bypass Online Armor Firewall

Discussion in 'other anti-malware software' started by a256886572008, Jul 16, 2010.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
  2. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    defensewall hips logs:

    07.16.2010 18:21:00, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to rename file C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe (File )

    07.16.2010 18:21:00, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to set value PendingFileRenameOperations within the key HKLM\SYSTEM\ControlSet001\Control\Session Manager\ (Registry)

    07.16.2010 18:20:57, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to add new printer provider (Spooler)
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Did you report it to OA tech support as well?
     
  4. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    What's the alert? Execution?

    Anyway, if you block the autorun warning, TDL3 won't infect the driver(s).

    ...which is correct, it loads/infects the driver through spooler.

    Why does that matter if in the end it warns about suspicious action (red popup), i.e. a definitive intercept point of malicious behavior?
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    To avoid this problem just disable spoolsv (the Print Spooler service) ;) :)
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Actually to avoid the problem just don't allow it to run in the first place.
     
  7. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    131
    From Alex, developer of OA:

    Thanks. Next version will handle this :D :D :D
     
  8. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Real question here is: was the first alert RED, was the virus detected?
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    No, you cannot rely on that :)
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I think that he waited for the subsequent alert describing what the virus was doing in the system, as happens when we install a new, allowed program. He wanted to see " the program is modifying..."
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think the OP is right. I did not yet test the malware myself as I got no time. OA HIPS is not giving an injection alert that it is expected to give. Same is true of this thread, with another malware.

    https://www.wilderssecurity.com/showthread.php?t=277471

    However, one needs to re-test it to confirm the findings.
     
  12. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    defensewall HIPS logs:

    07.19.2010 12:19:31, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to set value TabProcGrowth within the key HKCU\Software\Microsoft\Internet Explorer\Main\ (Registry)

    07.19.2010 12:19:31, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to set value SystemMgr within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\ (Registry)

    07.19.2010 12:19:32, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to open process C:\WINDOWS\explorer.exe (Process)
     
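The two DefenseWall log excerpts in this thread (the keygen.exe run and the d.exe run) share one line format and between them show the behaviours being argued about: the spooler printer-provider add that 3x0gR13N says TDL3 uses to load its driver, the PendingFileRenameOperations write, the self-rename, the TabProcGrowth change in IE, and the open of explorer.exe. The script below is an added example, not DefenseWall's or Online Armor's code: it parses lines in that format (the format is inferred from the posted lines), flags each of those behaviours with a rule, and records whether the module path contains non-ASCII characters, so that alerts from a Chinese-language path and an English-language path can be compared side by side as the OP does later. The rule names and the IOC list are this example's own choices; the sample lines are copied from the two posts above.

```python
"""Triage DefenseWall-style HIPS log lines for the behaviours discussed in the thread.

Added example (not DefenseWall's or Online Armor's code). The line format
"MM.DD.YYYY HH:MM:SS, module <path>, <action> (<Category>)" is inferred from
the posted log lines; rule names and the set of indicators are assumptions.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}), module (?P<module>.+?), "
    r"(?P<action>.+?) \((?P<category>[^()]*)\)\s*$"
)

# Sample input: the log lines posted in this thread (two separate runs).
SAMPLE_LINES = [
    r"07.16.2010 18:21:00, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to rename file C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe (File )",
    r"07.16.2010 18:21:00, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to set value PendingFileRenameOperations within the key HKLM\SYSTEM\ControlSet001\Control\Session Manager\ (Registry)",
    r"07.16.2010 18:20:57, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to add new printer provider (Spooler)",
    r"07.19.2010 12:19:31, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to set value TabProcGrowth within the key HKCU\Software\Microsoft\Internet Explorer\Main\ (Registry)",
    r"07.19.2010 12:19:31, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to set value SystemMgr within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\ (Registry)",
    r"07.19.2010 12:19:32, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to open process C:\WINDOWS\explorer.exe (Process)",
]


@dataclass
class Event:
    ts: str
    module: str
    action: str
    category: str


def parse_line(line):
    """Return an Event for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Category is stripped because the file-event line carries "(File )".
    return Event(m["ts"], m["module"], m["action"], m["category"].strip())


# Rule names are this example's own labels; each predicate targets one
# behaviour that appears in the posted logs.
RULES = [
    ("printer-provider-add",        # spooler path used to load a driver
     lambda e: e.category == "Spooler" and "printer provider" in e.action.lower()),
    ("pending-file-rename",         # file replaced at next boot, before AV loads
     lambda e: e.category == "Registry" and "PendingFileRenameOperations" in e.action),
    ("self-rename",                 # module renaming its own image on disk
     lambda e: e.category == "File"
               and e.action.lower().startswith("attempt to rename file")
               and e.module.lower() in e.action.lower()),
    ("open-explorer-process",       # handle to explorer.exe, typical injection prelude
     lambda e: e.category == "Process" and e.action.lower().endswith(r"\explorer.exe")),
    ("ie-tabprocgrowth",            # IE tab-process setting, affects protected mode
     lambda e: e.category == "Registry" and "TabProcGrowth" in e.action),
]


def non_ascii_path(path):
    """True if the module path contains any non-ASCII character (e.g. 桌面)."""
    return any(ord(ch) > 127 for ch in path)


def triage(lines):
    """Return one finding per line that triggers at least one rule."""
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        hits = [name for name, pred in RULES if pred(ev)]
        if hits:
            findings.append({"ts": ev.ts, "module": ev.module, "rules": hits,
                             "non_ascii_path": non_ascii_path(ev.module)})
    return findings


def summarize(findings):
    """Collapse findings to {module path: sorted list of distinct rule names}."""
    by_module = {}
    for f in findings:
        by_module.setdefault(f["module"], set()).update(f["rules"])
    return {m: sorted(r) for m, r in by_module.items()}


if __name__ == "__main__":
    for module, rules in summarize(triage(SAMPLE_LINES)).items():
        flag = " [non-ASCII path]" if non_ascii_path(module) else ""
        print(f"{module}{flag}: {', '.join(rules)}")
```

Running it on the posted lines groups three indicators under keygen.exe and two under d.exe; the SystemMgr write under CurrentVersion\URL is parsed but matches no rule, so it is not reported. To reproduce the OP's comparison, feed the same tool the log from a run out of an English-language path and diff the per-module rule lists.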
  13. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
  14. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    131
    I don't like the rebranded version of OA :mad:
     
  15. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,588
    Location:
    Mumbai
    Up to step 3 everything is fine: OA does notify you if some unknown file tries to execute. And it is obvious that the parent program will be explorer.exe if you are executing any program from the desktop or any other place on your computer. Are you sure it didn't give any other pop-ups?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can you test with other HIPS and post screenshots, just to compare?

    Thanks
     
  17. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Funny that it solves all these bypass bugs in one sitting :thumb:

    The most effective part of any HIPS solution, and yet to expose bugs you are told to ignore it.

    C'mon guys, regardless of what bugs are exposed, once you let new code execute on your machine all bets are off.

    If a boxer kept lowering his guard giving free hits, then no surprises if he gets KO'ed at some point :ouch:
     
  18. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
  19. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Commenting on the CIS v4 screenshots. Would any self-respecting member of Wilders accept something called d.exe to be run, or allow it? I would hope not. Come on.
     
  20. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
  21. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Again, why would you be trusting keygen.exe anyway? Comodo does give the option to run it as either an isolated app or with low privileges. Any app can be bypassed if you ignore the warnings.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Retest OA doing exactly what you did, but do it with Run Safer, and see what happens.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    There is something rather funny here, that makes me question these tests.

    In one of the posts on the Online Armor forum, you stated you are using the Trial version of Build 50.

    Build 50 was never released, it was only a beta version, and since you are not a beta tester, I have to wonder where you got this version.

    Hmmm
     
  24. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Probably related to the reason that he is also using keygens.
     
  25. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    1. The virus is in a Chinese-language path.

    http://i234.photobucket.com/albums/ee153/a256886572008/do/oa6-1.png

    2. The virus is in an English-language path.

    http://i234.photobucket.com/albums/ee153/a256886572008/do/oa9.png

    http://i234.photobucket.com/albums/ee153/a256886572008/do/oa10.png

    http://i234.photobucket.com/albums/ee153/a256886572008/do/oa11.png

    Conclusion:
    Online Armor does not support Chinese-language paths.

    OA cannot block the malicious behavior of the virus when it is in a Chinese-language path.

    :'(
     