Possible bypass screencapture by malware?

bypass CIS V6, real malware, screen capturer

1. I turned off all AV related components.

2. I modified the protected files.

%windir%*| -------> %windir%*

3. I double clicked on the malware.

4. It is sandboxed as “partially limited”.

5. It captured a screen and saved the file to the location:
C:\WINDOWS\屏幕显示.jpg

6. Mine was captured by it.

7. Environment:
XP SP3 32bit

8. CIMA:
http://camas.comodo.com/cgi-bin/submit?file=daf544c10757a1cc9d2def697e215f27c5c1582752a03b0c774abf96f6d1ef2e

9. It can make a window, but it is a real malware.

There is supposed to be new protection that allows foreground programs that the user is using to keylog and screen capture.

Can see how this applies to keylogging, not sure re screencapture and Egemen was less explicit about that. Maybe if the prog is invoked from explorer by the user it can grab, if not, or if invoked from startup key, it cannot.

Mouse

It just showed a window, and then CIS v6 was deceived by this action.

Sorry - screen grabber showing a bank window is OK?

Not sure what you mean by ‘deceived by this action’

Probably being dumb…

Mouse

Try this in Limited or higher; I think this is a known limitation of Partially Limited.

+1 (:WIN)

Hi Languy, discussed above, think this is Egemen’s new smart protection in action.

https://forums.comodo.com/beta-corner-cis/my-clt-test-result-300340-t87310.0.html
Reply #9

1. Maybe this is the reason why CIS V6 was deceived.

2. The malware showed a foreground window.

Yes as I said earlier, but I think another requirement may be for the process not to be directly started by the user.

Using an autorun batch file might be a good test?

Just a speculation.

Mouse

I replaced the parent process with the iexplore.exe.

The result is the same.

→ Mine was captured.

http://i.imgur.com/TzE80.png

Hope Egemen gives some explanation or confirmation.

Yes as I said earlier, but I think another requirement may be for the process not to be directly started by the user.

Using an autorun batch file might be a good test?

Just a speculation.

That is not a valid point. If I download a malicious file and run it, then this is my fault and Comodo will not protect me?

I just ran SpyShelter’s test http://www.spyshelter.com/download/AntiTest.zip and it was able to take screenshots. Privatefirewall for example warns me and allows me to block the screen capture, but CIS allows it even with HIPS set to Paranoid and the application partially sandboxed as Untrusted.

I wasn’t able to test the application in the background, but like the example given in this topic I think allowing screen capture for any foreground application is a security concern.

Topic Locked.

Please note the Beta board is closed.

Thank you

Dennis