Malware bypassing Instant Recovery Software - testing with CFP?

There is malware that bypasses instant recovery software like ShadowDefender, Returnil, ShadowUser etc.

I have a few samples of such malware; some of these try to access the disk directly. Can anybody test if this malware can bypass the direct disk access filter of CFP Defence Plus? Just PM me and I will send the files. Please post your replies here with screenshots.

Thanks

You can send that to me, I will tell you what happens and if Defense+ is able to block it.
I'll post screenshots if I can, because if I launch it and my system is ■■■■■■ immediately, I could not make screenshots.
Maybe you can upload it to some place so I can get it. If you can upload a password-protected RAR archive, just tell me.
Or if you can't upload it, I will PM you to tell you where to send me the thing. But no RAR without a password, please.

Comodo DiskShield will soon be able to prevent this. Beta1 allows raw disk access, but this will be prohibited in Beta3 (due soon-ish)

Ewen :slight_smile:

OK, so no need to test it with Defense+, it will bypass it?
Maybe Kaspersky 8.0 will prevent my system from that thing.
Need some tests.

Thanks. I sent to you.

Thanks, I got the thing.
Ah, Kaspersky detected all the stuff…
Hmm, I need a standalone HD; not sure my second partition will not be affected by those things.

Got an idea: I will back up the second partition and place it on some external HD in case all goes wrong :slight_smile:

Hmmm… seems you are not well prepared. In that case I would suggest not testing them unless you are prepared enough.

Wise advice - destructive testing should only be done on a segmented PC with no retainable data. Anything else and you're asking for it!

Ewen :slight_smile:

…or why not in some virtual environment (e.g. VMware, MS Virtual PC etc.)…

Can I get a confirmation here that the rootkit sample in this collection is denied low-level disk access by Comodo? That's the only one I really looked at. Is it this one that you said bypasses some IRS, Aigle? Unless there is a problem with Comodo D+ like you had with a botnet malware sample, where it said a system32 file was blocked from modification but there actually was modification, then D+ blocked low-level disk access. Don't have the screenshots, but basically cs.exe called cmd.exe, then cacls.exe, which I allowed, but then I denied the LLDA when prompted. I have checked with various tools afterwards and don't see a problem, but someone more knowledgeable may see something I miss, of course.

Guess you can't say Robodog's bark is worse than its bite. lol

So nobody is well prepared to take the challenge? (CNY)

You can also send me the samples.

Sorry, a bit late…
But can I have the samples too, please? :slight_smile:

You can zip them and email me, please.

Thank you very much

Melih

@3xist & Melih: PMed both of you.

@Melih: I have no e-mail address of yours, so I just PMed you.

Thanks

Aigle, can you PM them to me also?

Hmmm…

I’m getting Alerts for these tests.

Cheers,
Josh