TDL3(4) vs CIS Premium

CIS latest version bypassed by TDL3(4). Win XP SP3 32b, up-to-date, @VMWare. Default CIS Configuration.

MD5 of the dropper: 041e66945d2531c07245fcd91c57f406

AV enabled but not updated.

Download the video file: http://www.mediafire.com/?e3ly0h3ar0t08gh
File is a self-playing video (done via Screen2Exe).

(mods, move the topic to a more appropriate section if necessary :))

Hi 3x0,

Could you please test with Proactive profile and sandbox set to untrusted. I just want to see if this is a complete bypass or just small glitch at default settings…

Thanks,
Harsha.

yes I’d like to know that too. I have proactive set, files untrusted, and installers checked off. It would be nice to know if I’m protected a little better.

Setting the Sandbox security level to Limited (instead of Partially limited) is sufficient.
Edit: seems I’m not alone: https://forums.comodo.com/news-announcements-feedback-cis/bypass-sandbox-partially-limited-t65062.0.html

Otherwise, if you want to rely on D+, disable sandbox completely and you’ll get popups regarding applications activity. However, there is a peculiarity with D+: if you allow this action (1st popup, see screenshot) you won’t get a popup regarding Direct disk access afterwards.
If you block that action, you’ll get the popup regarding Direct disk access (2nd popup, see screenshot).

Why so? What’s the connection between the two popups. Why does allowing the first one allow (or rather, not prompt for) the second, and denying the first not deny the 2nd?

[attachment deleted by admin]

small bump.

I think it's to reduce pop-ups if you use basic pop-up alerts, but you must get all pop-ups if you have More Options clicked on pop-up alerts.

but you must get all pop-ups if you have More Options clicked on pop-up alerts.
I did test with "more options" view and that's what happened... :-\ (unless I block the 1st I don't get the 2nd popup, but I do get a few more misc. popups regarding the malware's actions)