I just read this little gem over at the CFW Beta forum

Discussion in 'other firewalls' started by Escalader, Sep 3, 2007.

Thread Status:
Not open for further replies.
  1. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Stem,
    With ICS and Comodo the things are a bit complicated and you are right, it is contradicted.
    1. If you use ICS with the default options of Virtual pc and you select the network card that is connected to the wire, comodo will fail (to a degree) to protect and block the Virtual pc.
    2. If you have more than one card and select as the virtual pc's card the one that is not wired with the router, comodo should protect the virtual pc and control the connection. I say should because it did in my old pc (I used virtual pc 2004). My new machine has only 1 network card and I cannot verify it. :doubt:
    3. If you use ICS and you are connected directly with a usb modem, comodo should block and control the virtual pc. (same as above, I no longer have a usb modem and cannot verify it now)
    4. If you set a more complicated virtual network with microsoft loopback adapters comodo will control the virtual machines. (I can verify that and on my machine, it does :D )
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi pandlouk,

    I think you are confusing ICS and Network Bridge?

    I have just been looking at various setups.
    ICS would be seen as a share from the HOST for the Guest, the Guest being given its own IP, which Comodo intercepts. Now, if we Bridge from VM directly onto the main NIC, then yes, Comodo is bypassed (this can also be done by Bridging a VM NIC with Main NIC).

    So yes, if a Bridge is created directly from VM to main (WAN) NIC (both Host and Guest (VM) have same IP), then Comodo will be bypassed even when "Block all" is selected. (I have Comodo 2.4 installed for this test)
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    :eek: :( Yes, you are absolutely correct. I was more than confused when I wrote the above. :rolleyes: :p

    Thanks :thumb:
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi pandlouk,

    I have just re-checked Jetico1 and PCtools firewall 3 (beta), both these firewalls intercept these comms over Network Bridge (and block them by default).

     
  5. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Stem,

    Thank you for checking it out. I'll add this info at the thread in the comodo.


    For Jetico1 I confirm. I just checked it too and it does intercept all the packets.

    ps. Should I add a sticky in comodo forum and tell the members to activate that option? Do you think that is critical? If yes, I could ask Melih to distribute this info through the "news tab" of the CFP. This way will ensure that everyone that uses Comodo will get the message (member or not member of the comodo forums).
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi pandlouk,

    I think users should be aware of this problem. (not to use Network Bridge with Comodo at this time)

    I am not sure why anyone would want to run a VM over Network Bridge, simply run VM with NAT, or VM with Host ICS, or even an internal VM network with ICS or local proxy server.
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Ok, I'll transfer this info to Melih (Comodo CEO) and he will handle it.

    Thanks again :thumb:
    Panagiotis
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Melih informed me that he already asked his dev. team to respond to the thread on the ceo section/blog, at the comodo forum.


    so stay tuned :)

    Panagiotis
     
  10. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Please explain what ICS is and how Outpost firewall responds in virtual mode. Did anyone test that also?
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    This is not a learning thread, but ICS is short form for internet connection sharing. This network allows one computer to have the internet connection and every other computer on that network shares that connection.

    It is a tough security challenge, better met IMO via a router.

    The Outpost FW question will have to be asked elsewhere.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The actual reported "problem" is due to routed traffic over a "Bridged connection" not being seen/alerted or logged by a firewall, made by a "Virtual machine" (such as vmware etc)

    Outpost pro firewall will see/log routed traffic from such as a Bridged connection, but will not block this by default (unless the last update changed this)

    Don't worry about this at this time. My (personal) concern of this is the layer2 comms that are allowed, such as ARP without any interception. Outpost pro does intercept ARP, with a number of user options for this.
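
Added example, not part of the thread or any poster's code: one way to audit a host for traffic that crosses a bridge without the firewall seeing it is to parse outbound Ethernet frames captured on the physical NIC and list every source MAC that is not the host's own, including layer 2 protocols such as ARP. It assumes the guest's virtual NIC uses its own MAC address and that the capture holds outbound frames only; all MAC addresses and frames below are constructed.

```python
import struct

HOST_MAC = "00:11:22:33:44:55"    # constructed: MAC of the host's physical NIC
GUEST_MAC = "00:03:ff:aa:bb:cc"   # constructed: MAC of the bridged guest's virtual NIC
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Return (dst_mac, src_mac, protocol name) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ETHERTYPES.get(etype, hex(etype))

def bridged_senders(frames, host_mac=HOST_MAC):
    """Map each non-host source MAC seen in outbound frames to the protocols it sent."""
    seen = {}
    for raw in frames:
        try:
            _, src, proto = parse_frame(raw)
        except ValueError:
            continue  # skip runt frames instead of aborting the audit
        if src != host_mac.lower():
            seen.setdefault(src, set()).add(proto)
    return seen

def build_frame(dst, src, etype, payload=b"\x00" * 46):
    """Build a constructed sample frame (header plus zero padding)."""
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_bytes(dst) + to_bytes(src) + struct.pack("!H", etype) + payload

GATEWAY = "00:aa:bb:cc:dd:01"     # constructed
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [                 # constructed outbound capture
    build_frame(GATEWAY, HOST_MAC, 0x0800),     # host IPv4, seen by the firewall
    build_frame(BROADCAST, GUEST_MAC, 0x0806),  # guest ARP over the bridge
    build_frame(GATEWAY, GUEST_MAC, 0x0800),    # guest IPv4 over the bridge
    b"\x00\x01\x02",                            # truncated frame
]

if __name__ == "__main__":
    for src, protos in bridged_senders(SAMPLE_FRAMES).items():
        print(f"non-host sender {src}: {sorted(protos)}")
```

Any MAC reported here should have matching entries in the firewall's own log; a sender that appears on the wire but not in the log is traffic the firewall did not intercept.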
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Update:

    I have looked at this, with Comodo beta and M$ virtual PC. What I am seeing is a bug in the application of the global rules to intercept this (the rules are not being applied on first attempt; they need to be re-applied). This has been reported (by myself) to the thread mentioned, and I hope to see this problem resolved. I will of course look at this again after the next release.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Good, I hope CFW Beta appreciates your work.

    I know I do for sure! I'm sure many posters here on Wilder's really have a high regard for your testing approach. There is no substitute for it.
    4 more posts and you will be at 3,000!
     