Comodo Firewall Test Suite

Discussion in 'other firewalls' started by Coolio10, Nov 7, 2008.

Thread Status:
Not open for further replies.
  1. chris1341

    chris1341 Guest

    I'm not skilled enough to know how real the threats contained in this testing app are, but I ran it for some form of validation (however flawed) of my set-up. Results were interesting.

    First Avira's heuristics on the web scanner kicked in as soon as I started the download. Under normal circumstances that would have been the end of it, download denied, move on. I let it download though and Avira again warned on write.

    Tried to execute, but as I had the browser sandboxed with Sandboxie, set to restrict all but trusted apps from executing in the sandbox, it would not run. So even if I had downloaded it inadvertently and AV had not warned, it could not execute.

    I let it out of the sandbox; again write and execute warnings kicked in from Avira. Then OA asked if I wanted to allow execution. No way I would normally click Allow without knowing the app was safe. Anyway, I did for this. I've set OA to automatically run unknown apps as 'run safer', so as others have pointed out, I got 330 out of 340.

    Decent result for OA but also some comfort that if this was real world malware it would not have got that far.

    Pleased OA did well but even more convinced layered protection is the way!

    Cheers
     
  2. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    With OA free v3 and Rising antivirus (no HIPS enabled on Rising except rootkit/driver/service install), on an XP Pro SP3 admin account, I got 320/340 on the test. OA3 seems to stop most of it, and even with OA3 disabled I still pass the driver loading thanks to RAV.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    This is a very good score :thumb:
     
  4. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    OA v3 with CLT set to Run Safer produces 340/340 score.
     
  5. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Without any security software...

    XP SP3 32bit
    Admin, Windows Firewall deactivated
    RootkitInstallation: MissingDriverLoad Protected

    Vista SP1 32bit
    Admin, Windows Firewall, Windows Defender and UAC deactivated
    32. RootkitInstallation: DriverSupersede Protected
    33. RootkitInstallation: LoadAndCallImage Protected

    Nasty rootkits :rolleyes:

    Cheers
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    RunSafer doesn't look like a very impressive feature, but actually it is very powerful. I switched to the "run safer unknown programs by default" and "do not prompt on unknown programs" setup. With the installer detection implemented in recent betas it gives a "low popups" but very safe setup. I tried 10 different malware samples in a row from my "bad mail" folder, and all of them failed (and, which is important, the KAV part of my AV+ version kept silent, which means those were likely "zero-day" malware).
     
  7. 3xist

    3xist Guest

    Seems to be an unfortunate bug. :(
     
  8. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Let's hope it will be fixed in the next release.

    Apart from that there are these strange results with different OS without any protection.
    XP32 ~20/340, Vista32 ~100/340, Vista64 ~170/340.

    If you know, that a naked OS can block some tests, just don't execute them on this platform.
    Therefore the maximum result for Vista64 should be about 170/170.

    Cheers
     
  9. guest

    guest Guest

    Then Jetico and Comodo are the best for the Comodo Firewall Test Suite.
    Any other useful conclusion??
     
  10. tlu

    tlu Guest

    I performed 4 tests with the newest version of the test suite under Windows XP with SP3 (fully patched) in a Virtualbox VM.

    1. Admin account: Score 30/340
    2. Admin account + SSM 2.4.0.621: Score 260/340
    3. Limited account + SRP (as described here): Score 250/340
    4. Limited account + SRP + SSM: Score 320/340 (vulnerable for tests 22 and 25).

    Important note: For tests 3 and 4 I created a folder for which I created a New Path Rule in SRP. Otherwise I wouldn't have been able to even start the test suite -> score 340/340 :thumb:

    So these tests show again that malware must be executed in order to do any harm. LUA + SRP prevents that. Now, tests 2 and 4 seem to prove that a HIPS improves your security if you install a piece of software - provided that you denied all requests by your HIPS. But are you sure that you would have done that for software you deemed trustworthy? And if you didn't deem it trustworthy - why did you install it after all?
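    The LUA + SRP set-up tlu describes above (default level Disallowed, plus a path rule so the test suite can be started from one folder) can be scripted. The following is an added example, not code from the thread or from any of the products discussed. It writes the Software Restriction Policies keys that the local policy editor would write; the test folder C:\SRPTest is a hypothetical name, and the script assumes an elevated PowerShell on XP/Vista-era Windows where SRP is available.

```powershell
# Added example: minimal whitelist SRP (default Disallowed, unrestricted path rules).
# Assumptions: run as Administrator; C:\SRPTest is a hypothetical folder for the test suite;
# a re-logon (or gpupdate /force) is needed before the new policy applies to a session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SAFER_LEVELID_DISALLOWED
$Unrestricted = 0x40000    # SAFER_LEVELID_FULLYTRUSTED

New-Item -Path $base -Force | Out-Null
# Everything not matched by an Unrestricted rule is refused.
Set-ItemProperty -Path $base -Name DefaultLevel       -Type DWord -Value $Disallowed
# 1 = enforce for executables only; 2 = also check DLLs (stricter, many more rules needed).
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 1
# 0 = apply to all users (the tests above were run from a limited account; 1 would exempt admins).
Set-ItemProperty -Path $base -Name PolicyScope        -Type DWord -Value 0
Set-ItemProperty -Path $base -Name ExecutableTypes    -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

function Add-SaferPathRule {
    # One path rule lives under CodeIdentifiers\<level>\Paths\{GUID}.
    param([int]$Level, [string]$Path, [string]$Description)
    $guid = [guid]::NewGuid().ToString('B').ToUpper()
    $key  = Join-Path $base ("{0}\Paths\{1}" -f $Level, $guid)
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $key -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $key -Name LastModified -Type QWord        -Value ([DateTime]::UtcNow.ToFileTime())
    return $key
}

# The two locations a limited user cannot write to, plus the test folder (the "New Path Rule").
Add-SaferPathRule -Level $Unrestricted -Path '%SystemRoot%'   -Description 'Windows directory'   | Out-Null
Add-SaferPathRule -Level $Unrestricted -Path '%ProgramFiles%' -Description 'Program Files'       | Out-Null
Add-SaferPathRule -Level $Unrestricted -Path 'C:\SRPTest'     -Description 'CLT folder (hypothetical)' | Out-Null

# The whitelisted folder must not be writable by the limited account, or the rule is pointless.
New-Item -ItemType Directory -Path 'C:\SRPTest' -Force | Out-Null
icacls 'C:\SRPTest' /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null

# Check what was written: every rule, with its level and path.
Get-ChildItem "$base\*\Paths\*" | ForEach-Object {
    $level = Split-Path (Split-Path $_.PSParentPath -Parent) -Leaf
    '{0,-8} {1}' -f $level, (Get-ItemProperty $_.PSPath).ItemData
}
```

    Two caveats a practitioner would want: `%SystemRoot%` covers user-writable subfolders such as `%SystemRoot%\Temp` and `%SystemRoot%\Tasks`, so a complete whitelist adds Disallowed rules for those; and with `TransparentEnabled` at 1 the policy says nothing about DLLs, which is consistent with tlu's observation that the remaining failures were in-process tests rather than new executables.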
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for another set of tests
     
  12. wat0114

    wat0114 Guest

    I agree and what I was alluding to earlier in this thread.
     
  13. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Easter,

    Would you be willing to share the adjustments needed in EQS 3.41 rules in order to pass these leak tests? Using Alcyon's rules (albeit an old set), EQS fails the following tests.

    AdvancedProcessTermination
    DupHandle
    KnownDLL's
    RawDisk
     
  14. _ab

    _ab Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    74
    Yeah, ok, very nice. Everyone is comparing their scores, but how do we fix the vulnerabilities? Here's what didn't pass on my machine:


    Hijacking: ActiveDesktop
    Impersonation: ExplorerAsParent
    Impersonation: OLE automation
    Injection: SetThreadContext
    Injection: SetWindowsHookEx
    Injection: SetWinEventHook
    Invasion: Runner

    I have to say that ActiveDesktop isn't active, so the result is questionable for this item. All browsers are running in Sandboxie; this also has to be taken into account. I tried to change the settings for IE in the Comodo controls, but the "ExplorerAsParent" thing didn't change at all.

    Has anyone an idea, how to fix the security holes listed above in CPF?
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Starting this way, you will end up requesting new rules for every new piece of malware. And you will always be a step behind new malware. Don't you think there is something wrong with your security?
     
  16. _ab

    _ab Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    74
    So exactly what is your suggestion then? I assumed there is a way to block those items for any known or unknown application in CFP.
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm afraid you will not like my suggestion, which is why I'd prefer you to draw your own conclusions. In general I think security must work without any special user interaction. If your security works in "some cases" with "some rules", this is not security but a temporary workaround.
     
  18. 3xist

    3xist Guest

  19. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Tested OA V3 (190) with new CLT version. Still scores 340/340 when Run Safer selected. :thumb::thumb:

    When Run Safer not selected, results are inconsistent. 1st run through test gives score of 290/340. 2nd run gives 330/340 (same score as previous version). Again, DupHandles is the test that fails.

    More at
    http://support.tallemu.com/vbforum/showthread.php?p=62607#post62607
     
    Last edited: Nov 16, 2008
  20. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    How did you get the perfect score. I am running OA V3 (190) and CLT is Run Safer but I get 330/340, ActiveDesktop fails. XP Pro (sp3).

    Ice
     
  21. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Are you running the latest CLT version with ActiveDesktop being the last test now rather than the first?
     
  22. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
    No. I spoke too soon. I guess with the old test the score was 330/340? I'll try again tonight with the latest & greatest.

    thanks
    Ice
     
  23. country2

    country2 Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    169
    Why is it that running Vista 64 as admin with Comodo set to Proactive Security, D+ at Paranoid and firewall security level at Custom Policy I'm only getting 170, but if I change "only" Proactive Security to Firewall Security I get 300? I thought Proactive was stronger.

    oops..I figured it out.
     
    Last edited: Nov 17, 2008
  24. TrojanHunter

    TrojanHunter Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    151
    Location:
    United Kingdom
    Webroot Desktop Firewall 5.8 blocked around half of the tests under Windows Vista 32-bit. My firewall leak test performance sucked, but in fairness Kaspersky 2009 and Sana Security Primary Response could have stopped it long before.
     
  25. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Guess this test has played out for the most part, but it was new to me two days ago, so I ran it. I'm using OA AV+, latest beta, 3.x.203, running under "run safer all unknown programs".

    On my first run my Firefox browser was already open and I didn't think about that, so my results were 20/340; plus Firefox was disconnected from the web connection, couldn't use it at all, nothing came in or went out; Opera & IE worked normally. So I went (eventually) into the OA "Firewall" tab to see what was what, and saw that suddenly my Firefox had been switched from "Allow" to "Deny". Hm-m. So I changed that OA setting back to "Allow", closed Firefox, and restarted the computer.

    On reboot, and with all browsers closed, I ran the CLT again: this time I got pop-ups from OA for starting CLT -- I allowed it -- and then I got a pop-up for each one of the tests as it tried to run. I simply blocked each attempt by the test to run whatever baddie it was trying to run, and I passed all of the tests. Easy. 340/340. OA works!!

    Does this make me a "fanboy" o_O

    :rolleyes:


    //
     