Phide.exe rootkit versus HIPS


aigle
July 27th, 2008, 06:09 PM
It's a really interesting POC.

CFP Defence Plus- Failed >:(
EQS-- Pass
GesWall- Pass
SBIE- Pass

I don't get a direct memory access pop-up on my system from CFP. ??? Others do get it. I need more users to test, pls.

OA Free- Same as CFP, no direct memory access pop-up. ??? Anyone, pls?

bellgamin
July 27th, 2008, 06:42 PM
aigle- You said CFP D+ failed. However your screenshot for D+ shows...
{QUOTE-> cmd.exe is trying to execute phide.exe. What would you like to do?

Security Considerations
Defense+ malware heuristic analysis has detected possible malware behavior in C:\phide.exe <-QUOTE}
It looks to me like D+ DID alert to the nasty. Am I misinterpreting?

Peter2150
July 27th, 2008, 06:48 PM
Good ole Sandboxie.

djohn
July 27th, 2008, 07:48 PM
As Bellgamin said, it looks like Comodo's heuristic of a possible malware. It looks to have passed and, as with HIPS, leaves the final decision to the user. :-\ From the screenies it looks like EQSecure shows no warning of a possible virus/malware. One other thing I just noticed: EQSecure says allow after 28 seconds at the bottom of the screenshot. Does this mean that if the user does not respond in the time frame it will be auto-allowed to run?

doktornotor
July 27th, 2008, 11:37 PM
Well, sorry if I sound harsh - but damn get a clue before making claims about "failed". CPF D+ alerts you about possible malware and asks what to do. Fail?! EQS gives some fuzzy blurb about admin privs and will autoallow (WTF?!) it in ~30 seconds. Success?!

:thumbd: ::)

djohn
July 28th, 2008, 12:10 AM
{QUOTE-> Well, sorry if I sound harsh - but damn get a clue before making claims about "failed". CPF D+ alerts you about possible malware and asks what to do. Fail?! EQS gives some fuzzy blurb about admin privs and will autoallow (WTF?!) it in ~30 seconds. Success?!

:thumbd: ::) <-QUOTE}
I think aigle just mixed up his words for his claims and meant EQSecure failed, and FYI aigle does have a clue. Aigle has been doing some extensive testing with real malware with numerous products. You may want to search his threads; you will see for yourself which products he has tested that passed and failed.

HURST
July 28th, 2008, 01:07 AM
{QUOTE-> One other thing just Noticed EQsecure says allow after 28 seconds in the bottom of screen shot does this mean if the user does not respond in the time frame it will be allow auto to run?. <-QUOTE}

You can configure it to block prompts after 30 secs instead of allow.

~~~~

Once again, SBIE kicking some butts! ;D

doktornotor
July 28th, 2008, 03:50 AM
{QUOTE-> I think aigle just mixed up his words for his claims and meant EQSecure failed <-QUOTE}

Apparently he really meant CPF failed... (http://forums.comodo.com/leak_testingattacksvulnerability_research/phideexe_rootkit_bypassed_defence_plus-t25537.0.html). Not to mention CFP's D+ actually doesn't even let it execute when properly used (http://forums.comodo.com/index.php?action=dlattach;topic=25537.0;attach=18686;image) and provides a verbose, simple language warning.

So, to get infected by this requires ignoring two huge warnings about the malware... the only "fail" here is between chair and keyboard apparently. :P

MaB69
July 28th, 2008, 04:46 AM
Hi,

IMO, aigle is right: D+ notified about an executable (any) launched through the command line, so it's potentially a threat, but D+ did not warn about any step of the process cloaking itself (Direct Memory Access) like EQS did.

regards,

MaB

doktornotor
July 28th, 2008, 05:04 AM
{QUOTE-> Hi,
IMO, aigle is right: D+ notified about an executable (any) launched through the command line, so it's potentially a threat, but D+ did not warn about any step of the process cloaking itself (Direct Memory Access) like EQS did.
<-QUOTE}

Wrong. May I suggest reading my previous post right above (http://www.wilderssecurity.com/showpost.php?p=1288545&postcount=8)? Failure to use a tool properly is certainly a "fail", but not one in software. ;)

Peter2150
July 28th, 2008, 08:25 AM
{QUOTE->

So, to get infected by this requires ignoring two huge warnings about the malware... the only "fail" here is between chair and keyboard apparently. :P <-QUOTE}

Exactly, but I would consider that a failure. This is the problem with all classical HIPS. It warns of behavior, but leaves it to the user to make a choice. As Prevx discovered a few years back, given that choice, over 50% of the time users make a wrong choice.

To me, the good software would protect you even if you allow something to run. Like for example Sandboxie does.

Pete

doktornotor
July 28th, 2008, 08:37 AM
{QUOTE->
To me, the good software would protect you even if you allow something to run. Like for example Sandboxie does.
<-QUOTE}

What's good software for someone is bad software for someone else... IMO, good software respects that the user is finally the one who should decide what action to take. There may be legitimate reasons why users want to allow the (alleged) malware to run. Be it false positives, or research and testing purposes, or whatever else.

See, making it impossible for the user to decide would make actual testing of the HIPS behavior very difficult. As you see here, even if you decide to allow the rootkit to run in the first place, you still get an additional warning in the next phase - so you can see that multiple types of behavior trigger the warning and can change your decision later... If you still allow this in the second step, it makes it possible to check whether another layer of your protection will pick that up (like AV rootkit detection or whatever). I personally strongly dislike applications that make it impossible for the users to have full control over their computer.

Finally, software is no replacement for using one's brain. People that routinely make wrong decisions about malware warnings should switch from Windows to a different OS which won't require any such decisions and will protect them much more.

(Sandboxes are completely different type of thing here.)

Kees1958
July 28th, 2008, 09:14 AM
{QUOTE-> Well, sorry if I sound harsh - but damn get a clue before making claims about "failed". CPF D+ alerts you about possible malware and asks what to do. Fail?! EQS gives some fuzzy blurb about admin privs and will autoallow (WTF?!) it in ~30 seconds. Success?!

:thumbd: ::) <-QUOTE}

When accusing somebody of clueless claims, be sure to check your own claim.

About EQS
You can choose within EQS how to handle an intrusion: ASK + Allow, ASK + Deny, Deny and Allow. Aigle has chosen ASK + Allow as the response.

About the fuzzy blurb
Acquiring admin privileges is asking for the keys of your house, please Google on Limited User and LUA to understand this concept (or google on improvements of Vista compared to XP) and Google on for instance rootkits to get an idea of the consequences of acquiring highest privileges.

Comodo's D+
Comodo's heuristics are probably triggered because 60% of the leaktests use cmd.exe to bypass firewall protection. So it could have bypassed the COM protection available within D+ (D+ also warns you for some privilege elevation of pseudo COM commands). When this is the case, it is a disappointing response of D+. I would have called this a conditional or partial pass.

@Aigle two questions
What I would like to know is whether you enabled this (pseudo COM protection) on D+?

What is the series of (intrusion) events of this malware, to understand your evaluating this D+ response as a complete failure?


Regards Kees

doktornotor
July 28th, 2008, 09:30 AM
{QUOTE->
About the fuzzy blurb
Acquiring admin privileges is asking for the keys of your house, please Google on Limited User and LUA to understand this concept (or google on improvements of Vista compared to XP) and Google on for instance rootkits to get an idea of the consequences of acquiring highest privileges.
<-QUOTE}

The blurb provided by EQS actually gives rather poor information to users, compared to the warnings provided by D+. And if you want highest privileges on Windows, you actually want the thing to run as SYSTEM, not as Administrator.

{QUOTE->
Comodo's D+
Comodo's heuristics are probably triggered because 60% of the leaktests use cmd.exe to bypass firewall protection. So it could have bypassed the COM protection available within D+ (D+ also warns you for some privilege elevation of pseudo COM commands). When this is the case, it is a disappointing response of D+. I would have called this a conditional or partial pass.
<-QUOTE}

May I suggest reading the thread @ Comodo forums, referred to here? It included screenshots that show a lack of proper testing of the application on the OP's side, resulting in these completely unsubstantiated claims about "fail".

djohn
July 28th, 2008, 10:53 AM
{QUOTE-> Exactly, but I would consider that a failure. This is the problem with all classical HIPS. It warns of behavior, but leaves it to the user to make a choice. As Prevx discovered a few years back given that choice over 50% of the time, users make a wrong choice.

To me, the good software would protect you even if you allow something to run. Like for example Sandboxie does.

Pete <-QUOTE}
Hello Peter, I think I see your point now. What I think you're saying is: because Comodo warns clearly of a possible malware but will still allow the user to run it if the user ignores the warnings, it failed. If it had the warning of malware and blocked the user from any possible choices, it would have passed. Please correct me if my thinking is incorrect. Thanks

djohn
July 28th, 2008, 11:18 AM
What I see from the screenshots: with a warning such as Comodo's, just seeing the word malware my answer would always be deny, even with the chance of an FP. EQSecure gives no information, so the chances are greater that the user may make a wrong choice.

doktornotor
July 28th, 2008, 11:37 AM
{QUOTE-> With a warning such as Comodo's, just seeing the word malware my answer would always be deny, even with the chance of an FP. EQSecure gives no information, so the chances are greater that the user may make a wrong choice. <-QUOTE}

Thanks, exactly my point. When the majority of users use an account that belongs to the Administrators group for everyday normal work, warning users that "application will obtain some administrator privileges" is just plain useless (a.k.a. fuzzy blurb), bound to be ignored by most people, who'll quickly allow it to get rid of the popup window.

Peter2150
July 28th, 2008, 11:38 AM
{QUOTE-> Hello Peter, I think I see your point now. What I think you're saying is: because Comodo warns clearly of a possible malware but will still allow the user to run it if the user ignores the warnings, it failed. If it had the warning of malware and blocked the user from any possible choices, it would have passed. Please correct me if my thinking is incorrect. Thanks <-QUOTE}

First I am not pointing fingers at comodo, but let me give you an example, using the latest Online Armor beta and a Killdisk which we've played with a lot.

If I run OA as a standard HIPS and try to run it, I get two warnings. First is that it wants to run, so how do I know? Second now is low-level disk access, but again how do I know? So if I allow it, then it destroys the disk. Problem is I may not know if it's legitimate, and also legitimate programs need low-level disk access. So if the program is good I may screw it up, or if it's bad I may let it run. So I call this a failure.

But what I can now do with OA, once I have my system set up, is set OA to a mode where it won't even ask, but will run any unknown program at lower rights, thus preventing Killdisk from doing anything. That to me is a success.

When I test my setup against stuff, I either allow everything or turn HIPS off. I consider the pop-ups informational and, as was pointed out, they can be useful to see what malware actually is doing, but I assume under normal use I am likely to answer wrong.

Pete

djohn
July 28th, 2008, 11:43 AM
{QUOTE-> Thanks, exactly my point. When the majority of users use an account that belongs to the Administrators group for everyday normal work, warning users that "application will obtain some administrator privileges" is just plain useless (a.k.a. fuzzy blurb), bound to be ignored by most people, who'll quickly allow it to get rid of the popup window. <-QUOTE}
Absolutely agree.

PiCo
July 28th, 2008, 11:49 AM
{QUOTE-> So if the program is good I may screw it up, or if it's bad I may let it run. So I call this a failure. <-QUOTE}I call this success :P

What is HIPS really? Is it sth that will point you to the right direction by using heuristics, signatures and behavior analysis or sth that will just inform you of ANY action and wait for accept/deny?

I thought it was the latter, but maybe it is sth in between. I don't know really if there is an objective point of view about HIPS.

djohn
July 28th, 2008, 11:53 AM
{QUOTE-> First I am not pointing fingers at comodo, but let me give you an example, using the latest Online Armor beta and a Killdisk which we've played with a lot.

If I run OA as a standard HIPS and try to run it, I get two warnings. First is that it wants to run, so how do I know? Second now is low-level disk access, but again how do I know? So if I allow it, then it destroys the disk. Problem is I may not know if it's legitimate, and also legitimate programs need low-level disk access. So if the program is good I may screw it up, or if it's bad I may let it run. So I call this a failure.

But what I can now do with OA, once I have my system set up, is set OA to a mode where it won't even ask, but will run any unknown program at lower rights, thus preventing Killdisk from doing anything. That to me is a success.

When I test my setup against stuff, I either allow everything or turn HIPS off. I consider the pop-ups informational and, as was pointed out, they can be useful to see what malware actually is doing, but I assume under normal use I am likely to answer wrong.

Pete <-QUOTE}
Hey Peter, thanks for the clear answer. I understand somewhat better now. :thumb:

HURST
July 28th, 2008, 11:57 AM
{QUOTE-> What I see from the screenshots: with a warning such as Comodo's, just seeing the word malware my answer would always be deny, even with the chance of an FP. EQSecure gives no information, so the chances are greater that the user may make a wrong choice. <-QUOTE}

This is the only thing that really bothered me with EQS when I used it. Some popups are totally blank, no info at all.

djohn
July 28th, 2008, 12:18 PM
{QUOTE-> This is the only thing that really bothered me with EQS when I used it. Some popups are totally blank, no info at all. <-QUOTE}
I agree, Hurst, and IMO it is like playing Russian roulette with 5 bullets in a six-shooter. :o

Kees1958
July 28th, 2008, 12:28 PM
{QUOTE-> The blurb provided by EQS actually gives rather poor information to users, compared to the warnings provided by D+. <-QUOTE}

{QUOTE-> Thanks, exactly my point. When the majority of users use an account that belongs to the Administrators group for everyday normal work, warning users that "application will obtain some administrator privileges" is just plain useless (a.k.a. fuzzy blurb), bound to be ignored by most people, who'll quickly allow it to get rid of the popup window.
<-QUOTE}

Please make up your mind: is it EQS compared to D+ (first quote) or the text of EQS itself (second quote)? Also, EQS advised to block, so what "exactly is your point"?

{QUOTE->
And if you want highest privileges on Windows, you actually want the thing to run as SYSTEM, not as Administrator. <-QUOTE}
In this sentence {QUOTE-> . . . and Google on for instance rootkits to get an idea of the consequences of acquiring highest privileges. <-QUOTE} rootkits try to acquire this (ring-0/system) highest privilege. I do not disagree on that, so again, what is your point?


{QUOTE->
May I suggest reading the thread @ Comodo forums, referred to here? It included screenshots that shows lack of proper testing of the application on OP side, resulting in this completely unsubstantiated claims about "fail". <-QUOTE}

You may; please provide a link. I asked Aigle with what settings he had tested D+ and what the supposed flow of events of this intrusion would be (to assess on which points D+ might fail). When Aigle's testing was correct, I would have labelled it a conditional pass. So again, what is your point?

doktornotor
July 28th, 2008, 12:33 PM
{QUOTE-> Please make up your mind: is it EQS compared to D+ (first quote) or the text of EQS itself (second quote)? Also, EQS advised to block, so what is "exactly your point"?

In this sentence rootkits try to acquire this (ring-0) highest privilege. I do not disagree on that, so again, what is your point?
<-QUOTE}

I've already commented on this (http://www.wilderssecurity.com/showpost.php?p=1288745&postcount=17), please read this thread a bit more carefully.

{QUOTE->
You may; please provide a link. I asked Aigle with what settings he had tested D+ and what the supposed flow of events of this intrusion would be (to assess on which points D+ might fail). When Aigle's testing was correct, I would have labelled it a conditional pass. So again, what is your point?

Bottom line
Why not simply respond by posting a link to the Comodo forum? <-QUOTE}

Ditto, I've already done this (http://www.wilderssecurity.com/showpost.php?p=1288545&postcount=8).

Kees1958
July 28th, 2008, 01:02 PM
Doktornotor

I found the link and the other claim of Vettetech that Aigle's tests are worthless because he uses several (overlapping) apps.

The proof of Vettetech (on Vista) shows a pop-up of D+ advising

"If HideProc is one of your everyday applications, you can allow this request"

Question of an innocent user: what to do when it is not my everyday application, because I have more than two options:
a) Allow this request
B) Block this request
C) Treat this application as (several choices in drop-down list)

So should I block it or treat it as an installer (which is the shown prompt) + remember? Don't mind me preferring the EQS advice "Block is advised unless you trust it", with only two options (Allow or Block).

Bottom line
Since you do not defend your statement and the above sample does not prove your point, I rest my case. :thumbd:

doktornotor
July 28th, 2008, 01:09 PM
{QUOTE-> Doktornotor
"If HideProc is one of your everyday applications, you can allow this request"

Question of an innocent user: what to do when it is not my everyday application, because I have more than two options:
a) Allow this request
B) Block this request
C) Treat this application as (several choices in drop-down list)
<-QUOTE}

Huh?! Where did you invent the above?! Actual screenshot here. (http://forums.comodo.com/index.php?action=dlattach;topic=25537.0;attach=18686;image)

Now may I suggest that you compare the above detailed, plain language description of the possible malware behavior with the "Oh, %foo wants to get some administrative privileges" in a somewhat more objective manner? ??? >:(

{QUOTE->
Bottom line
Since you do defend your statement (it is easy throwing the second or third rock) and the above sample does not prove your point, I rest my case. :thumbd: <-QUOTE}

Please, don't misquote application warnings we are debating here, that'd be a good start at least. Until then, no point in debating this further indeed.

Kees1958
July 28th, 2008, 01:17 PM
{QUOTE-> Huh?! Where did you invent the above?! Actual screenshot here. (http://forums.comodo.com/index.php?action=dlattach;topic=25537.0;attach=18686;image)
<-QUOTE}

As I said in the (other) claim of Vettetech (Aigle's tests are worthless) in the same thread, see http://forums.comodo.com/index.php?action=dlattach;topic=25349.0;attach=18543;image

Please open the link to see that my quote is quite accurate.

doktornotor
July 28th, 2008, 01:24 PM
{QUOTE-> As I said in the (other) claim of Vettetech (Aigle's tests are worthless) in the same thread, see http://forums.comodo.com/index.php?action=dlattach;topic=25349.0;attach=18543;image <-QUOTE}

This clearly doesn't go anywhere on-topic. See this message on Comodo forums (http://forums.comodo.com/leak_testingattacksvulnerability_research/phideexe_rootkit_bypassed_defence_plus-t25537.0.html;msg183893#msg183893) and please answer there. Unless you are able to reproduce your "failure" issue on a sane setup without using a bunch of clearly conflicting on-access applications, I consider this debate over.

Have a nice day.

yeow
July 28th, 2008, 01:26 PM
Sorry to cut in, I'm not familiar with D+. Does D+ give the same or a different alert if cmd.exe wants to execute a harmless app like notepad or calc, but with their respective .exe renamed or at a different location?

fcukdat
July 28th, 2008, 01:28 PM
Here is some background for this phide sample used by Aigle. :thumb:

{QUOTE-> "Phide" (process hide) is the engine for low-level process manipulation on kernel level, designed to be used by a userland process. It supports only NT-based systems (NT4, 2k, XP, 2k3). Process management is done through playing with EPROCESS structures. The thread that calls the engine MUST have read/write access to \Device\PhysicalMemory, otherwise the engine will fail.

Features

The engine's main features are:

get the EPROCESS offset for a given pid.
hide the selected process by excluding its EPROCESS from the most low-level kernel process list, which starts from the PsActiveProcessHead symbol.
change the selected process image name at run-time.
patch the UniqueProcess field in all ETHREADs that belong to the selected process to hide it from klister-like tools.
the process can be selected by pid or directly by its EPROCESS structure. This is useful when the process is already hidden and you have to hide a new thread from klister, because even one thread with the real pid of its process-creator will compromise the whole process.
The process hiding technique is the same as in the 'fu' rootkit, but my goal was to make a small engine callable from r3. For now it's the only tool which hides processes from klister (I have version 0.3 of this brilliant software).

The engine code doesn't rely on hardcoded ntoskrnl offsets, which may vary from one service pack to another. It only relies on the offsets of the needed EPROCESS and ETHREAD fields, because these structs are different in the 4 types of NT-based OSes.

Filename   Size   Desc       Date      MD5
phide.zip  29541  PHIDE 1.0  Jan 2004  ae4d3e4081b67680aaafc5f6ce077026

<-QUOTE}

Just to clarify, as it is not to be confused with the phide_ex POC released by PE386 on 24 October 2006.

{QUOTE-> It contains in itself a hidden process and a hidden driver.
This example creates the file c:\phide_ex.log and writes a line into it every 5 seconds.
<-QUOTE}
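
The readme above hides a process by unlinking its EPROCESS and patching the threads' UniqueProcess pid so that klister-style thread/process cross-checks by pid see nothing. The added example below (not phide's or klister's code) models that in user-space C with toy EPROCESS/ETHREAD structs and a constructed three-process system, and shows the defender's counter: cross-view by the thread's owning EPROCESS pointer, which the pid patch does not touch. Field and symbol names follow the readme; the global thread list and struct layouts are assumptions of the model.

```c
/* Cross-view detection of an EPROCESS-unlinked (DKOM) process, modelled in user space.
 * Added example, not phide's or klister's code: toy kernel structs, a simulated hide step
 * mirroring the readme above (unlink from PsActiveProcessHead, patch UniqueProcess in the
 * threads), and a detector comparing thread and process views by owning EPROCESS pointer. */
#include <stddef.h>

typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct EPROCESS {
    LIST_ENTRY  ActiveProcessLinks;  /* doubly linked list rooted at PsActiveProcessHead */
    unsigned    UniqueProcessId;
    const char *ImageFileName;
} EPROCESS;
typedef struct ETHREAD {
    LIST_ENTRY  ThreadListEntry;     /* toy global thread list, stand-in for dispatcher lists */
    unsigned    UniqueProcess;       /* Cid.UniqueProcess: the pid copy that phide patches */
    EPROCESS   *ThreadsProcess;      /* owning EPROCESS pointer, left intact by the patch */
} ETHREAD;
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))
#define MAX_PROCS 8
#define MAX_THREADS 32

static LIST_ENTRY PsActiveProcessHead, GlobalThreadHead;
static EPROCESS procs[MAX_PROCS];
static ETHREAD threads[MAX_THREADS];
static int nprocs, nthreads;

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void list_unlink(LIST_ENTRY *e) {   /* self-link so the removed entry stays consistent */
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; e->Flink = e->Blink = e;
}
static void add_process(unsigned pid, const char *name, int nthr) {
    EPROCESS *p = &procs[nprocs++];
    p->UniqueProcessId = pid; p->ImageFileName = name;
    list_append(&PsActiveProcessHead, &p->ActiveProcessLinks);
    for (int i = 0; i < nthr; i++, nthreads++) {
        threads[nthreads].UniqueProcess = pid; threads[nthreads].ThreadsProcess = p;
        list_append(&GlobalThreadHead, &threads[nthreads].ThreadListEntry);
    }
}

/* Constructed sample system: three processes, seven threads. */
void build_sample_system(void) {
    nprocs = nthreads = 0;
    list_init(&PsActiveProcessHead); list_init(&GlobalThreadHead);
    add_process(4, "System", 3);
    add_process(620, "explorer.exe", 2);
    add_process(1320, "phide.exe", 2);
}

/* Simulated hide step, present only to exercise the detector: unlink the EPROCESS and
 * overwrite its threads' pid field with the pid of a process that stays visible. */
void simulate_hide(unsigned pid, unsigned decoy_pid) {
    for (int i = 0; i < nprocs; i++) {
        if (procs[i].UniqueProcessId != pid) continue;
        list_unlink(&procs[i].ActiveProcessLinks);
        for (int j = 0; j < nthreads; j++)
            if (threads[j].ThreadsProcess == &procs[i]) threads[j].UniqueProcess = decoy_pid;
    }
}

/* View 1: the process list, i.e. what an ordinary enumeration reports. */
int walk_active_processes(EPROCESS **out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
    return n;
}
static int in_view(const EPROCESS *p, EPROCESS **view, int n) {
    for (int i = 0; i < n; i++) if (view[i] == p) return 1;
    return 0;
}
/* klister-style cross view by pid: count threads whose pid matches no listed process.
 * Once UniqueProcess has been patched to a visible pid, this reports nothing. */
int detect_by_pid(void) {
    EPROCESS *view[MAX_PROCS];
    int n = walk_active_processes(view, MAX_PROCS), hits = 0;
    for (LIST_ENTRY *e = GlobalThreadHead.Flink; e != &GlobalThreadHead; e = e->Flink) {
        unsigned pid = CONTAINING_RECORD(e, ETHREAD, ThreadListEntry)->UniqueProcess;
        int known = 0;
        for (int i = 0; i < n; i++) known |= (view[i]->UniqueProcessId == pid);
        hits += !known;
    }
    return hits;
}

/* Cross view by owner pointer: distinct EPROCESS objects that own a thread but are
 * absent from view 1. ThreadsProcess is outside what the pid patch rewrites. */
int detect_by_owner(EPROCESS **hidden, int max) {
    EPROCESS *view[MAX_PROCS];
    int n = walk_active_processes(view, MAX_PROCS), found = 0;
    for (LIST_ENTRY *e = GlobalThreadHead.Flink; e != &GlobalThreadHead; e = e->Flink) {
        EPROCESS *owner = CONTAINING_RECORD(e, ETHREAD, ThreadListEntry)->ThreadsProcess;
        if (!in_view(owner, view, n) && !in_view(owner, hidden, found) && found < max)
            hidden[found++] = owner;
    }
    return found;
}
```

On a real NT kernel both views would come from kernel memory, and the owner pointer lives in the thread object rather than in the Cid that user-mode tools compare.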

HURST
July 28th, 2008, 01:31 PM
You gotta hate those fanboys...::) :isay:
Thanks aigle for another test.:thumb:

Kees1958
July 28th, 2008, 01:42 PM
{QUOTE-> This clearly doesn't go anywhere on-topic. See this message on Comodo forums (http://forums.comodo.com/leak_testingattacksvulnerability_research/phideexe_rootkit_bypassed_defence_plus-t25537.0.html;msg183893#msg183893) and please answer there. Unless you are able to reproduce your "failure" issue on a sane setup without using a bunch of clearly conflicting on-access applications, I consider this debate over.

Have a nice day. <-QUOTE}

That is an easy answer, I am not using a bunch of clearly conflicting on-access applications. You and Vettetech claimed that Aigle did (hence all his tests are worthless).

It is about the claimed clear language of D+ (your claim), while one screen prompt proves that at least in one situation D+ advice is not clear. This does not make me a Comodo basher or Comodo a bad application (to quote one of my statements: "I think on Vista64 Comodo is still the best/free power user HIPS+FW combo available").

Have a nice day too 8)

doktornotor
July 28th, 2008, 01:54 PM
{QUOTE-> That is an easy answer, I am not using a bunch of clearly conflicting on-access applications. You and Vettetech claimed that Aigle did (hence all his tests are worthless).
<-QUOTE}

By "you" I apparently meant either the OP, or anyone here who actually tested this piece of malware. The OP here uses CFP with Defence Plus, GesWall and ThreatFire all at the same time, so yeah, the tests are really not useful. No response so far to that request.

And please avoid dragging this debate into off-topic stuff like your "unclear advice" screenshot. (That information is still a whole lot more useful than the "some administrative privileges" popup. I actually doubt most users would even see that one - simply since they already are logged on under an Administrators group account, so there are no privs that the malware would try to "obtain". It'd already have those privs.)

Kees1958
July 28th, 2008, 03:40 PM
{QUOTE-> By "you" I apparently meant either the OP, or anyone here who actually tested this piece of malware. The OP here uses CFP with Defence Plus, GesWall and ThreatFire all at the same time, so yeah, the tests are really not useful. No response so far to that request.
<-QUOTE}

Okay, it is clear now: ??? "you" is not me but Aigle or anyone else testing this piece of malware.

{QUOTE-> And please avoid dragging this debate into off-topic stuff like your "unclear advice" screenshot. <-QUOTE}
You added this in post 5 yourself (clueless pop-up), now it is off-topic? :doubt:

{QUOTE->
That information is still a whole lot more useful than "some administrative privileges" popup one. <-QUOTE}
Come on, make up your mind; a sentence ago this was off-topic, now you are starting on it again. ;D

:thumb:
:thumb:
:thumb:
:thumb:
:thumb: :thumb: :thumb:

aigle
July 28th, 2008, 04:55 PM
Hmmmmmmmm... lot of discussion. I just came back after a very busy day. I will take time to read all stuff. Pls be patient.

Seems CFP is behaving strangely on my system. I need to investigate. Users on the CFP forums get an alert about memory access; I don't. Pls see my reply there also, post no. 25.

http://forums.comodo.com/leak_testingattacksvulnerability_research/phideexe_rootkit_bypassed_defence_plus-t25537.0.html

About the discussion of what is a failure and what is a pass-- I just tested the ability of the CFP HIPS to detect malware behaviour if it is allowed to execute! One can disagree for sure. I have no problem at all. :)

I have replied to the PMs. Also edited my first post.

bellgamin
July 28th, 2008, 05:30 PM
{QUOTE-> (Sandboxes are completely different type of thing here.) <-QUOTE}
2 2 true. Sandboxes are padded cells for computer illiterates, old ladies with tennis shoes, couch potatoes too lazy to do a bit of thinking, etc. I'm not quite sure which category I fit into, but I use Sandboxie for browsing.

Even that is not total protection, however -- for instance, Sony's spyware that was built into "reputable software" until a public furor made them cease & desist. Plus, a fellow was caught shoplifting at OfficeDepot the other day. In reviewing the store's video from its "eye in the sky", it turned out that the shoplifter replaced a certain antivirus (boxed & shrink-wrapped) with an identical box -- BUT the replacement box contained a poisoned copy of the antivirus.

Moral #1: Not everyone will run their new programs (shrink-wrapped or otherwise) inside a Sandbox.

Moral #2: Sandboxes are not the be-all and end-all of security. (The closest thing to "perfect security" is an imaging program, assiduously employed.)

It is utter nonsense to fault a HIPS on behalf of "innocent users"/doofuses who are not able to discriminate between safe and dangerous actions, &/or too lazy to do a bit of research.

The HIPS job is to alert the user about potentially dangerous situations. It is the user's job to decide what action to take in response to that alert.

As yet, there is NO HIPS with a broadbased AI that can totally take such decisions out of the user's hands. Those that try get FPs.

So the amateur reviewers of HIPS will squawk if a user decision is required because of weak AI. Then they will squawk if an FP ensues because of aggressive AI. They should stay home & read a book, watch TV, or whatever -- & stop erroneously faulting the work of programmers who are light-years more proficient than they are.

Those who can do, DO. Those who cannot do, CRITICIZE.

Bubba
July 28th, 2008, 05:37 PM
Off-topic post removed and a reminder: we do not condone attaching or sharing of malware on this site, publicly or privately.

Newby
July 28th, 2008, 07:07 PM
Having read both threads at Wilders and Comodo, I did not know security is such a big thing.

Seems Kees enjoys teasing the Comodo fans; reading his initial post, he did not disagree with the posters. Suppose their tone of voice got him triggered.

I agree with Someone (Pedro) on the Comodo forum: tone of voice really makes a difference.

CognitoErgoSum should have joined in to add some love and peace ;)

EraserHW
July 28th, 2008, 07:18 PM
{QUOTE-> Here is some background for this phide sample used by Aigle:thumb:

Just to clarify as is not to be confused with phide_ex POC released by PE386 on 24 October 2006. <-QUOTE}

I strongly hope there isn't any public ARK that still doesn't detect this old phide PoC ;)

phide_ex is far more advanced, though easily detectable.

djohn
July 28th, 2008, 07:28 PM
IMO a good HIPS program should give as much information as possible on what's about to execute, as Comodo did with the possible heuristic detection of a malware. This helps a user make a more informed decision to allow or not, good or bad. In the case here, EQS with a blank of information, there is no informed decision to make; it's a total gamble. So yes, a HIPS is in the hands of the user to make that right choice, but with no information it's almost useless.

aigle
July 28th, 2008, 07:43 PM
{QUOTE-> Sorry to cut in, I'm not familiar with D+. Does D+ give the same or a different alert if cmd.exe wants to execute a harmless app like notepad or calc, but with their respective .exe renamed or at a different location? <-QUOTE}
No it does not. CFP is not dumb. ;D :thumb:

aigle
July 28th, 2008, 07:44 PM
{QUOTE->
Comodo's heuristics are probably triggered because 60% of the leaktests use cmd.exe to bypass firewall protection. <-QUOTE}
No, I think it's not the case. These seem to be file heuristics (heuristics for static files) of the newer CAVS engine version that is yet to be released. They are aggressive but good. :thumb: These are not behaviour heuristics, I think. It's just my guess, but I am very confident about this guess.
{QUOTE->
@Aigle two questions
What I would like to know is whether you enabled this (pseudo COM protection) on D+?

What is the series of (intrusion) events of this malware, to understand your evaluating this D+ response as a complete failure?

<-QUOTE}
1- Yes
2- Execution alert and that's all.

But as u noted, Vettetech at the Comodo forums is getting a physical memory alert, so I need to investigate it.

Osaban
July 28th, 2008, 09:07 PM
Well after reading this thread, I can't wait to try Comodo with Defense+, it's really what I was looking for. I hope it'll play right with my Vista system.

simmikie
July 28th, 2008, 09:09 PM
i originally agreed with myself to stay out of this discussion, but here i go. i will preface my comment with: yes, i know SafeSpace is not Geswall and vice versa.

i have been evaluating security software set-up on different snapshots on my pc for the last couple of days. one of the set-ups has Returnil, SafeSpace, Threatfire, Avira Free & Comodo with D+. the other is Returnil, SafeSpace, A2 Antimalware, EQS 3.41 (with Alycon Ruleset). part of that evaluation was to see how the BB apps would respond to real malicious code. i would test one set-up, then boot to another snapshot and run the malware on that set-up.

i noticed Threatfire would alert on actions taken by the malware and A2 would not. i was very close to uninstalling A2 when i decided to run the malware outside of SafeSpace protection and rely on Returnil to shield my system only. i reran the malware after rebooting and using AVZ and Process Explorer to ensure the malware was flushed, and A2 then 'saw' the code and in fact alerted on 4-5 behaviours of the code as opposed to Threatfire's single alert or 2 at the most.

my point? it seems some software is able to better interact with isolated files than others. Threatfire alerted in the same fashion to malicious code whether it was sandboxed or not. A2 seemed not to see the same code when it was sandboxed, that it alerted on without the sandbox. perhaps the lack of D+ giving Aigle the same detections that whoever did get was influenced by Aigle running the code through Geswall. btw EQS & D+ both did an admirable job in alerting to the malware, were they the same alerts, i don't know as that was not really my focus.

the how's and why's of this, i can't say. but my personal observation was that A2 went from being a disappointing nearly dumped security app with sandboxed malware running, to an absolute hero, and a keeper, at the very least on that snapshot, with the malware unsandboxed.


Mike

aigle
July 28th, 2008, 09:26 PM
{QUOTE-> it seems some software is able to better interact with isolated files than others. Threatfire alerted in the same fashion to malicious code whether it was sandboxed or not. A2 seemed not to see the same code when it was sandboxed, that it alerted on without the sandbox. perhaps the lack of D+ giving Aigle the same detections that whoever did get was influenced by Aigle running the code through Geswall. btw EQS & D+ both did an admirable job in alerting to the malware, were they the same alerts, i don't know as that was not really my focus.

the how's and why's of this, i can't say. but my personal observation was that A2 went from being a disappointing nearly dumped security app with sandboxed malware running, to an absolute hero, and a keeper, at the very least on that snapshot, with the malware unsandboxed.
<-QUOTE}
When u run malware in a sandbox, ur behav blocker might not work.

In case of TF, malware file usually accesses TFservice in memory and then u get a TF prompt. when u run a malware inside GW or other sandbox, this memory access is stopped and TF seems blind, though it is not.

Wait and I will make a thread about this with screenshots. ;D

Doodler
July 28th, 2008, 09:48 PM
{QUOTE-> 2 2 true. Sandboxes are padded cells for computer illiterates, old ladies with tennis shoes, couch potatoes too lazy to do a bit of thinking, etc. I'm not quite sure which category I fit into, but I use Sandboxie for browsing. <-QUOTE}
I'm not sure if the above quote was tongue-in-cheek or seriously intended or perhaps a bit of both. I can tell you (with great risk of being slammed I'm sure) that some months ago I tried a popular firewall with HIPS mentioned in this thread and found it an awful experience.

I'm neither computer illiterate, nor an old lady with tennis shoes (wrong gender and age factor) or couch potato too lazy to think. What I am is someone who is very busy trying to successfully manage and care for my family and personal life. Those are the things most important to me. And, during those initial weeks using HIPS and finding myself being confounded by all the pop-up HIPS alerts and spending hours trying to investigate what this message meant and that message meant, I had a Eureka moment and realized "this is a stupid waste of time for me". "Why should I be hassled with all this? Computers shouldn't be this troublesome for me to use."

So I dumped that firewall and HIPS program and a little while thereafter discovered Sandboxie. I couldn't be happier.

I have a car. I get into my car. I drive it. I make sure it has routine maintenance done on it so it operates reasonably well. But other than that, I know nothing about its workings and I'm not interested in learning. That doesn't make me lazy; it just means my priorities right now lie elsewhere. I don't fault those who prefer to tinker under the hood themselves. Nor do I want to be criticized for not wanting to get my hands greasy. Likewise with my computer. I have one. I want to turn it on and use it. I have a few anti-malware programs to try to protect it. I defrag it regularly and use CCleaner to get rid of most junk. But that's the extent of it. That's all I have time for.

I find nothing wrong with those who have the time or inclination or curiosity to want to be alerted every time something unexpected happens with their computers so they can explore the issue in great depth. HIPS is a good fit for them. Likewise, the simplicity and effectiveness of Sandboxie is a good fit for me. It keeps my pc clean and I don't care how it does it.

simmikie
July 28th, 2008, 10:15 PM
{QUOTE-> I have a car. I get into my car. I drive it. I make sure it has routine maintenance done on it so it operates reasonably well. But other than that, I know nothing about its workings and I'm not interested in learning. That doesn't make me lazy; it just means my priorities right now lie elsewhere. I don't fault those who prefer to tinker under the hood themselves. Nor do I want to be criticized for not wanting to get my hands greasy. Likewise with my computer. I have one. I want to turn it on and use it. I have a few anti-malware programs to try to protect it. I defrag it regularly and use CCleaner to get rid of most junk. But that's the extent of it. That's all I have time for. <-QUOTE}



nice!


Mike

yeow
July 28th, 2008, 11:45 PM
{QUOTE-> No it does not. CFP is not dumb. ;D :thumb: <-QUOTE}Thanks for the screenshot :). Just to clarify, the alert will be same if calc.exe was renamed & at different location? I only ask so I can understand better why u initially said D+ failed altho it mentioned "malware behavior" in ur test.

THANKS so much.

Peter2150
July 29th, 2008, 12:02 AM
{QUOTE-> When u run malware in a sandbox, ur behav blocker might not work.

;D <-QUOTE}

It's not that they might not work, but they might not give an indication.

For example OA's run safer puts a green border around stuff you use it on. Run it in the sandbox and the green border is not there, but the program is still running at lower rights. Just that sandboxie blocks the indication back from the system.

djohn
July 29th, 2008, 12:45 AM
{QUOTE-> I'm not sure if the above quote was tongue-in-cheek or seriously intended or perhaps a bit of both. I can tell you (with great risk of being slammed I'm sure) that some months ago I tried a popular firewall with HIPS mentioned in this thread and found it an awful experience.

I'm neither computer illiterate, nor an old lady with tennis shoes (wrong gender and age factor) or couch potato too lazy to think. What I am is someone who is very busy trying to successfully manage and care for my family and personal life. Those are the things most important to me. And, during those initial weeks using HIPS and finding myself being confounded by all the pop-up HIPS alerts and spending hours trying to investigate what this message meant and that message meant, I had a Eureka moment and realized "this is a stupid waste of time for me". "Why should I be hassled with all this? Computers shouldn't be this troublesome for me to use."

So I dumped that firewall and HIPS program and a little while thereafter discovered Sandboxie. I couldn't be happier.

I have a car. I get into my car. I drive it. I make sure it has routine maintenance done on it so it operates reasonably well. But other than that, I know nothing about its workings and I'm not interested in learning. That doesn't make me lazy; it just means my priorities right now lie elsewhere. I don't fault those who prefer to tinker under the hood themselves. Nor do I want to be criticized for not wanting to get my hands greasy. Likewise with my computer. I have one. I want to turn it on and use it. I have a few anti-malware programs to try to protect it. I defrag it regularly and use CCleaner to get rid of most junk. But that's the extent of it. That's all I have time for.

I find nothing wrong with those who have the time or inclination or curiosity to want to be alerted every time something unexpected happens with their computers so they can explore the issue in great depth. HIPS is a good fit for them. Likewise, the simplicity and effectiveness of Sandboxie is a good fit for me. It keeps my pc clean and I don't care how it does it. <-QUOTE}
@Doodler, Good for you and your discovery of Sandboxie. It indeed is a nice and quiet state of the art security product.:thumb:

Kees1958
July 29th, 2008, 02:08 AM
{QUOTE-> i
my point? it seems some software is able to better interact with isolated files than others. <-QUOTE}

Mike,

What is helpful to assess the way two programs theoretically work together is using a rootkit detector (e.g. AVZ) to see what hooks each individual program is setting. So run AVZ with only program A and only program B. The more overlap the bigger the chance of conflicts (and lacking protection).

So what you are saying is true in general.

Regards Kees
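The comparison Kees describes (run a rootkit detector with only product A installed, then with only product B, and look for hooks both products set on the same function) can be automated once the two hook listings are exported as text. The script below is an added example, not part of the original thread and not AVZ's or any vendor's code: the two hook listings are constructed samples in a simple "TABLE function -> module" form, not real AVZ output, so a real export would need its own parser in place of `parse_hooks`. Functions hooked by both products are where one driver may chain or override the other, which is the conflict (and missing-protection) risk the post points at.

```python
"""Compare the hooks two security products set, to gauge conflict risk.

Added example. The hook listings below are constructed samples in a
made-up "TABLE function -> module" format, not real AVZ or GMER output.
"""

# Constructed sample: hooks observed with only product A installed.
HOOKS_PRODUCT_A = """\
SSDT NtOpenProcess -> prodA.sys
SSDT NtOpenSection -> prodA.sys
SSDT NtCreateFile -> prodA.sys
SSDT NtWriteVirtualMemory -> prodA.sys
IAT kernel32!CreateProcessW -> prodA_user.dll
"""

# Constructed sample: hooks observed with only product B installed.
HOOKS_PRODUCT_B = """\
SSDT NtOpenProcess -> prodB.sys
SSDT NtOpenSection -> prodB.sys
SSDT NtLoadDriver -> prodB.sys
IAT kernel32!CreateProcessW -> prodB_hook.dll
IAT user32!SetWindowsHookExW -> prodB_hook.dll
"""


def parse_hooks(text):
    """Return {(table, function): module} from 'TABLE function -> module' lines.

    Lines that do not match the constructed format are skipped, so a report
    with headers or free text mixed in does not break the comparison.
    """
    hooks = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        left, sep, module = line.partition("->")
        if not sep:
            continue  # not a hook entry
        parts = left.split()
        if len(parts) != 2:
            continue  # unexpected shape, ignore rather than guess
        table, func = parts
        hooks[(table, func)] = module.strip()
    return hooks


def hook_overlap(hooks_a, hooks_b):
    """Return the sorted list of (table, function) hooked by both products."""
    return sorted(set(hooks_a) & set(hooks_b))


def overlap_report(text_a, text_b):
    """Summarise which hooks are unique to each product and which are shared.

    shared_ratio is the share of all hooked functions that both products hook;
    a higher value means a bigger chance that one product's hook masks the
    other's, which is the conflict the post warns about.
    """
    a = parse_hooks(text_a)
    b = parse_hooks(text_b)
    shared = hook_overlap(a, b)
    total = set(a) | set(b)
    return {
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "shared": shared,
        "shared_ratio": len(shared) / len(total) if total else 0.0,
    }


if __name__ == "__main__":
    report = overlap_report(HOOKS_PRODUCT_A, HOOKS_PRODUCT_B)
    for table, func in report["shared"]:
        print(f"both products hook {table} {func}")
    print(f"shared ratio: {report['shared_ratio']:.2f}")
```

With the constructed samples, three of the seven hooked functions are hooked by both products (NtOpenProcess, NtOpenSection and CreateProcessW), so those are the first places to look if one product stops alerting while the other is installed.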

doktornotor
July 29th, 2008, 03:00 AM
{QUOTE-> Sandboxes are padded cells for computer illiterates, old ladies with tennis shoes, couch potatos too lazy to do a bit of thinking, etc.
<-QUOTE}

LOL, interesting definition. May I quote you somewhere? ;D As a side note, Gentoo Linux is using a sandbox where all the compilation and pre-install stuff takes place, and only then the files are installed/upgraded on the real OS. Makes it really easy to spot botched makefiles, ebuilds etc. It also makes it easy to spot design bugs, such as trying to read/write configuration to stupid places etc. But definitely, sandbox != HIPS.

{QUOTE->
It is utter nonsense to fault a HIPS on behalf of "innocent users"/doofuses who are not able to discriminate between safe and dangerous actions, &/or too lazy to do a bit of research.

The HIPS job is to alert the user about potentially dangerous situations. It is the user's job to decide what action to take in response to that alert.
<-QUOTE}

Amen to that... ;) :thumb:

Peter2150
July 29th, 2008, 08:25 AM
Both Bellgamin's comment and the reply might fit here, but are flawed to the general population.

I am interested in security, so I kind of understand the HIPS language. But the average user who wants to be secure, doesn't understand and probably doesn't want to have to spend hours learning.

Would you guys want to have to be certified mechanics just to drive your car (to continue that analogy)? Probably not.

If I had to teach a novice any program that would be totally protective without fear of a mistake, it would be Sandboxie, and not any of the other programs we love to talk about here.

Pete

CogitoErgoSum
July 29th, 2008, 11:42 AM
For those who are interested,

I can personally confirm that DefenseWall successfully blocks the Phide rootkit.


Peace & Gratitude,

CogitoErgoSum

Antarctica
July 29th, 2008, 11:49 AM
{QUOTE-> For those who are interested,

I can personally confirm that DefenseWall successfully blocks the Phide rootkit.


Peace & Gratitude,

CogitoErgoSum <-QUOTE}

Thanks for that CogitoErgoSum.:)

CogitoErgoSum
July 29th, 2008, 11:52 AM
{QUOTE-> Thanks for that CogitoErgoSum.:) <-QUOTE}

Hello Antarctica,

You are very welcome.


Peace & Gratitude,

CogitoErgoSum

Kees1958
July 29th, 2008, 02:36 PM
{QUOTE->
If I had to teach a novice any program that would be totally protective without fear of a mistake, it would be Sandboxie, and not any of the other programs we love to talk about here.

Pete <-QUOTE}

I agree, because you added "teach a novice". ThreatFire, PRSC, Mamutu. GeSwall and DefenseWall can do without the teaching. ;)

HURST
July 29th, 2008, 03:26 PM
{QUOTE-> I agree, because you added "teach a novice". ThreatFire, PRSC, Mamutu. GeSwall and DefenseWall can do without the teaching. ;) <-QUOTE}

We'll see about that. I was at a friend's house last week and I saw he had ThreatFire installed. I was really surprised, since TF is absolutely unknown in my country. I asked him why he had that and he said "I went to download.com looking for an antivirus and I found that". (Needless to say, he is 100% non-geek). He didn't even know that sometimes TF could prompt and ask for an action.

To make the long story short, and stop with this off topic rant, I decided to do a little experiment. I didn't teach him anything about TF or security. In a few weeks I'll visit him and see how well a newbie can handle TF.

bellgamin
July 29th, 2008, 04:10 PM
{QUOTE-> Would you guys want to have to be certified mechanics just to drive your car (to continue that analogy)? Probably not. <-QUOTE}First of all, my 9-year-old granddaughter is quite proficient at using HIPS & making good decisions based on alerts.

The analogy of needing a mechanic is imperfect. A better analogy to "effectively using HIPS" is "safely driving a car."

To safely drive a car, one must learn the rules of the road, and what is required by the various traffic control signs found alongside the road. One must understand what to do when hearing/seeing an emergency vehicle's approach. What to do when certain red lights appear on the instrument panel -- keep going, or stop & call for roadside assist?

Those who complain that safe use of the internet requires a bit of thinking & learning are like a person who wants to drive a car but refuses to learn how to drive and how to pass the license test. I call these sort of folks "aggressively ignorant". If those folks viewed learning to drive a car in the same way they view learning to use HIPS, here is the sort of conversation that might ensue...

{QUOTE-> * GM Tech Support: "General Motors Help Line, how can I help you?"
* Customer: "Hi! I just bought my first car, and I chose a Chevrolet because it has automatic transmission, cruise control, power steering,power brakes, and power door locks."
* GM Tech Support: "Thanks for buying our car. How can I help you?"
* Customer: "How do I work it?"
* GM Tech Support: "Uhhh... do you know how to drive?"
* Customer: "Do I know how to WHAT?"
* GM Tech Support: "Do you know how to drive?"
* Customer: "Now see here -- I'm not a technical person! I just want to go places in my car!" <-QUOTE} :D :) ;D ;)

Doodler
July 29th, 2008, 04:57 PM
{QUOTE-> First of all, my 9-year-old granddaughter is quite proficient at using HIPS & making good decisions based on alerts.

The analogy of needing a mechanic is imperfect. A better analogy to "effectively using HIPS" is "safely driving a car."

To safely drive a car, one must learn the rules of the road, and what is required by the various traffic control signs found alongside the road. One must understand what to do when hearing/seeing an emergency vehicle's approach. What to do when certain red lights appear on the instrument panel -- keep going, or stop & call for roadside assist?

Those who complain that safe use of the internet requires a bit of thinking & learning are like a person who wants to drive a car but refuses to learn how to drive and how to pass the license test. I call these sort of folks "aggressively ignorant". If those folks viewed learning to drive a car in the same way they view learning to use HIPS, here is the sort of conversation that might ensue...

:D :) ;D ;) <-QUOTE}

I think your analogy is flawed, but such debates seldom lead to a meeting of the minds. We'll have to respect one another's positions and agree to disagree, agreeably.;)

bellgamin
July 29th, 2008, 06:06 PM
{QUOTE-> We'll have to respect one another's positions and agree to disagree, agreeably.;) <-QUOTE}I agree (to disagree).

All analogies aside, my granddaughter & all the other kids in her elementary school computer class use HIPS with aplomb. Not only are HIPS readily learnable, the HIPS are, themselves, grrreat little teacher's aides. To be hip, use HIPS. :thumb:

In some future age, we will have computers like unto Star Trek's. For now, it behooves us to learn a bit.

aigle
July 29th, 2008, 06:35 PM
{QUOTE-> It's not that they might now work, but they might not give an indication.

For example OA's run safer puts a green border around stuff you use it on. Run it in the sandbox and the green border is not there, but the program is still running at lower rights. Just that sandboxie blocks the indication back from the system. <-QUOTE}That may be true of OA. But in case of TF it becomes blind of SOME behaviors( not ALL of course).

aigle
July 29th, 2008, 06:37 PM
{QUOTE-> Thanks for the screenshot :). Just to clarify, the alert will be same if calc.exe was renamed & at different location? <-QUOTE}
Yes, same. :thumb:

aigle
July 29th, 2008, 08:32 PM
Ok, I tried it with CFP (safe mode) without ShadowSurfer. No other security software as well. I don't get physical memory access alert at all. Acc to Vettetech on Comodo forums, he gets the alert. I am confused. ???

Can anyone test it with CFP? Thanks

zopzop
July 29th, 2008, 09:21 PM
is it a virus aigle? if not send it to me and i'll test it.

aigle
July 30th, 2008, 04:43 AM
It's a POC rootkit i think. Anyway i will not suggest to run it on a working machine without reliable recovery in hand. BTW just a reminder, ur sample was well contained by GW.

Peter2150
July 30th, 2008, 08:33 AM
{QUOTE-> is it a virus aigle? if not send it to me and i'll test it. <-QUOTE}

Please do not make these requests for these programs. It is against forum policy. Period.

Pete

zopzop
July 30th, 2008, 11:51 AM
@aigle

ok

@Peter2150

i'm aware of the rule that we aren't supposed to ask for malware on the boards or even trade malware through PMs. that's why i stated "if it's not a virus". it's now against board policy to ask for non-destructive/non-virus proof of concepts?

Peter2150
July 30th, 2008, 01:02 PM
{QUOTE-> @aigle

ok

@Peter2150

i'm aware of the rule that we aren't supposed to ask for malware on the boards or even trade malware through PMs. that's why i stated "if it's not a virus". it's now against board policy to ask for non-destructive/non-virus proof of concepts? <-QUOTE}

Even POCs can be destructive, so the answer is yes.

zopzop
July 30th, 2008, 01:20 PM
{QUOTE-> {QUOTE-> @aigle

ok

@Peter2150

i'm aware of the rule that we aren't supposed to ask for malware on the boards or even trade malware through PMs. that's why i stated "if it's not a virus". it's now against board policy to ask for non-destructive/non-virus proof of concepts? <-QUOTE}Even POCs can be destructive, so the answer is yes. <-QUOTE}

i'm aware of that, i don't have a test pc so any tests i run have to be non-destructive. :shifty:

but i realize i should have made that more clear in my first post to aigle.

fcukdat
July 30th, 2008, 01:50 PM
{QUOTE-> Even POCs can be destructive, so the answer is yes. <-QUOTE}

Without wishing to split hairs, but what would be the difference between say the Eicar test, leaktest.exe (or some other HIPS testing POC) and in this topic test.exe (Phide)?

Just curious where the cut off point is to stay within forum TOS 8)

yeow
July 30th, 2008, 03:51 PM
{QUOTE-> Yes, same. :thumb: <-QUOTE}aigle, much thanks for your time & effort, even if just to educate me.

I see now that it was the lack of "physical memory access alert" (to be confirmed) in ur initial test, and not the lack of clarity in alerting to "malicious behavior", that prompted the initial fail. Thanks.

P.S. Wonder if D+ whitelists the hashes of common safe apps. If yes then renaming or re-locating calc.exe would not have made any difference, and I'd probably have wasted ur valuable time (so sorry!).

Kees1958
July 30th, 2008, 05:46 PM
{QUOTE-> We'll see about that. I was at a friend's house last week and I saw he had ThreatFire installed. I was really surprised, since TF is absolutely unknown in my country. I asked him why he had that and he said "I went to download.com looking for an antivirus and I found that". (Needless to say, he is 100% non-geek). He didn't even know that sometimes TF could prompt and ask for an action.

To make the long story short, and stop with this off topic rant, I decided to do a little experiment. I didn't teach him anything about TF or security. In a few weeks I'll visit him and see how well a newbie can handle TF. <-QUOTE}

I always set TF to create a restore point before quarantining and set the default actions of RED (malware) and GREY PUA (Potential Unwanted Application or spy/adware) to quarantine. Tell them to hit "learn more about this threat" when TF pops up before deciding. That is all and works with non-geeks well.

Kees1958
July 30th, 2008, 05:48 PM
{QUOTE-> Without wishing to split hairs, but what would be the difference between say the Eicar test, leaktest.exe (or some other HIPS testing POC) and in this topic test.exe (Phide)?

Just curious where the cut off point is to stay within forum TOS 8) <-QUOTE}

:thumb:

aigle
July 30th, 2008, 07:14 PM
{QUOTE-> aigle, much thanks for your time & effort, even if just to educate me.

I see now that it was the lack of "physical memory access alert" (to be confirmed) in ur initial test, and not the lack of clarity in alerting to "malicious behavior", that prompted the initial fail. Thanks.

P.S. Wonder if D+ whitelists the hashes of common safe apps. If yes then renaming or re-locating calc.exe would not have made any difference, and I'd probably have wasted ur valuable time (so sorry!). <-QUOTE}
U r welcome.

trjam
July 30th, 2008, 08:36 PM
thanks aigle for testing that malware I sent you. I was told it was really bad, but obviously not too bad for Geswall. What was interesting were the Virus Total hits on both parts, or lack of. Seems Microsoft and F-Secure were the only 2 that caught both parts. Microsoft is getting real interesting in detection.

simmikie
July 31st, 2008, 12:30 PM
{QUOTE-> Mike,

What is helpful to assess the way two programs theoretically work together is using a rootkit detector (e.g. AVZ) to see what hooks each individual program is setting. So run AVZ with only program A and only program B. The more overlap the bigger the chance of conflicts (and lacking protection).

So what you are saying is true in general.

Regards Kees <-QUOTE}

i agree. SafeSpace is a hooking machine. i have already used AVZ and GMER, Icesword, K-Xray to see all of the hooks. what i do not have the skill/patience to analyze, is what hooks are duplicated (?). thanks for the tip, i had not considered the potential for conflict as the reason A2 was not seeing sandboxed infections.


Mike

hammerman
August 2nd, 2008, 03:46 PM
Aigle

Tested phide.exe against OA build 131.

When Run Safer selected at execution warning, hidden process NOT created.
If Run Safer not selected, no more pop-ups from OA and hidden process gets created.

aigle
August 2nd, 2008, 05:35 PM
{QUOTE->
If Run Safer not selected, no more pop-ups from OA and hidden process gets created. <-QUOTE}
Thanks, I have same findings. So OA fails in spite of the fact that it has a filter to intercept physical memory access.

hammerman
August 2nd, 2008, 06:11 PM
{QUOTE-> Thanks, I have same findings. So OA fails in spite of the fact that it has a filter to intercept physical memory access. <-QUOTE}
Will try test again with OA as the only security app just in case. I can confirm your findings that EQS gives physical memory access message but OA doesn't.

Will post this at OA forum.

Rasheed187
August 5th, 2008, 11:31 AM
I've tested it and SSM Pro and NG both pass the test, both successfully block direct access to memory. About the discussion, if CFP only gives a warning about "possible malware behavior" (which may be a false positive) and no other alert if you allow to load, it is indeed a failure, so I can understand Aigle.

Peter2150
August 5th, 2008, 01:15 PM
I would retest OA with the latest Public Beta. Build 131 although the last official release, is totally out of date.

djohn
August 5th, 2008, 02:16 PM
{QUOTE-> thanks aigle for testing that malware I sent you. I was told it was really bad, but obviously not too bad for Geswall. What was interesting were the Virus Total hits on both parts, or lack of. Seems Microsoft and F-Secure were the only 2 that caught both parts. Microsoft is getting real interesting in detection. <-QUOTE}
Wow that is just pathetic, all 36 scanners and only 2.:o

aigle
August 5th, 2008, 06:08 PM
{QUOTE-> I've tested it and SSM Pro and NG both pass the test, both successfully block direct access to memory. About the discussion, if CFP only gives a warning about "possible malware behavior" (which may be a false positive) and no other alert if you allow to load, it is indeed a failure, so I can understand Aigle. <-QUOTE}
The bug is confirmed by Comodo people on some XP machines and they will fix it.

EASTER
August 5th, 2008, 11:40 PM
A "PURE" and accurate HIPS just doesn't get any better than EQSecure, provided you were able to install/overwrite 3.41 with the 4.0 Beta.

This is the KING of them all IMO. A solid lock down HIPS that super-guards every single vector courtesy of Alcyon's RuleSets.

It will take a WHOLE brand new group to compete with this HIPS.

EASTER.

hammerman
August 7th, 2008, 04:24 PM
{QUOTE-> I would retest OA with the latest Public Beta. Build 131 although the last official release, is totally out of date. <-QUOTE}
Retested with latest OA beta 3.0.0.162. Still a fail.

alex_s
August 7th, 2008, 06:22 PM
{QUOTE-> Retested with latest OA beta 3.0.0.162. Still a fail. <-QUOTE}
Does it allow the hidden process to do something unauthorized?

hammerman
August 8th, 2008, 02:44 PM
{QUOTE-> The bug is confirmed by Comodo people on some XP machines and they will fix it. <-QUOTE}

Seems your thread on Comodo forum generated a lot of interest and a conclusion reached. Cannot say the same for OA. As yet, no confirmation of my test results.

aigle
August 8th, 2008, 06:31 PM
Maybe because they are very busy due to the latest beta release. I am sure they will notice it. U can PM Mike as well.

hammerman
August 16th, 2008, 10:01 AM
I have been informed on OA forum that protection against phide.exe bypassing OA has been included in latest private beta version.

Have since discovered that physmem.exe from SysInternals can also access physical memory with no pop-up from OA (build 131). DW and EQS block the physical memory access. Does anybody know how to set OA rules to stop physmem.exe from accessing physical memory?

aigle
August 16th, 2008, 11:19 AM
Seems OA filter not working OK, so u can't do it until they release the fixed version.

aigle
August 16th, 2008, 11:22 AM
Any links for physmem.exe? Thanks
What is this tool exactly?

Edit: I got it but don't know its use!

aigle
August 16th, 2008, 11:25 AM
CFP intercepts it.

hammerman
August 16th, 2008, 11:34 AM
{QUOTE-> Any links for physmem.exe? Thanks
What is this tool exactly?

Edit: I got it but don't know its use! <-QUOTE}
See below for description of physmem.exe

http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx

Glad to see CFP detects it. This is what I was expecting from OA.

I can't believe that OA physical memory access protection simply does not work. I am expecting somebody to put me right on this (Mike, anybody ....)

aigle
August 16th, 2008, 11:46 AM
Thanks

I believe, after these tests. So is true of CFP. It has the same bug but to a much smaller extent.

Try SDTrestore with CFP. It's a POC.

alex_s
August 17th, 2008, 09:33 AM
{QUOTE-> See below for description of physmem.exe

http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx

Glad to see CFP detects it. This is what I was expecting from OA.

I can't believe that OA physical memory access protection simply does not work. I am expecting somebody to put me right on this (Mike, anybody ....) <-QUOTE}
I'm not sure, on my Vista this tool just doesn't work. But maybe OA only alerts on write access, while physmem requests read access? After all OA was designed to minimize user interaction, so it would be natural not to bother about harmless actions.

aigle
August 17th, 2008, 09:41 AM
That may be one reason. But phide.exe does try for write access.

alex_s
August 17th, 2008, 10:41 AM
{QUOTE-> That may be one reason. But phide.exe does try for write access. <-QUOTE}

But phide was reported as fixed already :)

But generally speaking I think Vista will turn most of those tricky tests into a set of useless toys. At least 50% of famous POCs (and also malware) do not work on Vista even without any special software. So I think it's time to move to Vista for those who really care about true security.

aigle
August 17th, 2008, 10:45 AM
No it's time to prepare for windows 7. A better version of Vista. ;D

gkweb
August 17th, 2008, 12:23 PM
Hello,

It has been said in this thread that :
{QUOTE->
Thread that calls engine MUST have read/write access to \Device\PhysicalMemory, otherwise engine will fail.
<-QUOTE}

I don't know if it has been mentioned, but this means that running under a restricted user account, as I do, will protect the user no matter the HIPS he uses.

Of course, any HIPS not passing this test under an administrator account should be fixed to detect and block it. I just wanted to highlight a simple protection measure.

Regards,
gkweb.

Pedro
August 17th, 2008, 12:42 PM
{QUOTE-> So I think it's time to move to a Limited User Account for those who really care about true security. <-QUOTE}
I agree :)

alex_s
August 17th, 2008, 03:32 PM
{QUOTE-> No it's time to prepare for windows 7. A better version of Vista. ;D <-QUOTE}

Unfortunately, I cannot wait. There are no XP drivers for my new laptop ... sigh .. But I should say after two months with Vista it doesn't seem as ugly as it did from the very beginning :)

And it's really much more secure, even with UAC disabled and under admin account.