Proofs of Concepts Vs. CFP3

A badjoke program with a bad name (:SHY)
CFP can only block it when it is executed; if it begins to work, it will shut down the system and CFP can do nothing. ProSecurity can block it. I wish CFP would add this protection.

[attachment deleted by admin]

How is it that v3 cannot block it? If the program cannot shut down the system until it is allowed to run, and CFP can prevent it from executing, then…

Can you please explain more about what you are experiencing when you test this with v3?

Tnx,

LM

Some information about the program:
(ntdll.ZwShutdownSystem)

// Reconstructed from the OllyDbg listing: the program first enables
// SE_SHUTDOWN_PRIVILEGE (privilege value 0x13 = 19), then calls the native
// shutdown routine directly instead of the user32 ExitWindowsEx path.
BOOLEAN en;
NTSTATUS nRet;
nRet = RtlAdjustPrivilege(0x13, 1, 1, &en);      // enable on the thread token
if (nRet == 0xC000007C)                          // STATUS_NO_TOKEN: thread is not impersonating
    nRet = RtlAdjustPrivilege(0x13, 1, 0, &en);  // retry on the process token
nRet = ZwShutdownSystem(2);                      // SHUTDOWN_ACTION 2 = ShutdownPowerOff

Those are found by using OllyDbg .

[attachment deleted by admin]

Yes, CFP can block it when it is executed, then it can’t run and shut down the system. In this opinion, all bad programs can’t do bad things if they are blocked when they are executed. But if I don’t know that this program is a bad one, then I will allow it to run. When the “fuck.exe” is executed, I allow it, then my system is shut down, and there are no alerts.

One more: CFP can block it when it is executed, but if it runs, it will restart the system and CFP can’t deny it. ProSecurity and SSM can deny it.

[attachment deleted by admin]

If you’re allowing it to execute using CFP, then I don’t think CFP has missed it; it’s doing what you told it you wanted to do. That would qualify under “user” error, rather than “program” error… :wink:

Wouldn’t the same be true of ProSecurity? If you allowed this application to execute in PS, wouldn’t ****.exe do the same thing and shut down the system? Or does PS somehow block it even tho you say to allow it?

LM

PS can block the program when it is executed; then, if I allow it, the program will try to shut down the system, and at this time PS will alert me that the program wants to shut down the system. I can deny it and the system won’t be shut down. But CFP can’t; it can only block the program when it is executed. CFP can’t find and block the program that wants to shut down the system, but PS and SSM can. As I said, if I don’t know this program is a bad one or a virus, I will allow it when it is executed, and CFP can’t block the operation after the program runs. I think CFP fails.

There is a program which uses “BlockInput”. After it runs, click “start” in its interface, and then the mouse and keyboard will not work. Because the program only blocks the keyboard and mouse once, you can press ctrl+alt+del and they will work again; if the program blocked the keyboard and mouse all the time, I think they would never work until you reboot. After clicking “start” (while the keyboard and mouse are being blocked), the program will modify the registry, but there is no alert about that. I don’t know what a reg link is; the author said the program would create a reg link.

[attachment deleted by admin]

I MUST DISAGREE, because if the program is something you don’t know is bad, then Comodo should block its BAD actions for your protection… if other HIPS can do it then Comodo is in need of a new function. Despite what you say, it is not human error but a program error if Comodo doesn’t have the ability to block a kill function in a program…

I would like to know: is there any other HIPS that blocks a dangerous exploit like shutdown -s or RUNDLL32.EXE user.exe,exitwindows :P?

You’re missing the point.
It’s two different things.
One is a user initiated shut down, the other is a software initiated shutdown, without any input from the user.

Some malware will cause a system shutdown, the exitwindows trojan for eg. (useful for loading rootkits, drivers, etc I imagine)

SSM will ask about any process trying to shut down windows, CPF3 should do the same.
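As an added example, not code from this thread or from Comodo, here is a PowerShell check that separates user-initiated from software-initiated shutdowns after the fact, using the event ID 1074 entry that Windows (source User32) writes to the System log naming the initiating process. A program that calls ZwShutdownSystem directly, as the PoC above does, may not leave this record at all, which is exactly why the posters want the HIPS to intercept at run time. The $trustedInitiators list is an assumed, site-specific allow-list.

```powershell
# Added example: review recent shutdown/restart requests recorded by Windows
# and flag those not started by a known interactive tool (assumed allow-list).
$trustedInitiators = @('explorer.exe', 'shutdown.exe', 'winlogon.exe')

function Get-SuspectShutdown {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Message text: "The process <path> (<host>) has initiated the <action> of computer ..."
        if ($_.Message -match 'The process (?<proc>.+?) has initiated the (?<action>\w[\w ]*?) of') {
            # Strip the "(HOSTNAME)" suffix and keep only the image file name
            $image = [IO.Path]::GetFileName(($Matches.proc -split ' \(')[0])
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $Matches.proc
                Action  = $Matches.action          # shutdown, restart, power off
                Suspect = -not ($trustedInitiators -contains $image)
            }
        }
    } | Sort-Object Time -Descending
}

Get-SuspectShutdown | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; rows with Suspect = True are the software-initiated shutdowns worth investigating.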

I am sorry, I have read your post twice, but I don’t know what you want to say; although I know the meaning of every sentence you said, I couldn’t understand your meaning. What do you disagree with and what do you agree with?
I just hope CFP becomes stronger and has all the functions which other HIPS have.

Yes, I agree.
Not only SSM can do that, but also EQSecure and ProSecurity can.

Geez ;D I think not. That was exactly my point and you fell for it :wink:

In terms of functions there is NO difference. So you say the shutdown is user-initiated because you KNOW what these commands do.
This means that a HIPS that is not acting blindly should KNOW these as well and not act, or the CFP execution blocker will have the same outcome (if the rule was not marked to be remembered) in terms of functionality.

These commands could be written in a bat file as well, or the shutdown command could be changed to notepad.exe or added to the registry run keys. The user might not know these as well, so from his perspective those act like viruses :o
Isn’t there a way to block those programs with V3 once you know what they will do?

Since these are legitimate functions, they could be used by many legitimate programs as well, so this protection only adds another popup that will interfere with these programs. Is this really an issue that requires a whole new batch of alerts?

Yep, I already know your answer ;D

I believe the argument is that (which does bother me at times), even though CFP intercepted a bad program and asked the user whether to allow execution or not, the user may not be knowledgeable enough to make the right decision, well, “is it a bad guy or not?”. And if he would say “yes”, CPF would have a built-in mechanism to stop this program from doing harmful things. Say, hey! that’s where stuff like BOClean comes in, isn’t it? (:KWL)

I beg to differ: there is a HUGE difference!

It comes down to this: blocking the execution of a process is just a fraction of what a modern HIPS does. There are many malware delivery and infection mechanisms that can easily defeat execution blocking.

Is Defense+ a full-blown HIPS? Does it measure up to other HIPS on the market?
IMHO, the answer is NO, at least not yet.
(Here is a good comparative: http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm )

Will Defense+ catch up to the other HIPS out there?
I sure do hope so, and would love to hear from Melih and the Comodo team 8)

I see, but that comparative is about unhooking and doesn’t mention V3. Did you actually run those tests against V3?

This point is a bit undeveloped too, I beg you to add just that tiny bit of details so yours will not appear as a groundless statement. :slight_smile:

I agree that a popup would be a nice, user-friendly thing to have, to warn that some application is trying to shut down the system.

However, I think this is something that v3 can indeed handle at the moment (in a not-so-user-friendly kind of way). Think thru the process - what has to happen in order for the system to be shut down? Processes must be terminated, yes? So without process termination, there is no unauthorized shutdown. Use Protection Settings with defined exclusions for the required system processes and what can shut them down. Then Protect those files that are authorized to perform system shutdown.

Not so user-friendly, I agree, but I think it can be done…

LM

No, I did not run any of these tests. I added the link above just to show that there are many features that are missing in Defense+ compared to other HIPS.

The point, again, is this:
Defense+ is far behind other HIPS like EqSecure, Neoava Guard, SSM, ProSecurity, etc …
The original poster gave you proof of concept.

And, speaking of groundless statement, here is your statement:

In terms of functions there is NO difference. So you say the user initiated shutdown because you KNOW what these commands do. This means that a HIPS that is not blindly acting should KNOW these as well and don't act or CFP execution blocker will have the same outcome (If the rule was not marked for remember) in terms of functionality.

Please tell me that you actually tested SSM ,EqSecure, or any other HIPS before making that statement, did you? On what grounds did you boldly state that there is no difference?

I’m not sure what you are trying to accomplish here, but you come across as an apologist for Comodo. I hope some one from the development team adds some comments on this topic.

That being said, I have nothing more to add to this thread.

Peace, out.

thanks for all the discussions guys.

ok

Is it a feature that is missing in CFP or a default configuration? (there is an important difference here)

If it’s a feature, what is that feature you want adding?
If it’s a configuration, then what is that configuration?

thanks
Melih