POC of Terminating Processes

Discussion in 'other anti-malware software' started by MagisDing, Jul 21, 2009.

Thread Status:
Not open for further replies.
  1. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Test methods:
    1. Run one programme, such as notepad.exe, mspaint.exe, SREng, ISword etc.;
    2. Run the test executable and type the title of the former window in the blank;

    Now wait for the result: the running programme crashes.

    Try this POC and check out which HIPS can intercept the behavior (sending an interprocess message flood) and prevent the crash.

    Download it <Snip>
     
    Last edited by a moderator: Jul 23, 2009
  2. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    There is no way I can download from Rapidshare; I don't think I'll ever be able to. Can you please put it on a different host or tell me how I can download it using the free option?
     
  3. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Got past Threatfire at highest settings.
     
  4. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    Nothing crashed with GesWall.
    Geswall simply blocked the messages that test.exe tried to send to the applications.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I can't download it. Can you upload it again? It says the limit of ten times has been reached.
     
  6. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Thanks for testing it.

    Try this link: <snip>
     
    Last edited by a moderator: Jul 23, 2009
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I get this window. What does it mean?
     

    Attached Files: a.jpg
  8. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I get this: (right after this - notepad closes)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    CFP bypassed. Notepad is killed.
     
  10. Quill

    Quill Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    10
    Unable to download:

     
  11. 3xist

    3xist Guest

    Can some one please PM me the program or post a working link here? The above links are dead.

    Cheers
    Josh
     
  12. ypestis

    ypestis Guest

    Well you could use the skill set you advocated against MSMVPS/Donna.
    If you are up to it.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GesWall stopped it.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    <SNIP>
     
    Last edited by a moderator: Jul 23, 2009
  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Malware Defender 2.3.0 beta 1 also fails to control this POC's behavior (Vista SP2).
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    No problem with ZA (ZAAV 9 beta).
    Deny and the test is passed :)
    Attached Files: Capture.JPG
    Fax
     
  17. Quill

    Quill Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    10
    Thanks aigle :)
     
  18. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Is Notepad usable after you deny WerFault.exe? WerFault usually shows up after applications crash... in this instance, notepad.exe.
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    That's odd. I wonder if this is a bug in Outpost firewall. Anyone test Online Armor vs this POC?
     
  20. 3xist

    3xist Guest

    Run a program such as Notepad.
    Then run the test and type the title of Notepad in the box (I believe it's Untitled-Notepad). Hit the first ?? box after.

    CIS for sure doesn't intercept with the default configuration (Internet Security). Proactive Security obviously prevents this too. Interesting to see that CIS does protect itself, however (see screenshot). Notepad froze for a while. :(

    I sent an email to Egemen (lead CIS developer). The CIS team are working on version 4, but let's see what happens.

    Thanks MagisDing for bringing this up. There are obviously other vendors out there that also fail this one.

    Cheers,
    Josh
     
  21. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    Thanks for the instructions Josh - you saved me the trouble of posting a screenie and asking what the hell is going on here :)

    BTW, I have CIS cranked up pretty high as far as protection and alerts go, but I received no alert from CIS, only a Vista one stating that Notepad had stopped working.
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    The POC fails to close Malware Defender's UI as well. It also fails against other window titles ("cmd" for example). Not sure what the common denominator is. It will crash "Sandboxie Control". Sandboxie's protection, however, remains enforced.
     
  23. 3xist

    3xist Guest

    I'm not too sure to be honest; I didn't run this test in a sandbox. Since CIS and Sandboxie aren't designed to work together, different protections or the way Notepad performs behaviour-wise may vary (wild, wild guess). I haven't had any conflicts with CIS and Sandboxie, btw.

    No worries. No alerts from CIS?

    I'm personally running CIS in Proactive Security with Parental Control enabled and Defense+ and Firewall alerts suppressed, Defense+ being in "Clean PC Mode" so my applications currently on the PC can run with zero alerts. (So someone running this way with CIS will just get an error before even executing this test.)

    Anyway, I'll wait for a response from Egemen, or for him to post over at the forums with the default configuration, on whether this is a real threat in the wild or not (malware related).

    EDIT: Saw this: http://forums.comodo.com/leak_testi...do_bypassed-t43061.0.html;msg312464#msg312464

    If I'm right, you and panic (other moderator at Comodo Forums) ran this test, switched to Proactive, typed the title in, pressed enter, and still got no alerts? Or am I wrong? (Proactive stops execution in the first place for me.) But while it's running that's obviously not the case.

    Quite funny. So far, CIS and Malware Defender can PROTECT themselves by protecting their own GUI, but not other applications. This is obviously not a one-vendor issue we are dealing with! :)

    Cheers,
    Josh
     
    Last edited by a moderator: Jul 23, 2009
  24. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    @3xist

    I executed the test while Proactive was running. It then hung Notepad. No alerts.

    Edit: I just ran the test again to make sure - same result - Notepad nerfed, test.exe able to be closed via the second radio button - no alert from CIS, despite everything in ultra-paranoid mode.
     
    Last edited: Jul 23, 2009
  25. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Dynamic Security Agent was the only app to detect it. When I tried again I got the other 2 alerts.

    I've kept DSA because even though there is a lot of overlap with, for e.g., TF, on occasion it does jump in and detect things other stuff doesn't. This being a very good example.

    I also had Threatfire & OA free & Antivir free all running at the same time too.
     

    Attached Files: dsa.png, cant.png, att.png