TDSS Dynamic test -Tacitus Project by XCTeam

It is written in Traditional Chinese.

9 of 30 vendors pass this test.
3 of them partial pass inculding Comodo CIS 4.1 Sanbox
18 of them fail this test.

Detail information please read their report.

Detail information please read their report.
It is written in Traditional Chinese.

How many people on this forum do you assume to be able to read Traditional Chinese?


Here is the translated english version.

Problem here is a failure to communicate.
The report itself is still Chinese, and that, done as a .pdf file, has no translator. (I DL’d the file to look at).

I don’t understand traditional Chinese but what i see from the screens is that all traditional HIPS passed, including very good BB, threatfire.

COMODO 4.1, KIS 2011, and AVAST IS 5.0 partially passed and they all share the same feature - it’s the sandbox.

Can anybody shine a light over the used methodology?

Hi Eric,

As far as I know there are Comodo developers in China

Most likely, as a moderator you can contact them directly :wink:

Sure they will be able to translate the methodology & post it here


p.s. In the past I was able to contact the Ukrainian department (actually the city where I was born :slight_smile: ) and exchange e-mails in Russian… when researching the old bug
So you should not have any issues… I think 88)

Thanks you for the link, nice test.

when i have tried, KIS 2011 can clean an active tdss, AIS and CIS can’t i think, no?

Strange. Paranoid and safe mode fail but sandboxed with unrestricted pass the test.
Is it because of virtualization ?
KIS 2011 also pass the test using sandbox.

The test run a TDSS sample that can be downloaded in the link below;
link removed by moderator
Please don’t post link to live malware in the public part of the boards. It is against Forum Policy to protect less experienced users.

And they use Kaspersky TDSSKiller( to check if the test system get infected by the TDSS sample.

May be someone in Comodo can download the sample and try it out.

(note: the test disabled the AV function and just tested the HIPS and sandbox function)

What configuration did they test the default Internet Security or the Proactive Security?

I don’t noticed the configuration in the report and you may better contact XCTeam to get the details.

I think someone in Comodo can just try it out using Internet Security and Proactive Security to verify the result.

Greetings all.

I still think that what was suggested here is better to be done in the 1st place
in order to find out/translate the methodology

added Well, I forgot to mention that probably the original poster - WinBMY can help … most likely (?) 88)


As I mentioned there is no CIS configuration details in the report and it is just a kind of executive summary.

They may have improper CIS configuration or CIS behave differently in their test system.

When someone show that a malware sample can get through CIS, why someone in Comodo just simply test the sample and verify the result. (using the appropriate configuration that you decide)

added SiberLynx, you are right that Comodo should find their internal resources or WinBMY’s help. I shouldn’t be so pushy here.

Current CIS 5 release asks the user what to do…
And Defense+ heuristics detects it also…

CIS configuration 100% Default settings, AV not updated, No Network connection.
Sample started from Command-box.

[attachment deleted by admin]

CIS Pro-Active, Sandbox DISABLED, AV not updated, No Network connection.
Sample started from Command-box.

[attachment deleted by admin]

Thanks hkjoj ,

Nobody is “pushy”, why?

It is just surprising to hear such questions when there are the developers “from the region”
That is not even an extremely questionable discussion about “the regional malware” that took place recently here
… that is about a simple translation

Thanks for the reply & Cheers!


Sorry for late respond to the post.
I asked the author if he plan to write an English Report, and he reply “No plan at this moment.”

Therefore, maybe I can translate some of it — try my best. My English is not very good.

The following software are test by XCTeam.
Avira AntiVir Premium 10
Agnitum Outpost Firewall 7.0
avast! Free&IS 5.0
AVG Identity Protection 9
BitDefender AntiVirus Pro 2011
BluePoint Security 2010
BufferZone Free 3.31
COMODO Internet Security 4.1
DefenseWall 3.06
DriveSentry Desktop 3.4
Emsisoft Mamutu 3.0
F-Secure Internet Security 2010
Filseclab Twister AntiVirus V7 R3
GDATA AntiVirus 2011
Gentel Security GeSWall 2.9
Immunet Protect 2.0
Kaspersky Internet Security 2011
Norman Security Suite Pro 2010
Norton Power Eraser 1.51
Emsisoft Online Armor Free 4.0
Online Solution Security Suite 1.5
Panda AntiVirus Pro 2011
Privacyware Privatefirewall 7.0
PC Tools ThreatFire 4.7
Sandboxie 3.48
SpyShelter 4.52
Trend Micro Titanium 3.0
Xacti Spyware Terminator 2.7.2
Xacti System Protect 1.0
Zemana AntiLogger 1.9.2

本測試於8/27 至 9/5 間進行,不採用Beta 版。除非官方已釋出為正

T===>The testing was performed from 2010/08/27 to 2010/09/05. All of the software are not beta version, they are all up-to-date release version.

T===>Testing Environment:

於Microsoft Virtual PC 下、Windows 7 專業版(32Bit)
Intel Q6600 2.4Ghz、RAM 2560MB、網路為連網狀態

Software Environment:
Windows 7 Pro(32 bit),
VM: MS Virtual PC
Hardware: CPU Intel Q6600 2.4Ghz,
RAM: 2560MB
Internet Connection: Always connecting

T===>Testing Configuration Detail:

  1. 如果免費版或AntiVirus 已經包含完整的主動防禦(HIPS)功能,則不
    採用付費版或InternetSecurity 甚至更高階的產品。

T===> 1. If The AV is a Free version that has HIPS function, then this test will not test their Pay version.

  1. 除非軟體提示要求重新開機,否則不重新開機。

T===> 2. The test won’t rebooting PC unless it requires to reboot after installation.

  1. 防毒軟體都已停用即時監控以及任何與特徵碼相關的功能。

T===> 3. Realtime Anti-Virus detection function was disabled during this test.

  1. 針對軟體提供的細部設定做變更一再測試。例如:有SandBox 模式
    和非SandBox 模式,則兩者都測試,並均附上結果。

T===> If the software has Sandbox function, then this test will be reported by
a. SanBox enable
b. SanBox disable

  1. 當HIPS 出現詢問是否允許生成TMP 檔時,一律選擇攔截。

T===> 5. The standare answer is “No” to all of the HIPS popup “if allow to generate TMP file?”

  1. 每次測試完成後,還原虛擬機狀態後再進行其他軟體的測試。

T===> 6. The PC will back to original status by VM after one software test.

  1. 細部設定的變更,如果系統沒有被TDSS 感染,則變更設定後繼

T===> 7. I don’t know how to translate this sentence, therefore, I skip translation to this sentence.

  1. 最後以Kaspersky TDSSKiller(掃描來判斷結果。

T===> After execution the testing samples, use Kaspersky TDSSKiller to scann for verifying if the PC affected or not,

  1. TDSS 樣本下載點(請謹慎使用,XC Team 不負感染責任)。

T===> 9. TDSS testing sample can be download from “Here”, XC Team doesl not responsible for any affection.

COMODO Internet Security 4.1
主動防禦元件名稱:Safe Mode、Paranoid Mode、
測試結果:Safe Mode 無法防禦TDSS,系統遭到感染
Paranoid Mode 無法防禦TDSS,系統遭到感染
SandBox(Unrestricted) 成功防禦TDSS,系統安然無恙
備註:Safe Mode 與Paranoid Mode 均沒有跳出任何詢問視窗,直到將
TDSS 加入至SandBox 中執行。

T===> COMODO Internet Security 4.1 Configuration
HIPS setting: (test 3 times of the following mode)

  1. Safe mode,
  2. Paranoid Mode, and
  3. SanBox(Unrestricted)

Anti-Virus: Disable (From the Mothodology mentioned above)
Rest of the others: No further setting after installation.

Testing Result:

  1. Affected under Safe Mode. (fail to protect)
  2. Afftected under Paranoid Mode. (fail to protect)
  3. Success to protect under SanBox enable

Note: In our execution test, no popup for asking allow or disable under Safe mode and Paranoid Mode setting. But it popup and show message that TDSS move to SanBox under SanBox enable.