Microsoft Security Essentials - Self protection? quick test.

Well, I usually use this application when ever I have trouble deleting files (Sometimes malware too.)

I thought I’d try deleting MsMpEng.exe (I think thats the right name… I don’t have it now. lol) MSE’s core service.

Unlocker could not delete it straight away, It asked for reboot - I rebooted and windows started up again. MSE is now toast.

lol, Have you tried it against cmdagent.exe or anything else??

Also what happened when you boot does MSE work at all??

Hahaha, i’m unlocker user too, but never tried this, LoL. :smiley:

MSE does start up, Only the GUI though. + No I have not tested is against cmdagent.exe I do not use comodo.

Can cmdagent.exe be deleted on reboot via Unlocker???

drumroll… Yes. In no (preset at least) configuration is CIS safe!!! :smiley:

radio: krrt Houston… we have a problem. krrt

I also did this with Online Armor Firewall (oaui.exe -interface, and oasrv.exe -service) because I had it installed for testing. With its own HIPS [Program Guard] on it blocks Unlocker from indexing files and it therefore survives but take off Program Guard and OA falls…and the computer will fail to boot, even into Safe Mode lol.

Test was conducted in a VM running XP SP3.

I think CIS is vulnerable because Unlocker is already installed. If Unlocker were malware CIS would stop it installing and so would be safe.

Very true. It would be interesting to see what alerts Defense+ alerted to while installing locker. I’d assume it’s some driver. Even still, It would be nice if Comodo could make an attempt (if possible) to protect from this…

Alerts for Unlocker Portable. 8)

[attachment deleted by admin]

Thats great! But I can’t understand a word ;D I’m putting CIS on tonight and will post english Screen shots.


Ok so I did some looking into things,

What happens is that unlocker.exe loads HKLM\System\ControlSet001\Services\UnlockerDriver5
Unlocker.exe Accesses all applications running in memory.
Finally, From there unlocker.exe loads a Device Driver, UnlockerDriver5.sys to do it’s bidding.

In English, Unlocker installs a driver deep into windows where this driver is allowed basically anything it wants, Including defeating MSE’s Self protection.

So, If you rely solely on an MSE you’d be ■■■■■■■ against anything thats not on it’s black list that loads a driver.

[at] AlphaRosea
May you please show us the pop-up that online armor shows when it unlocker attempts to delete? If any?

I’ll Point Egemen to this thread as I think there could be something done about this sort of thing… I mean, Online Armor can do it. Sure Comodo could work something out ^^

Here I tried to update a copy of a2 Free inside my virtual machine by copy-pasting over that install with an install on the host machine. Conveniently I had to try and kill a2service.exe with Unlocker to finish the “update.”

1: Unlocker’s trying to load its driver.
2: It’s allowed. I proceed as planned to deal with a2service.exe.
3: This is what Kyle (and the rest of us involved) needs to see.
4: Normal reaction with or without OA’s itervention. a2service.exe does not die easy (via Task Manager).

I assume that OA is preventing Unlocker from perusing its directories and hence from listing any file inside that may be targeted, i.e. [i]Unlocker can’t look inside and “confirm” its target so Unlocker will “go its merry way.”

[attachment deleted by admin]

I pm’ed Egemen and Umesh about this a while ago… no reply.

Is there going to be any sort of response from Comodo staff?

This seems like an important problem that needs to be addressed. At least let us know if it is a vulnerability.

You don’t need anyone to tell you that this is indeed a fatal vulnerability. :slight_smile: Imagine if a malware the likes of Conficker showed up and targeted every PC that’s “protected” by CIS and/or any other brand of IS whose product also has this weakness. Factor in that most windows users are always logged in with admin privileges and their novice selves likely allow everything if a HIPS is present…

It would spell doomsday for Comodo and/or the other vendor(s). Trust, reputation and (consequently) income would do like a sky-diver who forgot his parachute…

Or imagine that you allow some “safe/trusted system-looking” program to run… Defense+ alerts you, yes, but the alert doesn’t tell you that the program is targeting CIS’ (or non-CIS critical) components. Whatever’s done is done in the background and you go about your merry way… come back… turn off the PC and catch a sleep.

Then the next morning you turn on your PC and realize either immediately… or too late (after, let’s say, the program’s trojan horse strikes/has struck) that CIS. No. Longer. Works. Then what? :slight_smile:

Not sure about this, but I guess CIS V4 will let this malware run in sandbox which will result in no harm.


The process deletion is performed before defense+\comodo has started. I don’t see how v4 will change anything.

According to eXPerience it seems all the program’s actions would be sandboxed to begin with, which results in no harm… now there’s a little concern of the novice user being able (or not) to prior mark programs as trusted too easily.

I don’t see a reboot mentioned between step 3 and 4. Though step 1 mention a driver load alert which does not appear to be involved in the reboot deletion either.

No explanation was provided about how the whole OA test was conveniently carried either though it looks like it was mentioned something else than a driver was blocked.

What anybody is supposed to see?

Hi and yes, I meant that it was sandboxed from the first second.


Good point. I guess the restrictions the sandbox apply’s would not let a driver load. “Duh, Kyle?”

Would be interested in a response from staff about unlocker able to delete cmdagent after reboot.