Wilders Security Forums  

  #1  
Old March 23rd, 2010, 10:32 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Comodo firewall bug ?

Hi, sorry, my English is very weak. My question is about this video: http://www.youtube.com/watch?v=jfo1KJ2KN0E
I have the Chromium browser and the GRC leaktest. Leaktest is blocked in Comodo firewall and Chromium is allowed, but when leaktest is renamed to chrome.exe and replaces it, there is no sound from Comodo and leaktest has a free way to the internet. Is that behaviour normal from the firewall side?
  #2  
Old March 24th, 2010, 02:16 AM
blacknight's Avatar
blacknight blacknight is offline
Very Frequent Poster
 
Join Date: Sep 2007
Location: Europe
Posts: 1,596
Default Re: Comodo firewall bug ?

You should post it in Comodo Forum.
  #3  
Old March 24th, 2010, 04:22 AM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Comodo firewall bug ?

Well, could be a few things

1) You have disabled image execution control

2) It is just one of the "illusive" security protection examples which Comodo uses to make non-paranoid (highest) security settings user friendly. http://www.wilderssecurity.com/showp...6&postcount=20

3) Hash of GRC leaktest has the (one in a million chance) same check value as Chrome (it is started from original directory)

As told by Blacknight, please post on the Comodo forum and let us know what caused this.

Regards Kees
  #4  
Old March 24th, 2010, 05:01 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

Thanks for the help, posted the same thing on the Comodo international/Russian forum...
Quote:
Originally Posted by Kees1958
Well, could be a few things

1) You have disabled image execution control

Regards Kees
No, installed with default settings, disabled only the antivirus (because it was catching my leaktest) and the sandbox.
I think it is a strange thing if the firewall is not checking MD5...
  #5  
Old March 24th, 2010, 05:20 AM
Espresso's Avatar
Espresso Espresso is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 974
Default Re: Comodo firewall bug ?

Defense+ should notify you if a program attempts to replace chrome. It's likely you have given Explorer permission to modify Protected Files and Folders in its Defense+ rules so it won't raise a peep when you replace it manually.

If you have Defense+ turned off, however, this will be a serious vulnerability for the firewall.
  #6  
Old March 24th, 2010, 05:35 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

I did not change any settings of the firewall or HIPS.
If only the firewall is installed without Defense+, does that mean all roads to the web are open?
  #7  
Old March 24th, 2010, 10:48 AM
Kees1958's Avatar
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Comodo firewall bug ?

YUP,

Without D+ no image checking, so you can't blame Comodo for not performing when you did not install that part yourself

RTFM problem
  #8  
Old March 25th, 2010, 03:27 AM
Espresso's Avatar
Espresso Espresso is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 974
Default Re: Comodo firewall bug ?

Just turn on "Protected Files and Folders" in D+ and it can protect against that vulnerability with very little performance hit if any. I have all options turned on except screen and keyboard and I don't notice any slowdown. A couple more basic leak protection features to monitor would be "Interprocess Memory Access" and maybe "Windows Messages".
  #9  
Old March 25th, 2010, 05:57 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

In my configuration Defense+ is in Safe Mode, monitoring settings are ALL on, and there is no peep from D+ when renaming and replacing exes...
Even the Win7 firewall (with outbound control) is doing this job better.
  #10  
Old March 26th, 2010, 03:51 AM
Espresso's Avatar
Espresso Espresso is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 974
Default Re: Comodo firewall bug ?

Quote:
Originally Posted by henris
In my configuration Defense+ is in Safe Mode, monitoring settings are ALL on, and there is no peep from D+ when renaming and replacing exes...
Even the Win7 firewall (with outbound control) is doing this job better.

How are they being renamed?

Windows 7 firewall doesn't alert on changed executables, except maybe those for system services.
  #11  
Old March 26th, 2010, 04:23 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

No popups from the Win7 firewall, it simply does not allow access to the network for a renamed or changed exe. A simple task for any program calling itself a firewall.
So I have always loved this nice firewall (Comodo) and have been testing it with versions o.X, but I did not expect that the new versions of it would be so weak. I understand that it struggles with popup issues, but not at that price. On the Comodo forum the guys agree with me and are calling this not a bug, but a big hole in security...
Now I'm restoring a clean image where there is no place for CPF. Thanks, guys, for the help in trying to find the truth.
  #12  
Old March 26th, 2010, 09:52 AM
blacknight's Avatar
blacknight blacknight is offline
Very Frequent Poster
 
Join Date: Sep 2007
Location: Europe
Posts: 1,596
Default Re: Comodo firewall bug ?

henris:

- What about your Image Execution Control settings? Does "All" mean it too?
- What about the Comodo Forum? (Did you post there?)
- Did you try in Paranoid Mode?
- I tried GRC leaktest, renaming it to Opera.exe (I don't use Chrome), and Defense+ immediately alerts me.

  #13  
Old March 26th, 2010, 11:29 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

blacknight:
1. Yes
2.
Quote:
Originally Posted by henris
Thanks for the help, posted the same thing on the Comodo international/Russian forum...
3. No
4.
Sorry, now I'm on a clean Windows with the Windows firewall and avast and can't test this anymore. And my question was about the firewall, not HIPS (D+)...
  #14  
Old March 26th, 2010, 12:52 PM
blacknight's Avatar
blacknight blacknight is offline
Very Frequent Poster
 
Join Date: Sep 2007
Location: Europe
Posts: 1,596
Default Re: Comodo firewall bug ?

Quote:
Originally Posted by henris
Sorry, now I'm on a clean Windows with the Windows firewall and avast and can't test this anymore. And my question was about the firewall, not HIPS (D+)...

I understood that in a further test you used also the HIPS of CIS:

Quote:
Originally Posted by henris
In my configuration Defense+ is in Safe Mode, monitoring settings are ALL on, and there is no peep from D+ when renaming and replacing exes...
Even the Win7 firewall (with outbound control) is doing this job better.
  #15  
Old March 26th, 2010, 02:34 PM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

Yes, I just did not change any settings of the firewall or HIPS; D+ is enabled by default...
On my system the hash check does not work with D+ or without. I tried setting Image Execution Control to aggressive, deleting Explorer from the system trusted programs, checking off the "trusted vendors" setting, and still nothing... More popups about Explorer, but leaktest anyway "penetrated" the firewall like Chrome...
With HIPS or without, same thing, my "worm" is going to the net freely...
  #16  
Old March 26th, 2010, 05:06 PM
Espresso's Avatar
Espresso Espresso is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 974
Default Re: Comodo firewall bug ?

Quote:
Originally Posted by henris
No popups from the Win7 firewall, it simply does not allow access to the network for a renamed or changed exe. A simple task for any program calling itself a firewall.

Is this a new feature for the Win7 firewall? The Vista firewall doesn't check file hash values.

Comodo doesn't check hash values, but if you had D+ enabled and a program tried to replace another program, it would alert. As I explained, when you replace the file manually, you do it through Explorer which has permissions to change protected files, thus you get no alert.
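
Added example (not part of the original thread, and not Comodo's or Windows' implementation): a toy rule table showing why a rule keyed only on the executable's path keeps applying after the file is replaced, and what pinning a SHA-256 to the rule would change. All function names, file names and file contents are hypothetical and constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """Hash the file contents in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _key(path):
    return os.path.normcase(os.path.abspath(path))

def add_rule(rules, path, action):
    # Store the action together with the hash seen when the rule was created.
    rules[_key(path)] = (action, sha256_of(path))

def decide_by_path(rules, path):
    # Path-only lookup: whatever sits at this path inherits the rule.
    rule = rules.get(_key(path))
    return rule[0] if rule else "ask"

def decide_by_path_and_hash(rules, path):
    # Hash-pinned lookup: a changed file no longer matches its rule,
    # so the user is asked again instead of the old decision being reused.
    rule = rules.get(_key(path))
    if rule is None or sha256_of(path) != rule[1]:
        return "ask"
    return rule[0]

def demo():
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "chrome.exe")      # constructed stand-in
        leaktest = os.path.join(d, "leaktest.exe")   # constructed stand-in
        with open(browser, "wb") as f:
            f.write(b"constructed browser bytes")
        with open(leaktest, "wb") as f:
            f.write(b"constructed leaktest bytes")
        rules = {}
        add_rule(rules, browser, "allow")
        add_rule(rules, leaktest, "block")
        before = (decide_by_path(rules, browser), decide_by_path_and_hash(rules, browser))
        shutil.copyfile(leaktest, browser)  # the manual replace described in the thread
        after = (decide_by_path(rules, browser), decide_by_path_and_hash(rules, browser))
        return before, after
```
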
  #17  
Old March 27th, 2010, 10:29 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

Don't know about the Vista firewall (I jumped from XP to 7), but on 7 if I rename and replace one exe with another, the blocked (renamed) exe is still blocked, with no circus of HIPS raping the firewall...
For my needs only a firewall is enough. If that firewall has HIPS, OK, but if HIPS breaks my firewall, sorry, how should this then be named?
P.S. Sorry, I was wrong about the Win7 firewall, no hash checking. Earlier when I was checking the Win7 firewall on my system I also tested MalwareDefender; maybe with this duo I made a mistake somewhere. With only the Microsoft firewall it is the same thing as with Comodo...

Last edited by henris : March 27th, 2010 at 10:56 AM.
  #18  
Old March 27th, 2010, 10:30 PM
Espresso's Avatar
Espresso Espresso is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 974
Default Re: Comodo firewall bug ?

Quote:
Originally Posted by henris
with no circus of HIPS raping the firewall...
For my needs only a firewall is enough. If that firewall has HIPS, OK, but if HIPS breaks my firewall, sorry, how should this then be named?

I have no idea what you're trying to say.

The fact remains, however, if you enable D+, it will not allow a program to replace your browser without alerting you. If you don't want a lot of popups and just leak protection, you only have to enable a few HIPS protection features.

The more you enable the more protected you are. I have them all checked except Windows Messages, Keyboard and Computer Monitor.

Quote:
P.S. Sorry, I was wrong about the Win7 firewall, no hash checking. Earlier when I was checking the Win7 firewall on my system I also tested MalwareDefender; maybe with this duo I made a mistake somewhere. With only the Microsoft firewall it is the same thing as with Comodo...

Yes, I tried it last night under Win 7 and confirmed that the firewall does not check hash values, just as in Vista.
  #19  
Old March 28th, 2010, 04:07 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

Thanks Espresso anyway ...
  #20  
Old March 28th, 2010, 04:49 AM
blacknight's Avatar
blacknight blacknight is offline
Very Frequent Poster
 
Join Date: Sep 2007
Location: Europe
Posts: 1,596
Default Re: Comodo firewall bug ?

Quote:
Originally Posted by Espresso
I have no idea what you're trying to say.

The fact remains, however, if you enable D+, it will not allow a program to replace your browser without alerting you. If you don't want a lot of popups and just leak protection, you only have to enable a few HIPS protection features.




Quote. As I said in a previous post, I tried renaming GRC leaktest to Opera.exe and Defense+ immediately alerts me.
  #21  
Old March 28th, 2010, 07:00 AM
henris henris is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 17
Default Re: Comodo firewall bug ?

blacknight :

My first question was about how a BLOCKED program, without MY permission, is LEAKING from MY system, not about replacing and renaming...
OK, now about D+: you downloaded and installed some program, that program is trusted, when that program downloads some part of itself (a DLL or something like that) with renaming and replacing, you have no alert from your security product, because one part of that program on your system is trusted.
  #22  
Old April 2nd, 2010, 08:51 AM
LostOne LostOne is offline
Infrequent Poster
 
Join Date: Mar 2010
Posts: 5
Default Re: Comodo firewall bug ?

Quote:
Originally Posted by Espresso
The fact remains, however, if you enable D+, it will not allow a program to replace your browser without alerting you.
But that does mean that D+ will allow you to manually replace the browser. Right?

I replaced the Opera executable with the GRC leaktest and neither D+ nor the FW blocked anything.
The renamed leaktest did get sandboxed though.
I have all options checked under D+ Monitoring Settings.
  #23  
Old April 2nd, 2010, 12:07 PM
Espresso's Avatar
Espresso Espresso is offline
Frequent Poster
 
Join Date: Aug 2006
Posts: 974
Default Re: Comodo firewall bug ?

Quote:
Originally Posted by LostOne
But that does mean that D+ will allow you to manually replace the browser. Right?

I replaced the Opera executable with the GRC leaktest and neither D+ nor the FW blocked anything.
The renamed leaktest did get sandboxed though.
I have all options checked under D+ Monitoring Settings.

That's because you manually replaced it through Explorer which has permission to change protected files. The assumption is that if you replace the file with Explorer, it's something that you want to do. If an untrusted program attempted to replace the file, you would be alerted.
  #24  
Old April 2nd, 2010, 12:26 PM
LostOne LostOne is offline
Infrequent Poster
 
Join Date: Mar 2010
Posts: 5
Default Re: Comodo firewall bug ?

Thanks Espresso!

That's what I thought.
I just wanted to be sure.
  #25  
Old April 2nd, 2010, 01:39 PM
blacknight's Avatar
blacknight blacknight is offline
Very Frequent Poster
 
Join Date: Sep 2007
Location: Europe
Posts: 1,596
Default Re: Comodo firewall bug ?

Anyway, as Espresso said in a former post, enabling Defense+ at the highest and most restricted level, henris would not have had the problem.
 
