RST antivirus 2010. rogue av bypassed CIS

Installed a rogue called RST antivirus 2010 without any warnings from CIS at all. It was not placed in the sandbox either.

Pretty strange you didn’t even receive an elevation alert?
Can you export your Defense+ log to us please?

Tested on my VMware and I had the same result as you. The rogue completely bypassed Comodo.
The funny thing is that the uninstaller is sandboxed by Comodo.

Try to uncheck “Automatic detect installers/updaters …” in Sandbox Settings.

Windows Installer…

SetupRSTAV2010.msi (VirusTotal) never runs. Only msiexec.exe runs, with this command line:

“C:\WINDOWS\System32\msiexec.exe” /i “[path]\SetupRSTAV2010.msi”

The installed files are automatically added to My Own Safe Files

Personally I think the sandbox is quite useless at the moment, or more specifically it gives a false sense of security.

I have disabled it, config chosen is pro-active security, Defense + on safe mode and it seems to block everything nasty…at least so far.

The sandbox doesn’t block the threat, it does something better, it makes the threat handicapped!! Maybe a rogue or fake can run once, however terminating it is just a matter of clicks in the task manager. If you wanna see the real impact of this rogue, try to run it without the sandbox and enjoy the dozens of alerts, or if you want to see what it actually does on the computer, try throwing it into a virtual machine and then try to stay with that computer for an hour, you will commit suicide :stuck_out_tongue:

I think if you choose pro-active mode and the first alert is whether to allow the exe to run and you choose no, then I think there should not be any further alerts? I have not personally tested this rogue, but recently tested some test spyware that easily bypassed the sandbox, but then when I changed settings and disabled the sandbox this software was all immediately blocked with no further alerts. You can see the other thread for more information on this …

D+ sandbox is not a panacea and IMHO understanding the limits of each protection approach contributes to each user’s security sense (as important as the features a tool provides) and thus provides a way to select the best approach (where available) fit to address a specific scenario (whenever possible).

As Jowa pointed out, this threat relies on an msi (Windows Installer) file.

Sandboxing won’t be applied when double-clicking on the msi file implicitly causes the “C:\WINDOWS\System32\msiexec.exe” /i “[path]\SetupRSTAV2010.msi” command to run the installer (no elevation alert will occur as well for .msi files).

Automated sandboxing for msi files would be applied only in case (AFAIK) an unrecognized application/batch directly spawns the “C:\WINDOWS\System32\msiexec.exe” /i “[path]\SetupRSTAV2010.msi” process (eg a batch file with such an msiexec.exe command).

In theory it would be possible to configure msiexec.exe to always get sandboxed (D+ > Sandbox > “Add programs to the sandbox”) but while this rule is active even legitimate msi installers will be thwarted.

AFAIK Proactive/D+ safe mode won’t apply to (double-clicked) .msi installers as well:
msiexec.exe (MS executable responsible for interpreting .msi files and carrying out installations for them) is part of the “Windows Updater Applications” group with an installer/updater policy and msiexec.exe is a safelisted Microsoft executable.

IIRC in Proactive/D+ safe mode, execution will be silently granted without alert if both the parent and child apps are safelisted (eg explorer → msiexec.exe) but an Execution alert will occur when an unrecognized application attempts to run a safelisted one (though the previous batch file example won’t apply).

To get D+ alerts for installations carried through .msi files it might be necessary to switch D+ to Paranoid mode and remove msiexec.exe from the “Windows Updater Applications” group.

One last thing that might be worth mentioning is that according to some of the removal instructions on the internet, RST antivirus 2010 might be more than a rogue (if intended only as fake/fraud), as some of the removal instructions might describe traces of BHO extensions (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects*), services/drivers (HKLM\SYSTEM\CurrentControlSet\Services*) or drivers (HKLM\SYSTEM\CurrentControlSet\Enum\Root*).

In Paranoid Mode, CIS gives one alert for the safe application msiexec.exe. :-TD

Online Armor gives an alert for SetupRSTAV2010.msi. :-TU

To get alerts for msiexec.exe as well it would be needed to edit the “Windows Updater Applications” group, but of course this will not cause the msi filename to be mentioned in the D+ execution alert.

I tried that (also monitored dlls…). Nothing interesting, only safe applications, and “you can safely allow this request”. :-\ No alerts for anything unknown. :frowning:

As the msiexec.exe process might remain active for some time after either installation (or uninstallation), stopping the “Windows Installer” service using services.msc might be necessary where msiexec.exe was previously granted installer/updater policy (even using alerts) and would retain such access rights as long as it is running.

Thought SetupRSTAV2010.msi would behave the same, although I did not test this installer (but other .msi), but IIRC removing msiexec.exe from the “Windows Updater Applications” policy and switching to paranoid mode will have msiexec.exe trigger D+ alerts, eg registry and file ones (although msiexec.exe will be mentioned as safelisted in each alert even in paranoid mode).

I got numerous alerts for msiexec.exe, and it seems I answered them too slowly, because I got an error message that Windows Installer service could not be started (after I had allowed msiexec.exe to start msiexec.exe).

But I don’t see the point… No matter what configuration I use, there should be an alert for the unknown SetupRSTAV2010.msi (or any unknown msi, of course). I’m disappointed. :frowning: And why can’t I add it to My Pending Files or My Own Safe Files? (And why can’t CIS read digital signatures from msi files?) :-\

There are a lot of issues like this. It comes from safe files. All HIPS try to be user-friendly with this kind of list, but they don’t handle it properly, you can easily execute code through a safe file which has all rights.

I think it is what we have here: executing SetupRSTAV2010.msi through the safe application msiexec.exe.

But it’s not the only issue, I tried a few days ago to use this idea, I can destroy cmdagent easily with sandbox or not. The only way to have a pop up is to use Paranoid mode because CIS didn’t use the safe list. But something strange, for my example, the pop up didn’t mention the real action I made, unlike CIS 3.

And don’t think CIS is the only one, for example, for Online Armor, it’s the same problem, you can also disable its hips easily, but it’s a little more intelligent than cis.

No doubt there is margin for improvements. Until then I’ll consider all .msi files as unknown and as far as I’m concerned I’ll either not run them or check them by enabling msiexec.exe to trigger alerts.
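
The gap discussed in this thread, as an added example that is not part of any post above and is not Comodo's code: a trust decision based only on the parent and child images allows explorer → msiexec.exe silently, while a package-aware check treats msiexec.exe as an interpreter and judges the .msi named on its command line. The safelist, the vetted-package list, the download path and the function names are assumptions made up for the illustration.

```python
import re
from ntpath import basename  # parses backslash paths on any OS

# Constructed trust data for the example (not Comodo's real safelist).
SAFE_IMAGES = {"explorer.exe", "msiexec.exe"}
# Packages already vetted, e.g. by hash or signature; the path is made up.
VETTED_PACKAGES = {r"c:\installers\vendor-tool.msi"}
# msiexec switches whose next argument is the package to process.
PACKAGE_SWITCHES = {"/i", "/package", "/a"}
MSIEXEC = r"C:\WINDOWS\System32\msiexec.exe"

# Constructed process-creation events (the download path is an assumption).
EVENTS = [
    {"parent": r"C:\WINDOWS\explorer.exe", "image": MSIEXEC,
     "command_line": '"' + MSIEXEC + r'" /i "C:\Users\test\Downloads\SetupRSTAV2010.msi"'},
    {"parent": r"C:\WINDOWS\explorer.exe", "image": MSIEXEC,
     "command_line": r"msiexec.exe /i C:\Installers\vendor-tool.msi /qn"},
]

def tokens(command_line):
    """Split a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

def msi_target(command_line):
    """Return the package msiexec was asked to process, or None."""
    args = tokens(command_line)[1:]
    for switch, value in zip(args, args[1:]):
        if switch.lower() in PACKAGE_SWITCHES:
            return value
    return None

def image_only_verdict(event):
    """Decision as described in the thread: only the two images count."""
    images = (basename(event["parent"]).lower(), basename(event["image"]).lower())
    return "allow" if all(i in SAFE_IMAGES for i in images) else "alert"

def package_aware_verdict(event):
    """Same check, but msiexec.exe inherits the trust of its package."""
    verdict = image_only_verdict(event)
    if basename(event["image"]).lower() != "msiexec.exe":
        return verdict
    package = msi_target(event["command_line"])
    if package is None:  # no package argument, nothing extra to judge
        return verdict
    return verdict if package.lower() in VETTED_PACKAGES else "alert"
```
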