Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.
Cool, I will send you a link after I zip it up and upload it.
Too late to be Cruelsister, and wrong sex. But Premier League just like her. I have been waiting months for a Nastybrother to appear to complement Meghan.
The alternative is that people are infected.
Developers who are presented with a true bypass, appreciate the hard work it took to figure out a flaw in their software.
Developers, however, are generally annoyed when script kiddies cry wolf and brag... mainly because it is a massive waste of time.
Developers who do not appreciate Meghan's thankless work, should not be developers.
That is my first haiku, so I probably mangled it. Either way, thank you Meghan!
So basically HMP.A is kind of obsolete app while using VS...?
I would not say that. HMP.A is much more focused around blocking the exploit, whereas VS is centered around blocking the payload.
I would be shocked if HMP.A missed this one... I will try it right now and let you know.
I just tried to test, but it did not go so well... it is getting late and I am tired. The last time I tested HMP.A, I remember there was a component that I needed to activate, otherwise the protection wasn't enabled... something like that? Anyway, I will play with it tomorrow, it has been a long day.
And that is the root of it right there, and if adaptation is not possible relevance becomes a serious issue.
Yep. Everything can be bypassed... just ask Adam with his VS bypass. The funny thing is, Black Cipher demonstrated a lot of bypasses, but no one was shocked until White Cipher did the same.
The question is... are these bypasses something that actually puts you at risk?
Can you test Comodo FW with Cruelsister's settings? I'm curious how it will do. Thanks!
Yeah, can you send me her settings? I tested with default settings and it was not an optimal result. Maybe Comodo should use CS's settings for everyone.
Sent you a PM with the settings.
Discussion and explanation about AppGuard behavior on Dan's tests:
Exactly. Plus, if this was a test of anti-exes with whitelists, then AppGuard isn't that. No whitelist. Dan, be sure you really understand the software you are testing, as anything that blocks rundll32.exe would also have its system protected by AppGuard.
Note when I did all the testing against malware VS caught everything, so did ERP and so did Appguard. In fact to have anything get to VS, I had to turn off Appguard. Your test results in this case were totally misleading. Be careful how you test.
You have already tested with Comodo default settings & the result was not optimal.
If possible, test with Comodo Cloud Antivirus (the devs say CCAV defaults are more restricted than CIS defaults).
In short -
CIS Defaults - Less restricted than CCAV defaults
CCAV Defaults - More restricted than CIS defaults (CCAV has Defaults only i.e no other configs)
cruelsister Settings - Proactive Config (HIPS Disabled) + AutoSandbox set to "Restricted" + Firewall set to "Block" unknown connections.
CCAV Settings (compared to cruelsister Settings) - By default, kinda Proactive Config + More Restricted AutoSandbox (defaults are more restricted compared to CIS defaults) + You can "Block" unknown connections (options in the settings to block connections for programs running in the "Sandbox")
You can test CCAV defaults & we can see if it does any better & protects any better compared to CIS defaults.
CCAV defaults are More Restricted + You can enable "Block" connections for sandboxed programs in the settings. Do a test to see how CCAV's more restricted default approach + unknown connections blocked in the settings fares compared with cruelsister's settings for CFW/CIS.
Thank you Dan!
Indeed AG is SRP, meaning you don't use it with default settings; you must tailor its policy to the system it is placed in.
It is why SRPs (like AppGuard or AppLocker) are made principally for corporate environments.
The issue in Dan's test is that he tested the network abuse (aka "1st stage" of the attack), which isn't supposed to be covered by AG (or any anti-exe) but by Firewalls, network IDS, etc...
Let me correct something I said here. I used the word bogus, which implies intent. That is not the case, and the proper wording would be invalid. I do not think there was any intention here, just an invalid conclusion.
No, in the test, the machine was fully pwned... guest and Jeff have everything they need to test.
I was just really tired of everyone speculating on whether this attack would be blocked or not by various security products... so I took the time to perform the tests, so everyone can see.
When someone demonstrates a legitimate bypass of VS, I thank them and fix the issue. When someone brags that they can bypass VS, without demonstrating a proper bypass, then I get irritated because it is a massive waste of time.
There was absolutely nothing misleading about this test at all... if you feel there was, please feel free to explain further. You said "In fact to have anything get to VS, I had to turn off Appguard."... yeah, different security products block at different times (some block before VS and some block after), but this is completely irrelevant, especially when the only thing that matters is if the attack is blocked or not.
Hehehe, guest... this was a worm attack inside the firewall, which is the responsibility of the endpoint software to block.
This was a valid test of a worm attack inside the firewall. Please feel free to test for yourself and demonstrate how I did not perform a proper test.
Indeed, if the endpoint software was made to protect the network traffic. If you tested Symantec EP and it failed, then you are right, but AG doesn't monitor network exchanges; it only blocks exe/dll from user-space modifying system space. AppGuard is not a suite like SEP made to protect from all attack vectors, it is a specialized tool doing only one thing: lock the system space, and it does it perfectly as @Peter2150 demonstrated.