Phide.exe rootkit bypassed Defence Plus [Reason found]

I tied this POC against CFP D Plus and sadly Defence Plus gave no alert about physical memory access. Rootkit was able to start a hidden process.

EQS on the other hand stopped it dead. Can anyone confirm my findings? PM me for the sample.


[attachment deleted by admin]

Send me a link where you downloaded it from. Here you go again. Why dont you try running only Comodo instead of having Geswall and that Shield running in the back round. Your using an Nvidia main board and there firewall is junk. Your tests arent exactly accurate when your running other security software in the back round. I am pretty sure the Shield belongs to your Nvidia mobo. Your also using RootRepeal which is beta software.

Shield is part of Eaz-Fix instant recovery. Nothing from Nividia. I can,t discard GW, it,s much more reliable. Sent u the link. Pls do post ur results here.

Also from your sig at Wilders I see your using Threatfire. Are you running that in real time mode along side Comodo?

Ok now after I reboot I am back. That program made D+ go nuts. I had " Hi Guys" D+ alerts all over the place. Once again I do not see the problem. D+ is doing its job. It must be your set up that is effecting D+ and how it worls. Look at my logs. I had atleast 10 alerts from D+. Too many that I couldnt hit my screen shit button.

[attachment deleted by admin]

Just ran the test again. Here is proof once more that your wrong. D+ is doing its job and doing it well. So sad to say your wrong again.

[attachment deleted by admin]

(B) (J) (L) (M) (R) (S) (V) (CNY) (CWY) (CLY)

Aigle, I have to admit he’s right here. Unless you use multiple virtual machines on which there is instaled only one HIPS software then there is always a risk that it won’t behave as it is supposted to.

I did this test on a real world machine. My desktop. No virtualization on. I only run Comodo and NOD32. Have you ever stop to think for once that maybe Geswall running along side Comodo is screwing up D+. Also why dont you shut off shadow surfer. Until your running any of your tests in a real environment with only Comodo running I will consider your threads like this null envoid.

And as shown here, this speak volumes about using multiple things doing the same task in real time. You actually may end up with your protection being degraded instead of being improved. :wink:

Well if you go into Wilders you will see that aigle is a member there and his sig says "Comodo Firewall,Threatfire and Gewall. If all of these are in real time then BINGO. We found his problem. He keeps making threads stating D+ sucks and is not doing its job but all these other programs are. But I have shown twice that D+ works. Screen shots do not lie.

Congratulations for the wallpaper Vettetech :-TU
Could you please post it 1280*1024 so that I can use it too? :wink:

LOL. I think I got it from wallpaperstock or ewallpapaers. Sorry off topic.

No he doesn’t. He tested CFP, and opened a thread to see if the results are the same for others. He is perfectly aware of possible conflicts, and he asks for others to verify.

He’s been doing this for quite some time, unlike you.
Vettetech, i remember you “testing” Online Armor, saying it passed a test because OA prompted for execution. It took a while for you to sink in the notion that it wasn’t about execution…

Look at this. See here. Duh. With 2 screen shots in 2 different posts I have proved aigle wrong period. I havent used OA in over 6 months.

I think i’m going to have a hard time again, explaining you a simple thing.

This is not “aigle claims CFP failed”, and “aha see you luser CFP passes, i proved you wrong”.

Look at what he said: “Can anyone confirm my findings?”. He is asking for confirmation, he’s not claiming anything.

Aigle came here to see if his results match the results from others.
In future, do not participate. You have the wrong attitude, and you make people not want to post tests.

Get you fanboy hat off. No one is attacking Comodo.

You apparently missed the (original) Wilders Security thread…

I do not care to post at Wilders so can you post my screen there proving the D+ shows the memory block. Thanks.

Well, been already done :wink:

A person, in good faith, having read both threads as you did, will understand that aigle wants feedback, and confirmation.

He may have forgotten to include “Can anyone confirm my findings?” in Wilders, but that is mostly tied to the fact that in Wilders it’s obvious, and long time Wilders members will verify results if possible, have a friendly discussion, purely based on technical issues.