Author Topic: CIS 4: Low scores in Comodo Leaktests  (Read 4674 times)
Marcelius
« on: March 14, 2010, 10:49:17 AM »

Hello! I just installed CIS 4 and I'm getting very poor scores in the Comodo Leaktests tool. I've installed only the firewall but I'm also using Defense+ and the Sandbox.

When I run clt.exe I get a Defense+ popup asking for permission to run the file with elevated privileges; if I choose Block, the test doesn't open, so I guess that's not the point. But if I grant elevated privileges, then I get a very poor score of 50/340.

Any help will be appreciated. I have both the firewall and Defense+ in Safe Mode and I'm running Windows XP SP3.
Endymion
« Reply #1 on: March 14, 2010, 02:14:27 PM »

When I run clt.exe I get a Defense+ popup asking for permission to run the file with elevated privileges; if I choose Block, the test doesn't open, so I guess that's not the point. But if I grant elevated privileges, then I get a very poor score of 50/340.
Guess not allowing the D+ elevation alert for untrusted executables could be considered a point.

Overall you could use different ways to run/test CLT,

e.g.:
  • Testing automated sandboxing (virtualization disabled) by invoking clt.exe from the command prompt (or a .bat file).
  • Testing sandboxing with virtualization by right-clicking the clt.exe file and choosing "Run in Comodo Sandbox".
  • Testing full D+ by disabling the sandbox (right click on CIS tray icon\Sandbox security level\disabled) and running clt.exe.

PS: I attached an archive containing a .bat file. Once clt.bat is extracted and placed in the same folder as clt.exe, it can be used to run clt as described at point 1.

* clt.zip (0.12 KB)
« Last Edit: March 14, 2010, 02:33:34 PM by Endymion »

I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)
Marcelius
« Reply #2 on: March 14, 2010, 03:18:45 PM »

Guess not allowing the D+ elevation alert for untrusted executables could be considered a point.
Hahaha, I know, but I just wanted to run the test anyway; I wouldn't do that with a really unknown file.

But something strange happened now running the leaktest in the three ways you suggested: this time I did not receive the alert asking for elevated privileges. Any possible explanation for this behavior? Of course I got much better scores this way.

Here is my summary:

  • I got a nice improvement with this method: 310/340. But it seems that my system is still vulnerable to Invasion: PhysicalMemory, Impersonation: DDE and Impersonation: Coat.
  • Using "Run in Comodo Sandbox" gave me 230/340, being vulnerable in Invasion: PhysicalMemory, Invasion: FileDrop, Impersonation: DDE, Impersonation: Coat, Hijacking: WinlogonNotify, Hijacking: Userinit, Hijacking: UIHost, Hijacking: SupersedeServiceDll, Hijacking: Startup Programs, Hijacking: ChangeDebuggerPath and Hijacking: ActiveDesktop.
  • I did not expect this: 330/340 with the Sandbox disabled. Only vulnerable to Impersonation: Coat.

Should I disable the sandbox permanently? Where should I look to fix the Impersonation: Coat vulnerability?

Thanks a lot for your answer and the .bat file.
« Last Edit: March 14, 2010, 03:22:06 PM by Marcelius »
Endymion
« Reply #3 on: March 14, 2010, 04:38:59 PM »

But something strange happened now running the leaktest in the three ways you suggested: this time I did not receive the alert asking for elevated privileges. Any possible explanation for this behavior?

Elevation alerts won't be displayed when the sandbox is disabled (point 3).
The elevation alert did not appear on points 1 and 2 because those ways forced clt.exe to run sandboxed.

Point 1 reproduces a general scenario where an unrecognized/untrusted file (cmd.exe\clt.bat) runs another executable (clt.exe). In such a case the latter executable (clt.exe) will be automatically sandboxed without virtualization (automatic sandboxing would happen even if the latter were an application on Comodo's list of safe files).

Point 2 forces sandboxing using the context menu. In such a case file/registry virtualization is enabled as well (thus some tests incorrectly appeared as vulnerable).

Point 3 uses D+ and should be able to pass all CLT tests, but I too had Coat occasionally fail on V4 without apparent reason. Rebooting Windows and testing CLT with the sandbox disabled increases the chance to pass Coat as well, but fingers crossed this glitch will be solved in time.

About PhysicalMemory: perhaps you ran into another glitch (a 2nd run causes failed leaktests in the sandbox if the 1st run was elevated). You could take that test again after a reboot.

About DDE: not sure if the sandbox is meant to block it. You could try to reboot and test it again.



You can find additional information about the sandbox in Introduction to the Sandbox and more in How the Comodo Sandbox works.

ATM I'm running CIS with the sandbox enabled, but I'm still undecided.

« Last Edit: March 14, 2010, 05:07:48 PM by Endymion »

Marcelius
« Reply #4 on: March 14, 2010, 07:08:13 PM »

Thanks a lot for your detailed explanation and the links, Endymion. You have been of tremendous help.
Endymion
« Reply #5 on: March 15, 2010, 06:53:28 AM »

You're welcome.