Wilders Security Forums  

  #1  
October 16th, 2009, 07:04 AM
thanatos_theos
Frequent Poster
Join Date: Apr 2007
Posts: 537
Re: PCT firewall + Leaktests

A bit OT but since we're talking about HIPS...

When you update an application already listed in Computer Security Policy (as Custom) and run it, you get no prompt that the file has changed? I believe CIS doesn't check the MD5 but just remembers the paths. Anyone also noticed this with CIS? What Stem reported might be applicable to CIS also.

Take note that my CIS HIPS is in Safe Mode (old config). When I update, I either turn off CIS HIPS or use install mode. I haven't tested with Paranoid Mode. Do you think the safelist db/trusted certificates have got something to do with this?
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai

Last edited by thanatos_theos : October 16th, 2009 at 07:35 AM.
  #2  
October 16th, 2009, 09:10 AM
metalforlife
Regular Poster
Join Date: Mar 2009
Posts: 96
Re: PCT firewall + Leaktests

Quote:
Originally Posted by thanatos_theos
A bit OT but since we're talking about HIPS...

When you update an application already listed in Computer Security Policy (as Custom) and run it, you get no prompt that the file has changed? I believe CIS doesn't check the MD5 but just remembers the paths. Anyone also noticed this with CIS? What Stem reported might be applicable to CIS also.

Take note that my CIS HIPS is in Safe Mode (old config). When I update, I either turn off CIS HIPS or use install mode. I haven't tested with Paranoid Mode. Do you think the safelist db/trusted certificates have got something to do with this?

The Image Execution Control monitors file changes in CIS. According to the help file (when Image Execution Control is enabled) CIS calculates the hash-value of a file before it loads into the memory. Going by it, file alterations - such as updates - should be detected by D+.
  #3  
October 16th, 2009, 09:40 AM
thanatos_theos
Frequent Poster
Join Date: Apr 2007
Posts: 537
Re: PCT firewall + Leaktests

Quote:
Originally Posted by metalforlife
The Image Execution Control monitors file changes in CIS. According to the help file (when Image Execution Control is enabled) CIS calculates the hash-value of a file before it loads into the memory. Going by it, file alterations - such as updates - should be detected by D+.
Forgot about that. I'll have to check that out when I'm on the rig with CIS. It must depend on the settings set there. Maybe a prompt will appear during update but at those times I have the HIPS disabled or in install mode. Will try with HIPS on, next time. I turn on the HIPS after the update, run the updated program, and I get no prompts, unfortunately.

As a test, turn on install mode or turn off HIPS, update your Realtek HD Audio. After startup, turn on HIPS and click the Realtek systray icon. CIS should prompt you that RTHDCPL.exe has changed, right? *I didn't try this yet*
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai

Last edited by thanatos_theos : October 16th, 2009 at 09:54 AM.
  #4  
October 16th, 2009, 10:18 AM
metalforlife
Regular Poster
Join Date: Mar 2009
Posts: 96
Re: PCT firewall + Leaktests

Quote:
Originally Posted by thanatos_theos
Forgot about that. I'll have to check that out when I'm on the rig with CIS. It must depend on the settings set there. Maybe a prompt will appear during update but at those times I have the HIPS disabled or in install mode. Will try with HIPS on, next time. I turn on the HIPS after the update, run the updated program, and I get no prompts, unfortunately.

As a test, turn on install mode or turn off HIPS, update your Realtek HD Audio. After startup, turn on HIPS and click the Realtek systray icon. CIS should prompt you that RTHDCPL.exe has changed, right? *I didn't try this yet*

There was a discussion on this somewhere on the COMODO forums. I had read it, but don't recollect much of what was said there. But I do remember - vaguely though - the chief developer of CIS (egemen) stating that CIS does not verify hashes of executables which are modified by the user himself, or something of the like.

You can search for threads on topics related to this in the COMODO forums.
  #5  
October 16th, 2009, 10:25 AM
thanatos_theos
Frequent Poster
Join Date: Apr 2007
Posts: 537
Re: PCT firewall + Leaktests

I guess that was intended to make CIS user friendly and lessen alerts. Well, I think CIS will alert the user anyway if ever some malprocess tries to change/hijack/infect/tamper with an application or its integrity.
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai
  #6  
October 16th, 2009, 11:53 AM
aigle
Incredibly Massive Poster
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,431
Re: PCT firewall + Leaktests

As far as I know, CIS doesn't check for hashes, as it has real-time file defence. The same is true of MD.
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #7  
October 16th, 2009, 06:06 PM
thanatos_theos
Frequent Poster
Join Date: Apr 2007
Posts: 537
Re: CIS + MD5

Thank you aigle.

I just skimmed their forums and read that Image Execution depends on the extensions set and only checks for hashes in 'real-time'. But it disregards those found in/matching those in the safelist db. Maybe in the future they can do that on-demand, on next execution of the updated file or during start-up. I think this on-demand hash scan (for new exes) occurs at start-up when using Clean PC mode.
__________________
"O miserable shadow clad in darkness! Hurting and disdaining people, a karmic soul drowning in sin... Would you try dying for once?" - Enma Ai

Last edited by thanatos_theos : October 16th, 2009 at 06:13 PM.
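
The distinction debated in this thread, as an added example that is not part of any post and is not Comodo's code: a rule keyed on the file path alone keeps applying after the file is replaced, while a rule that also records a digest notices the change unless the new digest is on a trusted safelist. The function names, the `app.exe` stand-in, the verdict strings and the use of SHA-256 in place of the MD5 mentioned above are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of the file's bytes (the thread mentions MD5; SHA-256 is used here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def path_only_decision(policy, path):
    """Rule keyed on the path alone: a replaced file inherits the old rule."""
    return "allow" if os.path.normcase(path) in policy else "prompt"

def hash_aware_decision(policy, safelist, path):
    """Rule keyed on path plus recorded digest, with a trusted-digest safelist."""
    digest = file_digest(path)
    if digest in safelist:
        return "allow (safelisted)"
    recorded = policy.get(os.path.normcase(path))
    if recorded is None:
        return "prompt (unknown file)"
    return "allow" if recorded == digest else "prompt (file changed)"

def demo():
    """Constructed scenario: an application is updated while monitoring is off."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")  # constructed stand-in, not a real binary
        with open(exe, "wb") as f:
            f.write(b"version 1")
        policy = {os.path.normcase(exe): file_digest(exe)}  # rule created for v1
        with open(exe, "wb") as f:
            f.write(b"version 2")  # the update, made with no monitor watching
        results["path_only"] = path_only_decision(policy, exe)
        results["hash_aware"] = hash_aware_decision(policy, set(), exe)
        safelist = {file_digest(exe)}  # assume the v2 digest is on a trusted list
        results["safelisted"] = hash_aware_decision(policy, safelist, exe)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```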
 

All times are GMT -4.