Rogue bypasses the latest release of the AV

Hi,

Testing on VMware Player on 7 32-bit, the rogue bypasses the sandbox

But the trojan and worm detection are in progress…

http://img694.imageshack.us/img694/6302/comodo2c.png

http://img208.imageshack.us/img208/760/comodo.png

3 rogues on the taskbar

http://img408.imageshack.us/img408/9198/comodo3.png

Using version .779?

yep, last release…

Did you restart also?

Of course… I don’t make any authorisation in Defense+

Does the rogue installer give you an “elevated privileges” alert to allow/block?

When will full/auto virtualization come?

Ronny,

Would you post a screenshot of what that prompt looks like? Is it just a D+ alert?

thanks
Brock

Sure, here it is

[attachment deleted by admin]

The Windows Security Center in the first screenshot is a fake (its executable is named fontviewxp.exe) that gives the impression that protection has been disabled. Even the tray area notifications (e.g. shield icons) are fake.

It looks like new executables were written in (and executed from) some user profile sub-folder.
Automatically sandboxed apps are allowed to do that but shouldn’t be able to change protected registry keys.
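The post above points to freshly written executables under the user profile as the first thing to look for after a rogue installer has run. As an added example (not code from the thread or from Comodo), the script below walks a profile directory and lists executables modified within a given window, flagging the one file name the thread reports (fontviewxp.exe). The profile tree it scans is a constructed fixture built in a temporary directory; on a real machine you would pass the actual profile path instead.

```python
import os
import tempfile
import time
from pathlib import Path

# File types worth flagging when they appear freshly under a user profile.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}

# The only file name the thread gives for the rogue's fake Security Center binary.
NAMES_FROM_THREAD = {"fontviewxp.exe"}


def find_recent_executables(profile_root, max_age_seconds, now=None):
    """Return executables under profile_root modified within max_age_seconds.

    Each hit is a dict with the path, its age in seconds and whether the file
    name matches one reported in the thread. Results are sorted newest first.
    """
    now = time.time() if now is None else now
    hits = []
    for path in Path(profile_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        age = now - path.stat().st_mtime
        if age <= max_age_seconds:
            hits.append({
                "path": str(path),
                "age_seconds": age,
                "name_from_thread": path.name.lower() in NAMES_FROM_THREAD,
            })
    return sorted(hits, key=lambda h: h["age_seconds"])


def build_demo_profile():
    """Constructed fixture: a fake profile tree with one old and one fresh binary."""
    root = Path(tempfile.mkdtemp(prefix="profile_demo_"))

    # An old, legitimate-looking helper that should not be reported.
    old = root / "AppData" / "Roaming" / "LegitApp" / "helper.exe"
    old.parent.mkdir(parents=True)
    old.write_bytes(b"MZ")
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(old, (ninety_days_ago, ninety_days_ago))

    # A just-dropped binary carrying the name mentioned in the thread.
    dropped = root / "AppData" / "Local" / "Temp" / "fontviewxp.exe"
    dropped.parent.mkdir(parents=True)
    dropped.write_bytes(b"MZ")

    # A non-executable file that must be ignored by the scan.
    note = root / "Documents" / "notes.txt"
    note.parent.mkdir(parents=True)
    note.write_text("not an executable")
    return root


if __name__ == "__main__":
    demo_root = build_demo_profile()
    for hit in find_recent_executables(demo_root, max_age_seconds=7 * 86400):
        flag = " (name reported in thread)" if hit["name_from_thread"] else ""
        print(f"{hit['path']}  age={hit['age_seconds']:.0f}s{flag}")
```

The scan keys on modification time rather than on file names, so a renamed dropper still shows up; the name match is only an extra marker. Widening `max_age_seconds` pulls in older binaries, which is useful when the install time is uncertain.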

The problem is the default security level of CIS; with D+ in paranoid mode, these rogues are correctly sandboxed.

In proactive security.

Sorry, if I understood you correctly, you are saying that the rogue bypasses Comodo in default settings, but not in proactive mode? In my own testing so far with this version, I’ve had no malware penetration.

Comodo has long tried to find a compromise between security and usability - this is the reason why proactive is not the default configuration.

Back in version 3, because proactive gave “too many” pop ups, the defaults were relaxed for non-experienced users, a very sensible decision.

However, now that the sandbox has been implemented, there is good reason for Comodo to change their default to proactive security, since defense pop-ups no longer feature anywhere near as much, and since that would seriously boost the protection level.

The fact that proactive needs to be enabled for better security should be advertised by Comodo much stronger (in my opinion), to the extent that either it should be the default config, or there should be big visible stickies on the forums / help files advocating it.

About 50% of all complaints posted on these forums about leak testing are due to users not realising they need to switch to proactive mode for full protection.

Let’s hope this changes soon!

Hi,

Sorry for my bad English, the rogue bypasses with the default settings.

But it was correctly sandboxed with D+ in paranoid mode.

Start on a clean system, install Comodo, right click on the Comodo icon > configuration > proactive security, then redo the test (if you don’t start on a clean system, make sure you wipe any traces of the rogue before retesting), and all should be well.

Yes, that’s the purpose of the test… on a virtual machine to test default settings.

Can you tell me the difference in Alerts shown in both cases?

In the case of Internet Security + Sandbox enabled you should have gotten an “Elevated privilege” alert, did that show and did you Allow or Block that?

Can you PM me so we can exchange this thing so I can test it also?

It’s important that Egemen takes note of this.

Does the Rogue you test cause system malfunction (issues, things not working correctly, etc.)? The way the Sandbox works now is that malware can DROP files, but can NOT do admin stuff, infect or modify any protected registry keys or files that Defense+ is protecting, since automatic virtualization is not yet enabled by default.

If the Rogue is causing system issues, then it’s important to raise it, as that means Rogues can still muck up registry keys and cause issues which should have been fixed in the latest release.

That’s the fix which should have fixed this issue. See my thread from the beginning of March here about a similar Rogue bypass which Egemen confirmed has been fixed in this release:

I hope that in your case the Rogue just drops files and that’s it. I haven’t read the entirety of this thread yet.

P.S. - BEST THING!! Send the Rogue to Melih so he can get someone appropriate to test the Rogue. Then we can have verification of the fix in this version.

Tooby

Tooby, did you test the rogues that bypassed the previous release with this version???

I haven’t installed version 4 yet, so I need to understand how it works: does the sandbox work with Defense+ or is it independent? I mean: can it happen that a malware bypasses the sandbox but is then stopped by Defense+ (in Paranoid Mode, yeah, because: is there another mode? ;D :smiley:), or when a file (malware or not) is examined by the sandbox, will it not be checked by Defense+?

Hi, please start here for an introduction to the Sandbox.