Leaktest session over Comodo Defense+

Hi, I was curious about the new Comodo HIPS and actually I’m quite impressed by this one :p.

ALL THOSE LEAKTESTS HAVE BEEN DONE WITH DEFAULT SETTINGS!

1. Termination Test:
Process Explorer v10.21: Passed
IceSword v1.20: Passed (but it fails if drivers are loaded)
Rootkit Unhooker v3.31: Passed (but it fails if drivers are loaded)

IF MEMORY ACCESS TO CFP.exe IS allowed! Otherwise it passes all tests. I think that Simple Termination test is more representative :slight_smile:
Advanced Termination Test:
TerminateProcess kill method - Passed
WM_Close message kill method - Passed ( /background)
WM_Quit message kill method - Failed
SC_Close message kill method - Passed
TerminateThread kill method - Passed
CreateRemoteThread → ExitProcess - Failed
EndTask kill method - Failed
DebugActiveProcess kill method - Passed
EIP Modification → ExitProcess - Failed
WinStationTerminateProcess → Unknown (I don’t have Terminal Service)
Injects a dll into the process which calls ExitProcess - Detected but Failed
Injects Killcode - Failed
ZwTerminateThread - Passed
ZwTerminateProcess - Passed
Crash with VirtualProtectEx - Failed
Crash with WriteProcessMemory - Failed

Simple Termination Test:
Standard process termination - Passed
Terminate process by terminating all its threads - Passed
Terminate process using remote thread - Passed
Terminate process by instruction pointer (IP) modification - Passed
Crash process by resetting memory attributes - Passed
Crash process by rewriting critical process data - Passed
Terminate process as part of a job - Passed
Terminate process using debugger - Passed
Terminate process as a task - Failed (not detected)
Terminate process by sending WM_CLOSE - Failed (not detected, but cfp.exe still exists…)
Terminate process by sending WM_SYSCOMMAND - Failed (not detected, but cfp.exe still exists…)
Terminate process using windows station message - Unknown
Terminate process using DLL injection 1 - Passed
Terminate process using DLL injection 2 - Passed
Simulation of normal process exit - Failed
Terminate process by “bruteforce” message posting - Failed

2. KeyLogger Test:
KeyHook: Passed
Anti-KeyLogger Tester (AKLT):
GetKeyState - Passed
GetAsyncKeyState - Passed
DirectX - Passed
(Screenshot 1 Passed, Screenshot 2 Failed but nobody cares!).

Simple KeyLogger Test:
GetKeyState - Passed
GetAsyncKeyState - Passed
Low Level Keyboard Hook - Passed
Journal Record Hook - Passed

3. Registry Test:
Ghost Registry Tester: Test 1 - Failed / Test 2 - Passed

Scoundrel Simulator:
Change Internet Explorer’s Home Page - Passed
Disable Internet Options - Failed
Disable Registry Editor - Failed
Add to Windows Startup - Passed
Add to Windows Startup (Start menu group) - Failed

Spycar:
AlterHostsFile.exe - Passed
HKCU_Run.exe - Passed
HKCU_RunOnce.exe - Passed
HKCU_RunOnceEx.exe - Passed
HKLM_Run.exe - Passed
HKLM_RunOnce.exe - Passed
HKLM_RunOnceEx.exe - Passed
IE-HomePageLock.exe - Passed
IE-KillAdvancedTab.exe - Passed
IE-KillConnectionsTab.exe - Passed
IE-KillContentTab.exe - Passed
IE-KillGeneralTab.exe - Passed
IE-KillPrivacyTab.exe - Passed
IE-KillProgramsTab.exe - Passed
IE-KillSecurityTab.exe - Passed
IE-SetHomePage.exe - Passed
IE-SetSearchPage.exe - Passed

Good:

  • Keyloggers / hooks
  • Termination protection is quite good but it can be better against LeakTests :wink:
  • Registry Protection is good
  • It’s really light (14MB on my computer)
  • Global opinion: IMPRESSIVE HIPS will it stay free?!

Bad:

  • The registry protection isn’t complete enough: It allows or disallows a program to write over a bunch of registry keys but we can’t view which keys in the alerts and we can’t allow writing operations separately …
  • Trusted applications don’t work in my test.
  • Global: There aren’t enough details in the alerts
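The Spycar and Scoundrel Simulator runs above all come down to writes on a handful of well-known autorun, Internet Explorer and policy locations, and the complaint in the "Bad" list is that the alerts never say which key was touched. The script below is an added example, not part of songo's post or of Comodo's product: it takes a baseline of those locations before a test run and diffs a second snapshot afterwards, so you can see exactly what a test (or a real sample) changed regardless of what the HIPS alert showed. The registry paths are the standard Windows ones; which exact values each test executable writes is an assumption, so the diff is intentionally broad and covers the whole key.

```powershell
# Added example (not from the original post or from Comodo): snapshot and diff the
# registry keys, hosts file and Startup folder that the Spycar / Scoundrel tests target.

# Locations covered by the tests above (standard Windows paths; which value each
# test tool writes is an assumption, so whole keys are compared).
$Targets = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Internet Explorer\Main',                     # Start Page / Search Page
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel',   # HomePage lock, *Tab kills
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',    # NoBrowserOptions
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'      # DisableRegistryTools
)
$HostsFile     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$StartupFolder = [Environment]::GetFolderPath('Startup')

function Get-ProtectionSnapshot {
    # Returns a flat hashtable "location::name" -> value so two runs can be compared.
    $snap = @{}
    foreach ($path in $Targets) {
        if (-not (Test-Path -LiteralPath $path)) { continue }   # RunOnceEx etc. may be absent
        $item = Get-Item -LiteralPath $path
        foreach ($name in $item.GetValueNames()) {
            $snap["$path::$name"] = [string]$item.GetValue($name)
        }
    }
    if (Test-Path -LiteralPath $HostsFile) {
        $snap["file::$HostsFile"] = (Get-FileHash -LiteralPath $HostsFile -Algorithm SHA256).Hash
    }
    # Start-menu Startup group: record every entry so added shortcuts show up.
    Get-ChildItem -LiteralPath $StartupFolder -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $snap["startup::$($_.Name)"] = $_.LastWriteTimeUtc.ToString('o')
    }
    return $snap
}

function Compare-ProtectionSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Emits one line per added, removed or changed entry; no output means nothing slipped through.
    $keys = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $keys) {
        if (-not $Before.ContainsKey($k))     { "ADDED   $k = '$($After[$k])'" }
        elseif (-not $After.ContainsKey($k))  { "REMOVED $k (was '$($Before[$k])')" }
        elseif ($Before[$k] -ne $After[$k])   { "CHANGED $k : '$($Before[$k])' -> '$($After[$k])'" }
    }
}

# Usage: baseline, run the leaktest executable, then diff.
$before = Get-ProtectionSnapshot
Read-Host 'Baseline taken. Run the test now, then press Enter'
$after  = Get-ProtectionSnapshot
$diff   = @(Compare-ProtectionSnapshot -Before $before -After $after)
if ($diff.Count -eq 0) { 'No monitored location changed.' } else { $diff }
```

Run it from an elevated prompt so the HKLM keys are readable, and keep the baseline from a clean boot: a HIPS that reports "Passed" while the diff still shows a new Run value tells you the block happened at the UI level only, which is exactly the kind of detail the alerts in this alpha do not surface.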

With simple addition of protected registry keys in the GUI, all registry tests could be passed. We have not included a default configuration which provides a maximum defense right now. But in the final release, without any doubt, all will be included.

As I mentioned before, the architecture is designed so that you can simply add registry keys for protection and they will be protected.

We haven’t had time to add all the security… we will in the final version :slight_smile:

Melih

Thank you for your answer melih, this alpha is really promising :p.

It’s right for the registry settings, I only wanted to use default settings :wink:

Thanks for your tests songo, saved me a lot of time ;D

It seems that CFP3 will be a great security solution when it is finished, which costs you a lot of hard work for sure. Will the CFP 3.xx Full License still be free and lifetime (freeware)?

Yes!

(V)

I’ve just been over in Wilders and the response there is very positive. It seems like a really nice piece of work. I’m so looking forward to the final release.

Agree, at the moment Comodo 3 looks like one of the most exciting security applications surfaced in a long time. Really looking forward to the production version.

@sogno

Great post.
Thank you for doing that stuff, lots of time there.

CPF looking hard to beat: remarkable. 8)