Some test ;)

Original thread:https://forums.comodo.com/leak_testingattacksvulnerability_research/some_tests-t38189.0.html

Try your HIPS

 

Sorry,

All Chinese to me, can't find download link. Please state which tests Comodo failed

 

Here is the direct download link <link removed>
Comodo almost failed to pass all of them(process is terminated,mouse is locked),but I think the protection was not penetrated.

 

GeSWall results

HTAAA stopped with HTAAA showing error messages unreadable characters
HTAAAB causes a massive amount of logs, tries to access all resident software, services or something, nothing happening
HTAAC isolated without something happening
Stop2 isolated without something happening, Risings PC doctor icon disappears and can't be restarted (via programs)
Stop was also isolated according the logs, was denied access to explorer, but hung the system (so this could be the explorer stop)

I see you describtions are about right, but not exactly in the Comodo forum, did you really test it?

PM Ilya of DefenseWall, he will be intrested in this/

 

Yeah， I‘ve tested them with GW, however, HTAAC (start with isolated) kills the exprlorer.exe....
Stop.exe lock the mouse without any LOG....

 

I wonder what results will reach DW in these tests.

 

The only problem test for DW is the "stop2". I fixed it up, will be released with the next, 2.54 version.

 

Great news! Thanks a lot Ilya

 

The download via rapidshare link posted in Comodo board isn't possible anymore - download limit (10) reached.

 

Have you contacted GW and sent them any samples?

 

Just on one of your comments. I like Sandboxie and regarding the blacklisting,Drive Sentry has this,kinda a reason I'm thinking about trying drivesentry,but haven't really seen many people running it

 

Doesn't this all boil down to don't install anything unless you know and trust the site it is coming from? If you run everything as trusted in DefenseWall or answer Yes to all pop-ups from a classical HIPS without knowing what you are installing, I don't know of any application, other than image backup / restore, than can protect you.

 

True, but if you know what you are installing and trust where it came from you won't have a problem. Users who will install anything without investigation should probably be using a suite that makes decisions for them or have someone else more knowledgeable determine what to install.

 

Not yet since I don't know how to submit those samples.....ashamed
So far as I know, CIS pop-ups but can't intercept the behaviors(both locking mouse and terminating processes) actually though the programmes don't penetrate the protection even they are malicious indeed.
BTW:except for stop2.exe, S3（netchina)，MD，DW seem like they can block the other behaviors correctly.

 

SSJ100,

You did not fully grasp the concept of policy management.

Idea behind is

a) you do not care which program runs on your system, because exectuables AND files originating from untrusted sources are kept in a safe containment

b) you do not care where those files and programs are, because the sandbox is completely transparent, let them harmlessly reside between your trusted files and programs, they are paralissed anyway (see 1)

c) when you do want to install something explicitely and with your full awareness and agreement, THEN, you have to set the status to trusted. From then on you will give them the full rights of the current user.

So a policy sandbox is a kind of resversed HIPS: it does not bother you with pop-ups for known or unknown programs, for legitemate or malicious actions, it only requires 1 action (set to trusted) when you want to install it.

Regards Kees

 

Has this been repeated and confirmed?
Is tzuk aware ?

 

Hi,

Someone could test the defensive behavior of System Shield usec.at: http://www.usec.at/ushields.html in these cases?

Thanks, PROROOTECT

 

Tzuk, Ilya, Xiaolin are the one man band eager beavers, so I should not worry about it very much.

 

Helas SSJ, can't help you with this

As said earlier the most secure way of testing windows software is with Virtual Machine type of application on a different host OS (e.g. linux distro).

 

If you are not sure, you always can install the software as untrusted.

 

On XP SP2 with GesWall:

1- htaaa.exe - No effects, even on running it as trusted
2- htaab.exe- explorer killed
3- htaac.exe- explorer killed
4- stop.exe- mouse not working, unsuabel system
5- stop2.exe- mouse frozen, system unusable
Interseting POC.

 

Can anyone try:

ProSecurity
Malware Defender
EQS
OA

Thanks

 

What is the danger here ?cos i get the same with 2 instances of photoshop .
I understand that a classic HIPs should gave some warnings but regarding Geswall,sandboxie personally i'm not concerned about the results.

Just my opinion of course

 

Those are the same as what I get

Well, someone has tried POC with EQS and MD,I will upload the results later.

 

OK, so: have I got this right:
Run these exploits in the default sandbox: it appears to execute with effect; then, delete sandbox, reboot and any changes are gone
??
If so, then is there a failure/bypass in sandboxie ??
Going on the thread @sandboxie forums, there is some problem.
Memory usage, freezes while in the sandbox.
If mouse freezes, how to run sandboxie to delete ?, not sure what effect a reboot might have in that circumstance ??
I feel there might be some element of fanboi-ism at sandboxie forum: " there is no issue here" stuff ??
Help please.