System Shtudown Simulator - 2010

Discussion in 'malware problems & news' started by gambla, Oct 12, 2010.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Hi,

    you may remember this leaktest called "system shutdown simulator".
    You can still get it here:

    -http://zeroday-software.110mb.com/sss-final.zip-

    There are already some interesting threads of 2007/08, but what today ?
    I wondered how my security setup Avira Antivir, MSSE, Threatfire, Winpatrol, GesWall and ZoneAlarm will perform. After executing the "shutdown interception call" i started the usual shutdown via the Start-button as intended. I waited until most of the tray icons were gone and then checked the taskmanager. All processes of my apps, except Winpatrol, were still running.

    Actually i got mixed feelings about the result:

    1) The shutdown interception call was not recognized by any app.
    (if possible anyway ?)
    2) The File- and Autostart-test were only "discovered" (isolated) by GesWall, so the test was passed.
    3) ZoneAlarm blocked the download-test and so this one was passed too.


    I'm no expert but i at last would consider Threatfire giving a warning about the actions of the program ? And i can only guess that the shutdown-interception could be discovered too ?

    kind regards,
    gam
     
    Last edited by a moderator: Oct 12, 2010
  2. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    What i've learned is that it's a serious leaktest with an interesting approach.
    And even the test is some days old, i guess it's still a good leaktest today.

    Nobody interested or what's the matter ?
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi

    It's a been quite a while since i tested it, so i thought i'd give it a whirl ;)

    Avira blocked the Eicar test = :thumb:

    Zemana blocked the registry test = :thumb:

    ZA blocked the FW outbound test = :thumb:

    Shutdown the PC attempted to do that, but was only partially successful. I had to manually reboot. Tested again and this time it didn't actually reboot, but restarted from the log in screen ? Test results same as above = :thumb:

    Same here ?

    Exactly, i presume it's just doing what we would do manually ?

    I guess most decent apps would pass these tests now, but it'd be interesting to see other peoples results with these tests ;)
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I tested it with my current setup (see sig.)

    Shutdown Computer intectepted by Spyshelter
    Create Autostart registry key intercepted by Spyshelter

    I don't have AV so I failed on EICAR :D
    Windows 7 Firewall PASSED
     
  5. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    @CloneRanger and Konata : Thank you for testing it again. I too think it's very interesting to see how the various setups perform on this special test. :)
     
  6. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    um... guys i tried it on Comodo ....but all failed except 2 "eicar file" + "autostart registry key"
    though it was set to paranoid mode ..and sandbox was disabled :(
    the version is 5 beta .. and it was tested on vpc

    PS : Sorry i was wrong ..the problem was because i was using "comodo memory guardian" after uninstalling it and tested it again
    all passed except "step 1 n last one firewall remove test file"
    OSSS passed with HIPS and shutdown test ..but step failed


    BTW : i noticed after closing the test file ...most applications were terminated even some HIPS programs themselves ..how could this? is this because of shutdown testing?
     
    Last edited: Oct 19, 2010
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
     
  8. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Maybe 2 :D

    You might want to retry a few times though to be sure, as i mentioned earlier, the shutdown worked differently on several occasions for me !
     
  10. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    As soon as the file is started , SONAR in Norton terminates and deletes it with no questions asked. System (Windows 7) seems to be working fine.
     
  11. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    KIS blocks it partially. When the system is shut down manually (KIS blocks the app from obtaining shutdown priveleges), KIS' GUI closes but the service process which does the actual protection stuff remains.

    When the KIS' GUI is closed, the leaktest is able to create the EICAR test file, but the file cannot be executed (so not an actual bypass?). The test is able to create the autostart registry entry, but the download test is also blocked. 2/3.

    It's also possible to block the autostart registry entry creation by modifying the HIPS settings.
     
  12. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    This is really good ! I'd like to see that by CIS or Threatfire. My second result with latest CIS on access / paranoid mode :

    -CIS and Antivir detect the sss.exe on access and prompt, but fail both tests
    -Threatfire fails all

    If this would be real malware running hidden, then i'm happy that at least Geswall, as my last line of defense, would stop it.
     
Loading...
Thread Status:
Not open for further replies.