Comodo passes all leak tests

Discussion in 'other firewalls' started by drmjx, Jun 12, 2006.

Thread Status:
Not open for further replies.
  1. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    Hi, Melih-Comodo

    I am not a Comodo user, I am a Jetico user. Jetico with the Olap rule passes this test by default!


    olap
     


  2. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    Hi, Melih-Comodo
    Or this, with instructions on how to (see below).

    Jetico not and adjourned a whole year, thin now!
    As you see, Comodo is not the only firewall to pass this leak test!

    Have Fun...
     


  3. Melih-Comodo

    Melih-Comodo Former Poster

    Joined:
    May 10, 2006
    Posts:
    70

    Olap

    Please read what I said in my previous posting:

    "Comodo now passes the BITS leak test. (I think the only firewall to pass this leak test fresh out of the box.)"
    "Comodo protects against this leak test out of the box, with no messing around with settings :) )"

    Fresh out of box: means you install and it protects you without you having to write rules.

    Does Jetico protect against this leak test out of the box, without having to write rules?

    thanks
    Melih
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes... As svchost is not allowed any default outbound connections to any IP, it will not actually allow "Windows Update" without additional rules (the user would be asked to allow).

    ================================================================================================

    olap
    From post #26: the blocked IPs are part of/required for "Windows Update".
     
  5. Melih-Comodo

    Melih-Comodo Former Poster

    Joined:
    May 10, 2006
    Posts:
    70
    thanks for the info Stem

    It would be great to see the difference in the way CPF and Jetico report this if anyone has it. It will be important to report the alerts intelligently in a way that the user understands I believe.

    thanks
    Melih
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Melih-Comodo,
    From the default ruleset within Jetico, there are, by default, 2 rules for "Windows Updates":
    Allow TCP outbound remote IP 207.46.0.0/16 remote port 80
    Allow TCP outbound remote IP 207.46.0.0/16 remote port 443

    I have just gone to "Windows Update" and was given these 3 alerts/popups (attached).
    (I only went as far as "Download and Install now", as I don't perform auto updates from Microsoft.)

    EDIT:
    I decided to complete the Windows updates; in total I was given 24 alerts (you can possibly understand why a lot of users don't like Jetico, due to all the popups).
     


    Last edited: Jun 27, 2006
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Melih-Comodo,
    I have just installed your latest firewall (beta) to see what alerts are given.
    From the default installation, I see that "svchost" is allowed any remote IP/Port TCP/UDP in/out (pic attached, made after the Windows Update connection). Yes, I know these are application rules and inbound will be blocked by the network rules, but what about outbound restrictions? Is svchost allowed by default to connect to any remote IP/Port (as the rule implies)?
    The only alerts given were for IE listen / DNS / outbound to 207.46.225.221:80. There was no prompt for svchost? (And then I was prompted for Clpconfig to listen / DNS, but then I disconnected.)
     


  8. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    Hi Stem,

    This is not how leak testing works. To pass the leak test, the firewall must capture the *application that is using svchost.exe*.
    If you play with IP addresses, ports etc., of course every firewall has some sort of filtering.

    While testing the leak tests, the assumption is that svchost.exe must have FULL access rights to any IP address (as firewallleaktester.com puts this as the criteria before leak testing).

    Then while testing, say, the Thermite leak test, if you don't have Internet Explorer allowed access to the Internet, all firewalls will ask this. Does this pass the leak test? No. For such a thing, you don't even need an application-based firewall.

    So without restricting IP addresses, ports etc., no firewall except Comodo passes this sort of test.

    So what Melih says is quite correct in my opinion.

    J
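A small model of the two viewpoints in this thread, added here as an illustration (it is not code from the original posts or from either firewall): Stem's Jetico rules restrict svchost by remote IP/port, while neonSurge's criterion asks which application is driving svchost. The CIDR range and the 207.46.225.221 address come from Stem's posts; unknown_app.exe, 198.51.100.10 and the trusted_origins parameter are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    process: str   # image name the rule is attached to
    proto: str
    net: str       # remote network in CIDR form
    port: int
    action: str    # "allow" or "ask"


@dataclass(frozen=True)
class Connection:
    process: str   # process that actually opens the socket
    origin: str    # application on whose behalf it is opened (equals process when not hijacked)
    proto: str
    dst_ip: str
    dst_port: int


# Jetico's two default "Windows Updates" rules as quoted in Stem's post: remote IP/port only.
JETICO_WU_RULES = (
    Rule("svchost.exe", "TCP", "207.46.0.0/16", 80, "allow"),
    Rule("svchost.exe", "TCP", "207.46.0.0/16", 443, "allow"),
)


def ip_port_decision(rules, conn):
    """Per-process IP/port filtering: first matching rule wins, otherwise prompt the user."""
    for r in rules:
        if (r.process == conn.process and r.proto == conn.proto and r.port == conn.dst_port
                and ipaddress.ip_address(conn.dst_ip) in ipaddress.ip_network(r.net)):
            return r.action
    return "ask"


def application_aware_decision(rules, conn, trusted_origins=frozenset()):
    """neonSurge's leak-test criterion: attribute the connection to the application that is
    using svchost. An origin that differs from the socket owner and is not trusted is flagged
    before any IP/port rule is consulted (trusted_origins is an assumed parameter)."""
    if conn.origin != conn.process and conn.origin not in trusted_origins:
        return "alert:hijack"
    return ip_port_decision(rules, conn)


# Constructed sample traffic: the Microsoft address is the one from Stem's alert,
# 198.51.100.10 is a documentation-range placeholder, unknown_app.exe is hypothetical.
UPDATE_CHECK = Connection("svchost.exe", "svchost.exe", "TCP", "207.46.225.221", 80)
OTHER_HOST = Connection("svchost.exe", "svchost.exe", "TCP", "198.51.100.10", 80)
HIJACKED = Connection("svchost.exe", "unknown_app.exe", "TCP", "207.46.225.221", 80)
```

The IP/port rules let HIJACKED through exactly as they let the real update check through, which is the point neonSurge makes: only the application-aware check distinguishes the two.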
     
  9. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    While using Comodo, if the Monitor DNS Requests option is enabled, svchost does not make DNS queries. Instead all applications make DNS queries by themselves, thus Comodo passes the DNSTester leak test with full success. Actually, if you disable that option, Comodo still reports svchost.exe hijacking.

    J
     
  10. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    Hi Olap,

    If you don't give Internet Explorer full IP/Port access rights, all other firewalls also pass all of the leak tests on the firewallleaktester.com site. This is not leak testing...

    The same is valid for BITSTester and PCFlank as well... What you say is, if I don't use the leak test according to the criteria, I won't fail the leak test.

    J
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi neonSurge, a misunderstanding then on my part from the reply made by Melih-Comodo to olap and to myself (and I obviously need to re-read the test, but I am unable to connect to the firewall leaktester site at the moment). So I will re-check...

    EDIT:
    The Firewall Leaktester site is down... Have you got an alert from Comodo concerning this that you can post?
     
    Last edited: Jun 27, 2006
  12. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    Hi Stem,

    As I remember, firewallleaktester.com does not call this BITSTester a leak test. The "application that is using" criteria was written in the general paper that the leak tester site presented.

    But I remember this is shown to be a very efficient leak point because of the exploitability of the technique by malware. An example is Microsoft's WGATray application that everybody is talking about. It connects to Microsoft servers and no firewall reports WGATray's activity.

    Actually the leak concept is exactly the same as the DNSTester leak test: hijacking of svchost.exe.

    J
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    While I was doing the Windows updates, WGATray attempted an outbound connection, but was intercepted by Jetico, so are you sure about this?
     


  14. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    No I am not sure. I think I saw this in a forum. Or WgaTray acts differently according to the OS configuration.

    J
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Jetico does alert on this test, reporting network access attempts by DNSTester.
     
  16. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    Here it sometimes raises alerts, sometimes not. I think Jetico passes the DNSTester leak test but it has a bug in this.

    About WGATray (I don't have it installed, but at the Comodo forums it is said that it uses svchost.exe):

    http://forums.comodo.com/index.php/topic,554.msg4199.html#msg4199
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, I have seen this reported... maybe system config? I know every time I have run this, Jetico alerts.

    I will have another play with svchost given full access. (I don't have WGATray installed now, but will run Windows Update again to check.) [EDIT: I have performed Windows Update 4 times; after each update, Jetico intercepts WGATray as attempting "network access". I block this, and when I go back to Windows Update, I am informed I do not have this update installed.]

    I will let you know the results (once Firewall Leaktester is back up and I can re-check the BITS leak).

    SteM
     
    Last edited: Jun 27, 2006
  18. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    Jetico with the "Olap rule" passes this test by default!
    All browsers with the "FullAccess" rule and "svchost.exe" with the "AccesToNetworkOnly" rule,
    with no other messing around with settings! Test first, then come with comments!
    You can see this!
     

    Attached Files: cmd.JPG
  19. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    And this:
     

    Attached Files: je.JPG
  20. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    I am not a Comodo user; can somebody explain Stem's "Attached Image" in post #32?
    If the browser has (any) IP/port and (any) TCP/UDP In/Out permission and
    "svchost.exe" also has (any) IP/port and (any) TCP/UDP In/Out permission and nothing alerts at all, does Comodo have a predefined rule for this test?
    About PCFlankLeaktest: try to change the "name" and "Hash" of "PCFlankLeaktest.exe" and run the test with Comodo?
     
    Last edited: Jun 27, 2006
  21. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    Well, with that rule, Windows updates are also disabled. At least here, or am I doing something wrong?

    J
     
  22. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    Updates are enabled!
     
  23. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    When you install Comodo and select Automatic configuration, it does not even create any rule and passes safe requests/applications automatically.
    With this configuration it passes all tests.

    If you select manual, it will create some default rules in which svchost and iexplore have full rights if you select known application scanning.
    It will still pass all the tests.

    When I changed the name of PCFlank, it caught the attempt. It keeps signatures of each application (afaik), so I believe it will catch it if the hash of PCFlank changes.

    J
     
  24. neonSurge

    neonSurge Registered Member

    Joined:
    May 16, 2006
    Posts:
    55
    Can you tell me exactly what I should do to add your rule? I think I am doing something wrong.

    J
     
  25. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
    Download the "Olap.bcf.txt" rule from the "Jetico for everyone!" thread, post #40. It is basic,
    with no other settings!
    When your browser starts, apply with "Handle as..." "FullAccess", then go to the "Ask User" table and change the "svchost.exe" rule from "TrustedZoneOnly" to "AccesToNetworkOnly" and test!

    This is not a correct answer to my question! (post #45)

    I agree with Stem: Jetico passes the "WGATray attempting" and "DNSTester" leak tests every time!
     
    Last edited: Jun 27, 2006