Which Elements of Comodo do You Use?

[Deleted member 65228]

@Sunshine-boy It is because of x64 limitations for kernel-mode interception and ethical requirements. If an AV vendor patches the kernel and it all goes pear shaped, that is on them - they lose customers because of crashes and maybe even have to spend trouble dealing with law-suits if the data-loss was really bad.

Some vendors use the hyper-visor for isolation, like Comodo (for their sandbox). When utilising the hyper-visor you can add support for kernel-mode patching without getting into trouble with PatchGuard - hooking techniques such as MSR (Model Specific Registers) or EPT (Extended Page Table) patching.

Intel have Extended Page Table (EPT) and AMD have Rapid Virtualization Indexing (RVI). You can block kernel-mode operations on 64-bit systems using the above mentioned techniques through virtualisation - you could even use the techniques to actually monitor how PatchGuard itself works - but it is a bit overkill and can be extraordinarily unpredictable in terms of stability in new and creative ways unless the developer doing this line of work has experience.

 

[Sunshine-boy]

Intel have Extended Page Table

Where can I enable it?! does core I3 CPU support this? or need core i5+ CPU?
So av vendors don't patch the bug because they want to make more money?! or they don't want to ##### with costumes? am i right?

 

[AtlBo]

This tool can bypass every next-generation protection xd from hips to... I like it xd i met it 9 months ago! and since then I use it to force secure remove my files.
It doesn't care what protection or security you have! it just removes everything!with 1 click

Well its only delete. I was running in a standard account so I wonder what else someone could so easily put in malware in a standard account.

Thing is with UAC on highest setting "Always Notify", I get a password dialog when trying to delete a folder protected by "File Locker". I think it uses UAC this way or maybe its just because of the limited account, idk. Anyway, I mean the file was just gone period. With File Locker, I was getting the UAC alert and then when I approved that I would get another UAC looking message box saying I dont have "permission rights to delete this file". That was File Locker using UAC I assume.

@Opcode all you have said is validated with this, although I believed you already. Sometimes, I get the dreary feeling that even the best at Microsoft don't know what to do with the ever morphing blob they have created. Kernel security is right at the core of the problem. I mean, it seems like they are saying to each other, "How far do we have to go changing the kernel for Windows to be securable", but then they end up with tons of compromises because of what's there already and from before...idk...

 

[Deleted member 65228]

Where can I enable it?! does core I3 CPU support this? or need core i5+ CPU?
So av vendors don't patch the bug because they want to make more money?! or they don't want to *** with costumes? am i right?

You don't do anything regarding it. You can enable hyper-visor technology which is built-into the processor hardware via the BIOS if it is supported. For example, I have an AMD system and via the BIOS I can enable/disable AMD SVM, which is virtualisation technology which was developed by AMD and is supported by my processor. Virtual Machines will also rely on this technology for virtualisation of an OS environment from the ISO image.

AV vendors don't patch it because it isn't actually a bug. They can't entirely stop attacks from kernel-mode, because kernel-mode is where the OS actually executes from. They can rely on documented kernel-mode callbacks on 64-bit systems to replicate protection mechanisms they may have previously accomplished through kernel-mode patching for older OS versions on 32-bit, but going further than this is just asking for trouble IMO - both genuine and rogue kernel-mode device drivers can bypass these callbacks if the developers know-how. Hyper-visor virtualisation is typically used for safe browsers (e.g. Kaspersky use it for theirs which is related to online banking protection) and sandboxing nowadays (e.g. Comodo use it for their sandbox to isolate sandboxed programs from the Host environment, similar to a Virtual Machine isolating an entire OS environment from the main Host environment).

No matter what happens, if you allow malware to be ran with administrator rights and install a kernel-mode device driver, it is game over. At that point you should just format and re-install Windows unless you can reverse engineer the payload entirely to determine everything that had happened for reversing, or had a good and well-stored backup to revert back with. You can use an on-demand scanner or anti-rootkit tools and the such to identify malware on the system/malicious actions such as hooks and clean them, but how do you know you'll actually be clean after doing all of this? You'll never know for sure unless you know exactly what the infection did on the system - this is generally and not exclusive to just allowing rogue drivers to be installed though.

 

[Sunshine-boy]

Thank you for the information! you are very helpful

 

[klaken]

I have a sandbox to see the unknown applications (the last few times I have a year with secure applications) ..It also gives me an extra layer ..

Comodo virus used in the sanbox to help identify malware in the sandbox.

Many malware has not run in the sandbox, so it has not been made a program (absolutely nothing) for me it is very suspicious and virustotal use ...

Each one is protected as he / she wants .. I prefer that the unrecognized applications stop me

As mentioned before, nothing is 100% safe and even a BB can be violated XD

 

[shmu26]

Found the Same problem with Eset hips! because they don't care about the hash(they only consider the PATH or name)! but Rehips care about the hash!this is the strong point with Rehips
P.S ESET hips won't react at this but the Eset firewall can detect the application modification! so the change can happen but that file cant reach the internet(still better than nothing).

ReHIPS notifies about file modifications only in expert mode. Otherwise, it goes by path.