Screen capture protection

I just ran SpyShelter’s test http://www.spyshelter.com/download/AntiTest.zip and it was able to take screenshots. Privatefirewall for example warns me and allows me to block the screen capture, but CIS allows it even with HIPS set to Paranoid and the application partially sandboxed as Untrusted.

I wasn’t able to test the application in the background (I read somewhere that CIS blocks screen captures only if they are requested by background apps), but I think allowing screen capture for any foreground application is a security concern.

I have the BB set to Restricted and it blocked all of the attempts. I then disabled BB, removed Antitest from the Unrecognised Files list and ran with D+ in Safe Mode. It blocked all screen capture attempts.

I am on Windows 8. What OS are you using?

Ok, I just did some additional tests and the results are… well, see for yourself:

BB enabled as Untrusted + HIPS enabled in Safe Mode —> screen successfully captured
BB enabled as Untrusted without HIPS —> screen successfully captured
BB enabled as Restricted without HIPS —> screen capture failed
BB disabled + HIPS Safe Mode —> screen capture failed (HIPS warned and allowed me to block it)

So I don’t know what is happening, if more people could reproduce this test to see if it’s my installation or a generalised bug, please do! Shouldn’t Untrusted be more strict than Restricted? For the moment, I’m disabling the BB and sticking to HIPS only.

Results observed on a Win7x64 machine.

Untrusted is more restricted than Restricted.

I forgot to mention that I am running Proactive Security Configuration. If you are running in Internet Security please try again in Proactive.

Maybe your configuration got corrupted somehow. Try importing a factory default configuration from the CIS installation folder. When importing, give it an applicable name like CIS - Proactive Security Test Profile. Let us know if that makes a difference.

I wasn’t running Proactive Security config, but a heavily tuned Internet Security. Anyway, enabled Proactive, same results. Restricted BB blocks screen captures but Untrusted BB doesn’t.

Tried importing Proactive from the installation folder as you said, same results again.

Have you tested it with BB as Untrusted?

BB enabled as Untrusted + HIPS enabled in Safe Mode —> failed to capture any screen. CIS blocked them all.

Windows 7 64-Bit. Proactive security.

I tested with BB at Untrusted and oddly enough it allowed captures 1a, 2a and 3a. It blocked the rest.

Can you test with BB set to Untrusted and see what happens?

We may be looking at a bug as we would expect CIS to block all like when using Restricted.

HIPS (mode proactive)
BB assets and treat as not untrusted:
only test1a, test2a and test3a are not blocked.

Note: with BB Restricted, everything is blocked

If you’re asking me, I already did (see above).

You probably meant BB set to Untrusted (Not trusted, or Não Confiável in Pt-BR), right?

I am sorry. I meant to ask to test with the BB set to Restricted.

Which I did too. BB set to Restricted blocks the screen capture. See:

BB Restricted works (successfully blocks screen capture) with or without HIPS. Untrusted doesn’t work with or without HIPS.

Untrusted works for me. So I have no idea why it doesn’t work for the rest of you.

What’s even more strange is that I recall that in the past CIS didn’t block screen capture at all in this testing application. Go figure ???

So the screen capture is blocked using Restricted but is not blocked using Untrusted???

Hey people, can you block keylogging? I have had this problem since I first installed Comodo (4-5 years or more); it can’t block keyloggers.

No matter what I do, when I test REFOG keylogger (or a few others) and block access to keystrokes, it can log them anyway.

I wanted to report that, but I am too lazy to do all that stuff.

The only way to know is to test it for yourself. Untrusted doesn’t work for them but it works for me.

So test it: http://www.spyshelter.com/download/AntiTest.zip

I did a quick search on the forum, and for what it’s worth, it looks like the issue with this test is nothing new. A poster back in 2010 said that on “limited” and “restricted” CIS passed, but not on “untrusted,” so the results were not consistent. Three years later, here we are…

Jaspion. Could you file a bug report about this in the bug report section? Please follow the reporting protocol closely. That way you’ll be sure the bug gets seen by Comodo staff.

I agree with EricJH. Please file a bug report for this. Also, please test to see if it bypasses the FV sandbox as well.

Thanks.

My tests are consistent with Jaspion’s, but on an XP32 SP3: Untrusted is less aggressive than Restricted. I am running full CIS in Proactive mode.

I’m using 8x64 system and yes:

  1. Test with Proactive, BB Untrusted, no HIPS - capture successful
  2. Test with Proactive, BB Restricted, no HIPS - capture failed

How come the Untrusted setting(s) failed?

!ot! CAN I USE HIPS WITH THE BB, OR DOES HIPS HAVE TO BE DISABLED TO USE BB?