Icesword 1.20 and cmdmon.sys

I hope I am right here, and please be patient with a newbie.
I have run (grammatically right?) icesword 1.20 on my computer and it alerts me on
/systemroot/system32/DRIVERS/cmdmon.sys
ntconnectingport
ntcreatefile
ntcreateport
ntcreatesection
ntcreatethread
ntdeletekey
ntdeletevaluekey
ntopenprocess
ntopensection
ntsetcontextthread
ntsetinformationfile
ntsetvaluekey
ntshutdownsystem
ntterminateprocess
ntwritefile
ntwritefilegather

I do not know, what these alerts mean.

On http://securitytracker.com/alerts/2007/Feb/1017580.html I found

Comodo Firewall Pro ‘cmdmon.sys’ Driver Lets Local Users Deny Service and Potentially Gain Elevated Privileges

Please: open a German section in your forum :slight_smile:
thx

@soyabeaner
it'd
What does this mean? (Incorrect English question form, but correct in German, sorry.)
What does that mean?

Welcome to the forum, petros!

cmdmon.sys is CFP’s driver. Without it, well, it’d be no different from disabling the firewall :stuck_out_tongue: ;D.

http://www.matousec.com/projects/windows-personal-firewall-analysis/results.php - Scroll down and you’ll see it at the bottom. Click on the Show link on CFP’s SSDT hooks.

The link you provided refers to a vulnerability in CFP 2.3.6.81, the previous major version. Currently 2.4x already fixed this :). This vulnerability was discovered by Matousec.

Not vulnerable software:
Comodo Firewall Pro 2.4.17.183 and higher

If you want to visit the German section: https://forums.comodo.com/index.php/board,79.0.html

Hi petros! I also have 16 entries for cmdmon.sys in the ‘SSDT’ Function tab of Icesword. I’m sure this is normal since we both have the same results. From what I understand the “hooked” (red) entries to be most concerned with when running Icesword are in the Functions tabs ‘Process’ and ‘Win32 Services’. I hope this helps :slight_smile:

Diagnostic tools like IceSword (whether it be diagnostics for rootkits or other things) will display files and hooks that are innocent as well as those that are not legitimate. One person’s rootkit can be another person’s trusted useful tool (not sure why it would be useful, but it is possible). It all depends on whether you trust the programmer.
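As an added illustration of the triage the last two replies describe (a trusted driver such as CFP's legitimately hooks many SSDT entries, while hooks from an unknown module in an odd location deserve a closer look), here is a small Python script that is not from this thread, from IceSword or from Comodo. The listing format, the trusted-module table and the set of "hiding" functions are constructed assumptions for the example.

```python
"""Triage an SSDT hook listing of the kind a rootkit detector displays.

Added example, not code from the thread, IceSword or Comodo. The input
lines, trust table and function set below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: "<hooked function> <hooking module path>" per line.
# (Assumed shape; IceSword's real output layout is not reproduced here.)
SAMPLE_LISTING = """\
NtCreateFile            /systemroot/system32/DRIVERS/cmdmon.sys
NtOpenProcess           /systemroot/system32/DRIVERS/cmdmon.sys
NtTerminateProcess      /systemroot/system32/DRIVERS/cmdmon.sys
NtSetValueKey           /systemroot/system32/DRIVERS/cmdmon.sys
NtQueryDirectoryFile    \\??\\C:\\WINDOWS\\Temp\\xyz.sys
NtEnumerateKey          \\??\\C:\\WINDOWS\\Temp\\xyz.sys
"""

# Hypothetical trust table: module name -> directory it is expected to live in.
TRUSTED_MODULES = {"cmdmon.sys": "\\systemroot\\system32\\drivers"}

# Heuristic (assumption): hooks on these calls are commonly used to hide
# files, keys or processes, so they get highlighted for manual review.
HIDING_FUNCTIONS = {"NtQueryDirectoryFile", "NtEnumerateKey",
                    "NtQuerySystemInformation"}


def parse_listing(text):
    """Group hooked function names by the module that hooks them."""
    hooks = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2:
            # Normalise slashes so forward- and back-slash paths compare equal.
            hooks[parts[1].strip().replace("/", "\\")].append(parts[0])
    return hooks


def triage(text):
    """Return {module name: {"verdict", "count", "hiding_hooks"}}."""
    report = {}
    for path, funcs in parse_listing(text).items():
        directory, _, name = path.lower().rpartition("\\")
        expected = TRUSTED_MODULES.get(name)
        if expected is not None and directory == expected:
            verdict = "trusted"            # known driver in its expected place
        elif expected is not None:
            verdict = "suspicious"         # trusted name, unexpected location
        else:
            verdict = "unknown"            # not in the trust table: review
        report[name] = {"verdict": verdict, "count": len(funcs),
                        "hiding_hooks": sorted(set(funcs) & HIDING_FUNCTIONS)}
    return report
```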