Terminate the application once it has started partially.

Hi All,

Is it possible to terminate the application once it has started partially?

Here is what I did:

Step 1. Ran main.exe (a new undetected variant of Waledac) using Sandboxie.
Step 2. Allowed D+ alerts 3 times to let main.exe create startup entries.
Step 3. Then selected 'Isolated Application' for the D+ alert and 'Blocked Application' for the firewall alert.
Step 4. Now I could see main.exe successfully running in memory.

Please note:

  1. All the above steps can be observed in the attached image.
  2. If I block the request at the first D+ alert only, then this application wouldn't start at all.

My system config:
  • CIS 3.8 latest build with NOD32 AV v4.
  • MS XP SP3 updated to date.

Now my questions are:

  1. Isn't it possible for Comodo to terminate the process (main.exe) when I executed Step 3?
  2. Why did I get an outgoing connection network alert (as shown in Image 6) even though I selected it as Isolated Application in the previous D+ alert (Image 4)?

Please let me know if you need more info.

Thanks,
Harsha


Hello,

Isn't it possible for Comodo to terminate the process (main.exe) when I executed Step 3.
I see in the images you have "Remember my answer" unchecked (just want to note that to you). If you set it as Isolated Application then it won't matter what you did in step 2; Defense+ is going to stop its "communication" with the registry (you would have to click Block this request).

Firewall and Defense+ are two different things. If you set something as Blocked Application in the Firewall, it won't be the same as for Defense+, and vice versa.

Did this help?

  • Jacob Kilgore

Hello Jacob,

Thanks for explaining the difference between the Blocked Application and Isolated Application options. And I know I should click 'Block this request' at first to stop this malware sample from running.

What I want is this. Take an example:

  1. User double-clicks xyz.exe and clicks 'Allow this request' at the D+ alert, and this xyz.exe process starts.
  2. Then, when xyz.exe tries to change any protected registry key, another D+ (red) alert pops up. At this point the user realizes that this is malware and wants to terminate this process.
    So I would like to see an option in the alert to terminate the process itself, which is not happening in the previous images I attached (Image 5 and Image 7) with the Isolated/Blocked Application options (I did understand that these options will block any communication; it even stops creating any files on the HDD). Some new option like 'Block and Terminate Application'.

I believe I have explained it clearly. If not, then please let me know… :slight_smile:

Cheers,
Harsha.

Hello

If you set it as Isolated Application, it basically does terminate the application.
The image below shows more information on the "Isolated Application" policy/rule.

I like your idea of having "Terminate Process" on the Defense+ alerts, maybe on both the Firewall and Defense+ alerts.
Please add your idea/wish to the Wish List.

  • Jacob Kilgore


Thank you very much, Jacob, for your suggestion. I did post to the Wishlist. Here is the link:
https://forums.comodo.com/defense_wishlist/terminate_process_option_to_d_and_firewall_alerts-t36837.0.html

I would really like to see this option get implemented.

-Harsha.