The Good, The Bad and The UGLY (ugly because its unknown!!)

Yes, Tested multiple times.

[code=omygosh.py]
import os  # used to delete the file at the end

# the "[at]" in place of "@" means this is not the exact EICAR signature
text = "X5O!P%[at]AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

txtfile = open("\\omygosh.com", "w")  # create the .com file in the drive root
txtfile.write(text)
txtfile.close()  # close the write handle before reopening for reading

txtfile = open("\\omygosh.com", "r")
print(txtfile.readlines())
txtfile.close()

os.remove("\\omygosh.com")  # delete the file again
[/code]

Then let me explain.

This code [b]doesn't[/b] actually contain an EICAR payload but it [b]does[/b] write a com file.


[quote="Kyle post:59, topic:253102"]
My point? It's explained in the first post I made.
[/quote]
[quote="Kyle post:53, topic:253102"]
[code]
import os  # this module is used for deleting after the file has been created, written and read

# ---------------------------------------------------------------------#
text = "Some random text to write in the test file"  # text that will be written
# ---------------------------------------------------------------------#
txtfile = open("\\txtfile.txt", "w")  # creates a new file for writing
txtfile.write(text)  # write the text
txtfile.close()  # close the write handle before reopening
# ---------------------------------------------------------------------#
txtfile = open("\\txtfile.txt", "r")  # open the file for reading
print(txtfile.readlines())  # read lines and output on screen
txtfile.close()  # close the file
# ---------------------------------------------------------------------#
os.remove("\\txtfile.txt")  # this deletes the file
# ----------------------------------End--------------------------------#
[/code]

In English...
File creation, File Writing, File Reading and lastly File Deletion.
No alerts from CIS at all.
[/quote]
Your [i]real[/i] point: There is no alert when a [b]txt[/b] file is written...

Just going to quote myself, Pls read it… I don’t think you quite understand what’s going on.
I specifically pointed out that u get no alerts from CIS when you do the following things.
File creation,File Writing, File Reading and lastly File Deletion.

EDIT: Had to update post cause Endymion updated his and I didn’t want to double post.

Yes Kyle I did.

You do understand that the code you provided writes a txt file?

All this proves is how intelligent D+ is. Why bother the user with things that pose no threat? If you want to create, modify and delete a .txt file… what’s the harm? Why should users be warned about it?

Melih

It doesn’t matter if it’s a text file. I could read your personal information, I could infect by writing into other files and I could do a very nasty thing which viruses do… delete files.
It can do anything that a virus could do in exe form, only without Defense+ alerting. I repeat: if I compiled this into an EXE you WOULD get an alert from Defense+. If you run it through a trusted process, you WON’T get an alert.

No alerts, Zero, Zilch Nada.

Kyle the code you provided doesn’t prove that. It doesn’t read any information. It doesn’t delete any critical file.

And lastly it doesn’t even write an EICAR payload…

What it does? Zero, Zilch Nada.

Endymion… U srsly don’t know what you’re talking about lol… If u had 5 minutes of python\anylanguage experience you’d understand what it’s doing, It’s a very simple thing. (I thought the comments in the code were enough, guess not…)

You’re saying it’s false when it’s true. There are no maybes or sortas. It either is or isn’t. There is no leeway unfortunately, Endymion, and I can’t explain it any better to you, sorry. You’re wrong.

Kyle I hope you do understand that if what you wrote was a Proof of Concept even Notepad (!) would be a virus

Since Melih and Endymion are either not understanding or are being difficult… Here’s some updated code. It doesn’t deal with a txt file now, it deals with executables.

[code]
import os  # this module is used for deleting after the file has been created, written and read

# ---------------------------------------------------------------------#
text = "Some random text to write in the test file"  # text that will be written
# ---------------------------------------------------------------------#
testfile = open("\\testfile.exe", "w")  # creates a new file for writing
testfile.write(text)  # write the text
testfile.close()  # close the write handle before reopening
# ---------------------------------------------------------------------#
testfile = open("\\testfile.exe", "r")  # open the file for reading
print(testfile.readlines())  # read lines and output on screen
testfile.close()  # close the file (was txtfile.close(), an undefined name)
# ---------------------------------------------------------------------#
os.remove("\\testfile.exe")  # this deletes the file
# ----------------------------------End--------------------------------#
[/code]

The above demonstrates File creation, Modification and Deletion. CIS does not alert you.

Compile it, Run it as an exe and you will get alerts.


Some people look at the picture and see nothing…
some people look at the picture and see Mona Lisa…

I see Mona Lisa… the intelligence and sophistication built into CIS… how very beautiful…

what do you see Kyle :wink:

renaming: is done manually…CIS knows…user intended to…don’t bother with alerts…
Exe: unknown…trying to run…alert…

oh Mona CISa :)…

Melih

Melih can you tell me why CIS doesn’t alert me when I run the code raw? And why does it alert me when it’s compiled to an exe? The same actions are being done.

I understood correctly that a txt file is not meant to trigger alerts just like the invalid EICAR signature of the second example (I asked you to explain) won’t

Alas, despite you adding many comments, your first example did not mention anywhere that it was not designed to trigger any protected file alert whereas D+ is not explicitly configured to warn the user about .txt (!) files ???

It became even more confusing whereas I asked you to clarify the difference with the second version I provided

…you were apparently sure there were AV alerts for an invalid EICAR text ???

I did ask you to confirm and you mentioned you tested it multiple times. ???

[ol]
  1. The first example you provided was specifically designed to not trigger any alert (txt files are not added to Protected files by default.)
  2. The second example (you did not provide) will trigger an alert for .com files when D+ is set to paranoid mode but won’t trigger any AV alert because the EICAR text is invalid (not-an-eicar).
[/ol]

Python is 40+ MB of safelisted software; to have D+ alert about the first example you provided you need to add *.txt to D+ Protected Files (D+ > Common files) and switch D+ to Paranoid mode

Were you not willing to use D+ paranoid mode, Python’s entire path can be added to CIS sandbox ( D+ > Sandbox > Add programs to the Sandbox).

Were you not to know, it is also possible to sandbox only Python and use D+ for everything else:

  • uncheck Automatically detect the installers/updaters and run them outside the Sandbox (Defense+ Tasks > Sandbox > Sandbox Settings)
  • uncheck Automatically run unrecognized programs inside the Sandbox (Defense+ Tasks > Sandbox > Sandbox Settings)

Endymion you did not read post #69
https://forums.comodo.com/news-announcements-feedback-cis/the-good-the-bad-and-the-ugly-ugly-because-its-unknown-t56938.0.html;msg400888#msg400888
I realized that your thoughts were that txt files are not applicable. That’s why I modified the code so that instead of txt files it would Create, Modify and delete executable files.

Still, the point remains: run that code I made and you will not get any defense+ alerts. Compile the same code into an exe, run it - you get plenty of alerts. Both ‘items’ perform exactly the same function.

Actually I did not ignore the code you modified but it was not much different from the example I previously provided.

So I summarized all the relevant information there.

Dude ur a kid so I’ll explain easy.

I-

  1. Get a free program called AutoIt (it’s a windows macro programmer. You can do anything with it that you can do in windows. It’s got a lot of options & very powerful & most exes compiled by it are detected as viruses by an AV’s heuristics. grin).
  2. write some malicious code (pretty easy). Run it. Make Autoit.exe trusted and you’ll see 0 alerts.
  3. compile the same code into an exe (v.exe). Run v.exe, CIS will alert like a maniac. Get the difference? no?

The executor in point 2 is autoexe.exe, which is trusted (i.e. allowed to do everything. It’s also a signed executable) whereas in the 2nd case it’s v.exe (untrusted) so CIS pops like a 10yr old on seeing Cena.

Exactly the same will happen with java, python, c, C#, c+ etc etc in raw code format. But if you compile it into an exe, it’s a totally different ball game.

Try a thought experiment :-La: Run a .bat file (which writes to system32) when cmd.exe is trusted. Do the same when it is un-trusted. Get it?

II- Malicious code could read your information and transmit it over the web.
1.CIS is designed to protect a pc from virus, malware, badware. etc. not safeguard it from prying eyes. For that there is encryption.
2. mal code would have to bypass the program (firefox/ie/chromes), in the sense exploit a vulnerability in the implementation of javascript/java. Remember no exes, it has to be .js, .jar etc. So the code itself has to exploit the programming language’s implementation. Java was designed to block this very thing from happening. In the old days (aahhh) I used to have an ActiveX exploit on my website which would read your directory structure and other stuff (.jpg files he he he) and display it on my webpage. It scared a lot of people. Old days = Ie5. These plugs existed with ActiveX and not the browser or the security app. The same thing is virtually impossible with remotely executed java/java script code.
3. how some piece of code will know that bank.txt is where or what’s inside is… guessing game? speculation? Luck? … no malware author knows how to find info on a person’s pc. they socially engineer it so that you, yourself type it out and send it to them. :-La

You wanna be a programmer? Write some code? Join a company which does that, it’s way more rewarding than fighting/arguing/sparring with some randies on a web-forum, not to mention paying. I have a few friends who work for google, microsoft, tcs, infosys etc. 16-20hr workdays, alcohol, fatty foods. It’s lifestyle. I hardly meet them though… they’re too busy. :-[

V.
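The mechanism the posts above describe (D+ judges the trusted interpreter, python.exe, AutoIt or cmd.exe, not the script it was handed) suggests the defender-side check below, which treats a script host plus an unrecognised script as one unknown unit. This is an added example, not code from the thread or from Comodo; the host list, the trusted-directory policy and the process-creation events are assumptions constructed for illustration.

```python
import shlex

# Script hosts named in the thread (assumption: image name -> script extensions).
SCRIPT_HOSTS = {
    "python.exe": (".py",),
    "autoit3.exe": (".au3",),
    "cmd.exe": (".bat", ".cmd"),
    "java.exe": (".jar",),
}

# Scripts under these directories count as vetted; anything else is unknown
# (assumed policy, the script-level analogue of D+ Protected Files).
TRUSTED_SCRIPT_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


def script_of(cmdline, exts):
    """Return the first argument that looks like a script for this host, or None."""
    # posix=False keeps Windows backslashes literal and quoted paths whole.
    for arg in shlex.split(cmdline, posix=False):
        arg = arg.strip('"').lower()
        if arg.endswith(exts):
            return arg
    return None


def verdict(image, cmdline):
    """'allow' when the image's own trust is what should be judged, 'alert' when a
    trusted script host is about to run a script the policy does not recognise."""
    host = image.rsplit("\\", 1)[-1].lower()
    exts = SCRIPT_HOSTS.get(host)
    if exts is None:
        return "allow"  # not a script host: D+ judges the image itself
    script = script_of(cmdline, exts)
    if script and script.startswith(TRUSTED_SCRIPT_DIRS):
        return "allow"
    # Unknown script file, or inline code (-c / stdin) with no file at all:
    # the interpreter's trust should not extend to it.
    return "alert"


# Constructed process-creation events (image, command line); not real logs.
EVENTS = [
    (r"C:\Python27\python.exe", r'"C:\Python27\python.exe" C:\Users\kyle\omygosh.py'),
    (r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Windows\System32\vetted.bat"'),
    (r"C:\Program Files\AutoIt3\AutoIt3.exe", r'AutoIt3.exe "C:\Users\kyle\Desktop\v.au3"'),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (r"C:\Python27\python.exe", 'python.exe -c "import os; print(os.getcwd())"'),
]


def triage(events=EVENTS):
    return [verdict(image, cmdline) for image, cmdline in events]
```

Running `triage()` on the constructed events flags the two user-directory scripts and the inline `-c` invocation, while the vetted batch file and plain notepad.exe pass, which is the distinction the thread says D+ alone does not make.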

Like here; (which gave me the reason to prompt and push comodo for a fix to protect users)
https://forums.comodo.com/news-announcements-feedback-cis/how-to-kill-cis-easily-t56353.0.html
He used Java to incapacitate CIS…

  1. You can search for file(s) etc and in their contents so yes you can search the pc for what you want, It’s not a matter of luck.
  2. Do I want to be a programmer? That is irrelevant to the issue at hand. Keep personal remarks to yourself thanks.

I still don’t know why this is ok -
https://forums.comodo.com/news-announcements-feedback-cis/the-good-the-bad-and-the-ugly-ugly-because-its-unknown-t56938.0.html;msg400888#msg400888
and here…

That’s the main question I have. Why is it ok that raw code has the ability to do things without alerts, yet when compiled defense+ goes nuts (both raw and compiled perform the same actions!)

You act like you’d want to be a programmer. 6 figures; US, it’s a nice… … I doubt you’re gonna earn that much (except in banking), unless your dad owns a business. Anyways, no offense meant. Sorry.

It’s ok because in the wild no such thing exists. Or if it exists it’s not wide-spread. Who cares about some threat which is so remote. I think you’re totally missing the point of any security application. It’s only a lock. It can be broken but most of the time it suffices. You act like Comodo Inc should run and fix all problems it finds. Are you kidding? They’ll fix the most important ones and a POC is their last priority. Have you not noticed Microsoft’s Fix-Release schedule or even ubuntu’s? Top priority gets preference. All software’s full of holes. Why expect a higher standard from Comodo? I think people are arguing a moot point …

Anyways, I am done here.

take care.

Comodo 4.1 is still vulnerable to screen capture, audio recording, and webcam capture.

http://www.spyshelter.com/download/AntiTest.exe

If a simple programmer of a security application is able to make a tool able to bypass comodo I don’t want to think what a real hacker is able to do.

Reported 1 month and a half ago, still not fixed… but you know? making a post to lose time criticizing Norton is more important than fixing a vulnerability.

https://forums.comodo.com/news-announcements-feedback-cis/comodo-fails-with-the-new-spyshelter-leaktests-t55558.0.html