CIS 6.1.x.x Releases!

Discussion in 'other anti-malware software' started by guest, Apr 17, 2013.

Thread Status:
Not open for further replies.
  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I just hope that the developers are a little more serious than some of the Mods on the Comodo forum. A few weeks ago we detected a few novel Zeroaccess rootkits. These samples when run spawned Control which resided in the Recycle bin as well as co-opting legitimate system files in order to get out of the local system undetected. These samples were of the Click-Fraud variety.

    When the samples were run on a test system, they bypassed CIS even under Paranoid Mode. The trojan took up residence in the Bin, and a network sniffer showed svchost constantly connecting to various sites, doing what the malware developers intended. Needless to say, as this particular svchost was subverted, no firewall alert was forthcoming, and as svchost is System (even when subverted) it will load on every startup and do what it does.

    I was troubled by the lack of any substantive concern at Comodo after I supplied the samples to them, but did get a chuckle at a Mod's response of "It was able to drop some files in the recycle bin but the rootkit never runs in memory and isn't allowed to create a registry key to run at boot so the files are sitting there harmless".

    Hopefully the developers are a tad more thorough in their forensics.
     
  2. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Well, that's just them - it takes quite some time to "fix" problems.
     
  3. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Did you check the registry key?

    CLSID o_O

    http://camas.comodo.com/cgi-bin/sub...c9e083b0839461f9d4adf16225279b9688b9f1367d36d
     
  4. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    Did you set all the settings to highest and detection to highest, choose both HIPS and behavior blocker, and use proactive protection? Also, did you set sandbox to untrusted or block? Did you follow the tips on how to strengthen it and then test it? When you do all these, then I suggest you test again.

    YOU HAVE TO MAXIMIZE THE PROTECTION. DEFAULT IS NOT GOOD.

    With these maximum settings I have not yet found any malware able to pass CIS-6 in my tests, especially if it is set to "BLOCK" mode. To make sure the protection and firewall are set right, try using Comodo leak test and other leak tests to see a 100% result, which means you are set.
     
  5. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    The irony in this statement is quite incredible.
    CIS 6 is apparently designed so that the HIPS is not required, and yet this test just proves it is.

    I'm sorry, my view on this version darkens the more I see of it. I distinctly remember that the Comodo moderator by the name of languy99, who is also a YouTube tester, insists on testing at default.

    Should the paranoid setting not detect these malwares?

    It seems comodo v6 at default settings simply does not cut the mustard.
     
  6. Circe

    Circe Registered Member

    Joined:
    May 10, 2011
    Posts:
    144
    Location:
    Cheshire, England
    +1 Chiron's set up & guide is excellent. http://www.techsupportalert.com/content/how-install-comodo-firewall.htm
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    It's not uncommon that default settings for security software do not provide optimal protection. Often the vendor decides on a compromise between security and usability. By "usability" I mean reducing the need for user input, which also reduces the effectiveness of the product. Both HIPS (Defense+) and the Behavior Blocker (auto-sandbox) are OFF by default in the CIS v6 firewall. Those of us that know better just need to go in and turn ON the additional features, understanding that we will receive more alerts and have to make more decisions.
     
  8. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    716
    Location:
    UK
    This post really concerns me. Is it true that Comodo doesn't notify about cmd.exe etc.? I'd assume it would notify if another process was trying to interfere with said trusted processes?
     
  9. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Those processes could be added to the protected files and folders.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Just to be clear, by default HIPS is not ON at all. When you first enable it, it will be in SAFE mode and it definitely gives alerts. I have it in SAFE mode and I regularly get alerts, typically when programs want to update. I can't say more specifically, though, how Defense+ protects trusted processes in SAFE mode.
     
  11. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Don't you do an install with Proactive Defense enabled? I do. And if I recall correctly Hips was enabled.

    Not if the Parent process is trusted as well, like explorer.exe. There's a thread over at Comodo Forums...

    http://forums.comodo.com/news-annou...lware-delete-digital-signatures-t92017.0.html

    where a malicious file bypassed the Behavior Blocker in partially, limited, restricted, and untrusted. It then injected code into explorer.exe and off it went doing its misdeeds. It could have easily called cmd.exe, msiexec.exe, rundll32.exe, or regsvr32.exe and you would not have received a notification.

    In my long struggle with CIS I tried totally disabling trusted vendors, put Hips on Paranoid, made rules for cmd.exe, msiexec.exe, rundll32.exe, and regsvr32.exe (from both System32 and SysWOW64 folders) and still no Hips notifications for those processes.

    Try this, with Hips in Safe Mode, trusted vendors enabled, go down and change explorer.exe to Custom Rules. Your first Hips popup about explorer.exe that you allow will change all the subsettings of your Custom Rules from ask to allow.

    I never could get CIS to act in a manner I wished with reference to how a true Hips should perform. I eventually just gave up trying. It's just too flawed. I've been told that way older versions actually could be configured to alert on these vulnerable Microsoft processes but no longer. I tried CIS 5.12, the one compatible with Win 8, and in my opinion it's better than the 6 version but I could not get it to alert on these vulnerable MS processes.

    Later...
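    Two behaviours described in this thread lend themselves to a simple process-lineage check: cruelsister's sample took up residence in the Recycle Bin and worked through svchost, and Trespasser's example above has code injected into explorer.exe go on to call cmd.exe, msiexec.exe, rundll32.exe or regsvr32.exe. The script below is an added example, not code from the thread or from Comodo; it runs three heuristics over constructed process-creation events (the paths, SID and file names are made up, not indicators from any real sample) and reports which events look wrong. The caveat is the one cruelsister ran into: code injected into an already-running, legitimately started svchost.exe or explorer.exe leaves the process tree looking clean, which is why a network sniffer, not process lineage, is what exposed the connections. Lineage checks catch the mispositioned cases only; the network side needs its own feed.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Constructed process-creation events (pid|image|parent_image|command_line).
# Paths, the SID and file names are invented for this example; they are not IoCs.
SAMPLE_EVENTS = r"""
# pid|image|parent_image|command_line
1001|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|svchost.exe -k netsvcs
1002|C:\$Recycle.Bin\S-1-5-21-0-0-0-1000\$deadbeef\dropped.exe|C:\Windows\explorer.exe|dropped.exe
1003|C:\Windows\System32\svchost.exe|C:\$Recycle.Bin\S-1-5-21-0-0-0-1000\$deadbeef\dropped.exe|svchost.exe -k netsvcs
1004|C:\Windows\System32\cmd.exe|C:\Windows\explorer.exe|cmd.exe /c regsvr32.exe /s C:\$Recycle.Bin\S-1-5-21-0-0-0-1000\$deadbeef\payload.dll
1005|C:\Windows\System32\cmd.exe|C:\Windows\explorer.exe|cmd.exe
"""

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The four Microsoft binaries the thread says CIS would not alert on.
LOLBINS = {"cmd.exe", "msiexec.exe", "rundll32.exe", "regsvr32.exe"}
RECYCLE_MARKER = "\\$recycle.bin\\"


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the pipe-delimited sample format; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, image, parent, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), image, parent, cmdline))
    return events


def _base(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that trips one of three heuristics."""
    findings = []
    for ev in events:
        img, parent = _base(ev.image), _base(ev.parent_image)

        # 1. Nothing legitimate installs itself into the Recycle Bin, so any
        #    image running from there is worth a look.
        if RECYCLE_MARKER in ev.image.lower():
            findings.append((ev.pid, "executable running from $Recycle.Bin"))

        # 2. A genuine svchost.exe lives in System32/SysWOW64 and is started by
        #    services.exe; any other parent or location is suspicious.
        if img == "svchost.exe":
            if parent != "services.exe":
                findings.append((ev.pid, f"svchost.exe started by {parent}, not services.exe"))
            if _dir(ev.image) not in SYSTEM_DIRS:
                findings.append((ev.pid, "svchost.exe outside System32/SysWOW64"))

        # 3. explorer.exe launching cmd.exe is everyday user activity, so the
        #    LOLBins are only flagged when their command line points into the Bin.
        if img in LOLBINS and parent == "explorer.exe" and RECYCLE_MARKER in ev.cmdline.lower():
            findings.append((ev.pid, f"{img} from explorer.exe with a $Recycle.Bin argument"))
    return findings


def run_sample() -> List[Tuple[int, str]]:
    """Run the heuristics over the constructed events; used by the demo below."""
    return triage(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for pid, reason in run_sample():
        print(f"PID {pid}: {reason}")
```

    On the sample data, events 1002, 1003 and 1004 are reported and the two clean ones (the normal svchost under services.exe and a plain cmd.exe opened from explorer.exe) are not. The third rule is deliberately narrow: alerting on every cmd.exe spawned by explorer.exe is the kind of popup flood the thread complains about, so it keys on the Recycle Bin argument instead.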
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    1) In v6, HIPS is always off, no matter which config you are running. You have to manually enable it.
    2) Regarding popups problem...did you try to:
    a) disable cloud checking
    b) add them to the protected files?
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well, here I go again. With the complete absence of what some considered the most configurable and feather-lite but iron-strong classical HIPS, as in EqSysecure and System Safety Monitor (& perhaps MD), I'm having another go with Comodo FW/D+. I simply cannot shake off the complete satisfaction realized with HIPS when confronted with the unknowns factor.

    Those minute few developers who introduced this unconventional, different method of intercepting badware deserve nothing less than complete respect and admiration for making it such a huge success that most all the big AV players now include it within their own security products.

    Comodo is no exception. I just wish they could fine-tune it to a point where accessing the rules and settings were much more fluid and snappier than the drag delay you experience when moving about in those settings. A GUI issue is very evident in this newest release 6.1 from what my experience has been so far.

    Still, it's a vital security agent which complements very well other security apps, provided they are reasonably compatible working in combo together.

    With very few if indeed any other alternatives as has to do with a single configurable HIPS program, looks like this one is the only one of it's like on the shelf.

    Like I mentioned a few posts ago, I just hope they get around finally to "trimming the fat" and thus make it a lot lighter as well as quicker. It has a tendency to "float" and "delay" on alerts, and that's enough milliseconds in my opinion for rapid-acting droppers or viruses to outrun its protection range.

    Any thoughts? Additional opinions? Suggestions?

    Regards Easter
     
  14. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I wonder what is better.. CIS 5 vs CIS 6 :/
     
  15. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I would advise to use 6 unless there are problems with it on your PC.
     
  16. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Since I'm in an experimenting mood, siketa, I'll try your two suggestions here shortly, but I'll have to uninstall ERP first since the two of them cannot coexist (be running at the same time). I'll check that Hips being either on or off after choosing Proactive Defense during the install.

    Later...
     
  17. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    They are both solid programs.
    Personally I prefer v5 for the pure ease of use and configurability.

    Version 6 simply has stuff I don't need.
     
  18. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    I'm sorry, siketa, but that statement is just not true. I just did an install of CIS 6.1 (the latest), chose Maximum Proactive Defense, and after the install Hips was enabled (just as I thought). If you choose the default settings during install then possibly Hips might not be enabled, but I always choose Maximum Proactive Defense.

    OK, I've applied your two suggestions but I'll give them some time to see if they produce the desired alerts on cmd.exe, msiexec.exe, regsvr32.exe, and rundll32.exe. So far, nothing.

    Later...
     
  19. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    From my experience, if you leave it on the default "internet security" setting, HIPS is indeed disabled. But if you change it to the "proactive security" setting, HIPS is then enabled.
     
  20. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Yes, you guys are right...my bad.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Well, don't feel too bad. I've installed the v6 Firewall only, and that doesn't offer a Proactive Defense option during installation, IIRC. Is there a custom install that offers additional choices?
     
  22. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Does the v6 firewall only come with kiosk and all that jazz, or can the firewall alone be installed?

    Thanks.
     
  23. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    No point in adding cmd.exe, msiexec.exe, regsvr32.exe, or rundll32.exe to Protected Files because under Protected Files there's a folder named Executables which includes an entry labeled *.exe that would cover all files with the extension exe. In other words, all ".exe" files are already supposed to be protected.

    Later...
     
  24. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    I'm not sure about during installation, but I believe you can change to the "proactive" setting after the firewall is installed. Under "Advanced Tasks," you can go to "Configuration," and you should be able to change it there. It requires a reboot when the change is made.
     
  25. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    As the old saying goes..."One man's poison is another man's pie". I can't really fault you CIS believers, you like what you like, but for me it's useless from a security standpoint. I perceive too many holes in it to take it seriously.

    Enough said.

    Later...
     