Possible malware bypass of whole suite!

Hi guys. I've just been doing some testing and I believe that I have found what could be a total malware bypass of CIS, unless I have it configured wrongly somehow.

First, the settings. Firewall enabled in Safe Mode, with "Create rules for safe applications" ticked; all other firewall options (protocol etc.) ticked, except NDIS protocol on the list. D+ and Sandbox enabled. D+ in Safe Mode, with the "all executables to be checked" option ticked and "Create rules for safe applications" ticked. All other firewall, D+ and Sandbox options at default. Antivirus set to high heuristics and set to stateful; all other antivirus options default.

The file I downloaded, on a test machine running Windows XP 32-bit, was a TDSS trojan, Load.exe, from Malware Domain List this morning, 7/4/2010.

When executed (clicking Run), no response from CIS. I then scanned the whole file location, C:\Documents and Settings, with Malwarebytes on quick scan and also with Hitman Pro and CAVS (CAVS proved negative, after update). Both apps identified Load.exe as malware. Hitman Pro said G Data was the only vendor to catch the malware. Malwarebytes deleted the malware after quarantine. Subsequent Malwarebytes and Hitman Pro scans proved negative.

I then tried the same download one by one with just Sandbox, just D+, then Firewall and AV with the previous settings, and still not a peep.

Give it a go, guys, and see what you get. Not sure whether I should have posted a link to the malware, as other forums forbid it, so I did not, but it's easily found.

Mods, please remove which site the malware was obtained from if this is not allowed. I am hoping this is a case of me not having CIS configured properly, or that there is some sort of corruption going on here causing CIS not to work as it should. Here's hoping.

Regards
Dave1234.

I must be particularly dumb, but when visiting the domain you are talking of so as to download the trojan and run your test, I found no way to download anything.

Instead of selectively changing the settings, could you please set CIS to Proactive and try this again? Sorry, I don't have the ability to check this myself, but I'm curious.

You can copy and paste the URL related to the malware you want. There is no direct download link, as this is merely a place to provide information.

As long as no direct links to malware downloads/URLs are posted it’s quite ok to reference a site such as MDL.

Hey Dave, can you send me the sample if you still have it?

Thanks mate!

Tooby

Hello Chiron and Tooby. I thought this would grab interest. First, @Chiron: I had settings on Proactive when I ran the test. I did another test straight after with another piece of zero-day stuff and both the AV and D+ picked it up, giving the conclusion that the other one went right through it.

@Tooby: The malware was on yesterday's (7/4/2010) Malware Domain List under TDSS TROJAN, the very first one on the list; the executable was load.exe. I am sure you can test it from there. It may by now be on the CAVS signature list and show up, but that does not explain how it got past D+ and Sandbox with no notifications whatsoever. I would like to get to the bottom of this one and find out what's going on.

Edit: Couldn't resist checking on this one today. The AV picked it up as Trojware.Win32.trojan.Gen.Agent@103981738, in C:\Documents and Settings. I disabled the AV and neither Sandbox nor D+ peeped up on the next test, so the culprit must be in that direction. Incidentally, GeSWall isolated it in the same test, as the browser Firefox was isolated.

Regards
Dave1234.

Here it is. No problems for D+.

http://img200.imageshack.us/img200/1468/80203298.th.png

http://img220.imageshack.us/img220/1441/83135842.th.png

http://img361.imageshack.us/img361/6568/82859244.th.png


Hello Bequick. Was the sample you tested the very same one from yesterday? I am worried here, as my CIS ain't picking it up except via AV. Yesterday it did not catch it at all. Any suggestions what to do here, like reinstall or something?

Regards
Dave1234.

Well, you can see here:

http://img638.imageshack.us/img638/9256/777p.th.png

Is it? :))

Nothing special, just turn Proactive Security on and disable SB. :slight_smile:


@Bequick: Yep, that's the file alright. Hmmmm… puzzled, man. Don't know what to do next. Your system blocks it; mine did not. Thanks for taking the time, my friend. Any suggestions?

Regards
Dave1234.

Dave1234, do you have any other security software running which may be conflicting with D+? It seems strange you haven't seen a pop-up using Proactive config with Sandbox disabled, since running any untrusted executable should do so.

Hello Andyman. I did have GeSWall installed for a while, which isolated the malware, but had Sandbox disabled. Could the conflict be between D+ and GeSWall interfering with detection? Don't know if any other members have had similar issues when using these softwares. I will say the AV did not detect yesterday but did today, and then I tried via D+ with no response. Bequick did find the malware and it showed on his checks with D+, so I suppose it may be a conflict. I have uninstalled GeSWall and will do the check again regarding D+ and Sandbox, and report back.

Regards
Dave1234.

Well Dave, it'd certainly be a possibility that there could be a conflict between GeSWall and D+; sometimes more security apps can actually lead to decreased protection. I remember trying DriveSentry alongside D+ a while ago and finding that keylogger protection was completely removed. However, in this case I think it may simply be GeSWall doing its job correctly.

If you think about it, GeSWall actually operates by an extensive sandboxing/isolation of the registry and system files, etc. Therefore, with GW running, the malware's modifications would be redirected into the protective layer and nothing would actually be written to the real system for D+ to notify you of.
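The distinction Andyman draws (writes redirected into the isolation layer versus writes that silently landed on the real system) can be checked rather than guessed at. The script below is an added example for this thread, not code from the original posts, from Comodo or from GeSWall: it hashes every file under a directory before and after a suspect is run and reports what changed on the real disk. For a real test the root would be something like C:\Documents and Settings or C:\WINDOWS; here the tree, file names and the simulated "drops" are constructed stand-ins. Snapshotting is done from an unisolated process, so a redirected write never shows up in the diff, whereas a write that bypassed both isolation and Defense+ does.

```python
"""
Canary snapshot/diff: did a sample's writes reach the real filesystem?

Added example, not from the original thread or any vendor code. Usage pattern:
    base = snapshot(root)      # from a normal, unisolated shell
    ... run the sample (inside GeSWall / Sandbox / with only D+) ...
    after = snapshot(root)
    print(diff(base, after))   # empty => nothing landed on the real system
Paths used in demo() are constructed stand-ins for real XP locations.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return state


def diff(before, after):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, modified, removed


def writes_reached_real_system(before, after):
    """True if anything at all changed on the real disk between the two snapshots."""
    added, modified, removed = diff(before, after)
    return bool(added or modified or removed)


def demo():
    """Simulate both outcomes on a throwaway tree; returns (isolated_result, real_diff)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for C:\WINDOWS\system32 and C:\Documents and Settings
        (root / "WINDOWS" / "system32").mkdir(parents=True)
        (root / "WINDOWS" / "system32" / "drivers.txt").write_text("original\n")
        (root / "Documents and Settings" / "user").mkdir(parents=True)
        base = snapshot(root)

        # Case 1: sample ran inside an isolation layer. Its writes were redirected,
        # so the real tree is untouched and the unisolated snapshot is identical.
        isolated = snapshot(root)

        # Case 2: sample ran with no isolation and no D+ alert. Simulate it dropping
        # a binary under the profile and patching a "system" file.
        (root / "Documents and Settings" / "user" / "load.exe").write_bytes(b"MZ\x90\x00")
        (root / "WINDOWS" / "system32" / "drivers.txt").write_text("patched\n")
        real = snapshot(root)

        return writes_reached_real_system(base, isolated), diff(base, real)


if __name__ == "__main__":
    touched, changes = demo()
    print("isolated run touched real system:", touched)
    print("unisolated run changes (added, modified, removed):", changes)
```

One caveat when reading the result: an empty diff after a run under GeSWall is consistent with redirection doing its job, but an empty diff with no isolation at all only means the sample did not write (for instance because it exited early, as in a later post here), not that anything blocked it. Registry canaries would need the same before/after treatment via the winreg module, which this file-only example does not cover.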

Dave, I think that you and I are among the first to have the same problem.
CIS 4 STOPS WORKING PROPERLY AFTER CERTAIN PERIOD
My problem was:
https://forums.comodo.com/news-announcements-feedback-cis/leak-test-results-t30164.255.html

Reinstallation fixed my problem, but for me this is the time when I have to say goodbye to Comodo.
I have too many important things on my PC, and I can't allow myself to give CIS 4 another chance.

CIS version 4 is beta software, and it is unpredictable.

My problems include:

  1. Previously mentioned: https://forums.comodo.com/news-announcements-feedback-cis/leak-test-results-t30164.255.html
  2. Incompatibility with Girder 4.0.5.2: https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-4-and-application-incompatibility-problems-reporting-t52466.30.html
    When I uninstall CIS 4, the program works perfectly.
  3. False positives reported through scan results 3 weeks ago; some of them returned today when I did the reinstallation. PS: 10 days ago scan results showed me no viruses (I thought it was fixed); today, with a fresh installation, I have 4 viruses (all FP). In my time using CIS I reported close to 100 false positives, many of which were fixed, but it is annoying to have to go to VirusTotal all the time just to see what is what.

PS: No other security products were installed on my PC.

Good luck in development of your product. See you when version 5 comes out. :wink:

Proactive Security + Sandbox enabled; it did nothing to my system …

I got an alert from Proactive Security that the file wants to access a protected COM interface; I blocked it for sure :wink:, then a Sandbox alert, which is normal too, and finally a firewall alert, which I managed to block! The file then terminated itself and gave up :wink: so nothing has been bypassed ;D

Dave1234, you could also try adding every file, every registry key and every COM interface to your My Protected Files / Registry Keys / COM Interfaces lists and see if the malware triggers Defense+ at that point.