View Full Version : CIS v5 - detection of hidden rootkit process seems good!
aigle
October 7th, 2010, 05:26 PM
I just wanted to try the ability of the CIS built-in Task Manager to detect hidden rootkit processes. It's not a test as I don't have samples. Just found out phide_ex.exe rootkit. It's a load of BSODs but after multiple tries I managed to run it in a VMware Player session without any BSOD.
Task Manager of CIS detected it (hidden process) very well. :thumb: The hidden process is also detected by Gmer but not Process Explorer.
Just wanted to share it. It would be better if they could label the process as hidden as well.
lordraiden
October 8th, 2010, 01:04 PM
-{ Quote: "I just wanted to try the ability of the CIS built-in Task Manager to detect hidden rootkit processes. It's not a test as I don't have samples. Just found out phide_ex.exe rootkit. It's a load of BSODs but after multiple tries I managed to run it in a VMware Player session without any BSOD.
Task Manager of CIS detected it (hidden process) very well. :thumb: The hidden process is also detected by Gmer but not Process Explorer.
Just wanted to share it. It would be better if they could label the process as hidden as well." }-
The process in Comodo seems to have a little shadow, no? That means that the process is hidden.
DOSawaits
October 8th, 2010, 03:09 PM
-{ Quote: "The process in Comodo seems to have a little shadow, no? That means that the process is hidden." }-
;D No, it's a simple "overlay" because it's the selected item.
You may think Comodo is strong, but please don't get over-enthusiastic.;)
aigle
October 8th, 2010, 06:48 PM
-{ Quote: ";D No, it's a simple "overlay" because it's the selected item." }-
Yes, exactly right. BTW that process was a keylogger and was also a bit hidden, I mean it was hidden from Windows Task Manager but not from Process Explorer. However the rootkit process phide_ex.exe was hidden from Process Explorer and only detected by ARKs like RootRepeal, Gmer etc.
-{ Quote: "You may think Comodo is strong, but please don't get over-enthusiastic.;)" }-
It was a pleasant surprise for me indeed.
This version of Comodo is the best version ever IMO. I haven't seen a major bypass with it so far.
I don't have time, otherwise I would love to post screenshots of how CIS v5 HIPS and sandbox handle the Conficker worm, both at the default level and at max settings. It was really excellent. :thumb: Maybe I will post about it later some day when I am free.
I was not happy with how Defence Plus used to handle Conficker in the past.
lordraiden
October 9th, 2010, 06:05 AM
-{ Quote: ";D No, it's a simple "overlay" because it's the selected item.
You may think Comodo is strong, but please don't get over-enthusiastic.;)" }-
Maybe you get over-enthusiastic with these kinds of things, but sorry, I don't.
blacknight
October 9th, 2010, 10:05 AM
-{ Quote: "I was not happy with how Defence Plus used to handle Conficker in the past." }-
Do you mean Defense+ in version 4? And do you mean Defense+ only or with the sandbox?
I mean: without using the sandbox, did Defense+ in v4 protect from Conficker less than v5?
aigle
October 9th, 2010, 10:23 AM
The pop-up alerts of Defence Plus in v3 were not so good. I made a long thread about it at that time. I did not test v4. Version 5 RC was the same, so I posted this as a bug and it was fixed after I provided a sample to egemen.
blacknight
October 9th, 2010, 01:21 PM
-{ Quote: "The pop-up alerts of Defence Plus in v3 were not so good. I made a long thread about it at that time. I did not test v4. Version 5 RC was the same, so I posted this as a bug and it was fixed after I provided a sample to egemen." }-
Thanks for your answer aigle. ;)
aigle
October 10th, 2010, 10:20 AM
And I just tried another one, the historical Hacker Defender.
Good work by CIS. :thumb:
DasFox
October 10th, 2010, 11:26 PM
The thing I don't get is they give you a Sandbox, then with the leak test to get the best results, best security you turn off the sandbox, LOL...
aigle
October 11th, 2010, 12:09 AM
I was just curious to know if it can detect a hidden rootkit process or not. There was no way to do this without installing a rootkit first, and that means one has to disable CIS. If there is any other way to do this, let me know.
blacknight
October 11th, 2010, 02:29 AM
-{ Quote: "I was just curious to know if it can detect a hidden rootkit process or not. There was no way to do this without installing a rootkit first, and that means one has to disable CIS. If there is any other way to do this, let me know." }-
You should find a kernel rootkit that you could install in the kernel and disable: then you would have to install CIS and, after the installation, enable the hidden rootkit. I don't know where you could find a rootkit like this.
syk69
October 11th, 2010, 08:24 AM
-{ Quote: "The thing I don't get is they give you a Sandbox, then with the leak test to get the best results, best security you turn off the sandbox, LOL..." }-
That's not true, I did the leak test with the sandbox enabled and it gave me 340/340.
aigle
October 11th, 2010, 08:59 AM
-{ Quote: "You should find a kernel rootkit that you could install in the kernel and disable: then you would have to install CIS and, after the installation, enable the hidden rootkit. I don't know where you could find a rootkit like this." }-
Hmm.. sorry, I did not get your point. You think Hacker Defender and phide_ex are not kernel mode?
blacknight
October 11th, 2010, 09:45 AM
-{ Quote: "Hmm.. sorry, I did not get your point. You think Hacker Defender and phide_ex are not kernel mode?" }-
Sorry, I already woke up when I posted, I misunderstood your post. :-[
aigle
October 11th, 2010, 10:52 AM
That's fine.:) :)