System Shtudown Simulator - 2010

Hi,

you may remember this leaktest called "system shutdown simulator".
You can still get it here:

-http://zeroday-software.110mb.com/sss-final.zip-

There are already some interesting threads of 2007/08, but what today ?
I wondered how my security setup Avira Antivir, MSSE, Threatfire, Winpatrol, GesWall and ZoneAlarm will perform. After executing the "shutdown interception call" i started the usual shutdown via the Start-button as intended. I waited until most of the tray icons were gone and then checked the taskmanager. All processes of my apps, except Winpatrol, were still running.

Actually i got mixed feelings about the result:

1) The shutdown interception call was not recognized by any app.
(if possible anyway ?)
2) The File- and Autostart-test were only "discovered" (isolated) by GesWall, so the test was passed.
3) ZoneAlarm blocked the download-test and so this one was passed too.

I'm no expert but i at last would consider Threatfire giving a warning about the actions of the program ? And i can only guess that the shutdown-interception could be discovered too ?

kind regards,
gam

 

What i've learned is that it's a serious leaktest with an interesting approach.
And even the test is some days old, i guess it's still a good leaktest today.

Nobody interested or what's the matter ?

 

Hi

It's a been quite a while since i tested it, so i thought i'd give it a whirl

Avira blocked the Eicar test =

Zemana blocked the registry test =

ZA blocked the FW outbound test =

Shutdown the PC attempted to do that, but was only partially successful. I had to manually reboot. Tested again and this time it didn't actually reboot, but restarted from the log in screen ? Test results same as above =

Same here ?

Exactly, i presume it's just doing what we would do manually ?

I guess most decent apps would pass these tests now, but it'd be interesting to see other peoples results with these tests

 

I tested it with my current setup (see sig.)

Shutdown Computer intectepted by Spyshelter
Create Autostart registry key intercepted by Spyshelter

I don't have AV so I failed on EICAR
Windows 7 Firewall PASSED

 

@CloneRanger and Konata : Thank you for testing it again. I too think it's very interesting to see how the various setups perform on this special test.

 

um... guys i tried it on Comodo ....but all failed except 2 "eicar file" + "autostart registry key"
though it was set to paranoid mode ..and sandbox was disabled
the version is 5 beta .. and it was tested on vpc

PS : Sorry i was wrong ..the problem was because i was using "comodo memory guardian" after uninstalling it and tested it again
all passed except "step 1 n last one firewall remove test file"
OSSS passed with HIPS and shutdown test ..but step failed


BTW : i noticed after closing the test file ...most applications were terminated even some HIPS programs themselves ..how could this? is this because of shutdown testing?

 

Maybe 2

You might want to retry a few times though to be sure, as i mentioned earlier, the shutdown worked differently on several occasions for me !

 

As soon as the file is started , SONAR in Norton terminates and deletes it with no questions asked. System (Windows 7) seems to be working fine.

 

KIS blocks it partially. When the system is shut down manually (KIS blocks the app from obtaining shutdown priveleges), KIS' GUI closes but the service process which does the actual protection stuff remains.

When the KIS' GUI is closed, the leaktest is able to create the EICAR test file, but the file cannot be executed (so not an actual bypass?). The test is able to create the autostart registry entry, but the download test is also blocked. 2/3.

It's also possible to block the autostart registry entry creation by modifying the HIPS settings.

 

This is really good ! I'd like to see that by CIS or Threatfire. My second result with latest CIS on access / paranoid mode :

-CIS and Antivir detect the sss.exe on access and prompt, but fail both tests
-Threatfire fails all

If this would be real malware running hidden, then i'm happy that at least Geswall, as my last line of defense, would stop it.