CIS + MD5

Discussion in 'other firewalls' started by thanatos_theos, Oct 16, 2009.

Thread Status:
Not open for further replies.
  1. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Re: PCT firewall + Leaktests

    A bit OT but since we're talking about HIPS...

    When you update an application already listed in Computer Security Policy (as Custom) and run it, you get no prompt that the file has changed? I believe CIS doesn't check the md5 but just remembers the paths. Anyone also noticed this with CIS? What Stem reported might be applicable to CIS also.

    Take note that my CIS HIPS is in Safe Mode (old config). When I update, I either turn off CIS HIPS or use install mode. I haven't tested with Paranoid Mode. Do you think the safelist db/trusted certificates has got something to do with this?
     
    Last edited: Oct 16, 2009
  2. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Re: PCT firewall + Leaktests

    The Image Execution Control monitors file changes in CIS. According to the help file (when Image Execution Control is enabled) CIS calculates the hash-value of a file before it loads into the memory. Going by it, file alterations - such as updates - should be detected by D+.
     
  3. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Re: PCT firewall + Leaktests

    Forgot about that. I'll have to check that out when I'm on the rig with CIS. It must depend on the settings set there. Maybe a prompt will appear during update but at those times I have the HIPS disabled or in install mode. Will try with HIPS on, next time. I turn on the HIPS after the update, run the updated program, and I get no prompts, unfortunately.

    As a test, turn on install mode or turn off HIPS, update your Realtek HD Audio. After startup, turn on HIPS and click the Realtek systray icon. CIS should prompt you that RTHDCPL.exe has changed, right? *I didn't try this yet*
     
    Last edited: Oct 16, 2009
  4. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Re: PCT firewall + Leaktests

    There was a discussion on this somewhere on the COMODO forums. I had read it, but don't recollect much of what was said there. But I do remember - vaguely though - the chief developer of CIS (egemen) stating that CIS does not verify hashes of executables which are modified by the user himself, or something of that like.

    You can search for threads on topics related to this in the COMODO forums.
     
  5. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Re: PCT firewall + Leaktests

    I guess that was intended to make CIS user-friendly and lessen alerts. Well, I think CIS will alert the user anyway if ever some malprocess tries to change/hijack/infect/tamper an application or its integrity.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: PCT firewall + Leaktests

    As I know CIS doesn't check for hashes, as it has real time file defence. Same is true of MD.
     
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Thank you aigle.

    I just skimmed on their forums and read that Image Execution depends on the extensions set and only checks for hashes in 'real-time'. But it disregards those found in/matching those in the safelist db. Maybe in the future they can do that on-demand, on-next execution of the updated file or during start-up. I think this on-demand hash scan (for new exes) occurs in start-up when using Clean PC mode. :doubt:
     
    Last edited: Oct 16, 2009
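
The distinction this thread turns on (a policy that only remembers paths versus one that hashes the file before it loads, with a safelist that bypasses the check), as an added example that is not part of the thread and not Comodo's code. The `ExecutionPolicy` class, its method names and the sample file are assumptions made for illustration, and SHA-256 stands in for the MD5 mentioned in the first post.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class ExecutionPolicy:
    """Hypothetical allow-list for illustration; not how CIS stores its policy."""
    def __init__(self, check_hash, safelist=()):
        self.check_hash = check_hash   # False = remember paths only
        self.safelist = set(safelist)  # digests trusted wherever they appear
        self.rules = {}                # absolute path -> digest at approval time

    def approve(self, path):
        self.rules[os.path.abspath(path)] = file_digest(path)

    def decide(self, path):
        digest = file_digest(path)
        if digest in self.safelist:
            return "allow (safelist)"
        recorded = self.rules.get(os.path.abspath(path))
        if recorded is None:
            return "prompt (unknown file)"
        if self.check_hash and recorded != digest:
            return "prompt (file changed)"
        return "allow (policy)"

def demo():
    """Approve a constructed file, replace it in place, then re-evaluate it."""
    v2 = hashlib.sha256(b"version 2").hexdigest()
    policies = [ExecutionPolicy(False), ExecutionPolicy(True), ExecutionPolicy(True, safelist=[v2])]
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")   # constructed sample, not a real binary
        with open(exe, "wb") as f:
            f.write(b"version 1")
        for p in policies:
            p.approve(exe)
        with open(exe, "wb") as f:
            f.write(b"version 2")          # the update, made while nothing is watching
        return tuple(p.decide(exe) for p in policies)

if __name__ == "__main__":
    print(demo())
```

The path-only policy allows the replaced file silently, the hash-checking policy prompts, and the safelisted digest is allowed without a prompt even though the file changed.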