Author Topic: COMODO Leak Test Suite Updated Version  (Read 177273 times)
JoWa
Product Translator
Global Moderator
Comodo's Hero
« Reply #105 on: September 08, 2010, 02:55:54 AM »

PC Tools Firewall Plus 7.0.0.77 Beta 3
VirtualBox

COMODO Leaktests v.1.1.0.3
Date   09:24:53 - 2010-09-08
OS   Windows XP SP3 build 2600
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Vulnerable
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Protected
5. Invasion: Runner   Protected
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Vulnerable
10. Injection: SetWinEventHook   Protected
11. Injection: SetWindowsHookEx   Protected
12. Injection: SetThreadContext   Protected
13. Injection: Services   Protected
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Vulnerable
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Protected
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Protected
25. Impersonation: Coat   Protected
26. Impersonation: BITS   Vulnerable
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Protected
29. Hijacking: UIHost   Vulnerable
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Vulnerable
33. Hijacking: AppinitDlls   Protected
34. Hijacking: ActiveDesktop   Protected
Score   230/340
knk2006
Comodo's Hero
« Reply #106 on: September 25, 2010, 04:49:25 AM »

Comodo's sandbox is now smarter. How? I launched a trusted application using a non-trusted application as a portable version. The non-trusted application was ended; however, the trusted application (the same one, not modified) was still in the sandbox. I tried to reach the main site from the "About" section. The result: I reached it without any pop-up, but of course IE got sandboxed as well. I thought that might be a bug, because I didn't get any alert from the firewall, so I ran the leak test (after letting it through the antivirus), and here is the result:

 Date   12:41:34 ã - 17/10/31
OS   Windows XP SP3 build 2600
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Protected
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Protected
5. Invasion: Runner   Protected
6. Invasion: RawDisk   Protected
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Protected
9. Invasion: DebugControl   Protected
10. Injection: SetWinEventHook   Protected
11. Injection: SetWindowsHookEx   Protected
12. Injection: SetThreadContext   Protected
13. Injection: Services   Protected
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Protected
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Protected
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Protected
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Protected
25. Impersonation: Coat   Protected
26. Impersonation: BITS   Protected
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Protected
29. Hijacking: UIHost   Protected
30. Hijacking: SupersedeServiceDll   Protected
31. Hijacking: StartupPrograms   Protected
32. Hijacking: ChangeDebuggerPath   Protected
33. Hijacking: AppinitDlls   Protected
34. Hijacking: ActiveDesktop   Protected
Score   340/340

Stock configuration of CIS 5 complete.
cool1007
Comodo Family Member
« Reply #107 on: September 29, 2010, 12:35:31 PM »

I got a 180/340 score with a stock configuration/installation of CIS 5.
Defense+ : Safe Mode
Antivirus: On Access
Firewall: Safe Mode
Sandbox: Safe Mode

Any ideas how to improve the results?

Thanks


COMODO Leaktests v.1.1.0.3
 
Date 12:18:35 PM - 9/29/2010
 
OS Windows Vista SP0 build 7600
 
1. RootkitInstallation: MissingDriverLoad Protected
2. RootkitInstallation: LoadAndCallImage Protected
3. RootkitInstallation: DriverSupersede Protected
4. RootkitInstallation: ChangeDrvPath Vulnerable
5. Invasion: Runner Vulnerable
6. Invasion: RawDisk Vulnerable
7. Invasion: PhysicalMemory Protected
8. Invasion: FileDrop Vulnerable
9. Invasion: DebugControl Protected
10. Injection: SetWinEventHook Vulnerable
11. Injection: SetWindowsHookEx Vulnerable
12. Injection: SetThreadContext Protected
13. Injection: Services Vulnerable
14. Injection: ProcessInject Protected
15. Injection: KnownDlls Vulnerable
16. Injection: DupHandles Protected
17. Injection: CreateRemoteThread Protected
18. Injection: APC dll injection Protected
19. Injection: AdvancedProcessTermination Protected
20. InfoSend: ICMP Test Protected
21. InfoSend: DNS Test Vulnerable
22. Impersonation: OLE automation Protected
23. Impersonation: ExplorerAsParent Vulnerable
24. Impersonation: DDE Vulnerable
25. Impersonation: Coat Vulnerable
26. Impersonation: BITS Protected
27. Hijacking: WinlogonNotify Protected
28. Hijacking: Userinit Vulnerable
29. Hijacking: UIHost Protected
30. Hijacking: SupersedeServiceDll Vulnerable
31. Hijacking: StartupPrograms Vulnerable
32. Hijacking: ChangeDebuggerPath Protected
33. Hijacking: AppinitDlls Vulnerable
34. Hijacking: ActiveDesktop Protected
Score 180/340
 

John Buchanan
Global Moderator
« Reply #108 on: September 29, 2010, 12:38:09 PM »

CLT was not designed to be used in a sandbox. It was designed to test the firewall and D+/HIPS only.
Using it inside a sandbox or with a sandbox gives erroneous results.
cool1007
Comodo Family Member
« Reply #109 on: September 29, 2010, 01:11:11 PM »

I disabled the sandbox entirely (by right-clicking the taskbar icon and by going to Defense+ settings), then rebooted the PC, ran CLT again, and it gave me almost the same score (+10 points).

I also followed the instructions for configuring CIS in this post https://forums.comodo.com/leak-testingattacksvulnerability-research/getting-accurate-leak-test-results-t61715.0.html.

Now I'm worried about my computer security with such a low score. Any other ideas?

COMODO Leaktests v.1.1.0.3
 
Date 1:29:39 PM - 9/29/2010
 
OS Windows Vista SP0 build 7600
 
1. RootkitInstallation: MissingDriverLoad Protected
2. RootkitInstallation: LoadAndCallImage Protected
3. RootkitInstallation: DriverSupersede Protected
4. RootkitInstallation: ChangeDrvPath Vulnerable
5. Invasion: Runner Vulnerable
6. Invasion: RawDisk Vulnerable
7. Invasion: PhysicalMemory Protected
8. Invasion: FileDrop Vulnerable
9. Invasion: DebugControl Protected
10. Injection: SetWinEventHook Vulnerable
11. Injection: SetWindowsHookEx Vulnerable
12. Injection: SetThreadContext Protected
13. Injection: Services Vulnerable
14. Injection: ProcessInject Protected
15. Injection: KnownDlls Vulnerable
16. Injection: DupHandles Protected
17. Injection: CreateRemoteThread Protected
18. Injection: APC dll injection Protected
19. Injection: AdvancedProcessTermination Protected
20. InfoSend: ICMP Test Protected
21. InfoSend: DNS Test Protected
22. Impersonation: OLE automation Protected
23. Impersonation: ExplorerAsParent Vulnerable
24. Impersonation: DDE Vulnerable
25. Impersonation: Coat Vulnerable
26. Impersonation: BITS Protected
27. Hijacking: WinlogonNotify Protected
28. Hijacking: Userinit Vulnerable
29. Hijacking: UIHost Protected
30. Hijacking: SupersedeServiceDll Vulnerable
31. Hijacking: StartupPrograms Vulnerable
32. Hijacking: ChangeDebuggerPath Protected
33. Hijacking: AppinitDlls Vulnerable
34. Hijacking: ActiveDesktop Protected
Score 190/340
 

EDIT: after switching to Proactive Configuration, the sandbox was enabled again by default, and I didn't notice. After disabling the sandbox, I ran CLT again and got a perfect score. Thanks, John

COMODO Leaktests v.1.1.0.3
 
Date 1:38:24 PM - 9/29/2010
 
OS Windows Vista SP0 build 7600
 
1. RootkitInstallation: MissingDriverLoad Protected
2. RootkitInstallation: LoadAndCallImage Protected
3. RootkitInstallation: DriverSupersede Protected
4. RootkitInstallation: ChangeDrvPath Protected
5. Invasion: Runner Protected
6. Invasion: RawDisk Protected
7. Invasion: PhysicalMemory Protected
8. Invasion: FileDrop Protected
9. Invasion: DebugControl Protected
10. Injection: SetWinEventHook Protected
11. Injection: SetWindowsHookEx Protected
12. Injection: SetThreadContext Protected
13. Injection: Services Protected
14. Injection: ProcessInject Protected
15. Injection: KnownDlls Protected
16. Injection: DupHandles Protected
17. Injection: CreateRemoteThread Protected
18. Injection: APC dll injection Protected
19. Injection: AdvancedProcessTermination Protected
20. InfoSend: ICMP Test Protected
21. InfoSend: DNS Test Protected
22. Impersonation: OLE automation Protected
23. Impersonation: ExplorerAsParent Protected
24. Impersonation: DDE Protected
25. Impersonation: Coat Protected
26. Impersonation: BITS Protected
27. Hijacking: WinlogonNotify Protected
28. Hijacking: Userinit Protected
29. Hijacking: UIHost Protected
30. Hijacking: SupersedeServiceDll Protected
31. Hijacking: StartupPrograms Protected
32. Hijacking: ChangeDebuggerPath Protected
33. Hijacking: AppinitDlls Protected
34. Hijacking: ActiveDesktop Protected
Score 340/340
 

(C) COMODO 2008
« Last Edit: September 29, 2010, 01:41:11 PM by cool1007 »
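The before/after pair above, where only the sandbox setting changed between runs, is the kind of comparison worth automating rather than eyeballing. The following is an added example, not part of the thread or of COMODO's tool: it parses the CLT report format pasted in this thread, checks that the stated score matches ten points per Protected test (which catches a truncated or hand-edited paste), and lists the tests whose verdict changed between two runs. The abbreviated reports are constructed; the real tool lists 34 tests and scores out of 340.

```python
import re
# Constructed, abbreviated CLT-style reports mirroring the thread's pasted
# output (the real tool lists 34 tests and scores out of 340).
RUN_BEFORE = """COMODO Leaktests v.1.1.0.3
Date 1:29:39 PM - 9/29/2010
OS Windows Vista SP0 build 7600
1. RootkitInstallation: MissingDriverLoad Protected
2. RootkitInstallation: ChangeDrvPath Vulnerable
3. Invasion: Runner Vulnerable
4. Injection: APC dll injection Vulnerable
5. Hijacking: Userinit Vulnerable
Score 10/50
"""
RUN_AFTER = """COMODO Leaktests v.1.1.0.3
Date 1:38:24 PM - 9/29/2010
OS Windows Vista SP0 build 7600
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: ChangeDrvPath   Protected
3. Invasion: Runner   Protected
4. Injection: APC dll injection   Protected
5. Hijacking: Userinit   Vulnerable
Score 40/50
"""

# One result line: "<n>. <Category>: <test name>   <Protected|Vulnerable>"
TEST_LINE = re.compile(r"^\s*(\d+)\.\s+(\S+):\s+(.+?)\s+(Protected|Vulnerable)\s*$")
SCORE_LINE = re.compile(r"^\s*Score\s+(\d+)/(\d+)\s*$")
POINTS_PER_TEST = 10  # CLT awards 10 points per Protected test

def parse_clt(report):
    """Return ({"Category: test": verdict}, stated_score, max_score).
    Raises ValueError when the stated score disagrees with the verdicts,
    which catches a truncated or hand-edited paste."""
    verdicts, stated = {}, None
    for line in report.splitlines():
        m = TEST_LINE.match(line)
        s = SCORE_LINE.match(line)
        if m:
            verdicts[f"{m.group(2)}: {m.group(3)}"] = m.group(4)
        elif s:
            stated = (int(s.group(1)), int(s.group(2)))
    if stated is None:
        raise ValueError("no Score line found")
    protected = sum(v == "Protected" for v in verdicts.values())
    computed = (POINTS_PER_TEST * protected, POINTS_PER_TEST * len(verdicts))
    if computed != stated:
        raise ValueError(f"score mismatch: stated {stated}, computed {computed}")
    return verdicts, stated[0], stated[1]

def diff_runs(before, after):
    """Tests whose verdict changed between two runs (e.g. sandbox on vs. off)."""
    vb, _, _ = parse_clt(before)
    va, _, _ = parse_clt(after)
    return {t: (vb[t], va[t]) for t in vb if t in va and vb[t] != va[t]}
```

Running `diff_runs(RUN_BEFORE, RUN_AFTER)` on the constructed reports lists the three tests that flipped from Vulnerable to Protected, which is the view you want when deciding whether a setting change (not the test tool) explains a score.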

cocopara
Comodo Family Member
« Reply #110 on: October 02, 2010, 02:48:09 PM »

Why do I get these results?


Date   21:34:34 - 02.10.2010
OS   Windows Vista SP0 build 7600
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Protected
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Vulnerable
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Protected
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Protected
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Protected
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Vulnerable
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Protected
25. Impersonation: Coat   Vulnerable
26. Impersonation: BITS   Protected
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Protected
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Protected
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Protected
Score   200/340

I am in fact using W7 and not Vista as it shows.

I put heur etc. all to full and maximized the security, yet such a poor result. WTF
John Buchanan
Global Moderator
« Reply #111 on: October 02, 2010, 03:09:45 PM »

CLT was not designed to be used in a sandbox. It was designed to test the firewall and D+/HIPS only.
Using it inside a sandbox or with a sandbox gives erroneous results.

cocopara
Comodo Family Member
« Reply #112 on: October 02, 2010, 03:32:45 PM »



I even disabled the sandbox, so why did I get such a retarded result?
Whoop-dee-doo
Global Moderator
« Reply #113 on: October 03, 2010, 11:01:54 AM »

I even disabled the sandbox, so why did I get such a retarded result?

Please see this post. It will help you set CIS appropriately and help you achieve an accurate leak test result.
Comm512
Comodo Family Member
« Reply #114 on: October 05, 2010, 09:18:47 AM »

When I do achieve a 340 score, is it unwise to alter any setting in Comodo after that? I mean, can I enable the sandbox again without compromising security?

Is it not possible to get a 340 without user intervention? I do like Comodo blocking all untrusted files so that I am able to check afterwards (after execution of the exe) what was trying to run.

I see a lot of 'clt.exe scanned online and found malicious'. I do get 3 or 4 warnings from the Cloud that clt.exe is dangerous.
Whoop-dee-doo
Global Moderator
« Reply #115 on: October 05, 2010, 08:54:07 PM »

When I do achieve a 340 score, is it unwise to alter any setting in Comodo after that? I mean, can I enable the sandbox again without compromising security?

Yes, you can enable the sandbox without compromising security. The CLT program is not designed to test the sandbox, and that is why you are supposed to turn off the sandbox for the test. The developers tested 15,000 malware files against the sandbox, and none of the malware files were able to run after rebooting (some harmless files may get dropped on your hard drive, but the malware cannot "infect" your computer and cause harm).


Is it not possible to get a 340 without user intervention? I do like Comodo blocking all untrusted files so that I am able to check afterwards (after execution of the exe) what was trying to run.
You can set CIS to block all alerts.

I see a lot of 'clt.exe scanned online and found malicious'. I do get 3 or 4 warnings from the Cloud that clt.exe is dangerous.

I am not sure why Comodo decided to let the AV flag CLT (it is not detected as malware, it is detected as a leak test application), but they are sticking to that decision. Simply add it to the AV exclusion list. CLT is a safe program and is harmless.


Johnzbzb
Comodo Family Member
« Reply #116 on: October 06, 2010, 04:10:19 AM »

What the heck, why do I get Application.Win32.LeakTest.~B[at]1 in the "A malicious item has been detected" message?
Johnzbzb
Comodo Family Member
« Reply #117 on: October 06, 2010, 04:15:59 AM »

Wow I got a really crap score 30/340 in the leak test.
Whoop-dee-doo
Global Moderator
« Reply #118 on: October 06, 2010, 08:41:13 AM »

What the heck, why do I get Application.Win32.LeakTest.~B[at]1 in the "A malicious item has been detected" message?

I am not sure why Comodo decided to let the AV flag CLT (it is not detected as malware, it is detected as a leak test application), but they are sticking to that decision. Simply add it to the AV exclusion list. CLT is a safe program and is harmless.

Wow I got a really crap score 30/340 in the leak test.

Please see this post. It will help you set CIS appropriately and help you achieve an accurate leak test result.

cocopara
Comodo Family Member
« Reply #119 on: October 12, 2010, 11:45:04 AM »

I've read that flipping* post and I get a really bad result. Will that affect my overall security? Anyhow, if a person in STOCK CONFIG gets 100%, why am I in the most protected CONFIG and reach really low? -.-