CIS v5 - detection of hidden rootkit process seems good!

Discussion in 'other anti-malware software' started by aigle, Oct 7, 2010.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I just wanted to try the ability of the CIS built-in Task Manager to detect hidden rootkit processes. It's not a test as I don't have samples. Just found out phide_ex.exe rootkit. It's a load of BSODs but after multiple tries I managed to run it in a VMware Player session without any BSOD.

    The Task Manager of CIS detected it (hidden process) very well. :thumb: The hidden process is also detected by GMER but not Process Explorer.

    Just wanted to share it. It would be better if they could label the process as hidden as well.

     
    Last edited: Oct 11, 2010
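    The cross-view check that anti-rootkit tools like the ones compared in this post perform, as an added example (not code from CIS, GMER or Process Explorer): a PID that an alternative enumeration path reports but the standard listing omits is flagged. The live collectors assume a Linux host with /proc; the sample PID sets are constructed.

```python
"""Cross-view hidden-process detection: the check anti-rootkit tools make when a
process is absent from the normal list but visible through another path."""
import os


def hidden_pids(views, reference):
    """Return {pid: [views that see it]} for PIDs missing from `reference`;
    `views` maps a view name to the set of PIDs that view enumerated."""
    base = views[reference]
    result = {}
    for name, pids in views.items():
        if name != reference:
            for pid in sorted(pids - base):
                result.setdefault(pid, []).append(name)
    return result


def proc_view():
    """Standard Linux view: numeric entries of /proc (what ps and top use)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_view(pid_max=None):
    """Brute-force view via kill(pid, 0); EPERM still means the PID exists."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:   # ESRCH: no such process
            continue
        except PermissionError:      # EPERM: exists, not ours
            pass
        found.add(pid)
    return found


# Constructed sample (not from the thread): PID 1337 is seen by two alternative
# views but has been unlinked from the standard listing, as reported above.
SAMPLE_VIEWS = {
    "task_manager": {4, 512, 1024, 2048},
    "pid_probe": {4, 512, 1024, 1337, 2048},
    "thread_walk": {4, 512, 1024, 1337, 2048},
}

if __name__ == "__main__":
    print(hidden_pids(SAMPLE_VIEWS, "task_manager"))  # {1337: ['pid_probe', 'thread_walk']}
    print("live:", hidden_pids({"proc": proc_view(), "probe": probe_view()}, "proc"))
```

    Run the live comparison twice and intersect the results: a PID that starts or exits between the two enumerations is a race, not a rootkit. On Windows the same diff applies with, for example, a Toolhelp snapshot as the standard view and a PID probe or thread walk as the alternative.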
  2. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,068
    The process in Comodo seems to have a little shadow, no? That means that the process is hidden.
     
  3. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    415
    Location:
    Belgium
    :D No, it's a simple "overlay" because it's the selected item.
    You may think Comodo is strong, but please don't get over-enthusiastic. ;)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, exactly right. BTW that process was a keylogger and was also a bit hidden, I mean it was hidden from Windows Task Manager but not from Process Explorer. However the rootkit process phide_ex.exe was hidden from Process Explorer and only detected by ARKs like RootRepeal, GMER etc.
    It was a pleasant surprise for me indeed.
    This version of Comodo is the best version ever IMO. I haven't seen a major bypass with it so far.

    I don't have time, otherwise I would love to post screenshots of how CIS v5 HIPS and sandbox handle the Conficker worm, both at default level and at max settings level. It was really excellent. :thumb: Maybe I will post about it later some day when I am free.

    I was not happy how Defence Plus used to handle Conficker in the past.
     
  5. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,068
    Maybe you get over-enthusiastic with this kind of thing, but sorry, I don't.
     
  6. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Do you mean Defense+ in version 4? And do you mean Defense+ only or with the sandbox?

    I mean: without using the sandbox, did Defense+ in v4 protect from Conficker less than v5?


     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    The pop-up alerts of Defence Plus in v3 were not so good. I made a long thread about it at that time. I did not test v4. Version 5 RC was the same, so I posted this as a bug and it was fixed after I provided a sample to egemen.
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    Thanks for your answer aigle. ;)
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    And just tried another one, historical Hacker Defender.

    Good work by CIS. :thumb:
     

  10. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    The thing I don't get is they give you a Sandbox, then with the leak test to get the best results, best security you turn off the sandbox, LOL...
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I was just curious to know if it can detect a hidden rootkit process or not. There was no way to do this without installing a rootkit first and that means one has to disable CIS. If there is any other way to do this, let me know.
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    You should find a kernel rootkit that you could install in the kernel and disable: then you would have to install CIS and after the installation enable the hidden rootkit. I don't know where you could find a rootkit like this.
     
  13. syk69

    syk69 Registered Member

    Joined:
    Feb 7, 2010
    Posts:
    183
    That's not true. I did the leak test with the sandbox enabled and it gave me 340/340.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmm... sorry, I did not get your point. You think Hacker Defender and phide_ex are not kernel mode?
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    Sorry, I already woke up when I posted, I misunderstood your post. :oops:



     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That's fine. :) :)
     