Perfectly bypass Comodo Partially Limited

Man, that stinks.
You have a couple of options. Hopefully you have an image and can revert back to that. Try booting into Safe Mode and running a few on-demand scanners like MBAM, Emsisoft Emergency Kit, SUPERAntiSpyware, Kaspersky AVP.
If not, then you have to get a boot-time CD like Avira or Kaspersky. You can also try Dr.Web CureIt!. Let that do its thing.
Next I would grab GMER, Process Hacker and Unlocker. Make sure that there is nothing else that attached itself to your HDD or boot.

If none of that helps, for the sake of convenience and security, back everything up, format the drive and start over again.

I don't know why Comodo keeps dismissing this issue. Defense+ needs modifying and improvement, but they keep ignoring it.

I guess the AS: “Blocked” or the Manual Sandbox can stop this?
Confirmation?

Well, of course "Blocked" will stop this, because it doesn't even allow the file to run, but an average user will most likely have the defaults and they will get infected.

Yes, I know. I am just asking this because nothing is 100%; just because it says "Blocked" it does not mean that it will be able to block. For example, SRP can be bypassed because it does not work at the kernel level.

but an average user will most likely have the defaults and they will get infected

I agree with you and morphiusz 100%

EDIT: It is a targeted attack, but that is because it is not economically beneficial to "build" such malware, because most people have never heard of SRP, much less use it. That is why I love security by diversity 8). Comodo+SRP+SUA

I’d give HitmanPro a try:

Hold down the Ctrl key on your keyboard when you start it.

I’m just curious to see if it can clean your infection, but you should do a reinstall after this anyway.

But before that, could you please send me the sample, if possible? :)

Can you please send the sample to me?

I will do that, egemen.

Thanks

You guys can download the analysis here; this should lead to some clues as to how the infection happens.

http://www.megaupload.com/?d=S9XCARCK

The default rule does not contain this item, “LsaAuthenticationPort”

???

It looks like he turned off the sandbox so he would see the Defense+ alerts.

What is the item "LsaAuthenticationPort"?

TBH, I have no idea. I've never seen it.

I know, this is part of my analysis to show everything that happens in the background.

Sandbox on, if you see the alerts.

Thanks for the analysis, Languy. So it exploits Java and drops malware. Then the malware is executed. After the execution, it seems to be copying an executable to the Adobe plugins folder and
We will need to further analyze what's going on. It seems it is trying to drop some files to the Adobe plugins folder and create shell keys. All of these would be blocked by CIS normally.

However, there may be something it is using that we must understand. Once we know what it is doing, I will let you know.

Be assured that if there are any problems in HIPS that let such an infection through, they will be fixed immediately to prevent this threat.
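The post above describes two observable side effects of the dropper: an executable copied into the Adobe plugins folder and "shell keys" being created. As an added triage check (not code from the thread or from Comodo), the PowerShell below looks for both on a suspect Windows machine. It assumes that the "shell keys" are `shell\open\command` values under file-type classes (a common place for a dropper to insert itself in front of every .exe launch; the thread does not name the exact keys), and that the dropped file lands somewhere under a directory named `plug-ins`/`plug_ins` below `Adobe` in the Program Files trees. The `$since` cutoff and the suspicious-path regex are heuristics chosen here, not values from the analysis.

```powershell
# Added triage script, not part of the original thread. Run from an elevated
# PowerShell 3.0+ prompt on the suspect machine. Assumptions (not from the post):
#  - "shell keys" means shell\open\command values under HKCU/HKLM\Software\Classes
#  - the dropped executable sits under an Adobe "plug-ins"/"plug_ins" directory
#  - $since approximates when the infection happened; adjust as needed.

$since = (Get-Date).AddDays(-7)

# 1. Executables and DLLs recently written under any Adobe plug-in directory.
$adobeRoots = @("$env:ProgramFiles\Adobe", "${env:ProgramFiles(x86)}\Adobe") |
    Where-Object { $_ -and (Test-Path $_) }

$recentDrops = foreach ($root in $adobeRoots) {
    Get-ChildItem -Path $root -Recurse -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^plug[-_]?ins$' } |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -gt $since } |
                Select-Object FullName, LastWriteTime, Length
        }
}
"=== Recently written binaries under Adobe plug-in folders (since $since) ==="
$recentDrops | Format-Table -AutoSize

# 2. shell\open\command values under the class hives. A per-user entry in
#    HKCU\Software\Classes overrides the machine-wide one for the same class, so a
#    dropper that writes .exe\shell\open\command there gets run on every .exe launch.
$passThrough = '^"?%1"?\s*%\*$'                      # Windows default for exefile: "%1" %*
$execClasses = '^(\.exe|exefile|\.bat|batfile|\.cmd|cmdfile|\.com|comfile|\.scr|scrfile)$'
$suspectDirs = '(?i)\\(AppData|Temp|ProgramData|Users\\Public|Adobe\\.*plug[-_]?ins)\\'

$shellHits = foreach ($hive in 'HKEY_CURRENT_USER\Software\Classes', 'HKEY_LOCAL_MACHINE\Software\Classes') {
    Get-ChildItem -Path "Registry::$hive" -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "Registry::$($_.Name)\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                [pscustomobject]@{ Hive = $hive; Class = $_.PSChildName; Command = $cmd }
            }
        }
    } | Where-Object {
        # Flag: an executable class whose handler is no longer the plain pass-through,
        # or any class whose handler lives in a user-writable / Adobe plug-in path.
        ($_.Class -match $execClasses -and $_.Command -notmatch $passThrough) -or
        ($_.Command -match $suspectDirs)
    }
}
"=== Suspicious shell\open\command handlers ==="
$shellHits | Format-Table -AutoSize
```

Review the hits by hand: a legitimate application handler for a document class will show up if it happens to live under a matched path, whereas an `.exe`/`exefile` class in HKCU pointing at a recently written binary is the pattern worth acting on. The same two checks can be run against an offline hive and drive image mounted from a rescue CD, which is how you would confirm a cleanup before deciding whether the reinstall others recommend above is still necessary.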

Just another reason that Java is not installed on any of my machines, and we (the family) don't miss a beat.

What is the present status of CIS 5.8.2 latest beta against it?

Why does CIS go with weak defaults (Partially Limited), if it is clearly known that it is weak? (It does not increase the usability either.)

Just out of curiosity,

Why is CIS HIPS not including protection against GPCode or Blackday or any such attacks, even after the failure has been brought to their notice many times?

Is it impossible for CIS to implement protection against such attacks?
or
Just CIS does not want to do that?

If you look at the OP's screenshots it is 5.8, so with defaults CIS is bypassed.

This has been discussed a lot in this post. Egemen comes in and explains his view on GPCode and similar malware.