When I run this spoofed jpg image, it starts a hidden window of Internet Explorer. It seems that the spoofed jpg then modifies the memory of Internet Explorer (IE), and IE then in turn creates more copies of malicious executables.
CFP D plus does not give any warning about memory modification. Is something missing?
Any explanation from the developers will be appreciated. I can send the file if asked.
Was the popup from Defense+ asking if malware.exe can access iexplorer.exe in memory allowed or blocked?
If you allowed it, then it is normal behavior that you didn't receive an alert for the further actions of iexplorer.exe. This is because iexplorer.exe is considered safe. Try deleting the rules for iexplorer.exe, set Defense+ to paranoid mode and disable "learn automatically applications signed by Comodo". In this case you should receive the second alert too…
Oh, and the sample… if it's malware, I can't test it right now. I'm using my VM to test firewalls for testmypcsecurity.com and I haven't got CFP installed at the moment… Maybe later, but thanks.
I should have added that a maliciously corrupted data file can act as a trigger to a vulnerability in an application and is therefore part of the overall problem, but is still not the root cause of the problem. The vulnerability of the application attempting to read the data file is the core of the problem.