Proofs of Concepts Vs. CFP3

Of course , when I start it , there are two or three alerts , but those are not important , if the program begins to work , and you can click “Protect” , if the program shows you “Failed” or your software gives you an alert , that means your software could block it , if it shows you “Done” , that means your softeware cann’t block it . CFP cann’t block it , when I click the “Protect” , there is no alert and the program shows me “done” . After it protects itself , CFP couldn’t terminate it , maybe there is few software can terminate it . The name of the program is “kill.exe” , it is in the “danger.rar” , and the password is “virus” . Another program in “danger.rar” is “cs.exe” , it uses the technology of alternate data streams , it could be found and blocked by CFP .

[attachment deleted by admin]

CFP cann’t block it , maybe because it cann’t block a program oprate the System essence , some other HIPS software can block the “kill.exe” because they can stop and alarm for oprating the system essence .

EQ-Secure V3.4

press “Protect”

press “Deny”

and I can terminate the process “KiLL.exe”

If I press “Allow” ,the process will NOT be terminated!

A suggestion , I wish CFP could block a program changing the system time , many virus will change the system time in my country , because if the time is changed to a long time ago or a long time later , most of AV software will not work normally .

Says who? What did the alerts say? If they are about the application accessing some system functionality, then I’d say they’re reasonably important, wouldn’t you?

Can you post a screenshot of htese allegedly unimportant alert dialogues.

Thanks in advance,
Ewen :slight_smile:

When I start the program , CFP gives me these alerts just like when I start other programs , but when the program begins to work and try to protect itself(when I click “Protect”) , there is no alert for me , I think this is the important point , because if it wants to protect itself , it should operate the system essence , and CFP cann’t block this kind of operation , some other HIPS softwares such as EQ-Sucure can block this operation . If the program protects itself successfully , almost no software can terminate it .

Apologies, I didn’t realise that you hgad attached screenshots of the alerts. :-\

That’s interesting ( ??? >:() that the firewall doesn’t detect escalation of application privelege. I made the mistake of assuming this would be covered by the HIPS component.

Can you please post this in the 32 bit and 64 bit bug reports (assuming that it isn’t detected on both platforms).

Ewen :slight_smile:

Thanks , I post it in the 32bit bug report . But I don’t think this is a bug , maybe it is just that CFP doesn’t have this function . My OS is 32bit , I am sure the 64bit OS must be same to me .

hi everyone here
i have been here because RCBB’s(may be rcbbly?) pm:)

i’m Luzi,who is a member of 0GiNr, and the author of this toy

i’m sorry that i haven’t try Comodo before i post this reply.

if I have understood this topic correctly, it it talking about my little toy at the point of accessing kernel-memory.

have I understood correctly? if yes, well, it just called ZwSystemDebugControl. :slight_smile:

i feel sorry for my poor english, it’s my first post at an english site :slight_smile:

I think you should talk more about your toy :THNK

There is another program which will debug at system level , I post it here , I hope it can help you .

[attachment deleted by admin]

Another problem , when the “cs.exe” create a file , CFP couldn’t show me the file path rightly , it shows me unknow path , as I know the program use the alternate data streams , maybe this is the reason , but other HIPS could show the right file path . I have post it on 32bit bug report.

[attachment deleted by admin]

I test the “prueba.exe” by CPF V3 & EQ-Secure V3.4

We must BLOCK “prueba.exe is trying to execute ntoskrnl.exe”!

Or , the computer could not be controlled!

Can CPF V3 pass the unhookers tests ?

That would be interesting to see. Based on their explanations, it would seem like it should but in reality it might not. Never know, until it’s tested. Seems that would get some good information for Comodo to use to improve the product.

At present, looks like ProSecurity is the leader there…


Another two HIPS ,SSM & EQ-Secure, had passed the unhookers tests !

PS: Direct modify with SCC (System Core Center)

      =  Debug  at  system  level

This virus could modify the system time to the year ,2002!

EQ-Secure v3.4


Moderator’s Edit: Virus attachment removed. Please do not post live viruses in the forums. Thank you.

"\Device\HarddiskVolume3" equal to "D:"

smth more?

ZwSystemDebugControl SysDbgCopyMemoryChucks_0(used to read kernel-memory,SysDbgCopyMemoryChunks_0 = 8) & SysDbgCopyMemoryChucks_1(used to write kernel-memory,SysDbgCopyMemoryChunks_1 = 9)

Good job! Thanks for this.