CFP Defence Plus - a bit weird HIPS?

Discussion in 'other anti-malware software' started by aigle, Feb 24, 2008.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Another guess - maybe it's the code in the drivers of ThreatFire that modifies the processes, in which case you would get no alerts.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Ok, I have done some testing with CFP D+, AppDefend and EQSecure. My observations are interesting.

    I guess that when Defence Plus gives a pop-up that "Application A is trying to access memory of application B", it means one of the three (or more?) things:

    1- Application A is trying to modify the memory of application B, or
    2- Application A is trying to create a remote thread in application B, or
    3- Application A is trying to terminate/suspend a thread in application B

    Now see the alerts given by CFP Defence Plus, AppDefend and EQSecure about behaviour no. 1 and 2 (Modify memory and Create remote thread). They are exactly the same.

    In case of Memory Modification, the current (active) application is Explorer.exe while the target application is Iexplore.exe. See Pic

    In case of Create Remote Thread, the current (active) application is PokapokaC.exe while the target application is Services.exe. See Pic

    mem mod.JPG
    thread.jpg
     
    Last edited: Feb 26, 2008
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Now until this point everything is as expected, at least for me. Confusion arises when we see the pop-up alerts about Terminate/Suspend thread - behaviour no. 2.

    EQSecure and AppDefend show that the current (active) application is TFservice and the target applications are Explorer.exe and Iexplorer.exe.

    CFP on the other hand shows that the current (active) application is Explorer.exe and Iexplore.exe and the target application is Tfservice.exe. See Pics.

    It's a thing I can't understand. I guess CFP may be wrong here. I almost remember the alerts by System Safety Monitor to be also the same as those of EQS and AD.

    exp suspend thread.jpg
    IE susp thread.jpg
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,491
    Location:
    The Netherlands
    Funny, but you thought wrong. In other posts I have already explained my view on this. Do I really need to explain it to you again? o_O

    I already have enough holes in my setup, but the question is how big the chance is that I will ever execute malware that will take advantage of this. :shifty:
     
  5. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Typically the odds are in your favor.... However, have you heard of Murphy's law? :)
     
  6. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Aigle, check the Comodo forum. Egemen replied and according to him Comodo is smarter than AppDefend and EQSecure by putting alerts by higher priorities.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
  8. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Yes, please do. I must have missed it.

    I personally feel if you are a big fan of "dumb hips", the more alerts and the more things you monitor the safer you are. Do you disagree?


    How big?

    Simple. It's 50-50.

    Either you get hit by something that exploits this, or you don't.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Hello Rasheed and Lusher! With due respect, I think you are way off topic. I personally don't mind OT, but your discussion seems to be of no interest to anyone. It seems more of a personal 'war'.
     