MRG Rogue Software Test

Discussion in 'other anti-malware software' started by LoneWolf, Aug 16, 2009.

Thread Status:
Not open for further replies.
  1. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
And that's why I don't use CIS. Don't want any rogues connecting out with my firewall... :)
     
  2. ssj100

    ssj100 Guest

Well, I don't know why you stated that, and I guess I have to argue this point, as I'm pretty sure it's wrong and could be very misleading.

    I use CIS so that no rogues connect out with my firewall haha. If anyone can show me and prove to me otherwise, please give me the sample! I've been using CIS for over a year, and the only bypasses I've seen are with POCs (which also bypassed OA, MD, DefenseWall etc).
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
I'm sure it does work. But if the whitelisting works as it's supposed to, and if there are more rogues etc. popping up as signed by them, I see a future potential vulnerability popping up. And no, I'm not saying they sign them intentionally; I'm sure there's some sort of automated process that has accidentally done it, possibly.
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Although I don't use Comodo, could it be possible this has been fixed since the test was done so that now you're seeing the alerts?
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Regarding RegGenie, the download.com link and softpedia link seem to be auto-generated, almost like filling out a template and clicking submit. Both download and softpedia would submit the setup file for scanning, and both would have found it clean so it would have earned the clean award.

    Given the mountains of programs on download.com and softpedia, I tend to trust ones where the editor reviews the program, and it's a personal write-up.

    And without getting into an argument over HIPS and AVs, I do find Joe's comment interesting. Although HIPS can provide almost impenetrable defence, if you compare the amount of decisions a user would make on a regular basis (that continual reading/mental processing of alerts) to seeing the odd false positive with a scanning type program (and the few seconds googling to see what that FP is), the latter really shouldn't be a concern to users who prefer a HIPS-type program.
     
  6. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    You could be right, and that would apply to all the security programs tested.
     
  7. ssj100

    ssj100 Guest

    Hmm, I see your point, but I still haven't seen CIS being genuinely bypassed yet in over a year of using it. The thing is that even if rogues are signed by Comodo, it will not be placed in Comodo's white-list unless the program is deemed completely safe. That's how I understand it anyway.
     
  8. ssj100

    ssj100 Guest

    Hmm, I'm not sure mate. I didn't think Comodo updated its white-listing database in real-time (I thought they only released a new white-listing database with each new program release). I could be wrong though. I'll try asking on their forums.

    EDIT:
    From the Comodo user manual:
    "Comodo Internet Security can now validate digitally signed applications from Trusted Vendors. Trusted Vendors are those companies that digitally sign 3rd party software to verify its authenticity and integrity. This signature is then countersigned by an organization called a Trusted Certificate Authority. By default, Defense+ will detect software that is signed by a software vendor and counter-signed by a Trusted Certificate Authority. It will then automatically add that software to the local users’ Trusted Vendor list. Software companies may be interested to know that they can have their signatures added, free of charge, to the ‘master’ Trusted Vendor List that ships to all users with CIS...".
     
    Last edited by a moderator: Aug 20, 2009
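As an added example (not from the thread, and not Comodo's code), here is the kind of trust decision the quoted manual describes, written in PowerShell for Windows: a file is auto-allowed only if its Authenticode signature verifies against a trusted root, its signer has not expired without a timestamp, and the signer's thumbprint is on a locally vetted allow list, so "signed by somebody" never by itself equals "safe". The allow-list thumbprint and the folder path are placeholders.

```powershell
# Added example: classify an executable the way a "Trusted Vendor" style
# whitelist would, but require an explicit, locally vetted allow list.
function Get-VendorTrustDecision {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Thumbprints of signing certificates you have vetted yourself.
        # Placeholder value; replace with your own.
        [string[]]$AllowedSignerThumbprints = @('0000000000000000000000000000000000000000')
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File     = $Path
        Status   = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer   = $null
        Expired  = $false
        Decision = 'Prompt'         # default: raise an alert, like a HIPS would
    }
    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered, or the chain does not reach a trusted root:
        # never auto-trust, leave the decision to the user/analyst.
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject
    # Belt and braces: even if the platform verifier accepted it, do not
    # auto-trust a signer whose certificate has expired and whose signature
    # carries no timestamp countersignature (cf. the expired signature on
    # one of the samples discussed in this thread).
    if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
        $result.Expired = $true
        return [pscustomobject]$result
    }
    # Only a signer you have explicitly vetted gets an automatic allow;
    # a valid signature from an unknown vendor still prompts.
    if ($AllowedSignerThumbprints -contains $cert.Thumbprint) {
        $result.Decision = 'Allow'
    }
    return [pscustomobject]$result
}

# Constructed usage: inspect every executable in a downloads folder (placeholder path).
Get-ChildItem -Path 'C:\Temp\downloads' -Filter *.exe |
    ForEach-Object { Get-VendorTrustDecision -Path $_.FullName } |
    Format-Table File, Status, Signer, Expired, Decision -AutoSize
```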
  9. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
That's the thing - they're not malware. They're frauds/scams/rogues, but not malicious software. They don't do anything malicious, and that is why those AVs don't as yet list them.

    I know KL do list some frauds for example - they have a category called not-a-virus:FraudTool, and the list is growing daily. Admittedly, some of those will contain malware elements; the problem is getting them, and other AVs, to add more non-malicious detections to their bases, but it's not an easy task because there's so many of them, and as you've seen, they appear to exhibit legitimate behaviours, a few get digitally signed by some vendors, and it also involves more time to analyse which they could use in detecting real malware instead.
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
Are rogues prevented by running with limited rights through methods like LUA or sandboxing/policy (SandboxIE, DW, GW, etc.)?
     
  11. ssj100

    ssj100 Guest

    Hmm, I see what you're saying there. But could I argue that these "frauds/scams/rogues" are actually "malicious", in that they have a "malicious" intent? Therefore, since they ultimately have a "malicious" intent, they should still be considered "malware"?
     
  12. ssj100

    ssj100 Guest

    As far as I know, LUA will not allow the rogues to even execute.

And with a properly configured Sandboxie, the rogues will not be able to start/run, will not be able to access the internet, and will not be able to access sensitive areas of your computer. Sounds like overkill haha, but that's how Sandboxie works.
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Perhaps the reason you get the alerts now is the digital certificate was revoked on those applications you tested.
     
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I know what you're saying, and it is a difficult area. Some argue how can AVs/AMs be expected to detect "intent" if they don't do anything untoward to your system except provide a scan list of non-existent errors and urge you to pay to fix said errors. It is indeed a problem, but I think the industry as a whole is trying to play catch up in this arena.
     
  15. ssj100

    ssj100 Guest

    Well, the 3 applications that apparently "bypassed" Comodo don't have digital signatures mate. Actually, 2 out of the 3 applications don't have digital signatures. pconpoint.exe has a digital signature that has expired haha.
     
  16. thathagat

    thathagat Guest

Well, you now seem to be neck deep in it... ;)
     
  17. ssj100

    ssj100 Guest

    By the way, with regards to whitelist, here's a reply from a Comodo moderator:
    "The white list only gets updated with new releases of CIS".

    Anyway, TonyW, as far as I'm aware, I've always got alerts from Defense+ for the 3 rogues apparently "bypassing" it.
     
  18. ssj100

    ssj100 Guest

    Haha, nah it's cooled down actually. And this is a different matter. We're talking about Defense+ getting bypassed here, not some political issue haha.
     
  19. Calderon

    Calderon Former Poster

    Joined:
    Aug 19, 2009
    Posts:
    3
Littlebits (or Mike L. J.),

The Admin of SSUpdater.com (a site with links for Cracks, KeyGens, Patches etc.), whose members have severely criticized WildersSecurity (under the encouragement/incitement of the SSUpdater Admins/Mods), like you, should not come to lecture and patronize!

We know very well who you really are…
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
You want to know the sad thing about a thread like this? You take some schmuck like me, who doesn't understand 90 percent of it, and in the end, I don't trust anyone anymore.

That's sad.
     
  21. Calderon

    Calderon Former Poster

    Joined:
    Aug 19, 2009
    Posts:
    3
The next time a new MRG test is released, readers must remember that Sveta of MRG and GrandCommander of SSUpdater (a site with links to Cracks, Keygens, Patches etc.) are the same person (a Serbian VX collector without any Computer Studies or professional experience in the security software industry)!

Just search GrandCommander's postings at SSUpdater: he wrote against Malwarebytes, CounterSpy, Nod32 and criticized AV-Comparatives, WildersSecurity etc.

Now, he comes here, under the mask/hood of MRG, and tries to convince us that he has no connection with SSUpdater.

Since you play the malware researcher, offer us some info:

a) From what Computer Science department did you graduate?
b) Which security software companies had you worked with before you joined MRG?
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Calderon, thread has moved on chief. ;) Send him a private message if you're requesting that info.

    I'm reading ssj100 and TonyW's discussion!
     
  23. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Folks,

    Let's keep directed comments towards the personal situation of members out of this conversation. Period.

Those out there performing efficacy testing may or may not trot out their academic qualifications. At times it's germane, at other times less so. However, it's up to the individual member to determine the extent of public disclosure that's right for them. Whether an individual has an alternate name at other sites is not a matter for this board unless that becomes germane to an indirect astroturfing campaign.

    Readers need to perform their own due diligence with that reality in mind. Readers also need to be aware that, as illustrated early in this very thread, there are people who will ignore any sense of social or personal responsibility in an effort to forward their personal agenda/grudge/whatever. Eventually, those situations emerge from the shadows. However, that emergence should be based on fact, not idle speculation or innuendo.

    Let's get back to matters of a technical nature. In the end, that is what matters.

    Blue
     
  24. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
You're spot on with what you're saying, but TonyW has it right. How can any security program judge the intentions behind a software application? There's no heuristic algorithm to detect human greed, alas :mad: .
     
  25. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Hi,

I think that the test was performed with Comodo default settings, that is, "Comodo Internet Security" and not "Proactive Security".

Try doing the test again with default settings and let us know what happens.

    Thanks.
     