comodo firewall 3.0 is easily killable via the task manager

Discussion in 'other firewalls' started by hany3, Jan 11, 2008.

Thread Status:
Not open for further replies.
  1. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    After several trials, end result: Comodo 3.0 is easily killable.

    As I don't like Defense++ in Comodo 3.0, and don't like staying at my PC answering a lot of questions; also my young brothers don't have enough experience to answer such questions, they could allow a malware to run by answering yes to any pop-up, so Defense+ doesn't match my case.

    I just want a firewall to monitor the traffic.

    And as Comodo gives me the choice to install the firewall without the HIPS,
    so I did so.

    But recently I discovered that Comodo with the HIPS disabled is very easily killable by the Task Manager.

    So Comodo is useless without Defense+, as any weak trojan can easily terminate the firewall process and get access to the outside without my permission.

    Why do they give us the option to install the firewall without the annoying Defense+, if the firewall in this case will not be able to protect itself from being easily terminated by any malware, even the very weak ones?

    If they allow the option to install the firewall without Defense+, they must let the firewall be able to protect itself without the HIPS.


    For anyone who wants to be sure that Comodo is easily killable:
    just disable Defense+ and terminate the cfp.exe process from the Task Manager.
     
    Last edited: Jan 14, 2008
  2. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    I confirmed that on my buddy's PC. ~~ snipped off topic comment ~~
     
    Last edited by a moderator: Jan 11, 2008
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Dear Doctor,

    Comodo has 2 running processes.
    1) cfp.exe, which is the graphical interface, aka the icon you see in your system tray.
    2) cmdagent.exe, which is the real firewall driver.

    You can kill cfp.exe, but you can't kill the driver. Try it out. If you kill cfp.exe, the firewall isn't dead. Using custom policy mode, it blocks any new connection (meaning any connection for which there aren't already rules available).
    So, the programs for which you had given permission before killing the graphical interface will connect. Any new programs won't. So the trojan won't be able to call home.

    The firewall will protect itself, but not the graphical interface. One of the bonuses of Defense+ is that you can block the termination of cfp.exe too, from a NON TRUSTED application (such as a trojan).

    I would also suggest reading the help file well, to discover the various operating modes that will make D+ less noisy.

    Kind Regards.
    Fuzzfas
     
  4. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hi Fuzzfas, thanks for your valuable reply, and I hoped you were right,
    but when I searched in the Comodo forum
    I found the same problem: "Comodo easily killable without Defense+",
    so it seems that it's a known issue in Comodo:
    http://forums.comodo.com/leak_testingattacksvulnerability_research/comodo_firewall_is_easily_killable-t13985.15.html

    And when I terminated cfp.exe with the Task Manager,
    new applications that didn't have rules before
    accessed the internet without any prompting.

    I can suppose that what is happening here is exceptional,
    but is it very difficult for the Comodo vendor to allow cfp.exe protection without Defense++??
    I think if a trojan can just disable the graphical interface and icon of Comodo, it will be a shame for a powerful firewall like Comodo to be overcome in such a way.
    This is if cfp.exe is only concerned with Comodo's graphics, as you said, and doesn't have a role in the firewall protection processes;
    but if it is involved in these processes it will be a fatal mistake.
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I would not go by what is in the Task Manager. If you have administrative rights there are all sorts of ways to terminate programs using the right programming techniques.

    If what goes on in the Task Manager bothers you, it's possible to go into services.msc, find the service, choose the Recovery tab and make settings to restart it. This works with all sorts of things.

    By the way, Dr., I have this little problem and need you to operate...

    In that Comodo post cited above it said that a V2-"like" operating mode is planned for the future. That would be great.
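One way to apply the services.msc suggestion above from a script, as an added PowerShell example that is not from this thread or from Comodo: it checks whether the two processes named in the thread (cfp.exe and cmdagent.exe) are running and whether a restart action is configured for the firewall service, setting one if not. The service name is an assumption (a placeholder to replace after checking Get-Service); sc.exe failure/qfailure are standard Windows commands and need an elevated prompt.

```powershell
# Added example, not Comodo's code. Process names come from the thread; the
# service name is an ASSUMED placeholder - look it up with Get-Service first.
$ProcessNames    = @('cfp', 'cmdagent')        # cfp.exe = GUI, cmdagent.exe = firewall agent
$FirewallService = 'PLACEHOLDER_SERVICE_NAME'  # ASSUMPTION: replace with the real service name

function Get-FirewallProcessState {
    # Returns a hashtable: process name -> $true if at least one instance is running
    $state = @{}
    foreach ($name in $ProcessNames) {
        $running = Get-Process -Name $name -ErrorAction SilentlyContinue
        $state[$name] = [bool]$running
    }
    return $state
}

function Test-ServiceRecoveryConfigured {
    param([string]$ServiceName)
    # 'sc' on its own is a PowerShell alias for Set-Content, so call sc.exe explicitly.
    # qfailure prints the service's FAILURE_ACTIONS; "RESTART" appears only when a
    # restart action has been set on the Recovery tab (or with sc.exe failure).
    $out = & sc.exe qfailure $ServiceName 2>&1
    return (@($out) -match 'RESTART').Count -gt 0
}

function Set-ServiceAutoRestart {
    param([string]$ServiceName)
    # Same effect as the Recovery tab: restart 60 s after each of the first three
    # unexpected stops, and reset the failure counter after one day (86400 s).
    & sc.exe failure $ServiceName reset= 86400 actions= restart/60000/restart/60000/restart/60000
}

# Report which of the two processes are alive right now.
$state = Get-FirewallProcessState
foreach ($p in $state.Keys) {
    $label = if ($state[$p]) { 'running' } else { 'NOT RUNNING' }
    Write-Output ("{0}.exe : {1}" -f $p, $label)
}

# Make sure the Service Control Manager will restart the firewall service if it dies.
if (-not (Test-ServiceRecoveryConfigured -ServiceName $FirewallService)) {
    Write-Output "No restart action configured for service '$FirewallService'; setting one."
    Set-ServiceAutoRestart -ServiceName $FirewallService
}
```

Recovery actions only fire when the service process stops unexpectedly; they do not cover cfp.exe, which the thread describes as the GUI rather than a service.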
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    @Dr. Samir
    Odd, I tried this yesterday with the latest Comodo. Make sure you have the firewall set to "custom policy" and try again.

    P.S.: Even if the malware does kill cfp.exe, as long as cmd.exe is running, you can always go to Start > Programs > Comodo and click it. The GUI will reappear. Try it at "custom policy". Maybe you had it in the other modes, where the firewall automatically allows access to trusted programs. In my case, no "new" program would connect.
     
    Last edited: Jan 12, 2008
  7. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    True Fuzz, and I retract my last statement. On my new laptop I tried all I could to terminate cmdagent and I cannot.
     
  8. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    Though I never tried it when I was running it, I remember reading this PCMag review:

     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    You're talking about what happens when you get infected. Wrong.
    You should talk about what happens before you get infected.

    Why should malware try to disable the firewall? There are better methods. Patch the TCP/IP stack and your firewall will never blink.

    Discussing post-infection mitigation is asking how a removed limb can be reattached to the body when you should make sure you don't cut it off in the first place - as a doctor, you might relate.

    Like medicine, prevention is the key ...

    Mrk
     
  10. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Dear Friends,
    thanks so much for all your precious comments, I appreciate all of them.
    After many trials here, I can confess now that disabling cfp.exe does not affect the main job of the firewall. Though I share Mr. DIVER's hope to see a version-2-like operating mode in version 3 for those who don't like Defense++, I just need a limited component control with a traffic monitor.
     
    Last edited: Jan 12, 2008
  11. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    HI MRKVONIC,
    sure, I agree with you.
    There's preventive medicine, which aims at decreasing the disease incidence rate,
    and therapeutic medicine, which aims at curing diseases that have already occurred.

    SO
    the traditional antivirus, anti-trojan and antispyware all target preventing infection with known malware.
    HIPS targets preventing infection with a malware which is not yet known to the antivirus database ("zero-day attack").

    All the above are like preventive medicine.

    BUT

    a firewall monitoring inbound and outbound connections is supposed to block any attempt by the malware "that could escape all the above layers of protection" to connect to the outside, and not be easily disabled by this malware.
    So the firewall in this case will be like the medicines which try to decrease the spread of the disease and all its harmful effects on the body.

    Then the antivirus again will play the role of curing this malware when its code is downloaded as AV updates to be included in the AV database.

    BEST REGARDS
     
  12. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    I'm very disappointed now.
    I could easily terminate both processes of Comodo through the Task Manager:
    cfp.exe
    cmdagent.exe

    Which means that Comodo is liable to complete disabling by a malware program, with Defense++ disabled.
     
  13. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    How, may I ask, did you do this? I tried over and over and cannot. I have D+ enabled.
     
  14. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    It can be done only if Defense+ is disabled,
    or if you installed Comodo without Defense+ from the beginning.
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Hello Doctor!

    I thought you were wrong, but now I see you are right. My default task manager doesn't kill it, but Windows' default does. Shame.
     
    Last edited: Jan 14, 2008
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Has it been reported on their forums?
     
  17. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Yes, there is a topic there about this problem,
    and I have just made another thread there explaining this problem in detail.
     
  18. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hello Fuzzfas,
    thanks for reporting back.
    Both of us want Comodo to be problem free no matter who's right,
    but I really hope that they fix this issue sooner.
    Best regards
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247

    Not quite. CFP 3.0 failed to resist the fake mouse clicks attack; here is what it says:
    "My wacky attempt to turn off protection using simulated mouse clicks did succeed, but just barely. The little program I wrote can fake a click in any location, but I didn't give it a way to move slider controls. Setting the firewall to Disabled using fake clicks required pixel-perfect accuracy—there's no way a malicious program could automate the process."
     
  20. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Thanks for this explanation.
    I read the PCMag review quickly but I didn't notice these points.
     
  21. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Did you also notice the settings dialogue was open? It would be almost impossible for a malware to open up the settings and move the slider. Plus you would receive alerts that the malware was touching Comodo.
     
  22. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Did you read the full thread and replies?? I doubt it.
    What is the main subject of the thread?? Comodo 3.0 without Defense+, so you will never receive an alert if Comodo is touched by a malware.

    All facts shown in PCMag concern Comodo with Defense+ enabled,
    so Comodo cannot protect against fake clicks with Defense+ active.

    If we can easily terminate
    cfp.exe
    cmdagent.exe
    when Defense+ is disabled,
    then the claim that it's difficult for any malware to terminate Comodo without HIPS is wrong; in fact any weak trojan could do that.
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hi, Hany, I wanted to ask you something.
    If you use only Comodo's basic firewall: please go look in C:/ProgramFiles/Comodo. Can you delete all of Comodo's files manually? If yes, then this is a serious vulnerability.
    Because, for example, Jetico 2.0.1.2 processes can be deleted in Task Manager, but Jetico 2's own files are all self-protected.
    And besides, look at the results on firewallleaktester.com: Jetico 2 resisted all of the attempts to disable self-protection.
    Here are the criteria:
    http://www.firewallleaktester.com/termination_overview.php

    And here are the results (only the red X means that the firewall's self-protection was disabled):
    http://www.firewallleaktester.com/termination.php
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    Local security is a field of its own. You are mixing internet security and local security. In Windows, as Admin, local security is nil. As a LUA, it is somewhat improved. But nothing can really protect from physical access and tampering. Not even Linux or anything else is safe from local tampering.

    Manually deleting files means nothing. In that regard, why not delete a few system files and render your system unbootable?

    Mrk
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: After several trials, end result: Comodo 3.0 is easily killable

    This is what was requested: the ability to install the base firewall.

    The request to make this base install of the firewall was made with the thought that the user would have a HIPS installed, so that would provide any protection needed.

    I have not looked at whether Comodo firewall (just firewall) does protect itself or not, but if it did, it could actually cause problems for other HIPS, ... which is the main reason the firewall can be installed as basic (without possible conflict with other HIPS).


    Maybe a big red warning sign from Comodo, ... or maybe more attention/thought from users on installation?

    I am no big supporter of Comodo (or any other firewall/vendor), but I fully support the fact that the user is allowed to install the firewall only (regardless of whether this is not protected from termination ~ use a 3rd party HIPS as intended).

    If Comodo is reading: please leave this possibility, I fully support this (just some education/need to warn users).
     