Then Microsoft can sign their own version of PIFTS. If they made one.
But I do admit I don't fully understand how they sign stuff…
And that Microsoft would do something like that is highly unlikely.
And not worth it for a trusted CO like them… =)
Monkey_Boy=),
don't forget to set D+ to paranoid mode, uncheck "trust trusted vendors" under D+ settings, make sure other D+ settings are proactive.
hehe that sounds too technical for me… Sounds like you already did some testing…
What result will a launch like that bring, you think? What kind of damage? And do you have image execution set to aggressive?
The meaning of this thread was originally to see if I got any samples that totally bypassed D+, but nah, my PM folder stands empty, =) seems like CIS is pretty bulletproof… No samples posted so far that run without popups and have the ability to run despite D+ trying to terminate them on execution… That was my plan to test… And only that… =) Maybe not a fair test for the baddies, but that's how I treat weird applications… ;D
Monkey_Boy=),
then no need to test. And yes, I did this kind of test earlier (screenshot + details are from that old test).
You are right - it's not malware, just one test D+ failed for me once.
The Joker, I am fully aware of those… (the keylogger part thanks to you!) Still, you can stop them from executing. What I am unaware of is anything able to run despite D+ trying to block it from execution if D+ is in its strongest mode with CIS in paranoid and so on.
I was interested in finding something that could start despite pressing Block on all D+ alerts… =)
If there was some really smart starting technique out there that any malware could use or is using to launch itself silently, avoiding D+ completely, or starting in a resident way to prevent D+ from stopping its installation, and/or start despite clicking BLOCK on all alerts!
Maybe a stupid test…
Still something I find interesting since I have not encountered any such samples myself… =) A baddie can totally avoid a BB, it can avoid an antivirus, it can avoid most stuff, but can it start without alerts and avoid the strongest technology… a powerful HIPS like D+, was my thoughts…
I remember that some time ago, with CIS version 3.5 (proactive security mode), while I was surfing the web, I found a virus named "brastk.exe", or something similar, which was able to close the CIS application and reboot the system.
Fortunately, after rebooting, Windows worked normally. Probably CIS partially stopped the activity of the virus.
I'm scared of what is invisible to execution too (see ADS)…
however D+ intercepts them
IMHO D+ can't be limited to execution control (this is not sufficient/enough for a good program such as CIS)… First of all, a good HIPS has to be able to intercept malicious behaviour (not only execution!): you can obtain stronger execution control, and much more, only with Software Restriction Policy (that I use), which blocks all execution by default…
If D+ alerts me only to execution, but not on other behaviour (malicious or not), the test is failed, IMO.
I hope that it will alert me if the sample tries to access memory, tries to create new files/folders in protected directories, tries to create/load DLLs, to modify registry keys, to load drivers, to make itself run at every startup silently, etc… But a HIPS has to be able to monitor and STOP them all!
Otherwise it fails miserably, because its control is bypassed…
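An added example, not part of any post in this thread: a PowerShell audit of the two controls the post above mentions, whether Software Restriction Policy is actually in default-deny mode, and which files in a folder carry alternate data streams (ADS) that could hide content from a plain directory listing. It assumes PowerShell 3 or later and the standard SRP registry location; the function names and the Downloads folder are my own choices.

```powershell
# Added example (not from the thread). Audits SRP default level and lists ADS on files.
# Assumes PowerShell 3+ (for -Stream) and the standard SRP policy key under HKLM.

function Get-SrpDefaultLevel {
    # CodeIdentifiers\DefaultLevel holds the SRP default security level.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or $null -eq $props.DefaultLevel) { return 'SRP not configured' }
    switch ($props.DefaultLevel) {
        0       { 'Disallowed (default-deny: only explicitly allowed paths/hashes run)' }
        0x40000 { 'Unrestricted (default-allow: only explicit disallow rules block)' }
        default { 'Other level 0x{0:X}' -f $props.DefaultLevel }
    }
}

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # ':$DATA' is the primary stream; everything else is an alternate data stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                # Zone.Identifier is the normal mark-of-the-web left by browsers;
                # any other named stream on a downloaded file deserves a look.
                $note = if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web' } else { 'review' }
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Note   = $note
                }
            }
    }
}

# Usage: report the SRP mode, then scan the current user's Downloads folder for ADS.
Get-SrpDefaultLevel
Get-AdsReport -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Content of a suspicious stream can be inspected with `Get-Content -LiteralPath 'file.txt' -Stream 'name'`, and a stream removed with `Remove-Item -Stream`, once you have decided it does not belong there.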
True, execution tests are not the most impressive… And absolutely a HIPS should prevent more than execution… Still, to me they are interesting… As I would feel totally owned if I found something running without my awareness, I want to be in control, and if something is infecting and destroying my comp, it feels better to at least know that it was due to me pushing the trigger and I had a chance to stop it.
Too many times an antivirus has let me down; things get installed without any confirmation whatsoever…
At least a HIPS gives the option to prevent "svjhs.exe" from running even if it's not in the database of baddies…
As for blocking bad programs when they try to harm, I am really looking forward to BOClean in CIS 3.9, one more layer against baddies that try to harm the system… =)
Hey there, it's not one more layer as it's still a standalone program and everybody that uses it already has that protection.
The bottom line is simple: Malware can NOT be executed on your computer without your permission. To give you some more insight: if the AV does not catch a malware, for example, and Defense+ intercepts it, people say "Hey, it's still in my C:\Program Files" or something along those lines, but the malware is not executed - it is isolated from doing anything.
Defense+ isn't a cleaning solution; it is a HIPS that stops any kind of malware execution over 99% of the time. Then you have an AV to clean up "the scraps" afterwards if you were to send that same malware YOU stopped executing with Defense+, or Comodo System Cleaner can also complement this for cleaning/disinfection purposes.
Also looking forward to v3.9. The BOClean Memory Scanner in CIS is going to be simply awesome!! Also CIMA-like heuristics.
With Defense+/Firewall being the prevention layer (Firewall will stop malicious network attempts) and BOClean/CAV being the detection layer, it will be very hard to bypass this protection. Then with CIS 4.0 you will have a time machine!! You can't go wrong for a free suite!
Hi Monkey_Boy=), 3xist
I know what you mean, but IMO execution control is not enough, not an "excuse" to justify D+ (eventual) failures…
…I can legitimise the execution of a malicious program (because I don't know it is malware), but only behaviour control will alert me that it's behaving badly, and so that it's a bad program, and I have to stop it…
This is the control that a good HIPS proposes to offer… otherwise, if the bottom line is that "Malware can NOT be executed on your computer without your permission", a HIPS is dispensable and SRP, or any other execution-prevention software (even Faronics Anti-Executable), is quite good.
This is my point of view
I'd like to specify that :ilovecomodo:
for me is (one of?) the best HIPS… ;D
I do think that you do not have a sense of humor. To me, "signed by Microsoft" did not mean that malware would be signed by Microsoft; such a statement was intended as a JOKE, thus your lack of understanding. You just did not get it.
I agree. I just hope that when BOClean is integrated, all those advanced cleaning techniques (Hosts file cleanup etc.) that are in the current standalone version will be integrated into the AV as well. Anyone have any idea about this?