Rogue slips right through Comodo!

Discussion in 'other anti-malware software' started by hamzah95, Jul 28, 2009.

Thread Status:
Not open for further replies.
  1. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Are you serious with that kind of response? Nobody forced you to try it. Besides, it's a rogue, not some crazy file infector or MBR rootkit; a simple scan with MBAM SHOULD get rid of it.
     
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    As long as you don't get taken in by its impressive GUI and decide to pay for it, you should be just fine. ;)
     
  3. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    Don't worry lol. All I'm afraid of is that if Comodo keeps on doing this, I'll get owned by malware.
     
  5. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    These rogues are a massive issue at the moment, especially the ones which aren't actually malware at all, just scamware. The difficulty IMO is for HIPS to provide meaningful alerts that average users will understand for these non-malicious rogues. :doubt:
     
  6. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I restarted my PC into normal mode without any shadow mode
    I disabled NOD32
    then played with malware :doubt: Sure you'll get owned... :eek:
     
  7. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Tried this against Zemana AntiLogger first - it sailed right by and started running (Zemana failed).
    Then ran it against Prevx 3.0. Prevx allowed the download but detected it as soon as I scanned it or tried to open it.
     
  8. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    I checked the Defense+ events log and xpdeluxe installed a hook called msctf.dll. I uploaded it to VirusTotal, and no AV detects it. o_O :eek: :'( :mad: :doubt:
    Should I manually delete it?
     
  9. thathagat

    thathagat Guest

    Yup, Zemana does nothing.

    I think Prevx scans only on execution, not in real time.
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    This post is all about how it got through Comodo... so your post should be more like "this is why I don't use traditional signature-based AV".

    Heuristic/behavioral AV analysis is still the best out there.
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    When Prevx alerted did it stop the rogue from running? Or does Prevx allow the rogue to run and just notify that it is on the system?
     
  12. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Prevx detects and blocks / prevents it running and/or installing.

    I have emailed Zemana to notify them this rogue evades detection.

    Puss
     
  13. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Prevx stopped it from running. Downloaded the .exe and scanned it from right click > Scan with Prevx, then rebooted (using Shadow Defender), then downloaded the .exe again and tried to run it. Both times Prevx popped up the same 'cloaked malware' alert as in my screenshot. Clicked 'Cleanup Now' and Prevx wiped it off the desktop. Never gave it a chance to run. :thumb:

    Will see if I can find time to try it against GeSWall later

    Edit: Puss posted while I was typing - will have to learn to type faster
     
  14. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    Well, this could have the same system impact (registry modification) as installing CCleaner, for example, so I'm not sure what Zemana should detect.
    This is the job of a traditional antimalware application to detect it, IMO.
    As pointed out by andyman, this is quite a challenge as it doesn't seem to exhibit traditional malware behaviour (strictly from a registry impact/modification point of view). It's a GUI meant to trick average users.
     
  15. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    Again, should I manually delete it?
     
  18. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    I just tried it against Mamutu - it installed and ran undetected.

    Hitman Pro detects it and removes it.
     
  19. thathagat

    thathagat Guest

    Well hamzah95, run a scan with MBAM/SAS or both and see if they detect it. You have a2 Free in your sig; scan with it too if you want. If all report clean, relax and go to sleep.... but don't try this experiment of yours with Virut/Sality.
     
  20. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    OK guys. The people at the Comodo forums helped me figure this out. I was running in Proactive mode updated, which means I changed some settings, so if I go to the default Proactive Security mode, I get execution alerts and so on.
     
  21. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Have now tried this against GeSWall free. :thumbd:
    Just managed to get a screenshot as the policy notifications were fading in the first shot - note the deny messages at the bottom.
    This rogue ran as though there was nothing there to stop it.
    Would like to see a full-time GeSWall user try it, as I may have made a mistake. :doubt:
    Also ran this rogue with Executable Lockdown on - it stopped it dead, as you would expect it to.
     

    Attached Files: gw#1.JPG, gw2.JPG
  22. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    That's it! I'm going back to Sandboxie!
    Ice
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Could anyone PM me the exe they have, as it may be a morph?

    MBAM hits the installer I have.
    Sandboxie contains and deletes it, no probs.

    SB.JPG
     
  24. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    Lol. Probably no one read my post or that of andyman35 to figure out what this is :). So all you guys disappointed with your HIPS, behaviour blocker, or whatever, please think again.
    This program doesn't do anything malicious against the system; unless HIPS adds OCR technology :) (sounds S.F., I know) you won't be properly notified. It's the job of antimalware products, or antispyware products, to detect this.
     
  25. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    With the free version, pretty sure it doesn't terminate malware; you go into the program and manually terminate the "isolated session" or whatever it's called (I think), but all those deny messages probably meant denied from writing to the actual system or something.

    And to all the people saying BBs and Zemana won't block it, well, what do you expect lol, a rogue program that does nothing malicious. BBs aren't there to alert you whenever a program installs (which is all this rogue does really), and neither is Zemana designed for this; they detect malicious actions (which there weren't any). Only HIPS will, and blacklist signatures, and of course sandboxing; those are the only ways to catch a rogue that isn't bundled with malware.
     