Comodo firewall bug?

Discussion in 'other firewalls' started by henris, Mar 23, 2010.

Thread Status:
Not open for further replies.
  1. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    Hi, sorry, my English is very weak. My question is about this video: http://www.youtube.com/watch?v=jfo1KJ2KN0E
    I have the Chromium browser and the GRC leaktest. The leaktest is blocked in Comodo firewall and Chromium is allowed, but when the leaktest is renamed to chrome.exe and replaces it, there is no sound from Comodo and the leaktest has a free way to the internet. Is that behaviour normal from the firewall's side?
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    You should post it in Comodo Forum.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, it could be a few things:

    1) You have disabled image execution control

    2) It is just one of the "illusive" security protection examples which Comodo uses to make non-paranoid (highest) security settings user friendly. https://www.wilderssecurity.com/showpost.php?p=1639116&postcount=20

    3) The hash of the GRC leaktest has (one in a million chance) the same check value as Chrome (it is started from the original directory)

    As Blacknight told you, please post on the Comodo forum and let us know what caused this.

    Regards, Kees
     
  4. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    Thanks for the help, posted the same thing on the Comodo international/Russian forum...
    No, installed with default settings, disabled only the antivirus (because it was catching my leaktest :D) and the sandbox.
    I think it is a strange thing if the firewall is not checking MD5...
     
  5. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Defense+ should notify you if a program attempts to replace chrome. It's likely you have given Explorer permission to modify Protected Files and Folders in its Defense+ rules so it won't raise a peep when you replace it manually.

    If you have Defense+ turned off, however, this will be a serious vulnerability for the firewall.
     
  6. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    I did not change any settings of the firewall or HIPS.
    If only the firewall is installed, without Defense+, does that mean all roads to the web are open?
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    YUP,

    Without D+ there is no image checking, so you can't blame Comodo for not performing when you did not install that part yourself.

    RTFM problem :D
     
  8. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Just turn on "Protected Files and Folders" in D+ and it can protect against that vulnerability with very little performance hit if any. I have all options turned on except screen and keyboard and I don't notice any slowdown. A couple more basic leak protection features to monitor would be "Interprocess Memory Access" and maybe "Windows Messages".
     
  9. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    On my configuration Defense+ is on safe mode, monitoring settings ALL on, and no peep from D+ when renaming and replacing exe's...
    Even the Win7 firewall (with outbound control) does this job better.
     
  10. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    How are they being renamed?

    Windows 7 firewall doesn't alert on changed executables, except maybe those for system services.
     
  11. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    No popups from the Win7 firewall :D, it simply does not allow access to the network for a renamed or changed exe. A simple task for any program calling itself a firewall.
    So I have always loved this nice firewall (Comodo) and tested it with versions o.X, but did not expect that the emergence of new versions of it would be so weak. I understand that it struggles with popup issues, but not at that price. On the Comodo forum guys agree with me and call this not a bug, but a big hole in security...
    Now I'm restoring a clean image where there is no place for CPF; thanks guys for helping to find the truth :)
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    henris:

    - What about your Image Execution Control settings? Does "All" include it too?
    - What about the Comodo forum? (Did you post there?)
    - Did you try in Paranoid Mode?
    - I tried the GRC leaktest renaming it to Opera.exe (I don't use Chrome) and Defense+ immediately alerts me.

     
  13. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    blacknight:
    1. yes
    2.
    3. no
    4. :thumb:
    Sorry, now I'm on a clean Windows with the Windows firewall and avast and can't test this anymore. And my question was about the firewall, not the HIPS (D+)...
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I understood that in a further test you also used the HIPS of CIS:

     
  15. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    Yes, I just did not change any settings of the firewall or HIPS; D+ was enabled by default...
    On my system the hash check does not work with D+ or without. I tried setting Image Execution Control to aggressive, deleting explorer from system trusted programs, unchecking the "trusted vendors" setting, and still nothing... More popups about explorer, but the leaktest anyway "penetrated" the firewall like Chrome...
    With HIPS or without, same thing, my "worm" goes to the net freely... :mad:
     
  16. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Is this a new feature for the Win7 firewall? The Vista firewall doesn't check file hash values.

    Comodo doesn't check hash values, but if you had D+ enabled and a program tried to replace another program, it would alert. As I explained, when you replace the file manually, you do it through Explorer which has permissions to change protected files, thus you get no alert.
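    To make the distinction Espresso draws concrete, here is an added example (not from this thread and not Comodo's code) that models a rule store keyed by path alone beside one that also pins the SHA-256 of the image at rule-creation time. The file names, executable bytes and class names are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the two executables discussed in the thread; real
# PE files would be hashed the same way.
BROWSER_IMAGE = b"MZ\x90\x00 constructed chromium image"
LEAKTEST_IMAGE = b"MZ\x90\x00 constructed GRC leaktest image"

def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

class PathRuleFirewall:
    """Identifies an application by its path alone (the weak behaviour)."""
    def __init__(self):
        self.rules = {}
    def add_rule(self, path, action):
        self.rules[os.path.normcase(path)] = action
    def decide(self, path):
        return self.rules.get(os.path.normcase(path), "ask")

class HashedRuleFirewall(PathRuleFirewall):
    """Pins each rule to the SHA-256 of the image present when the rule was made."""
    def add_rule(self, path, action):
        self.rules[os.path.normcase(path)] = (action, sha256_of_file(path))
    def decide(self, path):
        rule = self.rules.get(os.path.normcase(path))
        if rule is None:
            return "ask"
        action, pinned = rule
        # A changed image means the stored rule no longer describes this binary.
        return action if sha256_of_file(path) == pinned else "changed"

def run_scenario(firewall_cls):
    """Allow chrome.exe, then drop a different binary over it at the same path."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "chrome.exe")
        with open(browser, "wb") as f:
            f.write(BROWSER_IMAGE)
        fw = firewall_cls()
        fw.add_rule(browser, "allow")
        before = fw.decide(browser)
        with open(browser, "wb") as f:  # leaktest copied over chrome.exe
            f.write(LEAKTEST_IMAGE)
        return before, fw.decide(browser)
```

    The path-only model keeps allowing the swapped binary; the hashed model reports "changed", which is the point at which a product would re-prompt the user.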
     
  17. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    I don't know about the Vista firewall (I jumped from XP to 7), but on 7 if I rename and replace one exe with another, the blocked (renamed) exe is still blocked, with no circus of the HIPS raping the firewall...
    For my needs only the firewall is enough; if that firewall has a HIPS, ok, but if the HIPS breaks my firewall, sorry, how then should this be named?
    P.S. Sorry, I am wrong about the Win7 firewall, no hash checking :(. Earlier when I checked the Win7 firewall on my system I also tested MalwareDefender; maybe with this duo I made a mistake somewhere. With only the Microsoft firewall it's the same thing as with Comodo...
     
    Last edited: Mar 27, 2010
  18. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    I have no idea what you're trying to say. o_O

    The fact remains, however, if you enable D+, it will not allow a program to replace your browser without alerting you. If you don't want a lot of popups and just leak protection, you only have to enable a few HIPS protection features.

    [attached screenshot: 2010-03-27_235441.png]

    The more you enable the more protected you are. I have them all checked except Windows Messages, Keyboard and Computer Monitor.

    Yes, I tried it last night under Win 7 and confirmed that the firewall does not check hash values, just as in Vista.
     
  19. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    Thanks Espresso anyway ...
     
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    Quote. As I said in a previous post, I tried renaming the GRC leaktest to Opera.exe and Defense+ immediately alerts me :rolleyes:
     
  21. henris

    henris Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    17
    blacknight :

    My first question was about how a BLOCKED program, without MY permission, is LEAKING from MY system, not about replaces and renames...
    OK, now about D+: you downloaded and installed some program, and that program is trusted; when that program downloads some part of itself (a dll or something like that) with renaming and replacing, you have no alert from your security product, because one part of that program on your system is trusted.
     
  22. LostOne

    LostOne Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    5
    But that does mean that D+ will allow you to manually replace the browser. Right?

    I replaced the Opera executable with the GRC leaktest and neither D+ nor the FW blocked anything.
    The renamed leaktest did get sandboxed though.
    I have all options checked under D+ Monitoring Settings.
     
  23. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    That's because you manually replaced it through Explorer which has permission to change protected files. The assumption is that if you replace the file with Explorer, it's something that you want to do. If an untrusted program attempted to replace the file, you would be alerted.
     
  24. LostOne

    LostOne Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    5
    Thanks Espresso!

    That's what I thought.
    I just wanted to be sure.
     
  25. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Anyway, as Espresso said in a former post, with Defense+ enabled at the highest and most restricted level henris did not have the problem.
     