Why was Defense+ unable to catch this

I got infected yesterday when I visited a malicious website(on purpose). I don’t understand how I did not get any alerts from Defense+. I have given the link below, visit it to see for yourself.

As soon as I visit the website the web browser executes my .pdf reader (I have set “Run an executable” to block for all my web browsers, but have added exceptions - one of which is Foxit Reader), and Foxit opens with a blank page.

The malware disables the windows firewall. After every restart I get alerts about svchost.exe trying to load the drivers ipnat.sys and svr.sys. I get those alerts also when I try to enable my Windows Firewall. Now, I cannot even access the Windows Firewall interface because the malware stops the Windows Firewall/Internet Connection Sharing Service. I cannot manually restart the service as it seems that the malware is not allowing me to do it.

I ran a scan with Malwarebytes’, Prevx and Hitman Pro. All three found anything. I couldn’t find anything suspicious running in COMODO Active Process list, nor could I find anything with Process Explorer.

mod edit: malicious website removed for security purposes of other users and guests who visit the forum. Website link and forum link sent to Egemen.

Okay, I have tested again. This time I changed my configuration to proactive and set the security level too paranoid, set the image execution level to aggressive, and added the “executables” file group to the “List of Executables”. Even removed the “trust digitally signed applications”.

And as expected I got a lot of alerts, but none seemed suspicious. Just bunch of windows .dll files were being executed by Foxit.

I did not know that I was running both the firewalls at the time I was testing CIS against the drive-by download.

And yes, it is still disabled. I running an infected PC right now…I think, as I can’t find any traces of malware on my system. I ran a scan with GMER, but I did not understood much of what it was showing. Yet I am pretty sure that it too didn’t find anything suspicious.

I know all about Sandboxie, I have even used it before. It is a wonderful security software that is not susceptible to user’s slip-ups. But, personally, I prefer HIPS-type programs because they give the user total control over the system. I believe that if configured properly, it will provide as close to 100% protection as you can get with any security software .

Does this happen because foxit is trusted and already has rules to allow it to install device drivers etc? I have always thought trusted programs are given to much trust.

When I got infected the first time, I was running in Clean PC Mode with everything set to ask for Foxit Reader. Trusted Software Vendors option was enabled.

Afterward I tested twice with the Trusted Software Vendors option unchecked and D+ in paranoid mode, once with Foxit Reader set to all ask, next time without an entry for it in Computer Security Policy

Yes I was thinking that too. A good reason Defense+ didn’t catch anything could well be that there was nothing to catch.

Yes, ipnat.sys is the driver that runs my firewall service, and blocking it might be the reason I’m unable to start the firewall service. But the question is that how did it disable all by itself, and why have I never received these alerts before?

I do not know the cause of it, but the problem started only after I visited that website. So I am suspecting that the malware was the cause.

Maybe someone else can test and find out?

Sure, PM the link! :smiley: :-TU

And to me also, please 8)

Me me… me too ;D

Nothing special after following the link. First the prompt either to save or to open pdf file. If i choose to open then D+ (in paranoid mode) warning “firefox.exe tries to execute foxit.exe(?)”, if allowed Foxit reader opens and blank pdf is shown (Firefox and Foxit reader have custom D+ policies which are sufficient to allow normal activities of these applications). No more D+ alerts. Seems no bad consequences either :-X

I want to see this site too! ;D PM me the link!!! >:-D I could use the VMware. :P0l

PM it to me Also please.


When somethig unexpected happens, the first thing I check is CIS log’s. Didn’t D+ reported anything there?
Another easy way to check what is happening is tracking all suspicious app’s activities with Sysinternals ProcMon…

Just my 2 cents.

Thank you for testing… :-TU

Can you send me a PM with the link please?

P.S. Now I’ve the link.