How is CIS HIPS going to protect against this?

The developers have totally removed the ability to intercept DLL loading from CIS. I wish they would add it again so that anybody who wants it can enable it. The problem of so many pop-up alerts can be solved by giving an option to trust the loading of digitally signed DLLs.

I think this is something that would fit a behavior blocker. It needs more than just one single action to alert on; it needs to correlate at least 2 things, like “if .lnk and execute load dll” then etc…

Same goes for the .dll search path issue, once a .dll request should load from \remote or \WebDAV it should kick in…

Some form of protection for the latter is found here (fix + reg setting), not for the average Joe.
http://support.microsoft.com/kb/2264107
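The two checks discussed above (a DLL load from a remote or WebDAV path, and a `.lnk` launch correlated with a DLL load, with an option to trust signed DLLs), sketched as an added example that is not part of the original posts and is not CIS code. The event fields and sample paths are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass

# WebDAV redirector paths: \\host@SSL\..., \\host@8080\..., \\host\DavWWWRoot\...
_WEBDAV = re.compile(r"^\\\\[^\\]+(@ssl|@\d+)(\\|$)|^\\\\[^\\]+\\davwwwroot(\\|$)", re.I)
# Plain UNC share; a host starting with '?' or '.' is a local device path.
_UNC = re.compile(r"^\\\\[^\\?.][^\\]*\\[^\\]+")

def dll_origin(path):
    """Return 'webdav', 'remote' (UNC share) or 'local' for a DLL path."""
    p = path.replace("/", "\\")
    if p.lower().startswith("\\\\?\\unc\\"):   # \\?\UNC\host\share -> \\host\share
        p = "\\\\" + p[8:]
    if _WEBDAV.match(p):
        return "webdav"
    if _UNC.match(p):
        return "remote"
    return "local"

@dataclass
class ModuleLoad:              # hypothetical event shape, not a CIS format
    process: str
    launched_via_lnk: bool     # process was started by opening a .lnk
    dll_path: str
    signed: bool               # signature assumed to be verified elsewhere

def should_alert(ev, trust_signed=True):
    """Alert on remote/WebDAV loads, or on .lnk-correlated loads of untrusted DLLs."""
    if dll_origin(ev.dll_path) != "local":
        return True
    if trust_signed and ev.signed:
        return False           # whitelist: signed local DLLs stay quiet
    return ev.launched_via_lnk # needs both conditions: .lnk launch + DLL load

# Constructed sample events for illustration.
SAMPLE = [
    ModuleLoad("viewer.exe", False, r"C:\Windows\System32\version.dll", True),
    ModuleLoad("viewer.exe", False, r"\\fileserver\docs\plugin.dll", True),
    ModuleLoad("viewer.exe", False, r"\\example.test@SSL\DavWWWRoot\share\plugin.dll", False),
    ModuleLoad("explorer.exe", True, r"E:\unknown.dll", False),
    ModuleLoad("editor.exe", False, r"C:\Tools\helper.dll", False),
]

def alerts(events, trust_signed=True):
    return [ev.dll_path for ev in events if should_alert(ev, trust_signed)]

if __name__ == "__main__":
    for path in alerts(SAMPLE):
        print("ALERT", path)
```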

CIS v4 can do this (though not on default settings) but CIS v5 can't. It's clearly a downgrade. What a pity!
Come on Comodo, get a way to control DLLs please. We are going to see a huge number of DLL exploits in the near future indeed.

Sure, theoretically it could do it, but practically it was useless because there was no proper whitelist management.

Why removed? Because people were trying to use it for exactly the purpose you are trying to use it for, and then hitting a lot of problems.

We have temporarily removed it. Not permanently. CIS 5.x will be able to be used as an application whitelisting product by everyone with the upcoming minor releases.

Related wishlist item: https://forums.comodo.com/wishlist-cis/ability-to-detect-dlls-when-image-execution-control-level-is-set-to-normal-t60738.0.html.

I’m glad to hear that it won’t be permanently removed :).

Those who want a practical solution that works today can refer to my guide for using CIS as an anti-executable at https://forums.comodo.com/guides-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html.

Thanks for the response. So you mean that DLL loading interception with a whitelisting mechanism will be intercepted in 5.x versions of CIS?

I wish to get this feature as early as possible. HIPS older than CIS, like EQS, MD (probably) etc., already have this feature. I agree that without a whitelisting mechanism this feature is extremely difficult to make useful.