Comodo Forum > Learn about Computer Security and Interact with Security Experts > Leak Testing/Attacks/Vulnerability Research
Topic: 130/340 (Read 11116 times)
Valentin N (Malware Research Group) « on: November 25, 2010, 06:05:33 AM »

Hey All :)

I guess I have wrong settings which made me get 130 of 340. Any help would be appreciated.

OS:Win7 pro 32bit
Security: CIS 5 with proactive security settings on

Antivirus
AV settings: Real-time protection is on On Access, scan memory on start is on, auto updates are on, don't scan files that are bigger than 50 MB, with heuristics on high. Manual scanning has heuristics on high, scans archive files and doesn't scan files that are more than 200 MB.

Firewall
The firewall is on Safe mode, Alert settings is on High and in Advanced settings all options are marked besides "Monitor NDIS protocols other than TCP/IP". In the Stealth Ports Wizard I have selected "Block all incoming connections and make my ports stealth for everyone".

Defense+
Defense+ is on Safe mode. In General Settings everything is as it is from the factory. In Execution Control Settings the Image Execution Control Level is enabled, Treat unrecognized files as Restricted and all of the other options are marked. Everything is as it is from the factory but I have unmarked "Automatically trust files from trusted installers". Everything is marked in Monitoring Settings.

Here is the list

LIST
Date   11:27:47 - 2010-11-25
OS   Windows Vista SP0 build 7600 (strange that it says Win Vista)
1. RootkitInstallation: MissingDriverLoad   Vulnerable
2. RootkitInstallation: LoadAndCallImage   Vulnerable
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Protected
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Protected
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Vulnerable
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Vulnerable
19. Injection: AdvancedProcessTermination   Vulnerable
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Vulnerable
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Vulnerable
25. Impersonation: Coat   Vulnerable
26. Impersonation: BITS   Vulnerable
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Protected
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Vulnerable
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Protected
Score   130/340

Thanks in advance

Regards,
            Valentin

Skype: comodohelper (Personal)

CEVPN: Valentin N

CIS 5.9

Keep CTM alive by voting
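Added example, not part of this post and not CLT or Comodo code: a read-only PowerShell audit of the live registry locations that the "Hijacking" and "KnownDlls" entries in the result list above target. Running it after a CLT pass tells you whether the test's changes actually reached the real system, which is the question the later sandbox/virtualisation exchange in this thread turns on, and it is a more direct check than the score alone. Assumptions: the mapping from each CLT test name to a registry location is inferred from the test name (the page does not document what each test does); the "stock" baselines are Windows 7 defaults; run it from an elevated PowerShell prompt. It does not remove any CIS rules, which is the product-specific part of the cleanup procedure discussed below.

```powershell
# Added example (not CLT code, not from the Comodo forum): read the live,
# non-virtualised persistence locations that the listed CLT "Hijacking" and
# "KnownDlls" tests target and report anything that deviates from stock.
# Assumptions: elevated prompt; Windows 7 baselines; test-name-to-key mapping
# inferred from the CLT test names. Read-only: nothing is modified.

$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windows   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ifeo      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$services  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$knownDlls = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$runKeys   = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 28. Hijacking: Userinit -- stock value is "<windir>\system32\userinit.exe,"
$userinit = Get-RegValue $winlogon 'Userinit'
$stockUserinit = "$env:windir\system32\userinit.exe"
if ($userinit -and ($userinit.TrimEnd(',') -ne $stockUserinit)) {   # -ne is case-insensitive
    $findings.Add("Userinit changed: $userinit")
}

# 29. Hijacking: UIHost -- XP-era value; any setting on Windows 7 is suspect
$uihost = Get-RegValue $winlogon 'UIHost'
if ($uihost) { $findings.Add("UIHost set: $uihost") }

# 27. Hijacking: WinlogonNotify -- notification packages under Winlogon\Notify
if (Test-Path "$winlogon\Notify") {
    foreach ($pkg in Get-ChildItem "$winlogon\Notify") {
        $dll = Get-RegValue $pkg.PSPath 'DLLName'
        $findings.Add("Winlogon notify package $($pkg.PSChildName): $dll")
    }
}

# 33. Hijacking: AppinitDlls -- stock value is empty
$appinit = Get-RegValue $windows 'AppInit_DLLs'
if ($appinit) { $findings.Add("AppInit_DLLs populated: $appinit") }

# 32. Hijacking: ChangeDebuggerPath -- an IFEO "Debugger" value redirects an exe
foreach ($img in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
    $dbg = Get-RegValue $img.PSPath 'Debugger'
    if ($dbg) { $findings.Add("IFEO debugger for $($img.PSChildName): $dbg") }
}

# 31. Hijacking: StartupPrograms -- list every Run/RunOnce entry for review
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($e in $entries) { $findings.Add("Startup entry [$key] $($e.Name) = $($e.Value)") }
}

# 30. Hijacking: SupersedeServiceDll -- a ServiceDll outside %SystemRoot% is
# worth a look (third-party services can legitimately live elsewhere)
foreach ($svc in Get-ChildItem $services -ErrorAction SilentlyContinue) {
    $dll = Get-RegValue "$($svc.PSPath)\Parameters" 'ServiceDll'
    if ($dll -and ($dll -notlike "$env:SystemRoot\*") -and ($dll -notlike '%SystemRoot%\*')) {
        $findings.Add("Service $($svc.PSChildName) ServiceDll outside SystemRoot: $dll")
    }
}

# 15. Injection: KnownDlls -- entries whose DLL is not actually in System32
$kd = (Get-ItemProperty $knownDlls).PSObject.Properties |
      Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' }
foreach ($e in $kd) {
    if (-not (Test-Path (Join-Path "$env:SystemRoot\System32" $e.Value))) {
        $findings.Add("KnownDLLs $($e.Name) = $($e.Value) missing from System32")
    }
}

if ($findings.Count -eq 0) { 'No changes found in the audited persistence locations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once before CLT to record the baseline output, then again after the test (before and after the reboot the cleanup procedure calls for) and diff the two; an entry that appears only in the post-test run reached the real registry regardless of what the score says. Startup entries are listed rather than judged because legitimate software writes there too.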

L.A.R. Grizzly « Reply #1 on: November 25, 2010, 09:52:49 AM »

> Hey All :)
>
> I guess I have wrong settings which made me get 130 of 340. Any help would be appreciated.
>
> OS:Win7 pro 32bit
> Security: CIS 5 with proactive security settings on

https://forums.comodo.com/leak-testingattacksvulnerability-research/comodo-leak-test-suite-updated-version-t30110.0.html;msg443168#msg443168

Win7 Pro SP1 32 Bit - WinXP Pro SP3 32 Bit
CIS 6.1.276867.2813
Firefox and Thunderbird
Toolbar Icon Themes for Firefox and Thunderbird

Valentin N « Reply #2 on: November 25, 2010, 11:53:12 AM »

Thanks for the link L.A.R.

I have followed the instructions that you linked to but that doesn't help.

Regards,
            Valentin

clockwork « Reply #3 on: November 25, 2010, 12:00:18 PM »

Is the test running in the Comodo sandbox?

Do you allow on questions from Defense+ after the test is started? Your answers are part of the test. You can answer no, or don't answer at all.


"If there is a problem, it`s something interesting. Try to circumvent or fix it.
In the old ages there was no support. That`s why we got the brain we have today.
Otherwise we would only be able to call a number and listen."

L.A.R. Grizzly « Reply #4 on: November 25, 2010, 12:25:12 PM »

> Thanks for the link L.A.R.
>
> I have followed the instructions that you linked to but that doesn't help.
>
> Regards,
>             Valentin

It wasn't referred to as instructions; it was referred to because the Leak Test wasn't designed to work with a sandbox. You will get erroneous results. The Leak Test program needs to be updated to work properly with the new CIS.

Valentin N « Reply #5 on: November 25, 2010, 12:39:22 PM »

Okay, I will wait for the updated version; I know I have a clean system (so I think :D) since I make regular scans with different scanners and I check if something seems abnormal.

Regards,
            Valentin

L.A.R. Grizzly « Reply #6 on: November 25, 2010, 01:27:34 PM »

> Okay, I will wait for the updated version; I know I have a clean system (so I think :D) since I make regular scans with different scanners and I check if something seems abnormal.
>
> Regards,
>             Valentin

Rest assured, you are perfectly protected. I have CIS as my only security program and I feel no need to worry! With DACS coming in future versions, CIS will be even more powerful.

Valentin N « Reply #7 on: November 25, 2010, 01:45:25 PM »

I feel secure and I have the highest settings someone can have.

BoredNow « Reply #8 on: November 25, 2010, 01:55:04 PM »

I also got bad results the first time I ran this test, but if you search the forum for...

....  Getting Accurate Leak Test Results  ....

and follow the instructions, you will get accurate results.

The first 5 sections are very important.
Basically, you need to make sure any rules that were made while you ran the test the first time are removed, and you need to delete the Internet Explorer (IE) browsing history cache.
And then reboot. ;)

HP pavilion media center 2006
Windows 7 64bit - Standard Acct.
EMET 3
CIS-5.10
Sandboxie 3.76

L.A.R. Grizzly « Reply #9 on: November 25, 2010, 02:32:58 PM »

> I also got bad results the first time I ran this test, but if you search the forum for...
>
> ....  Getting Accurate Leak Test Results  ....
>
> and follow the instructions, you will get accurate results.
>
> The first 5 sections are very important.
> Basically, you need to make sure any rules that were made while you ran the test the first time are removed, and you need to delete the Internet Explorer (IE) browsing history cache.
> And then reboot. ;)

Sounds like quite a hassle just to get a program to say everything's OK.

clockwork « Reply #10 on: November 25, 2010, 02:57:27 PM »

What should be changed in the test to work with the Comodo sandbox? Do you just want the "test result" to look good, or do you want to test your program? Hey, all products would get 100% results if it was usual to modify tests to get good results :D

The test shows that the sandbox allows things to be done automatically which you don't want to be done.
Yes, a reboot will remove some of the threats that happened.... but the threats worked until then (keyloggers for example).

When a TEST has to be changed to get good results.... LOL?

The test shows that there is a design problem with an "automatic allowing sandbox". In other words: automatic sandboxing rather means that the threats are allowed to run automatically, even without any question from Defense+.

JoWa (Product Translator, Global Moderator) « Reply #11 on: November 25, 2010, 03:46:58 PM »

Virtualisation allows files to be dropped and changes to be made in the registry, but in a special "virtual" folder and registry. CLT doesn't understand that they are virtual, and says Vulnerable. That's why CLT should be updated. ;)

But if you run CLT and click on Sandbox in the unlimited access alert, virtualisation is not applied, and you can get 340/340, with default settings! :)

Ubuntu 13.04, 64-bit | Chrome 27β | Asus P8Z77-M | Intel Core i5 2500K 3,3GHz | 2×4 GB RAM | SSD: OCZ Vertex3 60GB, HDD: 2TB Western Digital Caviar Black | Dell UltraSharp 24" U2410 IPS | Sony MDR-XB1000 | Philips SBC AH1000

Valentin N « Reply #12 on: November 25, 2010, 03:53:43 PM »

I just wanted to see, but since the program is more or less quite old I will wait, and I know that my system is clean.

Regards,
            Valentin

BoredNow « Reply #13 on: November 26, 2010, 12:16:49 AM »

The point is, the test was designed to test the HIPS side of CIS -- not the sandbox.

And once you run the test, CIS makes rules for the leak test which have to be cleaned up, otherwise it will let the same leaks through the next time you run it.

Following the clean-up procedure is no big deal. I am a computer noob and I did it in about 5 minutes.

salaficall « Reply #14 on: November 26, 2010, 08:47:46 AM »

> Virtualisation allows files to be dropped and changes to be made in the registry, but in a special "virtual" folder and registry. CLT doesn't understand that they are virtual, and says Vulnerable. That's why CLT should be updated. ;)
>
> But if you run CLT and click on Sandbox in the unlimited access alert, virtualisation is not applied, and you can get 340/340, with default settings! :)

This is not true.

> Automatic sandboxing does not virtualise software. Files and registry keys created by the software are NOT stored in a separate place on your hard disk. (Instead, to protect system integrity, the sandboxed program is prevented from writing to protected folders, pre-existing files, and registry keys.)

https://forums.comodo.com/defense-sandbox-help-cis/introduction-to-the-5x-sandbox-under-construction-t61169.0.html;msg430226#msg430226

Anyway, even if I disable the file system and the registry virtualisation completely, one still can never get a full score with the sandbox option on!!!

I only get a full score if I disable the sandbox option...

Since we all now agree that automatic sandboxing does not virtualise software files and registry keys created by the software, and it only prevents the sandboxed program from writing to protected folders, pre-existing files, and registry keys,

so why are the CLT results when run with S/B disabled not equal to CLT run with S/B enabled???!!!

Since the automatic sandboxing is only more restrictions, I assume the CLT results are supposed to be better, not worse!!!! Like the case we have here!!

CIS 5 is very powerful software but I guess the sandbox is bugged!

An ounce of prevention is better than a pound of cure

That's why I like Comodo !