Original poster: syfwxmh

[Original] KIS2010 (build 437) HIPS Defense Capability Test [Kafan Virlist 5.22] [STOP: testing halted]

syfwxmh
OP | Posted 2009-5-15 20:41:57

Reply to post #49 by jefffire

That's why I say FD still needs to be strengthened.
jefffire
Posted 2009-5-15 20:46:57

Reply to post #50 by syfwxmh

...No permission, can't get in...
syfwxmh
OP | Posted 2009-5-15 20:48:02

Reply to post #52 by jefffire

Doesn't seem to be the one you mentioned~~ Reported it~~ Too lazy to test it further~~
jefffire
Posted 2009-5-15 20:50:03

Reply to post #51 by syfwxmh

Then it would be better to strengthen AD instead; as long as driver loading is blocked, it doesn't matter where you put the file. Defending with FD would require a global setting...
For Kaspersky's protection against driver loading, I recall that the fourth CLT method, ChangeDrvPath, only prompts and cannot block.
syfwxmh
OP | Posted 2009-5-15 20:57:22

Reply to post #54 by jefffire

Let me show you some CLT test results for KIS2010 from other testers on the official forum.
jefffire
Posted 2009-5-15 20:58:14

Reply to post #55 by syfwxmh

syfwxmh
OP | Posted 2009-5-15 21:01:02
Ran the comodo suite on windows vista x86, kis 372 and got the following result:
COMODO Leaktests v.1.1.0.3
Date 7:01:58 PM - 5/5/2009
OS Windows Vista SP1 build 6001
1. RootkitInstallation: MissingDriverLoad Protected
2. RootkitInstallation: LoadAndCallImage Protected
3. RootkitInstallation: DriverSupersede Protected
4. RootkitInstallation: ChangeDrvPath Vulnerable
5. Invasion: Runner Protected
6. Invasion: RawDisk Protected
7. Invasion: PhysicalMemory Protected
8. Invasion: FileDrop Protected
9. Invasion: DebugControl Protected
10. Injection: SetWinEventHook Protected
11. Injection: SetWindowsHookEx Protected
12. Injection: SetThreadContext Vulnerable
13. Injection: Services Protected
14. Injection: ProcessInject Protected
15. Injection: KnownDlls Vulnerable
16. Injection: DupHandles Vulnerable
17. Injection: CreateRemoteThread Protected
18. Injection: APC dll injection Protected
19. Injection: AdvancedProcessTermination Protected
20. InfoSend: ICMP Test Protected
21. InfoSend: DNS Test Protected
22. Impersonation: OLE automation Protected
23. Impersonation: ExplorerAsParent Protected
24. Impersonation: DDE Protected
25. Impersonation: Coat Protected
26. Impersonation: BITS Vulnerable
27. Hijacking: WinlogonNotify Protected
28. Hijacking: Userinit Protected
29. Hijacking: UIHost Protected
30. Hijacking: SupersedeServiceDll Protected
31. Hijacking: StartupPrograms Vulnerable
32. Hijacking: ChangeDebuggerPath Protected
33. Hijacking: AppinitDlls Protected
34. Hijacking: ActiveDesktop Protected
Score 280/340

The protection against some leaktests needs to be fixed.


KIS doesn't pass the following leaktests of CLT (For Windows XP 32 the results would be the same):
Hijacking : StartupPrograms
InfoSend : ICMP Test
Injection : KnownDlls
Rootkit Installation : ChangeDrvPath
Now that Kaspersky claims to have a full HIPS it should also have a good leaktest blocking.

Passed here on XP 32bit. For known dlls uncheck Trust apps with digital sigs./KSN in HIPS.
It seems the heuristic application analyzer needs some re-evaluation regarding the DNS client interface. Since you removed "disable DNS cache" by default in the installation procedure, Low Restricted is not the place where an app like DNStester should be put (I have one more file which does not do anything but use the DNS program interface, DNSdetour.exe); alternatively, put a prompt on "using system program interface (DNS)" right in the low security program groups.


QUOTE(3x0gR13N @ 10.05.2009 19:08)
Passed here on XP 32bit. For known dlls uncheck Trust apps with digital sigs./KSN in HIPS.


hmmm...
EDIT: screenshot related issue is solved in build 401, thanks KLab
Edit2: both "issues" are solved  


As you can see, Kaspersky 2010 aims to pass all of the CLT tests.
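The CLT report quoted above is plain text, so HIPS coverage across builds and settings can be tracked mechanically rather than by eye. The following Python is an added example, not code from this thread, from COMODO or from Kaspersky: it parses that report layout, recomputes the score, lists the vulnerable tests per category, and diffs two runs so that a settings change such as unchecking "Trust apps with digital sigs./KSN" shows up as a fixed or regressed test. The 10-points-per-test rule is inferred from the quoted 280/340 (28 of 34 protected), and the embedded sample input is the build 372 report quoted in the post.

```python
"""Parse COMODO Leak Test (CLT) result reports and summarise HIPS coverage.

Added example for the thread above; not part of the original page.
Assumes the plain-text layout of the quoted report: one test per line in the
form "N. Category: TestName Status", followed by a "Score X/Y" line.
"""
import re
from dataclasses import dataclass

# Sample input: the KIS 2010 (build 372) report quoted in the thread.
CLT_REPORT = """COMODO Leaktests v.1.1.0.3
Date 7:01:58 PM - 5/5/2009
OS Windows Vista SP1 build 6001
1. RootkitInstallation: MissingDriverLoad Protected
2. RootkitInstallation: LoadAndCallImage Protected
3. RootkitInstallation: DriverSupersede Protected
4. RootkitInstallation: ChangeDrvPath Vulnerable
5. Invasion: Runner Protected
6. Invasion: RawDisk Protected
7. Invasion: PhysicalMemory Protected
8. Invasion: FileDrop Protected
9. Invasion: DebugControl Protected
10. Injection: SetWinEventHook Protected
11. Injection: SetWindowsHookEx Protected
12. Injection: SetThreadContext Vulnerable
13. Injection: Services Protected
14. Injection: ProcessInject Protected
15. Injection: KnownDlls Vulnerable
16. Injection: DupHandles Vulnerable
17. Injection: CreateRemoteThread Protected
18. Injection: APC dll injection Protected
19. Injection: AdvancedProcessTermination Protected
20. InfoSend: ICMP Test Protected
21. InfoSend: DNS Test Protected
22. Impersonation: OLE automation Protected
23. Impersonation: ExplorerAsParent Protected
24. Impersonation: DDE Protected
25. Impersonation: Coat Protected
26. Impersonation: BITS Vulnerable
27. Hijacking: WinlogonNotify Protected
28. Hijacking: Userinit Protected
29. Hijacking: UIHost Protected
30. Hijacking: SupersedeServiceDll Protected
31. Hijacking: StartupPrograms Vulnerable
32. Hijacking: ChangeDebuggerPath Protected
33. Hijacking: AppinitDlls Protected
34. Hijacking: ActiveDesktop Protected
Score 280/340
"""

# Inferred from the quoted score: 28 protected tests -> 280, 34 tests -> 340.
POINTS_PER_TEST = 10

LINE_RE = re.compile(r"^\s*(\d+)\.\s+(\w+):\s+(.+?)\s+(Protected|Vulnerable)\s*$")
SCORE_RE = re.compile(r"^Score\s+(\d+)/(\d+)\s*$")


@dataclass(frozen=True)
class TestResult:
    number: int
    category: str
    name: str
    protected: bool


def parse_clt_report(text):
    """Return (results, reported) where reported is the (score, total) pair
    printed by CLT, or None if the report has no Score line."""
    results, reported = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            num, category, name, status = m.groups()
            results.append(TestResult(int(num), category, name, status == "Protected"))
            continue
        s = SCORE_RE.match(line)
        if s:
            reported = (int(s.group(1)), int(s.group(2)))
    return results, reported


def compute_score(results):
    """Recompute the score independently so a tampered or mis-copied
    Score line can be detected."""
    protected = sum(1 for r in results if r.protected)
    return protected * POINTS_PER_TEST, len(results) * POINTS_PER_TEST


def vulnerable_by_category(results):
    """Map each CLT category to the test names that were not blocked."""
    out = {}
    for r in results:
        if not r.protected:
            out.setdefault(r.category, []).append(r.name)
    return out


def diff_runs(baseline, candidate):
    """Compare two runs (e.g. before/after a HIPS setting change or a new build).
    Returns (fixed, regressed) as sorted lists of (category, name)."""
    base = {(r.category, r.name): r.protected for r in baseline}
    cand = {(r.category, r.name): r.protected for r in candidate}
    fixed = sorted(k for k in cand if cand[k] and base.get(k) is False)
    regressed = sorted(k for k in cand if not cand[k] and base.get(k) is True)
    return fixed, regressed


if __name__ == "__main__":
    results, reported = parse_clt_report(CLT_REPORT)
    score = compute_score(results)
    print(f"recomputed {score[0]}/{score[1]}, reported {reported}")
    for category, names in vulnerable_by_category(results).items():
        print(f"  {category}: {', '.join(names)}")
```

Running it reproduces the quoted 280/340 and groups the six failures under RootkitInstallation, Injection, Impersonation and Hijacking. Feeding `diff_runs` a second report taken after changing a HIPS setting (for instance the trusted-applications option the post discusses) turns the forum's "now only these remain" observation into a repeatable regression check.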
jefffire
Posted 2009-5-15 21:05:02
"RootkitInstallation: ChangeDrvPath Vulnerable" is the one; in interactive mode under the High Restricted group it only prompts and cannot block..
Really looking forward to 2010.
PS: Just realized the two of us have turned this into a chat, my bad.... Has this thread changed direction??
syfwxmh
OP | Posted 2009-5-15 21:08:01

Reply to post #58 by jefffire

This doesn't count as idle chatter, it's all technical stuff, not off-topic XE talk haha~~

If we exclude the effect of the trust apps group, these are the ones that still fail:
Hijacking : StartupPrograms
Rootkit Installation : ChangeDrvPath

I believe they will fix them.
6177890618
Posted 2009-5-15 21:08:37
A newbie like me can only watch the experts test. Thanks for your hard work.
Copyright © KaFan  KaFan.cn All Rights Reserved.