So what do I do to defend those network analysis tools?

Discussion in 'other firewalls' started by bonedriven, Jun 28, 2008.

Thread Status:
Not open for further replies.
  1. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I agree, why doesn't Matousec test all of those firewalls with real malware and then we will see who's the winner (both inbound and outbound).
     
  2. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    Hany... All I have seen is a bunch of useless words from you about how Comodo firewall doesn't protect from:

    1-fragmented IGMP
    2-RPC DCOM attack
    3-my address attack
    4-overlapped fragments
    5-winnuke attack
    6-teardrop attack
    7-nestea attack
    8-iceping attack
    9-opentear attack
    10-Nuke attack
    11-IGMP attack
    12-malformed ip attack ...

    There has also been a thread about the various tests on TCP/filtering,etc...
    I don't see any screenshots proving anything. I don't even see any posts from a real firewall expert here (Unlike yourself). So Hany, Pleaeese Proooove it with something else besides your words.

    PS: If I missed a post somewhere (here/Comodo forums) Update me ... Enlighten me.

    Thx :)
     
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Could you then give us any link where it was discussed about Comodo's inbound protection, if possible?
    Thanks in advance.
     
  4. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    all i said is a personal experience with many firewalls including comodo
    so i'm not a security expert or even matousec to repeat the tests again and to give u screen shots about how comodo fails the above attacks , arp poisoning and spoofing

    so
    1-i'm free to say my opinion in any security product
    2-i don't have proof
    3-and u don't have to believe


    but i advise u not to depend on one review for ur firewall
    try to read something else other than matousec
    to know how it really fights the real trojans and not just the predefined well known bunch of stupid useless leak tests


    a real firewall expert , huh
    here in the wilders , all of us provide our personal experience to help each other concerning security subjects
    but if u wanna talk to a firewall expert , u can find one in the university

    but being a 27 years old young renal dialysis doctor , i can only give u screen shots about how the kidneys do their job to filter the urea , salts and extra water outside the body

    but screen shots about how the comodo is not able to do its job to filter arp poisoning and other above mentioned attacks , sorry


    finally
    i hope u r happy with ur firewall whatever it is

    best regards
     
    Last edited: Jul 2, 2008
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It may well be not because database is different, but because it is configured differently. There is interesting file "verdicts.ini" in KAV database folder where you can setup (as I understand) its "sensitivity" in very many ways. By default it is configured to detect everything, including "informational" level, which detects the things that are not really dangerous, though they may theoretically compromise your privacy in this or other way (for example leaktests). But engine user may tune it to avoid extra alerts. I don't think that KAV went this way you say, because this would affect negatively their reputation.
     
  6. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814

    IMO Comodo is a POS.

    it needs constant babysitting OMFG I MOVED THE MOUSE Lets pop up 30 ads and ask if its OK. its like a retarded computer program, That I have to watch more than where I surf. there is no chance of anything attacking me and noticing, I'm too busy messing with the 4 million popups as my computer is being hacked!.

    Comodo is for people that have nothing better to do with their day but screw with a firewall.

    ok /rant off
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    By the way, this was a bug in an old ZA build... fixed by now :)

    Cheers,
    Fax
     
  8. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    i remember a funny comment i heard from someone here in the wilders

    https://www.wilderssecurity.com/showthread.php?p=1255050&highlight=comodo+wife#post1255050

    he said "Comodo Firewall - too many questions (if I want to be continuously nagged I can just go downstairs & talk to my wife! :D )"
     
    Last edited: Jul 2, 2008
  9. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    Yeah, Actually I could. There's one thread that leads to some Chinese sites that the poster seems to think would be an "Inbound test". Well I danced all over them and Can't find much. I'm behind router/NAT, but perhaps Comodo's toolbar is doing ok for IE. (Tho I hardly use IE.) Perhaps The files/js Could be looked at more closely. I didn't see much tho. :)
     
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    BTW, I have installed 2009 Outpost today to check if it really protects from ARP-spoofing. Unfortunately, Outpost doesn't protect from ARP-spoofing. Machine with Outpost was cut from internet, ICQ disconnected. It was possible to load some pages using IE, but with huge lags. I tried to download another ICQ client and download started, but never ended. Other pages were completely inaccessible. So a claim about Outpost protecting from ARP-spoofing is not correct, sorry.
     
    Last edited: Jul 3, 2008
  11. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    have u really tested it against netcut , sniffers and spoofers ?!
    i doubt

    what made u think that the internet disconnection is due to a spoofing attack
    have u spoofed ur pc from another machine on local network
    i think u didn't coz u did not mention any thing about that



    start of download and loading of webpages means that u were not disconnected completely , which means that u were not under spoofing attack , it was only in ur imagination

    moreover , we did not say that outpost is bug free
    outpost esp. latest versions 2008 , 2009 have many problems with downloading and surfing becoz of content filtering
    so for download applications u should edit their rule and disable content filtering if u experience downloading problems and this is not related to its antispoofing functionality

    if the disconnection is as u claim is due to spoofing of ur mac or ip ?
    are u used to be disconnected from internet usually , or ur OA protect u from internet disconnection . while OA contains no functions related to spoofing



    in fact the internet disconnection that u faced with outpost is NOT due to spoofing because

    1-if there is spoofing in reality inside local network, u will be warned instantly about the spoofing mac

    2-u were not under spoofing attack , because the download of icq started in fact , and webpages loaded slowly , so u were not under complete disconnection , so that there was not a real spoofing or arp poisoning

    3-to be well protected from spoofing , u should set the attack detection plugin in outpost to optimal or high "the default is set to low "

    4- u did not test spoofing ur self
    u had to install netcut , winarpspoofer , switch sniffer on another pc on the local network and try to generate a DOS attack against ur pc , b4 u claim that u have disconnected due to spoofing attack .
    in fact from what u said above and from ur claims i'm sure now that u know nothing about arp poisoning and spoofing


    i can summarize ur comment in
    "someone installed a new firewall and disconnected from the internet then he imagined in his dreams that this is due to a spoofing attack "

    and the funny result of what u said is

    because outpost has anti-spoofing functionality it failed to protect from spoofing so that u were disconnected instantly , as if the hacker waited for u to install outpost and in the same moment u were spoofed from someone inside ur lan

    but 90% of firewalls has no antispoofing properties "including OA" --does this mean that with all these firewalls u will be always disconnected due to spoofing ??


    as an advice , if u really installed outpost to check if it really protects from ARP-spoofing , u must test it by spoofing ur self from another pc on the same lan and also u must set the attack detection function to high


    finally
    from all ur claims i realized that , u were unfair , u claimed a lot of things which are not true , just coz u wanted to prove something

    sorry i'll walk out of this discussion completely
    no more replies on this subject
     
    Last edited by a moderator: Jul 7, 2008
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    You may doubt, of course, but I tested it with well-known netcut in a LAN with ~30 computers. I can add TCPdump was set on gateway to watch all the traffic from the involved machines. There is no problem to send you the logs or to show them here.

    This is plain simple. The same operations from the not attacked computer in the same time passed as they should do -- normally. netcut was activated and deactivated several times to reproduce issue and it was reproduced several times in line.

    ohh, Gosh .. all the traffic was sniffed including the spoofed ARP packets. netcut sends broadcast ARP requests very often (which is indirect way to detect it) to make other computers on the LAN to introduce themselves. And then it sends spoofed ARP packets to attacked machine with completely fake MAC address that doesn't fit into IEEE OUI listing and it also changes MAC address very frequently which makes arpwatch (if you know what is it) to go crazy. So there is not just a single reason not to be sure about what did happen.


    BTW, Do you really understand what ARP-spoofing is ? There is not just a single source that would say ARP-attack can be prevented without involving gateway machine or special network hardware like programmable switches. Can you show me something opposite except groundless FW vendors claims ?
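
The indicators named in the post above (frequent broadcast ARP requests, sender MACs outside the IEEE OUI listing, and an IP whose MAC keeps changing, the event arpwatch reports), run as detection logic over captured ARP events. This is an added example, not part of the original thread; the event tuple layout, the `KNOWN_OUIS` set, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed stand-in for the IEEE OUI registry (assumption; load the real list in practice).
KNOWN_OUIS = {"00:1a:2b", "00:50:56"}

def analyze_arp(events, known_ouis=KNOWN_OUIS, sweep_hosts=5, window=10.0):
    """events: (ts, op, sender_ip, sender_mac, target_ip) tuples, op = 'request' or 'reply'.
    Returns a list of (ts, kind, detail) alerts."""
    bindings = {}                  # sender IP -> last MAC that claimed it
    requests = defaultdict(deque)  # sender MAC -> recent (ts, target_ip) requests
    sweepers = set()               # MACs already reported for sweeping
    alerts = []
    for ts, op, ip, mac, target in events:
        mac = mac.lower()
        if mac[:8] not in known_ouis:          # vendor prefix not in the registry
            alerts.append((ts, "unknown-oui", f"{ip} claims {mac}"))
        prev = bindings.get(ip)
        if prev is not None and prev != mac:   # IP moved to a different MAC
            alerts.append((ts, "binding-changed", f"{ip}: {prev} -> {mac}"))
        bindings[ip] = mac
        if op == "request":
            q = requests[mac]
            q.append((ts, target))
            while ts - q[0][0] > window:       # drop requests older than the window
                q.popleft()
            targets = {t for _, t in q}
            if len(targets) >= sweep_hosts and mac not in sweepers:
                sweepers.add(mac)
                alerts.append((ts, "arp-sweep", f"{mac} queried {len(targets)} hosts"))
    return alerts

GATEWAY = ("192.168.1.1", "00:1a:2b:00:00:01")
# Constructed sample: one host queries five addresses, then two replies claim
# the gateway IP from two different MACs with unregistered prefixes.
SAMPLE_EVENTS = (
    [(0.0, "reply", *GATEWAY, "192.168.1.20")]
    + [(1.0 + i / 10, "request", "192.168.1.66", "00:50:56:aa:bb:cc",
        f"192.168.1.{10 + i}") for i in range(5)]
    + [(2.0, "reply", "192.168.1.1", "3e:91:7c:10:20:30", "192.168.1.20"),
       (2.5, "reply", "192.168.1.1", "a6:04:d2:55:66:77", "192.168.1.20")]
)

if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_EVENTS):
        print(alert)
```

Hosts that use randomized (locally administered) MAC addresses also fall outside the OUI registry, so the `unknown-oui` alert is most useful when it coincides with `binding-changed` on the gateway address.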
     
  13. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    LOL Hany wrote a couple of essays....

    ~off topic comments removed....Bubba~

    Back to topic.

    Most attacks in the above list are useless today. Various patches and bug fixes for Windows have rendered most of the above useless. The list of attacks mentioned earlier mostly applies only to earlier versions of Windows like 95.

    If someone is serious about testing a firewall's defense against ARP spoofing for example and has a LAN with at least 2 computers go here:
    http://www.grc.com/nat/arp.htm

    Follow the links to download testing apps at bottom of page, namely:

    arpoison
    dsniff
    ettercap
    parasite
    winarpspoofer
     
    Last edited by a moderator: Jul 7, 2008
  14. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
  15. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    numerous off topic posts removed.

    That being the case, I'd suggest you take this matter up with management since We are not fond of contributing to the bypassing of a company's policies.

    That being said and since this thread has long ago deviated from the actual thread starters topic, we'll bring this thread to a close.
     