Rogue slips right through Comodo!

Discussion in 'other anti-malware software' started by hamzah95, Jul 28, 2009.

Thread Status:
Not open for further replies.
  1. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    I guess the 3 million dollar question is, when you rebooted your PC, did this rogue still appear or did it cease to exist? The deny messages might have been startup and service type entries that the rogue was trying to set up.

    Ice
     
  2. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    The rogue did not get through... It only appears as though it has.

    The Rogue
    1. Can read but cannot modify trusted resources.
    2. Cannot read or modify confidential resources.
    3. May create new untrusted resources, e.g. files.
    4. May read or modify untrusted resources.

    You may want to have a look at this; start watching at 11:38 minutes into the video. http://www.youtube.com/watch?v=PBKNHBl-yos

    Pressing the terminate button will stop it in its tracks
     

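To make overangry's four rules concrete, here is an added example (my own code, not from the thread or from Comodo) that encodes them as a small policy table and replays a constructed sequence of the kind of actions a fake-AV rogue attempts; the resource names, trust classes and the action list are assumptions, not observations of the sample.

```python
from dataclasses import dataclass
from enum import Enum

class Trust(Enum):
    TRUSTED = "trusted"            # system files, startup/service registry entries
    CONFIDENTIAL = "confidential"  # stored credentials and similar secrets
    UNTRUSTED = "untrusted"        # objects the rogue itself creates

READ, MODIFY, CREATE = "read", "modify", "create"
# The four rules for an untrusted application, as a table of allowed operations.
POLICY = {
    Trust.TRUSTED: {READ},                    # rule 1: read, never modify
    Trust.CONFIDENTIAL: set(),                # rule 2: neither read nor modify
    Trust.UNTRUSTED: {READ, MODIFY, CREATE},  # rules 3 and 4
}

@dataclass(frozen=True)
class Action:
    op: str
    target: str
    trust: Trust

def decide(action: Action) -> bool:
    """True if the rules allow the action, False where Defense+ would deny it."""
    return action.op in POLICY[action.trust]

def replay(actions):
    """Return (decision log, contained); contained stays True as long as no trusted
    resource is modified and no confidential one is touched, i.e. the rogue ran
    and raised alerts but did no harm."""
    log, contained = [], True
    for a in actions:
        allowed = decide(a)
        log.append(f"{'ALLOW' if allowed else 'DENY'} {a.op} {a.target}")
        if allowed and (a.trust is Trust.CONFIDENTIAL
                        or (a.trust is Trust.TRUSTED and a.op == MODIFY)):
            contained = False
    return log, contained

# Constructed sequence for a fake-AV rogue (illustrative, not captured from the
# thread's sample); the startup and service writes are IceCube1010's suspected denies.
ROGUE_ACTIONS = [
    Action(READ, r"C:\Windows\System32\kernel32.dll", Trust.TRUSTED),
    Action(CREATE, r"C:\Users\victim\Desktop\xpdeluxe.exe", Trust.UNTRUSTED),
    Action(MODIFY, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", Trust.TRUSTED),
    Action(MODIFY, r"HKLM\SYSTEM\CurrentControlSet\Services", Trust.TRUSTED),
    Action(READ, "saved browser credentials", Trust.CONFIDENTIAL),
    Action(MODIFY, r"C:\Users\victim\Desktop\xpdeluxe.exe", Trust.UNTRUSTED),
]
```

Replaying the sequence shows the rogue's process running and writing its own files while every persistence write and credential read is denied, which is what "appears to get through" looks like in the alert log.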

  3. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    thanks for the update!
     
  4. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    <Emphasis added>
    Thanks for this.

    Another member of this forum remarked that CIS does not differentiate between the reads and the writes of critical system resource information in their Defense+ system.

    Could this be something that Comodo has actively ignored to the detriment of true security?
     
  5. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Actually, I believe that is incorrect. From the D+ help file:

    The same is true of any 'critical' resource. That really is the whole point of D+
     
  6. 3xist

    3xist Guest

    Hi Guys

    Defense+ worked as expected, even with this rogue. CIS is a very well designed suite, where the AV, Firewall & Defense+ by default all achieve top-notch protection, better than any "traditional AV" out there. Based on Egemen's findings and analyzing this thing with Comodo Instant Malware Analysis, the rogue doesn't do much at all. It's a SIMPLE application and shows a few warnings. That's it. It does no harm to the system whatsoever. Even if it did, you will be alerted for it - it may create a few registry keys, but CIS blocks these and allows the rogue to run BECAUSE it can NOT do any further harm. D+ doesn't stop programs from doing "non-malicious things". It stops the execution of malware behavior, not simple programs just running on your PC/sitting on your HD and doing no harm at all.

    People think "Proactive" offers more security than the default Internet Security configuration. This is NOT the case; the Internet Security configuration gives acceptable security with acceptable user experience (both need to be followed for a security vendor)... meaning low on pop-ups too. All 3 components (Antivirus, Firewall, Defense+) work together to PROTECT you and what is IMPORTANT. :) You can always switch to Proactive to get more pop-ups, and for the average user, that will be annoying and they will simply boot CIS off the system. :)

    This is not a bypass for CIS at all.
    Other companies protect differently, So what? But this is how it is for CIS.

    Hope this clarifies. Pls let me know if I didn't.

    Cheers,
    Josh
     
  7. 3xist

    3xist Guest

    Yes.

    Running different security software from different vendors together can of course cause potential incompatibility issues, like the scenario in your case with Sandboxie.

    Cheers,
    Josh
     
  8. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    LOL, whenever I run malware which is missed by my AV, the files are in the My Pending Files list in Comodo. But when I try to run the files which are in the My Pending Files list, they can run.
     
  9. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    No, I don't get an execution alert. I'm using Proactive mode with Defense+ in Clean PC mode. I.e. I download a piece of malware onto my desktop, I double click it to run it (the malware is in the My Pending Files list) and the rogue runs with only an alert to access memory, and even if blocked it runs. Is there an option to block anything from running if it is in the My Pending Files list?
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It's more likely that you have given Sandboxie's start.exe blanket permission to spawn new processes (child applications). You should have your HIPS set to control what start.exe is doing. Malware Defender, with default settings, alerted me when start.exe executed xpdeluxe.exe.
     
  11. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    I don't get an execution alert. And is there ANY WAY I can block anything from running if it is in the My Pending Files list?
    EDIT: actually I don't think I ever got an execution alert.
     
  12. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    I know they should, but again, is there any way I can block anything from running if it is in the My Pending Files list?
     
  13. 3xist

    3xist Guest

    Can someone pls send me this rogue again?

    Cheers,
    Josh
     
  14. 3xist

    3xist Guest

    Got the rogue.

    Comodo Secure DNS won't let me access it this time. :(

    I'll go to another PC and put it on there and transfer it on to my PC.

    Cheers,
    Josh
     


  15. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    I want to use the zero alerts setup, but the zero alerts thing doesn't block everything in the My Pending Files list.
     
  16. 3xist

    3xist Guest

  17. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    No and yes. I have already set that up, but it doesn't work like I want it to. Since I don't ever get execution alerts, I was wondering if I can block anything from running, if it is in the My Pending Files list, without any alerts.

    EDIT: BTW the spelling is wrong
    Configurng CIS
    You forgot an I after r.
    Configuring CIS
     
  18. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Can't you just run www.revouninstaller.com in advanced mode to remove all files and registry traces?

    Regarding Hitman Pro, did it identify just the installation file, or detect the file once it was installed and running?
     
  19. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    The infection was long gone LOL. What are you talking about? o_O
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    I'm late on the scene ;) , was just commenting that, rather than an AV scan, if a user has this rogue program running, Revo Uninstaller should remove it thoroughly.
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I'm a bit confused. You seem to be saying the test didn't work with Sandboxie, and yet Franklin says in post #101 that "Sandboxie contains and deletes it no probs". Is that because he was using Sandboxie in a VM?
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Tony, only read the thread briefly (at work), but I'm assuming Comodo might not have shown the appropriate alerts as the rogue was also run while sandboxed - meaning, Sandboxie limited the way Comodo reacted/performed.

    So what I gathered, Comodo on its own, at default settings takes care of this program. Sandboxie on its own contains this program.
     
  23. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    Well, I'm giving up Comodo for now o_O . Will wait for the v4.
    Trying Online Armor. So far so good :thumb:
     
  24. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    I really like the huge list of known good and bad software :thumb: :thumb: in Online Armor
     
  25. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    And the zero alerts thing in Online Armor really works for me. Just disabled the GUI from starting, and in the services set oasrv.exe to Automatic. :thumb: :thumb: It just blocks every unknown exe from starting. Since Comodo doesn't have that trusted and untrusted files list, it kept on blocking even legitimate exes. :thumbd:
     