Test Your HIPS - Comodos 5 New Security Tests

Discussion in 'other anti-malware software' started by CogitoErgoSum, Apr 18, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,091
    Location:
    U.S.A. (South)
    Is that so?

    Then i suggest Comodo fashion it to throw all of them at once. Contrary to the jealousy that critics try to enjoy on EQS, they ARE NOT! MISLEADING.

    EQS even in beta 4 stage repels most if not all HIPS tests most formidably and without problems like lock ups and screen freezes that others fall to.
     
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,230
    Location:
    Pennsylvania.
    Passed the first rootkit, failed the rest. This is with Spyware Terminator only. :( With Comodo Defense Plus I got passed first rootkit failed second one, passed 3rd option and failed the rest.
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    How did you check? I suspect that, as with ProSecurity, PG is failing in its handling of the odd file extensions (.sys_old, .sys?, .sys_) in the System32\Drivers folder. PG successfully blocks the first two steps of the attack involving beep.sys...hence the flashing icon. Thereafter, PG fails as does ProSecurity with its default rules. There is at least one method of installing drivers (rootkit or otherwise) to which PG is blind.

    In the following sequence, ProSecurity (with my added rule) passes if I allow the first two file writes, but deny everything thereafter. If I deny the first two writes, but allow the others, then ProSecurity fails.

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:23
    [ALLOW] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:23
    [ALLOW] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:27
    [BLOCK] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys_old?

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:27
    [BLOCK] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys_old?

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:28
    [BLOCK] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys_old?

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:28
    [BLOCK] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:29
    [BLOCK] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys?

    clt.exe
    [WRITE FILE] 2008.04.20 22:19:29
    [BLOCK] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys?

    clt.exe
    [CREATE FILE] 2008.04.20 22:19:30
    [BLOCK] C:\test\clt.exe
    Command Line:"C:\test\clt.exe"
    [ACCESS TO] Folder: C:\WINDOWS\system32\drivers\
    File: beep.sys_

    Nick
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Comodo failed it's own test??
     
  5. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Tested it too with TF / Vista-32, same sad, embarrassing results:

    1 test passed, 4 tests failed.

    PC Tools, please revamp TF asap!!!
     
  6. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    If these are all POC, then TF has a false positive to fix.
    TF was built to detect malicious activity, not activity in general.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,159
    Location:
    UK / Pakistan
    I agree but my concern is only about the driver loading( first test).
     
  8. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You are right. PG does FAIL Rootkit 2 test. Sorry, I had that wrong earlier.
     
  9. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    Just tested with latest copy of Drivesentry

    1, Rootkit 1---------- XP = fail / Vista = protected
    2 ,Rootkit 2---------- protected
    3, DLL1-------------- protected (block extracted DLL)
    4, DLL2-------------- error (method doesn't work)
    5, BITS-------------- protected (DS doesn't have network protection / detects file being written to disk).

    I run PC Tools Firewall plus with Drivesentry on three of my PCs so test 5 would be trapped by PCT. Test 1 is a not a huge concern as I've now switched over to Vista Pro and this undocumented way of loading a driver is now obsolete.

    ~interact
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Not a problem :). I confirmed the failure with PG 3.410 (full) this morning. I don't have the later versions that followed after Jason left DCS. PG was an awesome app in its day.

    Nick
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,159
    Location:
    UK / Pakistan
    Good results for DS.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    In case this is Vista with UAC this is rather Vista's result, that anything else.
     
  13. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    All credits to DriveSentry: tested DS v3.0.2.16 with Vista-32/deactivated UAC and DS passed all tests.

    So a :thumb: for DS Development too.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,159
    Location:
    UK / Pakistan
    From his post it apppears that he did test on both Vista n XP.

    Smookey has now cofirmed it.
     
  15. interact

    interact Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    121
    Location:
    Paris
    I don't run UAC on Vista as it's a pain in the ass.

    ~interact
     
  16. InVitroVeritas

    InVitroVeritas Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    64
    for DriveSentry, under XP pro, I've got different results : vulnerable to the first, third and fourth of those so called test. :rolleyes:
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Completely agree :)
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Why not run LUA in quiet mode with TweakUAC as an alternative? You do noy have the all the elevation pop-ups, still all programs run UAC, registry and file virtualisation work and IE will run in protected modeo_O??

    WHy did you buy Vista in the first place when you are not using its improvements?
     
  19. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    I agree and use TweakUAC (it makes a big difference and you get to keep the security UAC provides without the nuisance).
     
  20. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    There is no way not to buy Vista in case you buy new computer or laptop. All of them have Vista preinstalled here.
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,330
    Location:
    Hawaii
    You can special order a virgin computer via internet, or -- better yet -- have a computer built for you, set up for dual-boot (to Linux & XP). Or... buy a MAC.
     
  22. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Buy a Dell before June 30. Dell offers a lot of computers with XP Pro. You should check both their Home Division and Small Business Division. You do not have to own a small business to buy from that division. Or have a computer locally built but do it before June 30th which is the date Microsoft will stop OEMs from selling XP on computers and will pull retail XP off the shelves. However, small shops and others who build computers can still obtain XP Pro until next January.

    You can also buy a new OEM computer with Vista Business or Ultimate installed and then invoke your downgrade rights. You can downgrade it to XP Pro. If you already have an XP Pro disk you can use that disk to downgrade. The OEM might provide you a downgrade disk for a modest fee but they are not required to do so. You could also buy an XP Pro OEM disk from New Egg if need be. If you want to invoke downgrade rights you must buy the new computer with Business or Ultimate editions of Vista. The other versions do not come with downgrade rights.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I saw on the Dell site, you can invoke those download rights, and they will install and ship with XP installed.
     
  24. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    "downgrade" not "download" (I know you meant downgrade but someone might get confused so thought I would point it out).

    I haven't been there in awhile. I didn't realize they were doing that. Supercool! That saves the customer from having to uninstall Vista and install XP. Did you see this at Small Business? I wonder if they are doing that for Home division buyers too?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.