Some test ;)

Discussion in 'other anti-malware software' started by MagisDing, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry,

    All Chinese to me, can't find the download link. Please state which tests Comodo failed.
     
  3. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Here is the direct download link <link removed>
    Comodo almost failed to pass all of them (process is terminated, mouse is locked), but I think the protection was not penetrated.
     
    Last edited by a moderator: Apr 21, 2009
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    GeSWall results

    HTAAA stopped, with HTAAA showing error messages in unreadable characters
    HTAAAB causes a massive amount of logs, tries to access all resident software, services or something, nothing happening
    HTAAC isolated without anything happening
    Stop2 isolated without anything happening, Rising's PC Doctor icon disappears and can't be restarted (via Programs)
    Stop was also isolated according to the logs, was denied access to explorer, but hung the system (so this could be the explorer stop)

    I see your descriptions are about right, but not exactly as in the Comodo forum; did you really test it?

    PM Ilya of DefenseWall, he will be interested in this.
     
    Last edited: Apr 21, 2009
  5. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Yeah, I've tested them with GW; however, HTAAC (started isolated) kills explorer.exe....
    Stop.exe locks the mouse without any log....
     
  6. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    I wonder what results DW will reach in these tests.
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    The only problem test for DW is the "stop2". I fixed it up; it will be released with the next version, 2.54.
     
  8. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Great news! Thanks a lot Ilya :)
     
  9. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    The download via rapidshare link posted in Comodo board isn't possible anymore - download limit (10) reached.
     
    Last edited: Apr 22, 2009
  10. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Have you contacted GW and sent them any samples?
     
  11. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Just on one of your comments. I like Sandboxie, and regarding the blacklisting, Drive Sentry has this, kinda a reason I'm thinking about trying DriveSentry, but I haven't really seen many people running it :doubt:
     
  12. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Doesn't this all boil down to don't install anything unless you know and trust the site it is coming from? If you run everything as trusted in DefenseWall or answer Yes to all pop-ups from a classical HIPS without knowing what you are installing, I don't know of any application, other than image backup / restore, that can protect you.
     
  13. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    True, but if you know what you are installing and trust where it came from you won't have a problem. Users who will install anything without investigation should probably be using a suite that makes decisions for them or have someone else more knowledgeable determine what to install.
     
  14. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Not yet, since I don't know how to submit those samples..... ashamed :oops:
    So far as I know, CIS pops up but can't actually intercept the behaviors (both locking the mouse and terminating processes), though the programmes don't penetrate the protection even if they are malicious indeed.
    BTW: except for stop2.exe, S3 (NetChina), MD and DW seem like they can block the other behaviors correctly.
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    SSJ100,

    You did not fully grasp the concept of policy management.

    The idea behind it is:

    a) you do not care which program runs on your system, because executables AND files originating from untrusted sources are kept in a safe containment

    b) you do not care where those files and programs are, because the sandbox is completely transparent; let them harmlessly reside between your trusted files and programs, they are paralysed anyway (see a)

    c) when you do want to install something explicitly and with your full awareness and agreement, THEN you have to set the status to trusted. From then on you give them the full rights of the current user.

    So a policy sandbox is a kind of reversed HIPS: it does not bother you with pop-ups for known or unknown programs, for legitimate or malicious actions; it only requires 1 action (set to trusted) when you want to install it.

    Regards Kees
     
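    A toy model of the policy-sandbox idea Kees describes above (trust labels on files, inheritance of the label by processes, silent containment of untrusted writes, and a single explicit set-to-trusted action). This is an added example, not GeSWall's or DefenseWall's code; the list of untrusted origins and the resource names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Files arriving through these channels are labelled untrusted on arrival
# (assumption for this model; the real products keep their own lists).
UNTRUSTED_ORIGINS = {"download", "email", "removable"}


@dataclass
class Resource:
    path: str
    trusted: bool


@dataclass
class Process:
    exe: Resource
    parent: Optional["Process"] = None

    @property
    def trusted(self) -> bool:
        # A child never gets more rights than its parent: once untrusted,
        # everything it launches (even a trusted exe) stays untrusted.
        if self.parent is not None and not self.parent.trusted:
            return False
        return self.exe.trusted


@dataclass
class PolicySandbox:
    files: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add_file(self, path: str, origin: str) -> Resource:
        r = Resource(path, trusted=origin not in UNTRUSTED_ORIGINS)
        self.files[path] = r
        return r

    def set_trusted(self, path: str) -> None:
        # The one explicit user action: a deliberate install grants full user rights.
        self.files[path].trusted = True

    def run(self, exe_path: str, parent: Optional[Process] = None) -> Process:
        return Process(self.files[exe_path], parent)

    def request(self, proc: Process, op: str, target_path: str) -> bool:
        # Reads are transparent; a write by an untrusted process to a trusted
        # resource is contained silently (no pop-up); everything else passes.
        target = self.files[target_path]
        allowed = proc.trusted or op == "read" or not target.trusted
        self.log.append((proc.exe.path, proc.trusted, op, target_path, allowed))
        return allowed
```

Note that the downloaded installer runs without any prompt in both states; what changes after set_trusted is only whether its writes reach trusted files.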
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Has this been repeated and confirmed?
    Is tzuk aware?
     
  17. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Tzuk, Ilya, Xiaolin are the one-man-band eager beavers, so I should not worry about it very much.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Alas SSJ, can't help you with this.

    As said earlier, the most secure way of testing Windows software is with a Virtual Machine type of application on a different host OS (e.g. a Linux distro).
     
  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    If you are not sure, you can always install the software as untrusted.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    On XP SP2 with GesWall:

    1- htaaa.exe - No effects, even on running it as trusted
    2- htaab.exe- explorer killed
    3- htaac.exe- explorer killed
    4- stop.exe- mouse not working, unusable system
    5- stop2.exe- mouse frozen, system unusable
    Interesting POC. :thumb: :thumb: :thumb:
     
    Last edited: Apr 23, 2009
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can anyone try:

    ProSecurity
    Malware Defender
    EQS
    OA

    Thanks
     
  23. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    What is the danger here o_O? Cos I get the same with 2 instances of Photoshop :).
    I understand that a classic HIPS should give some warnings, but regarding GeSWall and Sandboxie, personally I'm not concerned about the results.

    Just my opinion of course
     
  24. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Those are the same as what I get ;)
    Well, someone has tried the POC with EQS and MD; I will upload the results later.
     
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    OK, so, have I got this right:
    Run these exploits in the default sandbox: it appears to execute with effect; then delete the sandbox, reboot, and any changes are gone??
    If so, then is there a failure/bypass in Sandboxie??
    Going on the thread @ the Sandboxie forums, there is some problem.
    Memory usage, freezes while in the sandbox.
    If the mouse freezes, how to run Sandboxie to delete? Not sure what effect a reboot might have in that circumstance??
    I feel there might be some element of fanboi-ism at the Sandboxie forum: "there is no issue here" stuff??
    Help please. :doubt:
     
    Last edited: Apr 23, 2009