Is this a part of Killswitch, benefiting the user or Killswitch got infected?

bit_trace · January 2, 2014, 10:39pm

If you are a user of Comodo IS Premium on Windows: Do you observe a similar behavior as described below on your system?

If you are a developer of Comodo IS Premium for Windows: Is the behavior described below a direct or indirect danger to the security and privacy of the system OR a direct or indirect contribution to the security and privacy of the system? Is the behavior described below intended by the developers of Comodo for the purpose of protecting the system or this behavior has been added to Comodo for purposes other than protecting the security and privacy of the system?

On every WinXP reboot or on every launch of Comodo Killswitch, Comodo Killswitch registers and launches (see the screenshot) this boot start driver with a new random 6-letter name.

This is where you can see the driver:

Comodo IS Premium on Windows XP SP3 > Tasks > Advanced Tasks > Watch Activity > Comodo Killswitch

System tab, Services section. Click Start Type column to sort by it. Look at the drivers with Boot Start as Start Type.

This is how the driver looks like:

Name - 6 random lowercase letters (e.g. ywilru or xqlakn)
Display Name - the same 6 random lowercase letters as in Name
Type - Driver
Status - Running
Start Type - Boot Start
PID - (empty)
Binary Path - (empty)
Error Control - Ignore
Group - (empty)
Load Order - (empty)

[attachment deleted by admin]

Citizen_K · January 2, 2014, 10:44pm

That’s intended behaviour.

bit_trace · January 3, 2014, 12:58pm

Thank you for the reply. Please, refine the answer:

Is this intended behaviour there to directly/indirectly improve OR to directly/indirectly harm the security/the privacy/the anonymity of Comodo user?

Citizen_K · January 3, 2014, 5:39pm

It is not harmful because we know and trust KS.

A HIPS/Sandbox creature like CIS keeps an eye on what is happening underneath the hood of Windows. The programming techniques it monitors are used by both normal and malicious programs. From the fact that D+ flags a program we cannot conclude that a program is therefor malicious.

Also CIS will protect executables from being tampered with by unknown programs.

bit_trace · January 3, 2014, 7:40pm

Thank you for your opinion. Still, this is only one personal opinion of unknown accuracy. Other visitors are very welcome to express their observations and knowledge on the subject, for the sake of objectivity.

Users: have you observed a similar behavior?
Developers: is this behavior harmful? (see above for details)

Citizen_K · January 3, 2014, 11:18pm

Tools like this rely on a service or driver to function. You will see tools like Processhacker and Process Explorer do the same thing.

bit_trace · January 4, 2014, 2:31pm

Thanks, Eric. For the sake of objectivity and facts on the subject, there is a clear and relevant to the channel need for comments by more people on this matter.

Will more people comment, please?
Comodo users, Comodo developers, comment, please.