Any ideas why? I know I’m missing some of the settings from Proactive… I’ve got it configured the way users of the forum had suggested, yet I need to work it out w/t Proactive, since when it is ON I simply cannot access this file, but that’s not the point.
Basically what I did was apply my knowledge gathered during other tests/leaks but it didn’t work this time.
On a side note, this is still a new thing to me, so sometimes you guys post assuming I know what you’re talking about and sometimes I post assuming it’s obvious - but I’m learning thanks to you, so don't give up on me lol
Hi korben, see the attached screen shots for what happens when I run zabypass:
The first alert: zabypass is making a call to csrss.exe (the client server subsystem). This is not terribly significant in itself, but it would probably make me want to see what happens next.
The second alert has zabypass making a call to firefox (substitute your browser here). Personally, unless I knew specifically what zabypass was, it would be stopped at this point.
The third alert is the most strange: firefox making a call to a COM (Component Object Model) interface. That would definitely set my radar off.
The documentation says zabypass uses the DDE-IPC protocol. Well, DDE is not COM, but IPC messaging is part and parcel of both. Without knowing exactly what zabypass is doing behind the scenes, it’s hard to know how exactly it uses IPC (Inter Process Communication).
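The alert sequence described above (an unknown exe touching csrss.exe and the browser, then the browser reaching a COM interface and the Internet) is the pattern a reviewer should look for in a HIPS log. The following is an added example, not code from this thread or from Comodo; the alert line format, the process names and the trusted list are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed HIPS-style alert lines (assumption: not Comodo's real log format):
# "<seq> <source> -> <target> : <action>"
SAMPLE_ALERTS = """\
1 zabypass.exe -> csrss.exe : interprocess memory access
2 zabypass.exe -> firefox.exe : interprocess memory access
3 firefox.exe -> COM interface : access
4 firefox.exe -> internet : outbound connection
"""

# Processes the user has already vetted (assumption: a local trusted list)
TRUSTED = {"firefox.exe", "csrss.exe"}
# Actions that let a process reach outside its own boundary
SENSITIVE = {"access", "outbound connection"}


@dataclass
class Alert:
    seq: int
    source: str
    target: str
    action: str


def parse_alerts(text):
    """Parse the constructed alert format into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, rest = line.split(" ", 1)
        left, action = rest.rsplit(" : ", 1)
        source, target = left.split(" -> ")
        alerts.append(Alert(int(seq), source.strip(), target.strip(), action.strip()))
    return alerts


def suspicious_chains(alerts):
    """Flag an untrusted process that touches a trusted one which then performs
    a sensitive action: the leak-test 'piggyback on a trusted app' pattern.
    Returns (origin, proxy, target, touch_seq, action_seq) tuples."""
    tainted = {}  # trusted process -> (untrusted toucher, seq of the touch)
    findings = []
    for a in alerts:
        if a.source not in TRUSTED and a.target in TRUSTED:
            tainted.setdefault(a.target, (a.source, a.seq))
        elif a.source in tainted and a.action in SENSITIVE:
            origin, seq = tainted[a.source]
            findings.append((origin, a.source, a.target, seq, a.seq))
    return findings
```

The first alert (zabypass to csrss.exe) only marks csrss.exe as touched; the findings come from firefox.exe acting after it was touched, which is why the second alert is the natural place to block.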
I use Installer_Updater config, I run the zabypass.exe, I change the config to Proactive and… trying to run the test I clearly see that nothing happens, i.e. no popup window appears, which is good, right?
Perhaps in the near future I will find some time to analyze the issue in detail.
Apologies, I’m not sure I follow the first part of your breakdown. zabypass is just a single executable; there’s nothing to install. That aside, I’m surprised you don’t receive any kind of pop-up when it attempts to access the Internet. What are your security settings for the firewall and D+, aside from running Proactive?
I did this test and CIS easily passed it. You said you use the ‘installer updater’ configuration; does that mean you selected ‘installer’ in the predetermined policy when the alert came up? If yes, Defense+ will definitely give it a clean chit.
When the exe tries to inject itself into IE, block it… but once injected you get the alert that IE (which is safe) tries to connect to the Internet, which nobody will doubt, for that matter… But blocking it from connecting definitely works.
When you use that tutorial you are running the computer in Clean PC Mode. That means it will execute all programs without interfering; it will allow all activity. That’s why you don’t get alerts I guess.
Can you tell us what configuration you are using? Look under Miscellaneous → Manage my configurations. How are Defense + and Image Execution Control settings set?