CIS v5- detection of hidden rootkit process seems good!

I just wanted to try the ability of CIS built-in TasK Manager to detect hidden rootkit processes. It,s not a test as I don,t have samples. Just found out phide_ex.exe rootkit. It,s a load of BSODs but after multiple tries I managed to run it in a vmware player session without any BSOD.

TaskManager of CIS detected it ( hidden process) very well. Hidden process is also dectected by Gmer but not ProcessExplorer.

Just wanted to share it. It was better if they could label the process hidden as well.

 

The process in Comodo seems to have a little shadow, no? that means that the process is hide.

 

No, it's a simple "overlay" because it's the selected item.
You may think Comodo is strong, but please don't get over-enthusiastic.

 

Yes, exactly right. BTW that process was a keylogger and was also a bit hidden, I mean it was hidden from Windows Task Manager but not from Process Explorer. However the rootkit process pgide_ex.exe was hidden from Process Explorer and only detected by ARKs like RoorRepeal, Gmer etc.]

It was a pleasant surprise for me indeed.
This version of Comodo is best version ever IMO. I havn,t seen a major bypass with it so far.

I don,t have time otherwise I would love to post screenshots that how CIS v 5 HIPS and sandbox handle Conficker worm, both at default level and at max settings level. It was really excellent. May be I will post about it later some day when I am free.

I was not happy how Defence Plus used to handle Conficker in the past.

 

Maybe you get over-enthusiastic with this kind of things but sorry I dont.

 

Do you mean Defense+ in 4 versions ? And do you mean Defense+ only or with sandbox ?

I mean: don't using the sandbox, Defense+ in 4v protected from Conficker less than 5v ?

 

The pop up alerts of Defence Plus in v3 were not so good. I made a long thread about it that time. I did not test v4. Version 5 RC was same, so I posted this as a bug and it was fixed after I provided sample to egemen.

 

Thank for your answer aigle.

 

And just tried another one, historical Hacker Defender.

Good work by CIS.

 

The thing I don't get is they give you a Sandbox, then with the leak test to get the best results, best security you turn off the sandbox, LOL...

 

I was just curious to know if it can detect a hidden rookit process or not. There was no way to do this without installing a rootkit first and that means one has to disable CIS. If there is any other way to do this, let me know.

 

You should find a kernel rootkit that you could install in the kernel ans disable: then you had to install CIS and after the installation enable the hidden rootkit. I don't know where you could find a rootkit like this.

 

Thats not true I did leaktest with sandbox enabled and gave me 340/340.

 

Hmm.. sorry as I did not get your point. You think hacker defender and phide_ex are not kernel mode?

 

Sorry, I already woke up when I posted, I misunderstood your post.

 

That's fine.