Can cmdagent.exe be deleted on reboot via Unlocker???
drumroll…Yes. In no (preset at least) configuration is CIS safe!!!
radio: krrt Houston… we have a problem. krrt
I also did this with Online Armor Firewall (oaui.exe -interface, and oasrv.exe -service) because I had it installed for testing. With its own HIPS [Program Guard] on it blocks Unlocker from indexing files and it therefore survives but take off Program Guard and OA falls…and the computer will fail to boot, even into Safe Mode lol.
Very true. It would be interesting to see what alerts Defense+ alerted to while installing locker. I’d assume it’s some driver. Even still, It would be nice if Comodo could make an attempt (if possible) to protect from this…
Thats great! But I can’t understand a word ;D I’m putting CIS on tonight and will post english Screen shots.
Ok so I did some looking into things,
What happens is that unlocker.exe loads HKLM\System\ControlSet001\Services\UnlockerDriver5
Unlocker.exe Accesses all applications running in memory.
Finally, From there unlocker.exe loads a Device Driver, UnlockerDriver5.sys to do it’s bidding.
In English, Unlocker installs a driver deep into windows where this driver is allowed basically anything it wants, Including defeating MSE’s Self protection.
So, If you rely solely on an MSE you’d be ■■■■■■■ against anything thats not on it’s black list that loads a driver.
Here I tried to update a copy of a2 Free inside my virtual machine by copy-pasting over that install with an install on the host machine. Conveniently I had to try and kill a2service.exe with Unlocker to finish the “update.”
1: Unlocker’s trying to load its driver.
2: It’s allowed. I proceed as planned to deal with a2service.exe.
3: This is what Kyle (and the rest of us involved) needs to see.
4: Normal reaction with or without OA’s itervention. a2service.exe does not die easy (via Task Manager).
I assume that OA is preventing Unlocker from perusing its directories and hence from listing any file inside that may be targeted, i.e. [i]Unlocker can’t look inside and “confirm” its target so Unlocker will “go its merry way.”
You don’t need anyone to tell you that this is indeed a fatal vulnerability. Imagine if a malware the likes of Conficker showed up and targeted every PC that’s “protected” by CIS and/or any other brand of IS whose product also has this weakness. Factor in that most windows users are always logged in with admin privileges and their novice selves likely allow everything if a HIPS is present…
It would spell doomsday for Comodo and/or the other vendor(s). Trust, reputation and (consequently) income would do like a sky-diver who forgot his parachute…
Or imagine that you allow some “safe/trusted system-looking” program to run… Defense+ alerts you, yes, but the alert doesn’t tell you that the program is targeting CIS’ (or non-CIS critical) components. Whatever’s done is done in the background and you go about your merry way… come back… turn off the PC and catch a sleep.
Then the next morning you turn on your PC and realize either immediately… or too late (after, let’s say, the program’s trojan horse strikes/has struck) that CIS. No. Longer. Works. Then what?
According to eXPerience it seems all the program’s actions would be sandboxed to begin with, which results in no harm… now there’s a little concern of the novice user being able (or not) to prior mark programs as trusted too easily.