CFP Defence Plus - a bit weird HIPS?

Discussion in 'other anti-malware software' started by aigle, Feb 24, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have recently switched from EQS to CFP D+ as the classical HIPS on my system. I have tried almost all classical HIPS in the past, mainly for fun. I have especially used EQS, NG and SSM free for a significant period of time as classical HIPS protection on my system. While playing with malware, I had even run more than one classical HIPS at a time in real time, just to compare their popups and thus know what they are monitoring.

    I have had more or less similar popups with all these classical HIPS, and never found a major difference in popup alerts between them.

    HOWEVER, it is not the case with D+. I have been trying it since alpha and every time I tried it I felt that its popup alerts are a bit different from other HIPS. Not sure why! Also can't be sure whether it is monitoring more as compared to other HIPS or less.

    I will present a few examples.

    I really hate the privilege pop ups from Defence+. For almost every application I get pop ups about System time privilege. Another such popup that appears with almost all applications is "accessing service control manager". Others are system shutdown, debug and backup privilege popups etc.

    I wonder why CFP can't just keep quiet and only warn when some application tries to use this privilege like many other HIPS do. What is the use of a behaviour popup that comes with each and every legit application? It's too annoying. I have removed all these (mentioned above) filters from "My Protected COM Interfaces" to get rid of these popups.

    Attached: debug.jpg, service.jpg, time.jpg, backup.jpg
     
    Last edited: Feb 24, 2008
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Two other very common alerts I get on my system are :

    - Accessing memory of ThreatFire service (almost every application does it on my system on shutdown)
    - Accessing memory of CTFmon.exe

    NEVER saw such alerts with any other HIPS.
     


  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Strangely, although D+ gives very frequent memory access alerts about TFservice and CTFmon.exe on my system, I hardly get any other memory access alerts from D+, while such alerts are common with other HIPS like EQS, SSM and AD. Very strange for me.
     

    Attached: mem.jpg
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Another alert I never got from D+ is about remote thread creation. It's a bit common with other HIPS.

    I am not sure, but my impression is that on remote thread creation D+ gives an alert about memory access. (Any POC to check this? Anyone?)
     


  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Another popup. Not sure what is meant by it. I haven't seen it with other HIPS except with AD.

    Another alert is "One application modifying the user interface of other application". Not sure what it means. I don't remember such an alert from other HIPS. I would have considered it memory modification, but memory modification has its own alert in D+.
     


  6. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    That is the first thing I remove from Defense+ when reinstalling Comodo FW. If a popup is too common to differentiate normal from suspicious behaviour then it is useless.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree with you. But I am not sure how much it compromises security.
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I agree, Aigle, that only AppDefend has such weird alerts. Personally I do keep the Service Control alert, as a means of keeping me "awake" and not doing the happy clicking routine.

    As for System, I've seen a few alerts of that kind too. I am not sure either what they mean by "System". In my case I have decided that they mean the same that the Task Manager means as System. Which (for my PC) contains the threads:

    http://img137.imageshack.us/img137/4702/88199542fv5.png

    Now, the ntkrnlpa.exe is obviously related to Windows Kernel.

    Inspect.sys as well as the various cmd* are related to Comodo.
    Some Nvidia miniport driver files,ACPI etc.

    So, I would be very hesitant to let that pokapokaC.exe touch that area, unless I was sure it is a valid process that should have access to critical areas... By its name alone, personally I would be very hesitant to let it affect anything there.

    Of course this is just an educated guess on what they mean by System. At least this is how I interpret it.


    I've no clue about modification of user interface.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    I have posted a way to reduce the alerts. Still I am getting one or two alerts each week. I have decided that when D+ gives one more alert this week I will fall back to EQS again, despite the broader protection of D+.

    I have ironically said that the current release is the first real release (others were advanced betas, sort of gammas), but last week I got again two pop-ups with mysterious pop-ups.

    Conclusion:
    Plus side: the heuristics of D+ make it sort of more intelligent than normal HIPS

    Down side: you will get pop-ups for settings you cannot control. That is really frustrating, but hey, TF, Mamutu and PRSC do it also. Only those Behaviour Blockers are silent most of the time.

    D+ is a sort of cross-over from dumb HIPS to behaviour blocker (see for example which trouble you have to go through to deny avnotify.exe from running). This is good (at release 3.2) for the future, but really frustrating for now.

    regards Kees
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree. BTW pokapoka.exe is actually Elitebar malware.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    "One application modifying the user interface of other application" means that a process is trying to communicate with another process by sending a windows message. One reason that Defense+ monitors this is because, if your web browser is already open, it is possible for a program to leak information by merely sending a windows message to your web browser. Another reason that Defense+ monitors this is because of the possibility of shatter attacks - see http://en.wikipedia.org/wiki/Shatter_attack.

    For 'All Files' in Defense+ Computer Security Policy, I allow interprocess memory access for TFService.exe (part of ThreatFire).

    Alerts about remote thread creation in other HIPS will show up in Defense+ as 'memory access' alerts, if I am not mistaken.
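    Added illustration, not from MrBrian or anyone else in this thread: the kind of cross-process window message the "modifying the user interface of another application" alert is about. It uses PowerShell P/Invoke to locate another process's Notepad window and push text into its edit control with WM_SETTEXT. The message is dispatched and handled by the target's own window thread, so a HIPS that hooks messaging in the sender reports it as the sender acting on the target's UI. The window class names ('Notepad', 'Edit', and the 'RichEditD2DPT' fallback) are assumed from stock Notepad builds and are not in the original post.

    ```powershell
    # Added example (not from the thread). Sends WM_SETTEXT from this process into
    # a window owned by another process (Notepad). Start notepad.exe first.
    $sig = @'
    using System;
    using System.Runtime.InteropServices;
    public static class User32 {
        [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
        [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern IntPtr FindWindowEx(IntPtr hwndParent, IntPtr hwndChildAfter, string lpszClass, string lpszWindow);
        [DllImport("user32.dll", CharSet = CharSet.Unicode)]
        public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, string lParam);
        [DllImport("user32.dll", SetLastError = true)]
        public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
    }
    '@
    if (-not ('User32' -as [type])) { Add-Type -TypeDefinition $sig }

    $WM_SETTEXT = 0x000C

    # Step 1: find the top-level Notepad window. Class name assumed: 'Notepad'.
    $hwnd = [User32]::FindWindow('Notepad', $null)
    if ($hwnd -eq [IntPtr]::Zero) { throw 'No Notepad window found; start notepad.exe first.' }

    # Step 2: find the text control. Classic Notepad uses an 'Edit' child; newer
    # builds use a RichEdit control (assumed class name 'RichEditD2DPT').
    $edit = [User32]::FindWindowEx($hwnd, [IntPtr]::Zero, 'Edit', $null)
    if ($edit -eq [IntPtr]::Zero) { $edit = [User32]::FindWindowEx($hwnd, [IntPtr]::Zero, 'RichEditD2DPT', $null) }
    if ($edit -eq [IntPtr]::Zero) { throw 'Text control not found; inspect the window tree with Spy++ or similar.' }

    # Step 3: identify the owning process. This is the "other application" named
    # in the alert; our own process is the one doing the modifying.
    [uint32]$targetPid = 0
    [void][User32]::GetWindowThreadProcessId($hwnd, [ref]$targetPid)
    "Target window belongs to PID $targetPid ($((Get-Process -Id $targetPid).ProcessName)); sender is PID $PID"

    # Step 4: WM_SETTEXT replaces the control's text. The string is copied into
    # the target process and the handler runs on the target's UI thread.
    $text = 'written by another process via WM_SETTEXT'
    $null = [User32]::SendMessage($edit, $WM_SETTEXT, [IntPtr]::Zero, $text)
    "Sent WM_SETTEXT to window 0x$($edit.ToString('X'))"
    ```

    Run it with the HIPS in a mode that alerts on UI modification and compare the popup with what the script prints: the process named as the modifier should be the PowerShell host, not Notepad. The same message path is what the shatter attacks MrBrian links to abused, which is why a HIPS treats messages into another process's windows as worth a decision rather than as harmless UI traffic.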
     
  12. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I think that CFP would be way over my head to ever use.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Brian. Can you explain it a bit?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ aigle,

    This is exactly the reason why I don't like CFP. You get so many useless popups that you won't even know how to respond to. The guys over at Comodo missed the point, I think. They seem to believe that the "ultimate HIPS" should alert about everything. While to me it only makes sense to alert about stuff that's not triggered by almost every app, and about stuff that you can actually make a good decision about.

    @ MrBrian,

    Welcome to WSF, I assume you're the same guy as on the Comodo forum? I hope I will be able to make CMF BO protection work with the POC you gave me. :cool:
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Rasheed! After removing a few COM filters as I posted, CFP is working very well in Train with Safe Mode. Not many popups!
     
  16. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Comodo is a very powerful firewall if you have patience and an understanding of how it works. Also, having 2 HIPS conflicts. TF and OA conflict and TF and Comodo conflict. I see no reason to run 2 HIPS as it is. Either run TF alone, OA alone or Comodo alone. I am currently using Comodo with D+ active and my trusty NOD32. I installed Comodo at default values. Firewall is set to "Train with Safe Mode" and D+ is set to "Clean PC Mode".
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In Computer Security Policy, find the entry for 'All Files' and edit it. Click on 'Access Rights'. Click the Modify button next to 'Interprocess Memory Access'. Click Add, Browse to TFService.exe and add it. Then Apply, Apply, Apply, Apply, Apply. You can also do the same for the other process you named that is accessing memory of a lot of other processes.

    I am the same one :) Thanks for the welcome. Let me know if it works for you or not.
     
  18. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Many of the popups are easily dealt with by scanning the system, deciding that it is clean enough and then moving all content to your "Own Safe Files", where you can still address issues. This will reduce the chatter and allow you to monitor new incoming files and keep a hermetic environment. The idea is to monitor each subsystem as it is being modified... I personally like the idea of the granular control it provides... I just wish the controls were more directly accessible within the GUI instead of having to create rules to manage change... It is too cryptic for most users...
     
  19. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Funny, I thought that was your view?

    The more you monitor the safer you are, obviously. Sure you can turn off stuff like some guys are telling you to do, but this is done WITHOUT understanding what you are giving up.

    Chances are you have opened a big gaping hole! How do you know?
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I have never understood the drive some users have to secure the system, then complain about it being too secured... :)
    If users don't want pop ups, all they need to do is use the base firewall with virtualisation... Just don't hope to manage change easily...
     
    Last edited: Feb 25, 2008
  21. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Personally I think that by following the advice of some of the others above and turning off some of the HIPS features, you risk failing some tests (leak test, or whatever).

    And as we all know failing such tests is a big no no.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I do understand that. The question is whether all these processes are accessing TFservice in memory or TFservice is accessing all these processes in memory (I assume the two are not the same).

    I would make a global allow rule if TFservice were accessing the processes, but it's not the case here. According to CFP, it is actually the other processes that are accessing TFservice in memory. In that case a global allow rule can allow a malicious process to modify the memory of TFservice without any popups.

    I am not sure if I am understanding it correct or not.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I posted exactly same thread over their forums.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    It is the other processes that access TFService in memory. My guess is that ThreatFire has modified all the processes in memory on purpose, and these alerts are happening when the modified processes are calling back to TFService with information. I could be wrong though. It's true that this does open a hole for malicious processes to modify TFService, but on the other hand, if you deny all or some processes memory access to TFService, then perhaps you are not allowing ThreatFire to do its job correctly.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You seem to be right, but if "ThreatFire has modified all the processes in memory on purpose", there is no alert about that. Also no alert by other HIPS about TFservice modifying the memory of other processes (not sure though). It might be related to the very nature of TF itself.

    Anyway, I have seen examples where CFP gives a popup about application X accessing the memory of application Y while other HIPS instead give the opposite alert about application Y modifying the memory of application X. That's weird.

    I will make an allow rule for TFservice I think.
     