Some test ;)

Discussion in 'other anti-malware software' started by MagisDing, Apr 21, 2009.

Thread Status:
Not open for further replies.
  1. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    "Help please" with what? The program, when running in a sandbox with default settings, freezes the mouse, and you need to restart the computer by turning it off and on. On reboot the computer is as it was before. What do you do when it rains, since the car windshield wipers are turned off by default?
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Mouse freezing is not a big problem, but Explorer is killed; that is a clear-cut bypass.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    User initiated is the biggest bypass as is the norm.

    These tests were deliberately tailored to bypass all security apps through obscure methods, and it probably won't be the last of them.

    The best way to stop these types of things is not to let them run at all, which Sandboxie does better than any other app through its run/access control settings.
     
  4. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    This will get patched up soon. At least those who are running returnil or shadow defender, in the event of a freeze or crash, everything in the session is removed upon reboot.
     
  5. HungJuri

    HungJuri Registered Member

    Joined:
    Nov 23, 2007
    Posts:
    104
    Location:
    USA
    That is true, but other than this test, who has come across this in the wild? There was a changing-of-the-wallpaper thing once, if I read it right, that everyone made such a fuss over that the dev finally had to block that. Now "Set as Background" doesn't work and my wife won't use Sandboxie anymore. And the image was IN THE SANDBOX, but they still were not happy.
     
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    :)
    General query re bypass of sandboxie or not; and there does seem to be some problem.
    Reboot fixes problem = good.
    Just need to tweak a bit.
    Agree; for me, Sandboxie can be so important that any issue immediately gets taken apart, and explanations are very helpful.
    Now: What's a windshield wiper ?
     
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Be good to see how Malware Defender goes.

    Would ThreatFire and Mamutu be silent during this test?
     
  8. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Tested against OA AV+ latest beta (one day old)

    htaaa - after execution I had this message box:

    htaaa.jpg o_O

    htaab - OA intercepted explorer modification

    htaab1.jpg

    htaac - I like this one, as it first tried to kill my AV (Twister) and then tried to kill explorer. Of course OA notified me for each step, which I allowed :eek:

    htaac1.jpg

    htaac2.jpg

    Explorer is killed, then it tried again to kill my AV, but again Twister survived the attack.

    I'm posting the stop results in another post, as I cannot upload more than 5 files per post.
     
  9. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Time to play with stop & stop2

    stop - OA intercepted it

    stop.jpg

    Red notification and user is able to kill process

    stop2 - OA intercepted it too, and this one is interesting too, as it tries to tamper with the process that has the active window after successfully modifying explorer.

    stop2.jpg

    Both attacks are intercepted by OA, but I could not screenshot the second attack as the target was Paint.NET.
    After the last attack, the systray and Paint.NET were unresponsive.

    Regards,

    MaB
     
  10. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi ssj100,

    Blocking explorer modification stops "malware" action

    MaB
     
  11. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    I ran them one after another.
    stop.exe could be terminated from the first notification (blocking input), and blocking stop2.exe from modifying explorer.exe leaves it loaded in memory but no longer active.

    MaB
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    The solution to this is to keep such filters/interceptions optional, so anyone can enable them if they want.
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Here it tried to attack (in turn) explorer.exe, taskmgr, far and dbgview. None was affected. Though, I always run the latest beta build (which is 3.5.0.11 at the moment). Can't say about .9 (which is the official release). Strange thing, I can't make htaaa.exe work; it always shows an error box and terminates (tried on Vista and XP SP3).

    Can anybody explain what this message means?
     

    Attached file: 1.gif
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Guys,

    Thanks for testing OA. I find it incredible how OA always keeps standing on its feet, while it is such an easy program to use. The competition can throw in every means available (and ultimately becomes a very good program also), but OA is an example of a well-designed application. No copycat can beat that (at the moment :D )

    Regards Kees
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    OA is wonderful. Reminds me of ProSecurity. OA beats most tests and POCs, while Comodo lags behind and fixes stuff after it is discovered, and sometimes it is still not fixed long after. :doubt:
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @MaB69

    Thanks for tests with OA.

    Which version of OA did you use, BTW?

    Thanks
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have posted it on the GesWall forums and I hope they will fix it, though it will take time due to their slow release cycle now.
     
  18. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi aigle,

    You are welcome

    I used beta 10 (first beta build after release)

    @ssj100 : I do not think that this build (10) was patched against this POC

    Regards,

    MaB
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I wish Mike could confirm it.

    @MaB69

    Can you try this test against OA?

    http://www.pc-st.com/us/download.htm

    Install, then go to Proof Mode> Test2: Various Actions

    Thanks
     

    Attached file: 1.jpg
  20. TheEndX

    TheEndX Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    7
    After testing htaa*.exe in Sandboxie, I think it is important to note that explorer.exe is not killed when htaac.exe is run. Only the taskbar disappears/disabled.
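    The post above makes a distinction the earlier "explorer is killed" posts gloss over: a missing taskbar does not prove that explorer.exe is gone. The following PowerShell snippet is an added example, not code from the thread or from any of the products discussed, for checking the shell state before and after running such a POC. It assumes explorer.exe is the shell and that the taskbar window uses the standard Windows class name Shell_TrayWnd; the function and variable names are my own.

```powershell
# Added example (not from the thread). Snapshot the shell state so that
# "taskbar gone" can be told apart from "explorer.exe terminated".
# Assumptions: explorer.exe is the shell; the taskbar's top-level window
# has the standard class name Shell_TrayWnd.

Add-Type @"
using System;
using System.Runtime.InteropServices;
public static class ShellCheck {
    [DllImport("user32.dll", SetLastError = true)]
    public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")]
    public static extern bool IsWindowEnabled(IntPtr hWnd);
}
"@

function Get-ShellState {
    # Process view: is any explorer.exe still alive, and which PIDs?
    $procs = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
    # Window view: does the taskbar window exist, and is it visible/enabled?
    $tray  = [ShellCheck]::FindWindow("Shell_TrayWnd", $null)
    $haveTray = ($tray -ne [IntPtr]::Zero)

    [pscustomobject]@{
        ExplorerRunning = ($procs.Count -gt 0)
        ExplorerPids    = @($procs | ForEach-Object { $_.Id })
        TaskbarExists   = $haveTray
        TaskbarVisible  = $haveTray -and [ShellCheck]::IsWindowVisible($tray)
        TaskbarEnabled  = $haveTray -and [ShellCheck]::IsWindowEnabled($tray)
    }
}

function Compare-ShellState {
    param($Before, $After)

    if ($Before.ExplorerRunning -and -not $After.ExplorerRunning) {
        return "explorer.exe terminated (process gone): genuine process kill"
    }
    # Same PIDs before and after means explorer was neither killed nor restarted.
    $samePids = -not (Compare-Object $Before.ExplorerPids $After.ExplorerPids)
    if ($After.ExplorerRunning -and -not $After.TaskbarExists) {
        return "explorer.exe still running (same PIDs: $samePids); taskbar window destroyed only"
    }
    if ($After.ExplorerRunning -and -not $After.TaskbarVisible) {
        return "explorer.exe still running (same PIDs: $samePids); taskbar window hidden only"
    }
    if ($After.ExplorerRunning -and -not $After.TaskbarEnabled) {
        return "explorer.exe still running (same PIDs: $samePids); taskbar window disabled only"
    }
    return "shell appears intact"
}

# Usage: take a snapshot, run the POC (inside the sandbox), then compare.
$before = Get-ShellState
Read-Host "Run the POC now, then press Enter" | Out-Null
$after  = Get-ShellState
Compare-ShellState -Before $before -After $after
$after | Format-List

# If the process really is gone, bring the shell back without a reboot:
if (-not $after.ExplorerRunning) { Start-Process explorer.exe }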
     
  21. Leolas

    Leolas Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    58
    Location:
    Modena, Italy
    OA's beta .11 contains some HIPS enhancements, so I believe that OA .10 wasn't patched against that POC ;)



    And the PC Security Test is not reliable, it gives random results (or at least, it used to give random results).
    I've done the tests 4 times with the same pc and the same configuration, but results were always different.
    It's also owned by AxBx, the same company that owns VirusKeeper: http://www.viruskeeper.com/us/index.htm. I'm not sure you can trust it ;)
     
  22. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    A bit of a crazy test, without a good explanation of what it does. Though, one of the tests I liked. It grabbed my mouse and it started to jump over the screen. This needs to be prevented :)
     
  23. Leolas

    Leolas Registered Member

    Joined:
    Jun 18, 2008
    Posts:
    58
    Location:
    Modena, Italy
    really? :D I'll try it again, then.
    edit: the version I tested was different.. weird :/
     
  24. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    A good HIPS program should already block it to start with. I personally don't consider a program to be a good HIPS if the vendor has to patch their product after finding out about this, because this indicates that there would be many other security holes in the HIPS product.



    Also, can someone please PM me a link for this test?
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I agree that hackers can find security holes in individual products if they really wanted to. Unless it was specifically made to bypass a "certain list" of products or a "single product", which I don't think it was, it is more likely that it was made to bypass all security products. What I am saying is that a good security product with few security holes would be able to block it straight away, without having to add patches later on.

    Regarding the start/run access in Sandboxie, which prevents it from running in the first place: well, most HIPS have the ability to prevent unknown executables from running anyway. The main purpose of this test, like many other tests, is being able to "control its behavior" after it has been given permission to run.
     