I have yet to discover a virus, malware and such able to bypass CIS D+...

Well, if Symantec can sign their PIFTS ;D https://forums.comodo.com/anti_virusmalware_productsother_security_products/is_symantec_covering_things_up-t36305.0.html

Then Microsoft can sign their own version of PIFTS. If they made one. :slight_smile:
But I do admit I don’t fully understand how they sign stuff…
And that Microsoft would do something like that is highly unlikely.
And not worth it for a trusted CO like them… =)

Monkey_Boy=),
don’t forget to set D+ to paranoid mode, uncheck “trust trusted vendors” under D+ settings, make sure other D+ settings are proactive.

You may try the following scenario:

  1. Launch cmd.exe, execute command:
    path_to_subinacl\subinacl.exe /keyreg HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo /deny=Administrators
  2. When D+ shows the alert “cmd.exe tries to execute subinacl.exe”, allow it.
    When D+ shows the second alert (screenshot in attachment), block it.

After that, a new group “Administrators” with “deny” entries should be added to the
HKLM\SYSTEM\Software\Comodo hive permissions.

Be careful; maybe it’s better not to damage your real installation, but instead try this under a virtual machine, or at least set a restore point.

[attachment deleted by admin]
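A way to check the outcome of the test above from an elevated PowerShell prompt (an added example, not code from the thread or from Comodo): it reads the ACL of the key named in the post and reports whether any Deny entry for Administrators got through, with the option to remove such entries again. The key path, the identity name and the function names are assumptions for this example.

```powershell
# Added example: verify whether the subinacl test above changed the Comodo key's ACL.
# Assumes the key path quoted in the post; adjust if your install differs.
$KeyPath = 'HKLM:\SYSTEM\Software\Comodo'

function Get-DenyEntries {
    param([string]$Path, [string]$Identity = 'BUILTIN\Administrators')
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key $Path not found; nothing to check."
        return @()
    }
    try {
        $acl = Get-Acl -Path $Path
    } catch {
        # A Deny that also covers READ_CONTROL blocks reading the ACL unless you own
        # the key, so an access-denied error here itself shows the change went through.
        Write-Warning "Cannot read ACL of $Path ($($_.Exception.Message)); the deny probably applied."
        return @()
    }
    # Access rules are RegistryAccessRule objects; keep only Deny rules for the identity.
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -ieq $Identity
    })
}

function Remove-DenyEntries {
    # Cleanup after the test: strip the Deny rules again and write the ACL back.
    param([string]$Path, [string]$Identity = 'BUILTIN\Administrators')
    $acl = Get-Acl -Path $Path
    $removed = 0
    foreach ($rule in (Get-DenyEntries -Path $Path -Identity $Identity)) {
        if ($acl.RemoveAccessRule($rule)) { $removed++ }
    }
    if ($removed -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $removed
}

$deny = Get-DenyEntries -Path $KeyPath
if ($deny.Count -eq 0) {
    "PASS: no Deny entries for Administrators on $KeyPath (the D+ block held)."
} else {
    "FAIL: Deny entries present on $KeyPath (the ACL change got through):"
    $deny | Format-Table IdentityReference, RegistryRights, InheritanceFlags, IsInherited -AutoSize
    # Uncomment to undo the test's change:
    # "Removed $(Remove-DenyEntries -Path $KeyPath) Deny rule(s)."
}
```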

hehe that sounds too technical for me… :smiley: Sounds like you already did some testing… :wink:

What result do you think a launch like that will bring? What kind of damage? And do you have image execution control set to aggressive?

The meaning of this thread was originally to see if I got any samples that totally bypassed D+, but na, my PM folder stands empty, =) seems like CIS is pretty bullet proof… Not any samples posted so far that run without popups and have the ability to run despite D+ trying to terminate them on execution… That was my plan to test… And only that… =) maybe not a fair testing for the baddies, but that’s how I treat weird applications… ;D :slight_smile:

Monkey_Boy=) ,
then no need to test. And yes, I did this kind of test earlier (screenshot + details are from that old test).
You are right - it’s not malware, just one test D+ failed for me once.

You can find some able to bypass CIS D+ here https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/defense_doesnt_intercept_keyloggers-t34317.0.html , or here https://forums.comodo.com/leak_testingattacksvulnerability_research/through_the_eyes_of_a_keylogger_versus_cfp-t36404.0.html or … what else?

Defense+ needs much more improvement!

Can I quote someone?

We have already added it. 3.9 will have it.

Xan

I didn’t see any posts from egemen or any dev on my posts.

Only here https://forums.comodo.com/leak_testingattacksvulnerability_research/defence_plus_failed_this_ineteresting_hips_leak_test-t32637.0.html egemen said this.

But, for Monkey_Boy=), my question remains. CIS 3.8 can be bypassed.

Sorry, I can’t remember where I got it, could be a pm… :stuck_out_tongue:

Xan

No, couldn’t. It’s an unknown fact, while many COMODO users think they are really safe with Defense+ when in some occasions they aren’t.

:wink:

The Joker, I am fully aware of those… (the keylogger part thanks to you!) :wink: :slight_smile: Still you can stop them from execution :slight_smile: What I am unaware of is anything able to run despite D+ trying to block it from execution, if D+ is in its strongest mode with CIS in paranoid and so on.

I was interested in finding something that could start despite pressing Block on all D+ alerts… =)
If there was some really smart starting technique out there that any malware could be or is using to launch itself silently, avoiding D+ completely, or starting in a resident way to prevent D+ from stopping its installation, and/or starting despite clicking BLOCK on all alerts! :smiley:

Maybe a stupid testing…

Still something I find interesting since I have not encountered any such samples myself… =) A baddie can totally avoid a BB, it can avoid an antivirus, it can avoid most stuff, but can it start without alerts and avoid the strongest technology… a powerful HIPS like D+? That was my thought… :slight_smile: :slight_smile:

I remember that some time ago, with CIS version 3.5 (proactive security mode), while I was surfing the web I found a virus named “brastk.exe”, or something similar, which was able to close the CIS application and reboot the system.
Fortunately, after rebooting, windows regularly worked. Probably CIS partially stopped the activity of the virus.

Will CIS protect against this - Cybersecurity News, Awards, Webinars, eSummits, Research | SC Media

Hello Sammo

From what I understand from this and this

is that the “Virus” must get hold of the firmware, which Defense+ must allow first.
So yes, it does protect against that (I do believe).

- Jacob Kilgore
C-O-M-O-D-O Forum Moderator

Hi Monkey_Boy=) :wink:

I’m scared of what is invisible to execution too (see ADS)…
however D+ intercepts them :wink:

IMHO D+ can’t be limited to an execution control (this is not sufficient/enough for a good program such as CIS)… First of all, a good HIPS has to be able to intercept malicious behaviour (not only execution!): you can obtain a stronger execution control, and much more, only with Software Restriction Policy (that I use :stuck_out_tongue: ) that blocks all execution by default…

If D+ alerts me only on execution, but not on the other behaviour (malicious or not), the test is failed, IMO.

I hope that it will alert me if the sample tries to access memory, tries to create new files/folders in protected directories, tries to create/load dlls, to modify registry keys, to load drivers, to make itself run at every startup silently, etc. etc… But a HIPS has to be able to monitor and STOP them all!

Otherwise it fails miserably, because its control is bypassed…

All IMO, obviously :slight_smile: :-TU

@kronos: HI! :wink: :slight_smile:

True, execution tests are not the most impressive… And absolutely a HIPS should prevent more than execution… Still to me they are interesting… As I would feel totally owned if I found something running without my awareness, I want to be in control, and if something is infecting and destroying my comp, it feels better to at least know that it was due to me pushing the trigger and I had a chance to stop it. :slight_smile: :slight_smile:

Too many times an antivirus has let me down, things get installed without any confirmation whatsoever…
At least a HIPS gives the option to prevent “svjhs.exe” from running even if it’s not in the database of baddies…

As for blocking bad programs when they try to harm, I am really looking forward to BOClean in CIS 3.9, one more layer against baddies that try to harm the system… =)

Hey there, it’s not one more layer, as it’s still a stand-alone program and everybody that uses it already has that protection. :slight_smile:

The bottom line is simple: Malware can NOT be executed on your computer without your permission. To give you some more insight, if the AV does not catch a malware for example and Defense+ intercepts it, people say “Hey it’s still in my C:\Program Files” or something along those lines, but the malware is not executed - It is isolated from doing anything.

Defense+ isn’t a cleaning solution it is a HIPS that stops any kind of malware execution over 99% of the time. Then you have an AV to clean up “the scraps” afterwards if you were to send that same malware YOU stopped executing from Defense+, or Comodo System Cleaner can also compliment this as well for cleaning/disinfection purposes.

Also looking forward to v3.9. The BOClean Memory Scanner in CIS is going to be simply awesome!! Also CIMA-like heuristics. :slight_smile:

With Defense+/Firewall being the prevention layer (Firewall will stop malicious network attempts) and BOClean/CAV being the detection layer, it will be very hard to bypass this protection. Then with CIS 4.0 you will have a time machine!! You can’t go wrong for a free suite!

Cheers,
Josh

Hi Monkey_Boy=), 3xist :slight_smile:
I know what you mean, but IMO the execution control is not enough, not an “excuse” to justify D+ (eventually) failures…

…I can legitimately allow the execution of a malicious program (because I don’t know it is malware), but only the behaviour control will alert me that it is behaving badly, and so that it’s a bad program, and I have to stop it…
This is the control that a good HIPS proposes to offer… otherwise, if the bottom line is that “Malware can NOT be executed on your computer without your permission”, a HIPS is dispensable and SRP, or every other execution prevention software (even Faronics Anti-Executable), is quite good.

This is my point of view :wink:

I care to specify that :ilovecomodo:
for me is (one of?) the best HIPS… ;D

Regards,
Kronos

I do think that you do not have a sense of humor. To me, signed by Microsoft did not mean that a malware would be signed by Microsoft; such a statement was intended as a JOKE, thus your lack of understanding. You just did not get it.

Peace.

I agree. I just hope that when BOClean is integrated, all those advanced cleaning techniques (Hosts File cleanup etc) that are in the current standalone version will be integrated into the AV as well. Anyone have any idea about this?

Thanks,

Beanie :slight_smile: