Downadup/ Conficker worm versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jan 19, 2009.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This is a "just-posted" beta. Beta 17 only showed an execution alert and, if allowed, the computer was infected.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Where can I get it from?

    Thanks
     
  3. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Yes sir it did ;)
     

    Attached files: 1.jpg, 29.jpg
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    At the moment I think there are only 2 options:

    1.) to ask Mike to provide you a link
    2.) to join OA betateam

    But I guess the new release is coming soon (the public beta released some time ago is a sign). It also may happen that Mike will post another public beta.

    I'd like to provide you with the link, but I'm not sure I'm authorized to.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, thanks for the replies. I have analyzed it more and it's very interesting. The OA people have intercepted it cleverly now so that the user will not be fooled. Actually, once the malicious DLL (.vmx) is executed, you can see that all malicious activities are done by svchost.exe, which is a legit Windows process.

    Attached files: 11.jpg, 22.jpg, 33.jpg, 44.jpg, 55.jpg
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Now the question is who forces a legit application, svchost.exe, to do all this. I am not an expert, but the obvious reason is that it is done by the malicious jwgkvsq.vmx via rundll32.exe. Now CFP just intercepts it as an action by rundll32.exe, which one will not guess to be malicious (rundll32.exe accessing svchost.exe in memory).
    While OA, being clever, clearly tells the user that it is in fact being done by jwgkvsq.vmx (jwgkvsq.vmx accessing svchost.exe in memory). :thumb:

    Attached files: 1.jpg, 12.gif, 14.gif
     
    Last edited: Jan 21, 2009
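An added example, not code from OA, CFP or any product mentioned in the thread, of the attribution aigle describes in the two posts above: a small Python pass over constructed HIPS-style alert lines that names the DLL hosted by rundll32.exe instead of rundll32.exe itself, and carries that name forward to whatever the accessed svchost.exe does afterwards (the System Restore writes and registry changes later posts mention). The alert format, PIDs, paths and the DLL entry point name are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed HIPS-style alerts: "<pid> <image> [<command line>] | <action> | <target>".
# Paths, PIDs and the DLL entry point name are placeholders, not real values.
SAMPLE_ALERTS = [
    "1840 rundll32.exe [rundll32.exe C:\\RECYCLER\\EXAMPLE\\jwgkvsq.vmx,ExampleEntry] | open_process_memory | svchost.exe:1024",
    "1024 svchost.exe [svchost.exe -k netsvcs] | file_write | C:\\System Volume Information\\_restore\\example.tmp",
    "1024 svchost.exe [svchost.exe -k netsvcs] | registry_write | HKLM\\SYSTEM\\CurrentControlSet\\Services\\Example",
    "1488 rundll32.exe [rundll32.exe shell32.dll,Control_RunDLL] | file_write | C:\\Users\\example\\desktop.ini",
]

LINE_RE = re.compile(r"^(\d+) (\S+) \[(.*?)\] \| (\w+) \| (.+)$")

def hosted_module(image: str, cmdline: str) -> Optional[str]:
    """rundll32.exe runs code that is not its own: name the DLL on its command line."""
    if image.lower() != "rundll32.exe":
        return None
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    # "C:\dir\lib.dll,Entry" -> "lib.dll": drop the entry point, then the directory
    dll = parts[1].split(",", 1)[0].strip('"')
    return dll.rsplit("\\", 1)[-1]

def attribute(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (responsible module, action, target) for each alert line.

    A naive alert names the image (rundll32.exe, svchost.exe). Here rundll32.exe
    is replaced by its hosted DLL, and a process whose memory that DLL opened
    inherits the attribution for everything it does afterwards.
    """
    tainted: Dict[str, str] = {}  # "image:pid" -> module that opened its memory
    out: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the alert format
        pid, image, cmdline, action, target = m.groups()
        who = tainted.get(f"{image}:{pid}") or hosted_module(image, cmdline) or image
        if action == "open_process_memory":
            tainted[target] = who  # later actions of the target trace back to `who`
        out.append((who, action, target))
    return out

if __name__ == "__main__":
    for who, action, target in attribute(SAMPLE_ALERTS):
        print(f"{who:>14} {action:<20} {target}")
```

Run as a script it prints one line per alert; the first three are attributed to jwgkvsq.vmx, while the benign Control Panel call stays attributed to shell32.dll.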
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So it's a closed beta. Ok, I will wait for the public release. :)

    Thanks
     
  8. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    I'd definitely give this round to OA. I hope the new version fixes some of the bugs.
     
  9. tlu

    tlu Guest

    You're assuming correctly, provided that the default permissions aren't tampered with - see this post.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Malware Defender has the same problem as CFP. :mad:
     

    Attached files: 1.jpg
  11. tlu

    tlu Guest

    Do you use XP Pro or Home? If the Home version, have you made sure that SRP works by applying pcwXPProme? (See also this post.)
     
  12. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    I am on Win Vista Business edition. Group policies are at their maximum capabilities and even further developed than on XP Pro.
     
  13. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Yes my friend, but we are escaping the subject... let's revise.

    We popped a thumb drive in a computed environment and we got a warning that a .dll was auto-executed and it tries to modify legitimate processes of your OS... now that's just not right, is it? :D

    What I am trying to say is that HIPS is not there to tell you what to do, it's there to tell you what the malware does so YOU can decide what you should do.

    At the end of the day, the decision is still up to the user. E.g. if you run on Vista, you are immune to that threat, but if you decide to give elevated privilege to a file that ran itself, oh well :D nothing else will save you, I'll tell you that :D

    OA does that because it overall has a marketing goal contrary to classical HIPS, thus it uses that great whitelisting database and makes its warnings a little bit more self-explanatory for the average user.
    Cheers
    P.S. This is one of the few such informative threads I've seen for a while!
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm... only OA's alert is good. Others alert about rundll32 accessing svchost.exe; both are legit, so why would one stop it? In fact, when you are using a HIPS, you will make a permanent allow rule for this behavior very soon after you get this alert a few times on benign, legit activities.

    OA was the same as the others, but just after they came to know about it, they added a way to intercept it in a better way. I want at least the same from the others (CFP, MD etc.) but I am not sure if I can convince them. :mad:
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Gents,

    The new OA beta also protects against raw disk access. I have not used OA for quite a while; I can remember I needed the Run Safer option to be protected against raw disk access.

    Aigle,

    Thanks for these kinds of posts. :thumb: :thumb: :thumb:

    and chris2busy for being not too busy (and able to participate :thumb: )
     
  16. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    My bad, I meant that rundll32 tried to execute an unknown file (see pic)... but even if you didn't, you still see svchost.exe writing files to sys restore and modifying a bunch of registry entries.

    To be honest I didn't use OA before version 2.x.x so I cannot comment on that, but at its current state it sure is one of the most friendly HIPS out there!
    Maybe you should ask xiaolin first; from his posts I see that he pays a lot of attention to what his customers think :)
     

    Attached files: 1.jpg
  17. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Enjoyed being a part of it mate :) cheers

    P.S: do not watch that movie in the taskbar >.> it was awful
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What is a real mystery to me is that OA intercepts intrusions of programs being kept in a policy sandbox of GeSWall. Most other security programs do not notice these interceptions because GeSWall contains them first.

    Only OA throws pop-ups.

    From a security point of view this is a real benefit of OA; for me, I kind of dislike it. The whole idea behind policy HIPS/sandboxes is that they are quiet. Now when you use MD together with DW or GW, it works perfectly.


    Cheers
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That is exactly what I have ;)
     
  20. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    How would the CIS beta handle the request, I wonder? I assume rundll is likely in the whitelist, so would the malicious process ever be seen?
     
  21. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,166
    Location:
    PA
    Now that Comodo prompt looks better. :thumb:
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    My screenshots are with latest beta.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anybody test :

    - PS
    - DW
    - PRSC &
    - Mamutu

    Thanks
     
  24. Reimer

    Reimer Registered Member

    Joined:
    Apr 6, 2008
    Posts:
    217
    Could you elaborate on this?

    I thought that with SRP, all folders except C:\Windows and C:\Program Files are prevented from executing programs. I know that things like browser cache are stored in the user account folder in Documents and Settings, so they're typically safe.

    Although I could swear seeing the Recycler folder before, I can't seem to find it at the moment.
     
  25. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    It shouldn't be that hard to convince them, since messages like "rundll32 is trying to..." or "svchost.exe is trying to..." are quite useless for making reasonable decisions. I really was wondering how all the "experts" do that. I even had a vain look into CIS's process manager to see if there was more information about those processes. So I'm glad to see that I'm not the only one with that problem. :D Has anyone talked about this in the Comodo Forum or added it to the wishlist?
     