Wilders Security Forums
#1  April 21st, 2009, 10:10 AM
MagisDing (Infrequent Poster; Join Date: Jan 2009; Posts: 41)
Some test ;)

Original thread: https://forums.comodo.com/leak_testi...-t38189.0.html

Try your HIPS.
#2  April 21st, 2009, 10:28 AM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Some test ;)

Sorry,

All Chinese to me; I can't find the download link. Please state which tests Comodo failed.
#3  April 21st, 2009, 11:50 AM
MagisDing (Infrequent Poster; Join Date: Jan 2009; Posts: 41)
Re: Some test ;)

Quote:
Originally Posted by Kees1958
Sorry,

All Chinese to me; I can't find the download link. Please state which tests Comodo failed.

Here is the direct download link: <link removed>
Comodo almost failed to pass all of them (process is terminated, mouse is locked), but I think the protection was not penetrated.

Last edited by Peter2150 : April 21st, 2009 at 12:16 PM. Reason: Removed link to unknown files.
#4  April 21st, 2009, 12:21 PM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Some test ;)

GeSWall results

HTAAA stopped, with HTAAA showing error messages in unreadable characters
HTAAAB causes a massive amount of logs, tries to access all resident software, services or something; nothing happening
HTAAC isolated without anything happening
Stop2 isolated without anything happening; Rising's PC Doctor icon disappears and can't be restarted (via Programs)
Stop was also isolated according to the logs, was denied access to explorer, but hung the system (so this could be the explorer stop)

I see your descriptions are about right, but not exactly as in the Comodo forum; did you really test it?

PM Ilya of DefenseWall, he will be interested in this.

Last edited by Kees1958 : April 21st, 2009 at 12:32 PM.
#5  April 22nd, 2009, 02:37 AM
MagisDing (Infrequent Poster; Join Date: Jan 2009; Posts: 41)
Re: Some test ;)

Yeah, I've tested them with GW; however, HTAAC (started isolated) kills explorer.exe....
Stop.exe locks the mouse without any log....
#6  April 22nd, 2009, 03:26 AM
Creer (Very Frequent Poster; Join Date: Jun 2008; Posts: 1,177)
Re: Some test ;)

Quote:
Originally Posted by MagisDing
Yeah, I've tested them with GW; however, HTAAC (started isolated) kills explorer.exe....
Stop.exe locks the mouse without any log....

I wonder what results DW will reach in these tests.
#7  April 22nd, 2009, 04:43 AM
Ilya Rabinovich (Developer; Join Date: Sep 2005; Posts: 1,516)
Re: Some test ;)

The only problem test for DW is the "stop2". I fixed it up, will be released with the next, 2.54 version.
__________________
DefenseWall HIPS developer. www.softsphere.com
#8  April 22nd, 2009, 04:49 AM
Creer (Very Frequent Poster; Join Date: Jun 2008; Posts: 1,177)
Re: Some test ;)

Quote:
Originally Posted by Ilya Rabinovich
The only problem test for DW is the "stop2". I fixed it up, will be released with the next, 2.54 version.

Great news! Thanks a lot Ilya
#9  April 22nd, 2009, 01:19 PM
cruchot (Regular Poster; Join Date: Apr 2009; Location: Germany; Posts: 126)
Re: Some test ;)

The download via the rapidshare link posted on the Comodo board isn't possible anymore: download limit (10) reached.

Last edited by cruchot : April 22nd, 2009 at 03:10 PM.
#10  April 22nd, 2009, 02:50 PM
1000db (Frequent Poster; Join Date: Jan 2009; Location: Missouri; Posts: 657)
Re: Some test ;)

Quote:
Originally Posted by MagisDing
Yeah, I've tested them with GW; however, HTAAC (started isolated) kills explorer.exe....
Stop.exe locks the mouse without any log....

Have you contacted GW and sent them any samples?
#13  April 22nd, 2009, 10:29 PM
Boost (Very Frequent Poster; Join Date: Feb 2007; Posts: 1,245)
Re: Some test ;)

Quote:
Originally Posted by ssj100
6. This proves that a black-listing component (Antivirus or similar) would be of great benefit, especially if the user tries to execute unknown .exe files willy-nilly.

Anyone else like to comment on their findings?

Just on one of your comments. I like Sandboxie, and regarding the blacklisting, DriveSentry has this, kinda a reason I'm thinking about trying DriveSentry, but I haven't really seen many people running it.
__________________
Windows XP SP3 & GeSWall
#14  April 22nd, 2009, 10:47 PM
Ed_H (Frequent Poster; Join Date: Nov 2004; Location: Chicago, IL; Posts: 637)
Re: Some test ;)

Quote:
Originally Posted by ssj100
By the way, for programs like DefenseWall, how are these manual tests relevant? If you run unknown .exe files as untrusted, you obviously don't want them to work properly anyway, so why run it in the first place? You would run them as trusted, right?

My point is this:
1. You install DefenseWall
2. You download a .exe program from the internet
3. You decide to run it as untrusted, just in case it has malware
4. You notice nothing unusual, and DefenseWall doesn't give any pop-ups, since it's so user-friendly etc. (but in actual fact, a hidden trojan or whatnot is trying to install in the registry etc. and you miss this in the logs etc.)
5. You are satisfied the .exe file is safe (because you are a novice user, which might be the reason why you're using DefenseWall in the first place), and run the program as trusted, and the hidden trojan etc. leaks out onto your system!

Obviously a black-listing component might pick up the program or the trojan and quarantine it before it can cause any harm.

But my point is as above. This is the same issue as with any other HIPS, except classical HIPS programs may give a pop-up and suggest that the .exe file is performing like malware. Check my post (#32) for what I believe are other ways around it in this thread: http://www.wilderssecurity.com/showt...=233634&page=2

Doesn't this all boil down to: don't install anything unless you know and trust the site it is coming from? If you run everything as trusted in DefenseWall or answer Yes to all pop-ups from a classical HIPS without knowing what you are installing, I don't know of any application, other than image backup / restore, that can protect you.
#16  April 22nd, 2009, 11:57 PM
Ed_H (Frequent Poster; Join Date: Nov 2004; Location: Chicago, IL; Posts: 637)
Re: Some test ;)

Quote:
Originally Posted by ssj100
Exactly! But at least with a classical HIPS, it gives you a chance to recognise that there is malware behavior going on with relevant pop-ups.

True, but if you know what you are installing and trust where it came from you won't have a problem. Users who will install anything without investigation should probably be using a suite that makes decisions for them, or have someone else more knowledgeable determine what to install.
#17  April 23rd, 2009, 12:00 AM
MagisDing (Infrequent Poster; Join Date: Jan 2009; Posts: 41)
Re: Some test ;)

Quote:
Originally Posted by 1000db
Have you contacted GW and sent them any samples?

Not yet, since I don't know how to submit those samples..... ashamed.
So far as I know, CIS pops up but can't actually intercept the behaviors (both locking the mouse and terminating processes), though the programmes don't penetrate the protection even if they are indeed malicious.
BTW: except for stop2.exe, S3 (netchina), MD and DW seem like they can block the other behaviors correctly.
#18  April 23rd, 2009, 01:44 AM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Some test ;)

Quote:
Originally Posted by ssj100
By the way, for programs like DefenseWall, how are these manual tests relevant? If you run unknown .exe files as untrusted, you obviously don't want them to work properly anyway, so why run it in the first place? You would run them as trusted, right?

SSJ100,

You did not fully grasp the concept of policy management.

The idea behind it is:

a) you do not care which program runs on your system, because executables AND files originating from untrusted sources are kept in a safe containment

b) you do not care where those files and programs are, because the sandbox is completely transparent; let them harmlessly reside between your trusted files and programs, they are paralysed anyway (see a)

c) when you do want to install something explicitly and with your full awareness and agreement, THEN you have to set the status to trusted. From then on you give them the full rights of the current user.

So a policy sandbox is a kind of reversed HIPS: it does not bother you with pop-ups for known or unknown programs, for legitimate or malicious actions; it only requires one action (set to trusted) when you want to install it.

Regards Kees
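To make the policy-sandbox model in Kees's post above concrete, and to walk through the five-step scenario ssj100 describes in post #14, here is an added example. It is not code from DefenseWall, GeSWall, Sandboxie or anyone in this thread; it is a toy Python model whose rule set is an assumption for illustration only: every object carries a trust label, anything downloaded starts untrusted, untrusted processes still run but are refused writes to trusted files, autorun registry entries and termination of trusted processes, files they create inherit the untrusted label, and set_trusted() is the single explicit action that lifts the containment. The class and function names (PolicySandbox, set_trusted, set_autorun, ssj100_scenario) and the file and registry entries are all constructed for the example.

```python
"""Toy model of a policy sandbox as described in this thread.

Added example; NOT DefenseWall/GeSWall/Sandboxie code. The rules below
are an assumption chosen to illustrate points (a), (b) and (c) above.
"""
from dataclasses import dataclass

TRUSTED = "trusted"
UNTRUSTED = "untrusted"


@dataclass
class Process:
    pid: int
    image: str
    trust: str


class PolicySandbox:
    """Constructed toy model; the rule set is an assumption, not a product's."""

    def __init__(self):
        self.trust = {}        # object name -> TRUSTED / UNTRUSTED
        self.files = {}        # stand-in for the real file system
        self.registry = {}     # stand-in for the real autorun (Run) keys
        self.processes = {}    # pid -> Process
        self.log = []          # what the user would find in the sandbox log
        self._next_pid = 100

    # --- how objects get their label ---------------------------------
    def download(self, path, content):
        """Anything that arrives from the internet is untrusted by default."""
        self.files[path] = content
        self.trust[path] = UNTRUSTED

    def set_trusted(self, path):
        """Point (c): the single explicit action that grants full user rights."""
        self.trust[path] = TRUSTED

    def run(self, path):
        """A process inherits the label of its image. Untrusted code still
        runs (point a); it is only kept away from trusted objects."""
        pid = self._next_pid
        self._next_pid += 1
        self.processes[pid] = Process(pid, path, self.trust.get(path, TRUSTED))
        return pid

    # --- mediated operations -----------------------------------------
    def _deny(self, proc, action, target):
        self.log.append(f"DENIED {proc.image}[{proc.pid}] {action} {target}")
        return False

    def write_file(self, pid, path, content):
        proc = self.processes[pid]
        if (proc.trust == UNTRUSTED and path in self.files
                and self.trust.get(path, TRUSTED) == TRUSTED):
            return self._deny(proc, "write_file", path)   # no touching trusted files
        self.files[path] = content
        if proc.trust == UNTRUSTED:
            self.trust[path] = UNTRUSTED   # point (b): output stays untrusted wherever it lands
        return True

    def set_autorun(self, pid, name, command):
        proc = self.processes[pid]
        if proc.trust == UNTRUSTED:
            return self._deny(proc, "set_autorun", name)  # no persistence from containment
        self.registry[name] = command
        return True

    def terminate(self, pid, target_pid):
        """What the stop/stop2/HTAAC tests in this thread probe: untrusted code
        trying to kill a trusted process such as explorer.exe or the AV."""
        proc = self.processes[pid]
        target = self.processes[target_pid]
        if proc.trust == UNTRUSTED and target.trust == TRUSTED:
            return self._deny(proc, "terminate", target.image)
        del self.processes[target_pid]
        return True


def ssj100_scenario():
    """Walk through ssj100's five steps; returns what got through on each run."""
    sb = PolicySandbox()
    explorer = sb.run("explorer.exe")                       # trusted system process
    sb.download("setup.exe", "installer + hidden dropper")  # step 2: from the internet

    pid = sb.run("setup.exe")                               # step 3: run it untrusted
    first_run = {
        "autorun": sb.set_autorun(pid, "Updater", r"C:\Temp\drop.exe"),
        "drop": sb.write_file(pid, r"C:\Temp\drop.exe", "payload"),
        "kill_explorer": sb.terminate(pid, explorer),
    }
    # step 4: nothing visible happened; the only evidence is sb.log

    sb.set_trusted("setup.exe")                             # step 5: user trusts it
    pid = sb.run("setup.exe")
    second_run = {"autorun": sb.set_autorun(pid, "Updater", r"C:\Temp\drop.exe")}

    return first_run, second_run, sb.trust[r"C:\Temp\drop.exe"], list(sb.log)


if __name__ == "__main__":
    first, second, drop_label, log = ssj100_scenario()
    print("untrusted run:", first)
    print("trusted run:  ", second)
    print("dropped file is", drop_label)
    print("\n".join(log))
```

Running ssj100_scenario() shows the point both sides are making. On the untrusted run the autorun write and the attempt to kill explorer.exe are refused and appear only in the log, so a user who never reads the log sees nothing unusual; once the image is set to trusted, the same autorun write goes through. The one thing the containment still buys in this model is that the dropped file keeps its untrusted label, which is exactly why the trust decision has to be made on what you know about the source rather than on the absence of pop-ups.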
#20  April 23rd, 2009, 02:42 AM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Some test ;)

Quote:
1. Sandboxie (running the programs in "DefaultBox") does not prevent the malware behavior at all.

Has this been repeated and confirmed?
Is tzuk aware?
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
#22  April 23rd, 2009, 02:51 AM
PROROOTECT (Very Frequent Poster; Join Date: May 2008; Location: HERE ...Fort Lee, NJ; Posts: 1,102)
Re: Some test ;)

Hi,

Could someone test the defensive behavior of System Shield (usec.at: http://www.usec.at/ushields.html) in these cases?

Thanks, PROROOTECT
__________________
W.XPSP2,1GBRAM,13proc,17svc;IE8s ***
#23  April 23rd, 2009, 03:46 AM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Some test ;)

Tzuk, Ilya and Xiaolin are the one-man-band eager beavers, so I should not worry about it very much.
#24  April 23rd, 2009, 03:49 AM
Kees1958 (Massive Poster; Join Date: Jul 2006; Posts: 5,857)
Re: Some test ;)

Quote:
Originally Posted by ssj100
Yes, I completely agree with all those points. However, once again, there is a misunderstanding as to the point I was trying to make.

1. I want to install the application completely so it runs correctly. Thus I run it as trusted.
2. Therefore, the protection I get from DefenseWall is gone. Therefore, this is out of DefenseWall's protection scope (and unfortunately out of all mainstream scopes except for virtualisation and rollback).
3. I thought that Sandboxie could create a "virtual" environment on my system for me to test programs (that is, run them as trusted etc.) without damaging my "real" environment. As we all know now from the above malwares, this is not the case.

Kees, I sent you a PM asking if there was a way to set up Sandboxie so that you can still test unknown programs and fully install them in a virtual environment, but could also prevent malwares like those above from damaging the "real" environment. Thanks for any comments from anyone else.

Alas SSJ, can't help you with this.

As said earlier, the most secure way of testing Windows software is with a virtual-machine type of application on a different host OS (e.g. a Linux distro).
 

Copyright ©2002 - 2013, Wilders Security Forums