Phide.exe rootkit bypassed Defence Plus [Reason found]

I think we should end this discussion now, or at least stay on topic.

LA

Sigh, I beg your pardon, but splitting a topic which turned out to be the very cause of the issue discussed here is rather unfortunate and confusing as hell. >:(

Aigle himself said he will not turn off GeSwall, which means extra layers of security, or rather overlapping security, are giving him false results.

AI might conclude here: how can we know what is truth and what is not? Aigle has made 2 threads stating that D+ is not doing its job, when I have shown with proof and screenshots that it is. I am only using Comodo with D+ and NOD32. No other security software running. Aigle is running other security programs on top of Comodo and then making posts. Now if he can show us a screenshot of the running process and D+ failing, then I'll believe him. Point being, screenshots do not lie.

Then say that normally. Here’s what a normal person would say:

‘Hello aigle. After trying your sample, I have different results.
CFP passes on my machine. My guess is GeSwall or TF is conflicting with CFP on your machine.’

Simple, polite and to the point. No ‘look at Wilders’ (??), ‘this is why ’.

Hi guys! Calm down please. Thanks for your contributions. I am not attacking anyone. Please note:

1- I tested all this in a fresh snapshot of XP Home SP2. Totally clean. No security software except CFP. Even no antivirus (I did use ShadowSurfer).

2- Seems at least on my system CFP is missing detection of some behaviors.

3- Strangely, when I run the physical memory access PoC SDTRestore.exe, CFP does give me a pop-up alert about physical memory access. I don't understand why it does not give an alert with phide.exe.

4- The only problem I can guess may be Eaz-Fix or ShadowSurfer that I use for testing. OK, I will test without ShadowUser and see how it goes. Will report back. Unfortunately I have no VM or test PC.

5- @Vettetech! Do you have XP Home SP2 also? OK, I will send you another piece of malware bypassing CFP on my system. Let's see how it does on yours. BTW, how did you get the "Hi Guys" alerts? Can you explain it please? Thanks a lot.

6- I will be happy if my findings are wrong. It's a good sign for my security, which is based largely on CFP.

Thanks all of you

I got the "Hi Guys" alert by simply running Phide.exe. I first got an alert about explorer.exe trying to run Phide, which I allowed. Then D+ started giving me at least 10 pop-ups. I blocked them and had to reboot. Once back up, I ran the test from a command line and as soon as I did, BAM, D+ kicked in and gave me the alert you see. I am also using safe mode for both the firewall and D+. Both my machines are XP SP3. You need to uninstall GeSwall also for accuracy. I also deleted all entries of the test and ran it again with the same results.

Seems you don't care to read my posts.

I wrote very clearly that there was no GeSwall, no TF, no AV, nothing else except CFP. It was only CFP (with ShadowSurfer). I do use Eaz-Fix also.

I also asked: do you have XP Home or Pro?

Thanks

I have XP Home SP3 on both machines. I wrote it to you. I didn't include "Home". Sorry. Also tell your buddies at Wilders I am on XP.

Here is what happened when I tried to use that trojan dropper you sent me. My NOD32 picks it right up and deletes it. So I guess you do not believe in using an AV either, and you only use HIPS for your protection.

[attachment deleted by admin]

Vettetech, see why it’s important to stick with facts and be polite? Aigle is using CFP + ShadowSurfer.

And this means you haven’t progressed much since the “you have to allow the execution” part.

You are testing CFP, not NOD32…

Read, Pedro. Read.

https://forums.comodo.com/leak_testingattacksvulnerability_research/d_give_a_great_alert_about_dns_trojan_dropper_test-t25570.0.html

I replied. It is my conviction you do not know how to test.

At least ask questions. It’s not wrong not to know things. No one knows everything. But you should ask when you don’t understand.
Like “what’s this supposed to do?”. Alternatively, disassemble the malware/PoC…

Let's try and keep things friendly here, guys.

This only highlights the difficulties of accurately testing protection software and correctly interpreting the results. IMHO a 'clean' VM is probably the best method, since it avoids the results being clouded by other running applications. If the OP was only running D+ and nothing else, then it’d be interesting to compare configurations in order to determine the different results. Were they both using the default configuration and at the same level setting?

OK, I tried it with CFP (safe mode) without ShadowSurfer or any other security software. I don't get the physical memory access alert at all. According to Vettetech, he gets the alert. I am confused.

Can anyone test it with CFP? Thanks

Is everything stock on your install of Comodo? Did you tweak anything? Last month I did a fresh install of Comodo and the only thing I changed was D+ to safe mode. Everything else is how it comes. Did you get an explorer.exe message first?

No, I used default settings in safe mode. I did get the execution alert from explorer.exe.

I wish somebody could try it as well. Can it be Stardock that is causing the difference? Or SP3 in your case?

What… Stardock is a company that makes WindowBlinds and Icon Packager. It doesn’t run a background service and has nothing to do with security. SP3 was a very small service pack.

It's quite possible, due to the very nature of the Stardock product.

I’ve just run this test and I get no physical memory access warning from Comodo.

I truly hope you will fix this issue.