink: :smiley:

They added PatchGuard to prevent malware from hooking the kernel…

:smiley: :wink:

Yes, but PatchGuard is an inadequate protection… it is too weak

and prevents other programs from doing their work, nice Microsoft 88) 88)

Stop talking nonsense.

  1. From the link, it appears that the Sandboxie author(s) do not want to get a driver signing certificate. COMODO already has one (obviously).
  2. PatchGuard doesn’t prevent security software from working. Sandboxie hooks system calls by modifying the SSDT, and this is protected against by PatchGuard. The MS endorsed way to hook is to use the system supplied callbacks - minifilters, registry callbacks, process/thread callbacks. This way CIS can protect itself without having to do anything special.

Now obviously, CIS might not actually use the callbacks - I don’t know - but it seems like the most likely thing to do, because otherwise CIS would be vulnerable to all kinds of attacks.
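As an added check for readers who want to see for themselves what a product has registered in the kernel on an x64 box, the PowerShell snippet below (written for this page, not code from the thread, from Comodo or from Sandboxie) lists the loaded minifilters via fltmc, the kernel drivers whose name or path matches a pattern you supply, and whether driver signature enforcement has been relaxed on the current boot entry. The `$ProductPattern` value is a placeholder; the script assumes an elevated prompt on Windows Vista or later.

```powershell
# Added example: inventory of kernel-mode components registered by a security
# product on 64-bit Windows. Not code from the thread, Comodo or Sandboxie.
# Assumptions: run from an elevated PowerShell prompt; $ProductPattern is a placeholder.
param(
    [string]$ProductPattern = 'PLACEHOLDER_PRODUCT'   # placeholder; set to the product's driver name(s)
)

# 0. The thread's question only applies to x64, so record the architecture first.
Write-Host "OS is 64-bit: $([Environment]::Is64BitOperatingSystem)"

# 1. Minifilters: the Microsoft-endorsed way to intercept file I/O through Filter
#    Manager, instead of patching the SSDT, which PatchGuard forbids on x64.
Write-Host "`n== Loaded minifilters (fltmc filters) =="
fltmc filters 2>&1

# 2. Kernel drivers whose name or image path matches the product pattern.
Write-Host "`n== Kernel drivers matching '$ProductPattern' =="
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match $ProductPattern -or $_.PathName -match $ProductPattern } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Driver signature enforcement: on x64 a kernel driver must be signed, which is
#    why the signing certificate comes up in the thread. If bcdedit shows
#    "testsigning Yes" or "nointegritychecks Yes", enforcement is relaxed and
#    unsigned drivers can load, which is a finding on a production machine.
Write-Host "`n== Code-signing enforcement (bcdedit {current}) =="
$bcd = bcdedit /enum '{current}' 2>&1
$bcd | Where-Object { $_ -match 'testsigning|nointegritychecks' }
if (($bcd -match 'testsigning\s+Yes') -or ($bcd -match 'nointegritychecks\s+Yes')) {
    Write-Warning "Test signing or integrity checks are relaxed on this boot entry."
} else {
    Write-Host "Driver signature enforcement appears to be in effect."
}
```

Process, thread and registry callbacks registered by a driver are not visible from user-mode tools, so this only confirms that the product loads a signed kernel driver and whether it is attached as a minifilter; it cannot show which callback mechanism the driver uses internally.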

hm… interesting :a0

i understand. i was not aware until now :wink:

thank you for explain this :-TU

That’s good to know, however is there any test on Win 64-bit? AFAIK matousec makes tests on 32-bit systems, so I think that the OP raised a legitimate question here.

CIS, on Vista SP1 x64 and later, hooks in the kernel as much as possible - Comodo were also in the technical discussions with Microsoft and other vendors about PatchGuard on Vista 64-bit. However, CIS still protects 64-bit enough. Comodo would NOT leave you vulnerable knowingly. As for sandboxing, yes, CIS 4 is coming and the sandboxing in that will work on 64-bit. For software like Sandboxie to work on 64-bit, it seems to me the developer (Tzuk) would have to re-write Sandboxie from scratch.


OK thanks very much for the information.

sounds good :-TU

But it’s wrong. Comodo partially uses unsecured ring 3 hooks which can be avoided by Matousec SSTS.
Global hooks (injecting code into all processes), keyloggers and if I recall correctly also window messages don’t get intercepted in kernel mode by Comodo.

Outpost FW passes some more tests of SSTS on x64 than Comodo, maybe they use secured user mode hooks. Comodo should do the same. I don’t think that it won’t be useful if Agnitum goes this way.

Agnitum said to me Outpost FW has ring 0 control over the Windows 64-bit kernel ???

I would like to know if there are further improvements planned for the x64 version :frowning: (at egemen :wink: )
Also the self defense could be a bit better.

Let me translate. There are some protection features that are disabled in CIS on 64-bit?

Or to speak “leaktest”: many matousec tests won’t be passed on 64-bit.



They aren’t disabled, they are implemented in a weak way.

Indeed :frowning:

Any evidence? I know I didn’t give any for my case, but you have made quite a big statement. Also, what do you mean by “unsecured”?

window messages don't get intercepted in kernel mode by Comodo.

And impossible to do correctly (i.e. in kernel-mode) due to the fact that the shadow SSDT is protected by PatchGuard and MS doesn’t provide any callbacks for win32k.

Outpost FW passes some more tests of SSTS on x64 than Comodo, maybe they use secured user mode hooks. Comodo should do the same. I don't think that it won't be useful if Agnitum goes this way.

What do you mean by “secured”, and how secure can they get? Are they secure from people directly using the “syscall” instruction?

egemen said so (indirectly) and SSTS proves that. For the original non-SSTS leaktests Comodo gives warnings, but the SSTS ones with the ring 3 unhooker are failed by Comodo, for example keyloggers.

That the unhooker of SSTS can unhook them.

However, KIS catches the window message handles of SSTS on x64. So what?

I don’t know, ask the Outpost developers, hopefully they will share their secret with Comodo 88)

You are the expert, not me :wink:
Maybe you should look into the SC of SSTS and get your own impressions of how several products score on x64.

However, KIS catches the window message handles of SSTS on x64. So what?

Then it uses user-mode hooks. Unlike kernel-mode hooks, user-mode hooks can always be bypassed, no matter what protection you try to set up.