DLL injection alerts by Comodo FW

Discussion in 'other firewalls' started by aigle, Mar 18, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have been using Comodo FW for about a year and I see an option to alert for DLL injections in Comodo, but I never got an alert from Comodo about this, while SSM gives a lot of such alerts. Can anybody tell me what I am missing here? Are you people getting such alerts? Any screenshots?

    Thanks
     

    Attached Files:

    • c1.jpg (41 KB)
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Any Comodo users?
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    My guess would be that you have set SSM as a trusted app in Comodo.
    Then SSM takes care of DLL injections, so they will not reach Comodo.
    I used to have many alerts in Comodo, so I used to have monitoring disabled.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I never got any alert even when I was not using SSM.
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I guess the difference is DLL injections related to outbound, as opposed to DLL injection in general. o_O
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry, I did not understand it fully. Can you explain it?
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    I think Someone referred to DLL injections on processes requesting an outbound connection.
    Is Comodo supposed to alert on injections at all? This screenshot is saying "monitoring", right? The slider for adjusting alert frequency seems to deal with network activities only and not with inter-process operations. Well, I see the component monitor is set to "Learn mode" by default, so that explains the lack of popups. But even if you put it in "Turn on" mode, alerts don't show up. I suppose that Comodo's HIPS is so rudimentary that it doesn't alert you at all, but rather functions on a simple allow/deny principle. You keep Comp Monitor in learning mode for a while, it sets some rules automatically, then you switch it on, and it blocks anything which doesn't have a rule. Without a popup. On the other side, SSM is a dedicated HIPS.
    This is only my opinion, I am not using Comodo right now so I may be wrong here...

    Cheers.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am also suspecting something similar. I think it monitors DLL loading but does not warn you about this. Instead you get an alert about unknown components (already injected DLLs) when an application wants an outbound connection.
     

    Attached Files:

    • c2.jpg (43.3 KB)
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    That's exactly what I meant, thanks The Seer.
    Only when an app tries to connect will Comodo warn of what's associated with it.
    CPF3 with HIPS will detect these things in real time, when the DLL is injected.

    This is me guessing. But it does make sense, and it is why leaktests are tricky when you're not at the process level, or whatever it's called.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Just to make things clear: I think Comodo FW alerts you when there is some global hook on your system and your browser tries to connect to the internet while hooked. I saw this hooking alert when I tried some keyloggers.
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    That's good to hear, Comodo at work. :thumb:
    My "issue" with it, as it stands, is it not being able to block that in real time, so that I just use IE7 (for instance) at will, with no "hooks" (and Pan's..)
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It will never block in real time; that's the job of HIPS.
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Aigle, exactly..
    V3 should though. I wait to see what comes out.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ya but I prefer a separate HIPS at least ATM.
     
  15. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    I really don't know about DLL injections. I am past the knowledge on that.
    Much internet-using software, like browsers, adds lots of DLLs while browsing. So I keep the Comodo component monitor always in learning mode. I had some bad experience with my previous computer when taking Comodo out of learning mode, but it might have been something else that happened, like WWDC, which I did at the same time.

    I know that SSM tells a few things about DLLs that go in the context of this thread, mainly some keyboard hooks or whatever; I don't really know much about that.

    What I know about Comodo is that sometimes when I ran my netphone program or Trillian (that is, an instant messenger) sandboxed, after some session Comodo starts to tell me about 'invisible applications' going to the net while running my Firefox inside Sandboxie and surfing to normal sites. I really don't know how it happens. Usually I just delete the Sandboxie content and those prompts from Comodo don't come again.
    But it makes me crazy to answer prompts about invisible applications, "possibly trojans", heh.
     
    Last edited: Apr 28, 2007
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes Aigle

    That was a disappointment when I tried Comodo. It notifies when a changed program is trying to access outbound traffic. I tried Zapass on Comodo, it failed, and I was thinking, what did I do wrong in the setup? Turns out Comodo checks the CRC hash and notifies when it is changed.

    Comodo will be a great program (in the release 3?). Online Armour proved that a FW is the ideal combination with an Anti-Executable. Coreforce goes one step further and combines data level protection with it. Hopefully Comodo development will go into that direction.

    Regards K
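
The behaviour the posters converge on (silent learning, then a component check only when an application asks for an outbound connection) can be modelled in a few lines. This is an added example, not Comodo's code or anything posted in the thread; the class, the module names and the byte strings are constructed, and CRC32 is used only because a CRC hash is what Kees1958 mentions.

```python
import zlib


class ComponentMonitor:
    """Toy model: an app's loaded modules are inspected only at connect time.

    There is deliberately no module-load callback, so an injection is never
    reported at the moment it happens (the HIPS role discussed in the thread).
    """

    def __init__(self):
        self.mode = "learn"   # "learn" or "on", the two modes named in the thread
        self.rules = {}       # app -> {module name: CRC32 of the module bytes}

    def on_outbound(self, app, loaded):
        """loaded: {module name: bytes} present in the process when it connects."""
        seen = {name: zlib.crc32(data) for name, data in loaded.items()}
        known = self.rules.setdefault(app, {})
        if self.mode == "learn":
            known.update(seen)            # record silently, no prompt
            return []
        findings = []
        for name, crc in sorted(seen.items()):
            if name not in known:
                findings.append(("unknown component", name))
            elif known[name] != crc:
                findings.append(("changed component", name))
        return findings


def demo():
    mon = ComponentMonitor()
    # Constructed sample process image for the learning phase.
    browser = {"browser.exe": b"browser v1", "net.dll": b"net v1"}
    mon.on_outbound("browser.exe", browser)
    mon.mode = "on"
    clean = mon.on_outbound("browser.exe", browser)
    # Constructed tampering: a foreign DLL is present and net.dll was modified.
    tampered = dict(browser)
    tampered["hook.dll"] = b"hook"
    tampered["net.dll"] = b"net v1 patched"
    return clean, mon.on_outbound("browser.exe", tampered)


if __name__ == "__main__":
    print(demo())
```

In this model, anything already loaded during the learning phase becomes part of the baseline and is never reported afterwards, so the learning period has to run on a system that is known to be clean.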
     