Leaktest from Gibson Research (GRC) and various firewall results

Discussion in 'other firewalls' started by Tronix74, Feb 17, 2008.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Online Armor new public beta

    Hi Mike,

    With ref to your reply with concern to the "Leaktest". This has been checked many times, and there is no problem with the detection of this "Leak".

    @All

    I would like to point out the main purpose of this test, which is to detect a trusted program which has been changed/compromised, but I have run the test both as new program and as a possible trojan, my results as shown:-

    Test made on OA default settings (build 31)

    Ran the "leaktest" as a new program, I allowed it to execute, there was then the alert when the Leak attempted to connect out:-

    leaktest.jpg


    Now, to use the leaktest correctly, as noted at the leaktest site:-

    explanation.jpg


    [I made copies and renamed the leaktest (to various).]

    My first check was with Firefox, this had already been allowed outbound (trusted/known), I renamed the leaktest to "firefox" then replaced firefox with the leak, popup shows correct interception (it also picked up the fact I had a renamed (to iexplorer) Leaktest on my main drive).

    block_change.jpg
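
The check described in the post above (a trusted, already-allowed program being replaced by a renamed leaktest) can be sketched as follows. This is an added example, not part of the original thread and not Online Armor's code; it assumes trust decisions are keyed on path plus SHA-256, and all file names and contents are constructed stand-ins.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def trust(path):
    # A trust decision is bound to the file's content, not just its name.
    return {"path": os.path.abspath(path), "sha256": sha256_file(path)}

def check_outbound(rules, path):
    # Verdict when the program at `path` attempts an outbound connection.
    path, digest = os.path.abspath(path), sha256_file(path)
    for rule in rules:
        if rule["path"] == path:
            return "allow" if rule["sha256"] == digest else "alert-changed"
    return "alert-unknown"

def find_copies(root, digest):
    # Every file under root with this content, whatever it has been renamed to.
    hits = []
    for folder, _, names in os.walk(root):
        hits += [n for n in names if sha256_file(os.path.join(folder, n)) == digest]
    return sorted(hits)

def demo():
    # All file names and contents below are constructed stand-ins.
    with tempfile.TemporaryDirectory() as root:
        browser = os.path.join(root, "firefox.exe")
        leak = os.path.join(root, "leaktest.exe")
        for p, data in ((browser, b"constructed browser"), (leak, b"constructed leaktest")):
            with open(p, "wb") as f:
                f.write(data)
        shutil.copyfile(leak, os.path.join(root, "iexplorer.exe"))  # renamed copy
        rules = [trust(browser)]                   # user allowed the browser outbound
        before = check_outbound(rules, browser)    # unchanged trusted program
        unknown = check_outbound(rules, leak)      # new program, no rule yet
        shutil.copyfile(leak, browser)             # leaktest replaces the browser
        after = check_outbound(rules, browser)     # same name, different content
        return before, unknown, after, find_copies(root, sha256_file(leak))

if __name__ == "__main__":
    print(demo())
```

A rule keyed on file name alone would return "allow" for the replaced browser; binding the rule to the content hash is what turns the replacement into an alert.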
     
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
  3. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Re: Online Armor new public beta

    Hey Stem, the poster clearly did the test wrong. I ran the test 2 ways. By simply running the leaktest.exe and clicking "Block". Then when you click "test for leaks" it comes up with a message "unable to connect". Hence test passed. Then I did it your way by renaming it and I had the same results as you. This was tested in Online Armor versions = 31,41,47,81 and currently 85. User error is the reason the test fails and the firewall is penetrated.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: Online Armor new public beta

    It is not so clear to myself.

    Yes, it is possible the user made an error and allowed the leak at some point, and this then allowed the leak to connect out on further checks. But it is also possible there could be corruption in OA installation and/or problems due to orphaned drivers/files from other firewall installations.

    It is difficult to know without having access or full logs of user's PC.
     
  5. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Re: Online Armor new public beta

    Well both Mike and I have no problems getting it to pass. The user cannot also get Comodo to pass which tells me he is running the test improperly.
     
  6. wat0114

    wat0114 Guest

    Re: Online Armor new public beta

    It's not fair to say that. The OP has stated successful blocking of the test with other firewalls, so chances are very good it's being run correctly. There are other possibilities for the failed test, as have already been mentioned, as well as possibly other factors not yet mentioned.
     
  7. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Re: Online Armor new public beta

    Hi,

    I agree with Stem and wat, there is something wrong with this OA installation.
    We need more information from OP about rules created in OA and about previous firewall install.

    Regards,

    MaB
     
  8. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Re: Online Armor new public beta

    Look here. The guy cannot get Comodo to pass which means user error.

    Tronix74 Tronix74 is offline
    Infrequent Poster

    Join Date: Feb 2008
    Posts: 11
    Default Re: COMODO Firewall Pro 3.0.17.304 has been released!
    I just wanted to mention that I used Gibson's Research Company's Leaktest program with the latest version of COMODO (3.0.17.304) and the Leaktest program was able to break through. I hope that they do something to fix this problem because if that program is able to get through, the firewall isn't doing anything for you.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    He clearly stated:
    1-he allowed the leaktest to run.
    2-he expects, which is correct, to see an alert asking leaktest to connect. He does not see this.

    From his description, he is doing it correctly, no reason to suspect otherwise.
    I agree that this must be a problem in his box. Conflict or something else.
     
  10. Tronix74

    Tronix74 Registered Member

    Joined:
    Feb 17, 2008
    Posts:
    31
    I have to agree with the other people here Dieselman. Just because 2 other firewalls failed to pass the leaktest program isn't indicative of user error. Just to give you information on my technical background, I'm a Network Admin and I've been doing this job for a good part of 11 years. I know how a program is supposed to work. Like Pedro stated, the program should have at least popped up and asked me whether or not I wish to give the program internet access. The other firewalls I mentioned earlier work just fine.

    While it is true that the program seems to run fine on your computer, the question remains why it doesn't work the same way on my machine. I did manage to find some driver left over from Agnitum that I had to manually remove from my registry, however the question is why did the OA program ask me to give internet access for most programs but not the leaktest program?
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Can you show the OA firewall rules? What does history say? What does firewall log show in case all the logging is turned on? Without this information all we can do is just to speculate.
     
  12. Tronix74

    Tronix74 Registered Member

    Joined:
    Feb 17, 2008
    Posts:
    31
    Ahh at this point to show you, I would have to reinstall the program but if you're willing to take my word on it, I will tell you I checked the log and turned on the "Log All" option in the program to see if maybe it was another application that maybe the leaktest was piggybacking on to get access. What I saw was that in the log, no mention of a program gaining access was listed at the time I initiated the leakwall test.

    In the firewall section of the program, I can tell you that leakwall was not given access. In fact at one point, I cleared out all allowed programs from the firewall section of the program and even cleared out all programs listed under the program option. The only prompt I would get was if I wish to allow the leaktest program to run. Now normally, if the auto-allow option (which is checked by default) is on, OA would automatically allow the leaktest program to run on my machine.

    As I mentioned earlier, other odd behavior from the program was right after the initial reboot after installation. I have a lot of programs that load on start up and what seems to happen is that OA seems to be trying to put its popup permission windows on-screen but for some reason I can't see them.

    Here is a list of programs that I load on startup:
    NOD32, Trillian, Yahoo! Widgets, Spamihilator, Spampal, The Claw (driver), CleverCache, MSN Messenger, Calendarscope, SB Live! apps, Getright, Evemon (a free app that works with Eve Online), and Powermenu (application that allows transparency controls and Always On Top options).

    P.S. The Agnitum miniport driver was unable to load because windows couldn't find the driver so I do not believe that this was the cause of the leaktest failure.
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Well, all I can say is your case is very special. As for me this looks like the firewall drivers were not installed correctly. But this is my guess. Only an OA representative can say more. But I think too much water has flowed since v31 (current RC is 85), so it is likely this story will stay a mystery forever :)
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There was something certainly not correct here with your OA installation.
    From my quick check (post 26), OA alerted to the execution and attempted Internet access, this was on default settings. The leaktest is not within the whitelist.
     
  15. Tronix74

    Tronix74 Registered Member

    Joined:
    Feb 17, 2008
    Posts:
    31
    I agree that it's very strange... My question is this: if I did have old conflicting drivers on my system, why is it that other programs such as Zone Alarm Pro and Look 'N Stop work just fine and don't have these issues?
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I suggest finding the instructions to completely uninstall ZA.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It would depend on what has been left from previous firewall and then the type of driver(s) being used by the next firewall installation.

    As example: with ZA, when you uninstalled this, did you use the "/clean" on the uninstaller?
     
  18. Tronix74

    Tronix74 Registered Member

    Joined:
    Feb 17, 2008
    Posts:
    31
    Okay... I just gutted the registry of all known previously installed firewalls and their drivers. I found leftover drivers listed in the registry from previous firewall programs. I'm now in the process of reinstalling the Free version of OA again. I'll keep you all informed of what happens. I would like OA to pass this leaktest - I'll use this program for certain if I can get it to run properly.
     
  19. Tronix74

    Tronix74 Registered Member

    Joined:
    Feb 17, 2008
    Posts:
    31
    I went ahead and reinstalled OA. This time at the logon window for my computer, I could read "Protected by OnlineArmor". I thought something must be working. Unfortunately during my tests, the same thing happened. I did manage to get screenshots as proof. At this time, I'm willing to give access to my desktop via messenger to the developer so they can see for themselves what is happening.
    http://img253.imageshack.us/img253/6268/next1td2.png
    http://img227.imageshack.us/img227/4041/next2sn7.png
    http://img407.imageshack.us/img407/642/next3hf1.png
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Have you a pic of your firewall log? I want to see if the outbound connection is actually made (and why).
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ah, I just remembered something from the Comodo forums: disconnect the cable! (internet one, ethernet), try the leaktest.
     
  22. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi Tronix,

    Thank you for testing and helping us understand your case.

    Could you please make a screenshot of the firewall status when you launch the connection?

    Last question: Are you using NOD32 v3 and is the leaktest listed as a web browser in NOD32?

    Regards,

    MaB
     
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I searched the forums over there, and it seems it was not grc leaktest. It's a worthwhile test anyway :p

    MaB69's question seems pertinent though.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I certainly agree.

    Or KAV? or other localhost proxy.
     
  25. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi Stem,

    My question was related to Tronix setup only ;)

    Regards,

    MaB
     