I have yet to discover a virus, malware and such able to bypass CIS D+..

I have yet to discover a virus, malware and such able to bypass CIS, so I would like a sample of such a baddie if there is one?

I would double click and let it run to that extent, but after that I would click no to the alerts raised by D+… Is there anything bad able to run even if you try to block it with D+ in Proactive??

So far my experience has been that D+ is bulletproof if you play it safe and block the alerts… While many others (AVs and similar) have failed me in this area, letting stuff install… =/

Maybe someone in the malware group has one such baddie… that can install itself despite D+?? =) And don’t worry about the potential harm it might cause, it’s an old PC running XP SP3 that never gets used anyway. I would find it cool if it bypassed D+…
even if the comp gets unusable =) (hehe)… :slight_smile: :slight_smile:

Are you going to run the malware on an administrator account, or limited user account? Just wondering… :slight_smile:

Admin. :slight_smile: to really put pressure on D+. :slight_smile: But if anyone sends malware that they say bypasses D+ but needs a non-admin login, then I could do that as well! =) I just want to see with my own eyes whether CIS is or is not as bulletproof against new executions as I think!
=O

Well… maybe it is not about D+, but check out firewallleaktester.com
This is a leak test that can bypass a lot of firewalls, even Comodo 88)

Yep, I’ve never encountered anything either that CAV or D+ didn’t flag, allowing me to kill it in the bud the rare times it occurred. Isn’t it great though? Gotta love the protection CIS offers!
I’m sold ;D :slight_smile:
Cheers :-TU :-TU
Xman

Well, I know at least one variant of Virut that can bypass Defense+ completely (it was set to Safe mode).

Hehe, nah… It modifies the “trusted” ;D :smiley: ;D file csrss.exe (Client Server Runtime Process) and opens a lot of DLLs belonging to the browser to make it look like a trusted action from the browser… :o Seems like the kind of leak/action that is impossible to detect with a firewall and something you block with D+, not the firewall! (= Good thing that D+ also warns of malicious behaviour upon execution (in Proactive)…

I also noted that changing Proactive a bit and adding “executables” in “image execution control” will give even more popups… :open_mouth: + setting it to aggressive… (my default setting really… but not here at my GF’s house)

Was it signed by Microsoft? :smiley: :wink: Since I think Safe Proactive would not be a problem compared to Paranoid unless the file happened to be signed? Got the sample? If so, please PM a link =)

Me 2, always has been since I started using CIS! =)

lol yeah but apparently not the antivirus

Yes, it’s nice the AV picks it up. :-TU O0

Still, detecting this single test shows nothing about how good an AV is… This test is there to see if the firewall/HIPS anti-leak capabilities are good and should be run against those components. For AV tests you do that against MANY thousands of samples to draw a conclusion about how good the detection ratio is… :wink: ^^ ^^ :slight_smile:

What happens if you allow a program you thought was safe in D+, but it was actually malware of some sort? Would CIS still be able to stop it?

It seems that D+ is the heart and soul of CIS. If you allow a potentially harmful program to run using D+, then you are not protected at all. It’s all or nothing.

For example, I used the Comodo leak test. If I allowed the exe to run using D+ I was not protected against anything, but if I blocked the exe I was completely safe. With CIS, one slip-up by allowing a harmful exe in D+ means you have no protection at all.

That was done in 2006 with Comodo 1.1.005. For that to mean anything at all, it must be redone with 3.8.

As for now, you’ve got the prevention… D+, the Firewall and Buffer Overflow Protection protect different areas of your system and all help prevent various attacks… And on top of that there is Comodo’s antivirus, which detects potential baddies on read/write actions… You still have a chance to close down most baddies even if you let them run… :slight_smile: :slight_smile:

Check D+ > Active Process List… From here you can terminate & block stuff that runs in memory… Also you can check Firewall > Advanced > Network Security Policy if you accidentally made an allow rule in the firewall, and simply add a block rule instead, making it possible to roll back an allow… CIS is usually very stable against shutdowns and you will most likely be able to terminate a baddie with CIS even if you let it run by accident… :slight_smile:

Still, it could have done harm to your system… :-\ That is something CIS can’t heal (yet)… But CIS 4.0 will have a healing module making the whole system run in a sandbox, if I understood it correctly…

Other stuff CIS will add to improve security is a memory scanner, one additional layer that could detect some baddies once allowed by D+ and the AV to start running! https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/comodo_antivirus_just_reached_2_million_signatures-t36121.0.html;msg259648#msg259648

The Microsoft utility called subinacl.exe could modify protected registry keys’ permissions, bypassing D+ once it was allowed to run. This was approx. 1 year ago.

Did something change since then so that D+ can now block such activities? If not, then some malware that uses the same technique as subinacl to modify registry key permissions could bypass D+ once it was allowed to run.

Btw, subinacl.exe was treated as a completely hostile executable: no trusted software vendors in the list, no safe files, D+ in Paranoid mode.

Someone doesn’t understand what I’m saying.
Virut is a file infector and you cannot have an infected executable that is also signed by Microsoft at the same time. It’s just impossible.

In which way does it bypass D+? Did you try out the Proactive config profile?

Well, I don’t know how it infected. There were some warnings that I denied, but it got infected anyway.

In 3.0 I managed to completely destroy D+ by simply writing ■■■■ to the memory D+ uses. Since 3.8 (haven’t tested 3.5 though) this doesn’t work anymore; I still haven’t found any way to get rid of D+. Must be good now ;D

Good… :slight_smile: But if you find a new way to crash it, then it won’t hurt to post it in this section:
https://forums.comodo.com/leak_testingattacksvulnerability_research-b55.0/

And if it’s a likely method (e.g. not pressing allow 20 times on bad behaviour warnings), then Comodo could patch it before any hackers or viruses start taking advantage of a potential weakness in CIS! :o :slight_smile: :slight_smile:

I will try it and see what alerts it brings up once I get home to the dummy computer! Unless someone else tests it before me. =)