Defence plus does not detect driver/ service install

Discussion in 'other anti-malware software' started by aigle, Jul 20, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It seems a security hole. I tried this tool

    http://www.iterati.org/Developers/HideProc/Default.aspx

    Very strange that CFP gives no warning about a driver/ service install on my system. I posted it at their forums. And according to a user there:
    Hmmm... I never expected this from a HIPS. It,s a security hole IMO. What do u think about this?

    Thanks
     

    Attached Files:

  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle nice read :thumb:

    Well given the advice of the Chinese poster (assuming Google translate did not fool me) to add a 'real' HIPS to Comodo, because CFP in itself lacks sufficient protection, says enough! Maybe some Chinese speaking member could check and protect us from jumping to the wrong conclusion.

    So you are better of using TF and GW combined (together also provides oubound protection, when disabling DNS Service, DNStester fails also, your modem or ISP will handle DNS name cache look ups) What use does a second safety net has (behind GW) when its mazes are to wide ;)
     
    Last edited: Jul 21, 2008
  3. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    It will block the driver install if you block it from accessing the Service Control Manager" (SCM) when you run the program. I think the Chinese poster had a flawed setup.

    comodo_hideproc1.png

    It's worth mentioning, however, that there's no specific indication that a driver is being installed. A lot of programs prompt this SCM warning and it seems to cover a few types of activity. Often, the program will run fine whether you allow it or not, which can be confusing. I'd like to see Comodo offer more granular control over these activities instead of lumping them under SCM access.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, no it will not. It,s a useless alert by CFP. driver is installed long before this alert.
     
  5. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Driver is not installed, nor does the program work. If I allow the request, the program runs fine.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here is what I get. First I get two alerts when I execute HideProc and hideproc is able to hide any process. I get a third alert about Service Control Manager access only when I try to shut down the GUI of HideProc.

    Obviously whether I allow or deny it, practically it makes no difference.

    1.jpg 2.jpg
    3.jpg
     
  7. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Interesting. I have Execution Control disabled so I don't get the first alert. Nor do I get the Elevated Privilege alert. I'm using Clean PC mode with all of the monitor settings checked.

    I'm using Vista, btw.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmmm.... so different OS gives different reults. I am using XP Home SP2.

    BTW elevaed privilege alert is due to TF on my system, I don,t get such alert without TF.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Appreciate the test and results.

    I'm gonna try this on EQS 4.0 Beta and see what develops. This appears to be something SSM would easily intercept but waiting for another user of it to chime in with their results since i'm nearly exclusive with EQSecure HIPS now.

    EASTER
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Loading...
Thread Status:
Not open for further replies.