CFP Defence Plus - a bit weird HIPS?
aigle
February 24th, 2008, 09:36 AM
I have recently switched from EQS to CFP D+ as classical HIPS on my system. I have tried almost all classical HIPS in the past, mainly for fun. I have especially used EQS, NG and SSM free for a significant period of time as classical HIPS protection on my system. While playing with malware, I had even run more than one classical HIPS at a time in real time, just to compare their popups and thus know what they are monitoring.
I have more or less similar popups with all these classical HIPS, and never found a major difference in pop-up alerts between them.
HOWEVER it is not the case with D+. I have been trying it since alpha and every time I tried it I felt that its popup alerts are a bit different from other HIPS. Not sure why! Also I can't be sure whether it is monitoring more as compared to other HIPS or less.
I will present a few examples.
I really hate the privilege pop ups from Defence+. For almost every application I get pop ups about System time privilege. Another such popup that appears with almost all applications is "accessing service control manager". Others are system shutdown, debug and backup privilege popups etc.
I wonder why CFP can't just keep quiet and only warn when some application tries to use this privilege like many other HIPS do. What is the use of a behavior popup that comes with each and every legit application? It's too annoying. I have removed all these (mentioned above) filters from "My protected COM interfaces" to get rid of these pop ups.
aigle
February 24th, 2008, 09:39 AM
Two other very common alerts I get on my system are:
- Accessing memory of ThreatFire service (almost every application does it on my system on shutdown)
- Accessing memory of CTFmon.exe
NEVER saw such alerts with any other HIPS.
aigle
February 24th, 2008, 09:41 AM
Strangely, although D+ gives very frequent memory access alerts about TFservice and CTFmon.exe on my system, I hardly get any other memory access alerts on my system from D+, while such alerts are common with other HIPS like EQS, SSM and AD. Very strange for me.
aigle
February 24th, 2008, 09:45 AM
Another alert I never got from D+ is about remote thread creation. It's a bit common with other HIPS.
I am not sure, but my impression is that on remote thread creation, D+ gives an alert about memory access. (Any POC to check this? Anyone?)
aigle
February 24th, 2008, 09:49 AM
Another popup. Not sure what is meant by it. I haven't seen it with other HIPS except with AD.
Another alert is "One application modifying the user interface of other application". Not sure what it means. I don't remember such an alert from other HIPS. I would have considered it as memory modification, but memory modification has its own alert in D+.
ggf31416
February 24th, 2008, 10:31 AM
-{ Quote: "Another such popup that appears with almost all applications is "accessing service control manager"." }-
That is the first thing I remove from defense+ when reinstalling Comodo FW. If a popup is too common to differentiate normal from suspicious behavior then it is useless.
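A way to put this prevalence argument into practice, as an added example that is not from this thread or from Comodo: it ranks alert categories by how many distinct processes trigger them, so the ones nearly every legitimate program fires (system time privilege, service control manager, memory access to TFService) are separated from the rare ones that still merit a prompt. The log layout, process names and 0.75 threshold are assumptions constructed for the example.

```python
"""Rank HIPS alert categories by how many distinct processes trigger them.
Added illustration, not Comodo's code: the sample log and its
"process | category | target" layout are constructed assumptions."""
from collections import defaultdict

SAMPLE_LOG = """\
firefox.exe   | privilege: system time          | -
notepad.exe   | privilege: system time          | -
winword.exe   | privilege: system time          | -
pokapokaC.exe | privilege: system time          | -
firefox.exe   | access service control manager  | -
notepad.exe   | access service control manager  | -
winword.exe   | access service control manager  | -
firefox.exe   | memory access                   | TFService.exe
notepad.exe   | memory access                   | TFService.exe
winword.exe   | memory access                   | TFService.exe
pokapokaC.exe | memory access                   | services.exe
pokapokaC.exe | modify user interface           | iexplore.exe
"""

def parse_alerts(text):
    """Return (process, category, target) tuples; '-' means no target."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            proc, cat, target = (f.strip() for f in line.split("|"))
            alerts.append((proc, cat, target))
    return alerts

def alert_key(cat, target):
    """Judge targeted alerts per target: 'everyone touches TFService' is a
    different pattern from 'one process touches services.exe'."""
    return cat if target == "-" else f"{cat} -> {target}"

def prevalence(alerts):
    """Fraction of distinct alerting processes that triggered each key."""
    procs = {proc for proc, _, _ in alerts}
    by_key = defaultdict(set)
    for proc, cat, target in alerts:
        by_key[alert_key(cat, target)].add(proc)
    return {k: len(s) / len(procs) for k, s in by_key.items()}

def classify(alerts, noisy_threshold=0.75):
    """Split keys into low-signal 'noise' (candidates for a narrower rule,
    not for blind disabling) and 'signal' keys that still merit a prompt."""
    prev = prevalence(alerts)
    noise = sorted(k for k, p in prev.items() if p >= noisy_threshold)
    signal = sorted(k for k, p in prev.items() if p < noisy_threshold)
    return noise, signal

def review_queue(alerts, noisy_threshold=0.75):
    """The rare alerts a human should actually look at."""
    _, signal = classify(alerts, noisy_threshold)
    return [(p, alert_key(c, t)) for p, c, t in alerts if alert_key(c, t) in signal]
```

On the sample, the three categories the thread complains about land in the noise bucket, while the single process touching services.exe and another program's UI is all that remains in the review queue.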
aigle
February 24th, 2008, 10:32 AM
I agree with you. But I am not sure how much it compromises security.
Fuzzfas
February 24th, 2008, 11:08 AM
I agree, Aigle, that only AppDefend has such weird alerts. Personally I do keep the Service Control alert, as a means of keeping me "awake" and not doing the happy clicking routine.
As for System, I've seen a few alerts of that kind too. I am not sure either what they mean by "System". In my case I have decided that they mean the same that the Task Manager means as System. Which (for my PC) contains the threads:
http://img137.imageshack.us/img137/4702/88199542fv5.png
Now, the ntkrnlpa.exe is obviously related to Windows Kernel.
Inspect.sys as well as the various cmd* are related to Comodo.
Some Nvidia miniport driver files, ACPI, etc.
So, I would be very hesitant to let that pokapokaC.exe touch that area, unless I was sure it is a valid process that should have access to critical areas... By its name alone, personally I would be very hesitant to let it affect anything there.
Of course this is just an educated guess, on what they mean by system. At least this is how i interpret it.
I've no clue about modification of user interface.
Kees1958
February 24th, 2008, 11:20 AM
Aigle,
I have posted a way to reduce the alerts. Still I am getting one or two alerts each week. I have decided that when D+ gives one more alert this week I will fall back to EQS again, despite the broader protection of D+.
I have ironically said that the current release is the first real release (others were advanced betas, sort of gammas), but last week I again got two mysterious pop-ups.
Conclusion:
Plus side: The heuristics of D+ make it sort of more intelligent than a normal HIPS.
Down side: you will get pop-ups for settings you can not control. That is really frustrating, but hey, TF, Mamutu, PRSC do it also. Only those Behavior Blockers are silent most of the time.
D+ is a sort of cross-over from dumb HIPS to behavior blocker (see for example which trouble you have to go through to deny avnotify.exe from running). This is good (at release 3.2) for the future, but really frustrating for now.
Regards, Kees
aigle
February 24th, 2008, 11:31 AM
-{ Quote: "So, I would be very hesitant to let that pokapokaC.exe touch that area, unless I was sure it is a valid process that should have access to critical areas... By its name alone, personally I would be very hesitant to let it affect anything there." }-
I agree. BTW pokapoka.exe is actually Elitebar malware.
MrBrian
February 24th, 2008, 02:49 PM
"One application modifying the user interface of other application" means that a process is trying to communicate with another process by sending a Windows message. One reason that Defense+ monitors this is because, if your web browser is already open, it is possible for a program to leak information by merely sending a Windows message to your web browser. Another reason that Defense+ monitors this is because of the possibility of shatter attacks - see http://en.wikipedia.org/wiki/Shatter_attack.
For 'All Files' in Defense+ Computer Security Policy, I allow interprocess memory access for TFService.exe (part of ThreatFire).
Alerts about remote thread creation in other HIPS will show up in Defense+ as 'memory access' alerts, if I am not mistaken.
Threedog
February 24th, 2008, 03:35 PM
I think that CFP would be way over my head to ever use.
aigle
February 24th, 2008, 03:41 PM
-{ Quote: "For 'All Files' in Defense+ Computer Security Policy, I allow interprocess memory access for TFService.exe (part of ThreatFire)." }-
Thanks Brian. Can you explain it a bit?
Rasheed187
February 24th, 2008, 03:49 PM
@ aigle,
This is exactly the reason why I don't like CFP. You get so many useless popups that you won't even know how to respond to. The guys over at Comodo missed the point I think. They seem to believe that the "ultimate HIPS" should alert about everything. While to me it only makes sense to alert about stuff that's not triggered by almost every app, and about stuff that you can actually make a good decision about.
@ MrBrian,
Welcome to WSF, I assume you're the same guy as on the Comodo forum? I hope I will be able to make CMF BO protection work, with the POC you gave me. 8)
aigle
February 24th, 2008, 03:54 PM
Rasheed! After removing a few COM filters as I posted, CFP is working very well in learn Safe mode. Not many pop-ups!
Dieselman
February 24th, 2008, 04:08 PM
Comodo is a very powerful firewall if you have patience and understanding of how it works. Also, having 2 HIPS conflicts. TF and OA conflict and TF and Comodo conflict. I see no reason to run 2 HIPS as it is. Either run TF alone, OA alone or Comodo alone. I am currently using Comodo with D+ active and my trusty NOD32. I installed Comodo at default values. Firewall is set to "train with safe mode" and D+ is set to "clean pc mode".
MrBrian
February 24th, 2008, 09:50 PM
-{ Quote: "Thanks Brian. Can u explain it a bit?" }-
In Computer Security Policy, find the entry for 'All Files' and edit it. Click on 'Access Rights'. Click the Modify button next to 'Interprocess Memory Access'. Click Add, Browse to TFService.exe and add it. Then Apply, Apply, Apply, Apply, Apply. You can also do the same for the other process you named that is accessing memory of a lot of other processes.
-{ Quote: "Welcome to WSF, I assume you're the same guy as on the Comodo forum? I hope I will be able to make CMF BO protection work, with the POC you gave me" }-
I am the same one :) Thanks for the welcome. Let me know if it works for you or not.
Hermescomputers
February 25th, 2008, 09:27 AM
Many of the popups are easily dealt with by scanning the system, deciding that it is clean enough and then moving all content to your "Own Safe Files", where you can still address issues. This will reduce the chatter and allow you to monitor new incoming files and keep a hermetic environment. The idea is to monitor each subsystem as it is being modified... I personally like the idea of the granular control it provides... I just wish the controls would be more directly accessible within the GUI instead of having to create rules to manage change... It is too cryptic for most users...
LUSHER
February 25th, 2008, 10:15 AM
-{ Quote: "@ aigle,
This is exactly the reason why I don't like CFP. You get so many useless popups that you won't even know how to respond to. The guys over at Comodo missed the point I think. They seem to believe that the "ultimate HIPS" should alert about everything." }-
Funny, I thought that was your view?
The more you monitor the safer you are obviously. Sure you can turn off stuff like what some guys are telling you to do, but this is done WITHOUT understanding what you are giving up.
Chances are you have opened a big gaping hole! How do you know?
Hermescomputers
February 25th, 2008, 10:20 AM
-{ Quote: "Funny, I thought that was your view?
The more you monitor the safer you are obviously. Sure you can turn off stuff like what some guys are telling you to do, but this is done WITHOUT understanding what you are giving up.
Chances are you have opened a big gaping hole! How do you know?" }-
I have never understood the drive some users have to secure the system, then complain about it being too secured... :)
If users don't want pop ups, all they need to do is use the base firewall with virtualisation... Just don't hope to manage change easily...
LUSHER
February 25th, 2008, 11:26 AM
-{ Quote: "I have never understood the drive some users have to secure the system, then complain about it being too secured... :)" }-
Personally I think by following the advice of some of the others above and turning off some of the HIPS features, you risk failing some tests (leak test, or whatever).
And as we all know failing such tests is a big no no.
aigle
February 25th, 2008, 06:02 PM
-{ Quote: "In Computer Security Policy, find the entry for 'All Files' and edit it. Click on 'Access Rights'. Click the Modify button next to 'Interprocess Memory Access'. Click Add, Browse to TFService.exe and add it. Then Apply, Apply, Apply, Apply, Apply. You can also do the same for the other process you named that is accessing memory of a lot of other processes." }-
I do understand that. The question is whether all these processes are accessing TFservice in memory or TFservice is accessing all these processes in memory (I assume both are not the same).
I would make a global allow rule if TFservice was accessing the processes, but it's not the case here. According to CFP, it is actually the other processes who are accessing TFservice in memory. In that case a global allow rule can allow a malicious process to modify memory of TFservice without any pop ups.
I am not sure if I am understanding it correctly or not.
aigle
February 25th, 2008, 06:10 PM
I posted exactly the same thread on their forums.
MrBrian
February 25th, 2008, 10:00 PM
-{ Quote: "I do understand that. The question is whether all these processes are accessing TFservice in memory or TFservice is accessing all these processes in memory (I assume both are not the same).
I would make a global allow rule if TFservice was accessing the processes, but it's not the case here. According to CFP, it is actually the other processes who are accessing TFservice in memory. In that case a global allow rule can allow a malicious process to modify memory of TFservice without any pop ups." }-
It is the other processes that access TFService in memory. My guess is that ThreatFire has modified all the processes in memory on purpose, and these alerts are happening when the modified processes are calling back to TFService with information. I could be wrong though. It's true that this does open a hole for malicious processes to modify TFService, but on the other hand, if you deny all or some processes memory access to TFService, then perhaps you are not allowing ThreatFire to do its job correctly.
aigle
February 25th, 2008, 11:07 PM
-{ Quote: "It is the other processes that access TFService in memory. My guess is that ThreatFire has modified all the processes in memory on purpose, and these alerts are happening when the modified processes are calling back to TFService with information. I could be wrong though. It's true that this does open a hole for malicious processes to modify TFService, but on the other hand, if you deny all or some processes memory access to TFService, then perhaps you are not allowing ThreatFire to do its job correctly." }-
You seem to be right, but if "ThreatFire has modified all the processes in memory on purpose", there is no alert about that. Also no alert by other HIPS about TFservice modifying memory of other processes (not sure though). It might be related to the very nature of TF itself though.
Anyway I have seen examples where CFP gives a pop up about application X accessing memory of application Y while other HIPS instead give an opposite alert about application Y modifying memory of application X. That's weird.
I will make an allow rule for TFservice I think.
MrBrian
February 26th, 2008, 12:20 AM
-{ Quote: "You seem to be right, but if "ThreatFire has modified all the processes in memory on purpose", there is no alert about that. Also no alert by other HIPS about TFservice modifying memory of other processes (not sure though). It might be related to the very nature of TF itself though." }-
Another guess - maybe it's the code in the drivers of ThreatFire that modifies the processes, in which case you would get no alerts.
aigle
February 26th, 2008, 12:10 PM
Ok, I have done some testing with CFP D+, AppDefend and EQSecure. My observations are interesting.
I guess that when Defence Plus gives a pop up that "Application A is trying to access memory of application B", it means one of three (or more?) things:
1- Application A is trying to modify the memory of application B, or
2- Application A is trying to create a remote thread in application B, or
3- Application A is trying to terminate/suspend a thread in application B
Now see the alerts given by CFP Defence Plus, AppDefend and EQSecure about behaviours no. 1 and 2 (Modify memory and Create remote thread). They are exactly the same.
In case of Memory Modification, the current (active) application is Explorer.exe while the target application is Iexplore.exe. See Pic
In case of Create Remote Thread, the current (active) application is PokapokaC.exe while the target application is Services.exe. See Pic
aigle
February 26th, 2008, 12:11 PM
Now until this point everything is as expected, at least for me. Confusion arises when we see the popup alerts about Terminate/Suspend thread - behaviour no. 2.
EQSecure and AppDefend show that the current (active) application is TFservice and the target applications are Explorer.exe and Iexplore.exe.
CFP on the other hand shows that the current (active) applications are Explorer.exe and Iexplore.exe and the target application is Tfservice.exe. See Pics.
It's a thing I can't understand. I guess CFP may be wrong here. I almost remember the alerts by System Safety Monitor to be also the same as those of EQS and AD.
Rasheed187
February 26th, 2008, 02:11 PM
-{ Quote: "Funny, I thought that was your view?" }-
Funny, but you thought wrong. In other posts I have already explained my view on this. Do I really need to explain it to you again? :wacko:
-{ Quote: "Chances are you have opened a big gaping hole! How do you know?" }-
I already have enough holes in my setup, but the question is how big the chance is that I will ever execute malware that will take advantage of this. :shifty:
Hermescomputers
February 26th, 2008, 03:19 PM
-{ Quote: "I already have enough holes in my setup, but the question is how big the chance is that I will ever execute malware that will take advantage of this. :shifty:" }-
Typically the odds are in your favor.... However, have you heard of Murphy's law? :)
Coolio10
February 26th, 2008, 05:04 PM
Aigle, check the Comodo forum. Egemen replied and according to him Comodo is smarter than AppDefend and EQSecure by putting alerts by higher priorities.
aigle
February 27th, 2008, 02:14 AM
Yes, I checked it. For anyone interested, here is the discussion on their forums.
http://forums.comodo.com/empty-t20249.0.html
LUSHER
February 27th, 2008, 10:22 AM
-{ Quote: "Funny, but you thought wrong. In other posts I have already explained my view on this. Do I really need to explain it to you again?" }-
Yes, please do. I must have missed it.
I personally feel if you are a big fan of "dumb hips", the more alerts and the more things you monitor the safer you are. Do you disagree?
-{ Quote: "I already have enough holes in my setup, but the question is how big the chance is that I will ever execute malware that will take advantage of this. :shifty:" }-
How big?
Simple. It's 50-50.
Either you get hit by something that exploits this, or you don't.
aigle
February 27th, 2008, 04:42 PM
Hello Rasheed and Lusher! With due respect, I think you are way off topic. I personally don't mind OT, but your discussion seems to be of no interest to anyone. It seems more of a personal 'war'.