Test Your HIPS - Comodos 5 New Security Tests

Discussion in 'other anti-malware software' started by CogitoErgoSum, Apr 18, 2008.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    On 4-16-08, Comodo released 5 new security tests.

    http://download.comodo.com/securitytests/CLT.zip
    http://forums.comodo.com/leak_testi...do_release_5_new_security_tests-t21917.0.html

    Under Vista 32 SP1 with DefenseWall v2.40 beta, I got the following results.

    Rootkit Installation 1........Protected/Blocked
    Rootkit Installation 2........Protected/Blocked
    DLL Injection 1.................Tentative Block* (*Note: this test (3 of 5) hangs and apparently does not complete.)
    DLL Injection 2.................Protected/Blocked
    BITS Hijack.......................Protected/Blocked


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited by a moderator: Apr 18, 2008
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    EQS, Alcyon's ruleset

    Rootkit 1----------protected
    Rootkit 2----------vulnerable
    DLL1--------------error
    DLL2--------------error
    BITS--------------vulnerable

    Can anyone confirm this?

    Win XP SP2
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Running sandboxed with SBIE (EQS disabled)

    Rootkit1-----protected
    Rootkit2-----protected
    DLL1--------some kind of loop, frozen in "testing"
    DLL2--------protected
    BITS--------leaktest crashes...I assume "protected"?


    Hmmm, strange...I chose to test again sandboxed, now with "Run all tests" checked, and I got this:

    Rootkit1-----protected
    Rootkit2-----vulnerable
    DLL1--------some kind of loop, frozen in "testing"
    DLL2--------protected
    BITS--------vulnerable
     
  4. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    In Vista 32-bit without any HIPS (SRP though, but I allowed the execution):

    Rootkit installation 1 - Protected
    Rootkit installation 2 - Error
    DLL injection 1 - Error
    DLL injection 2 - Error
    BITS Hijack - Vulnerable

    I guess this BITS Hijack doesn't actually download anything, it looks in the svchost and sees the vulnerability? Because I ran it without any internet connection too and it still says Vulnerable.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Same with XP and DefenseWall 2.4 beta. Incredible new feature, resource protection. GeSWall always was a little less easy to use for noobs, but had more freak options. With 2.4 DefenseWall offers a strong, easy HIPS for noobs and an option where freaks can fine-tune isolated environments.
     
  7. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Sandboxie 3.25.12, with a lot of bug fixes and some security fixes has just been released.
    Perhaps you could try the tests again on this new version and let us know how it fares.
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    When I run the tests, the first thing that happens is ZoneAlarmPro produces a security alert that clt.exe is trying to load the driver: CLT\driver.sys. Choices are Allow or Deny. At this point I get very different (and unexpected) results depending on what I tell ZAP to do.

    If I choose Deny in ZAP, ThreatFire is silent (not a peep) and I get:

    Rootkit installation 1 - Protected
    Rootkit installation 2 - Vulnerable
    DLL injection 1 - Hangs on "Testing"
    DLL injection 2 - Protected
    BITS Hijack - Vulnerable

    If I choose Allow in ZAP, ThreatFire alerts right away on a HIGH risk and potentially malicious action and offers either Allow or Quarantine.

    Choosing to Quarantine, TF places the executable, .dll & .zip file all in quarantine.

    If I allow ZAP and have TF protection suspended, a-squared with Malware-IDS enabled just sits there silently.

    --> Edit: After seeing aigle's post, I realize I made a mistake in running all tests at once, as this made it difficult for me to see that ThreatFire was actually NOT blocking all malicious behavior. TF only blocked one test. I concur with aigle, as below:

    Rootkit installation 1 - Vulnerable
    Rootkit installation 2 - Vulnerable
    DLL injection 1 - Vulnerable
    DLL injection 2 - Protected
    BITS Hijack - Vulnerable
     
    Last edited: Apr 19, 2008
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I only find SBIE 3.24 (my current version) on the website...

    when I click update on SBIE it reports no updates available...
     
  10. Henk1956

    Henk1956 Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    55
    GesWall under Windows XP Home:

    Rootkit Installation 1.....Protected
    Rootkit Installation 2.....Error.........Read only access to SERVICE OBJECT\Beep
    DLL Injection 1.............Error.........Access to C:\WINDOWS\system32\dll.dll denied
    DLL Injection 2.............Protected
    BITS Hijack..................Protected
     
  11. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    EQS (modified Alcyon's ruleset)
    =======================
    Rootkit Installation 1.....Vulnerable
    Rootkit Installation 2.....Protected
    DLL Injection 1.............Error
    DLL Injection 2.............Error
    BITS Hijack..................Vulnerable

    OA (Run Safer)
    ===========
    Rootkit Installation 1.....Protected
    Rootkit Installation 2.....Error
    DLL Injection 1.............Error
    DLL Injection 2.............Error
    BITS Hijack..................Protected

    OA (not Run Safer)
    ==============
    Rootkit Installation 1.....Vulnerable
    Rootkit Installation 2.....Vulnerable
    DLL Injection 1.............Vulnerable
    DLL Injection 2.............Protected
    BITS Hijack..................Protected
     
  12. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Sorry, I should have provided a link. Here it is
    http://sandboxie.com/phpbb/viewtopic.php?t=3178
    Thanks for testing this!
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    SBIE 3.25
    XP SP2

    Rootkit1: Protected
    Rootkit2: Vulnerable
    DLL1: Loop
    DLL2: Protected
    BITS: Vulnerable
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    GesWall Free......
     

    Attached Files:

    Last edited: Apr 18, 2008
  15. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    What I don't get is the difference between the PRO version and the free versions. Anyway, Comodo has come a long way from V2...
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Well the pro versions usually cost money and the free versions are usually free :rolleyes: (Just Kidding) :D
    More features in the pro.

    As far as GesWall is concerned........
     

    Attached Files: 123.png (8 KB)
  17. curious george

    curious george Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    218
    Haha true. Very true. Is it worth getting the pro version though?
     
  18. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Absolutely, much more configurable.
    When my tax check gets here I'm getting mine. :D
    But the free works great. Great protection. :thumb:
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    SafeSpace .....:thumb:
     

    Attached Files:

  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    ThreatFire
     

    Attached Files:

  21. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    I am guessing error means protected :D.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, of course.
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Can't even unrar the tests here with Sandboxie set to block all except defined.

    Under [GlobalSettings]:
    ProcessGroup=<restricted>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe

    Under [DefaultBox]:
    ClosedFilePath=!<restricted>,*
    ClosedIpcPath=!<restricted>,*
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Today my tests with EQSecure 4.0 Beta on this "PASSED!" all of them except the very last one. Using, of course, Alcyon's rulesets.

    The BITS didn't make it, but I'm sure I could adjust EQS to cover that one too.
     
  25. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Vista SP1 with DEP enabled for all applications, run under user mode:
    Rootkit 1 - protected
    Rootkit 2 - error
    DLL 1 - error
    DLL 2 - error
    BITS - vulnerable
     