Author Topic: COMODO Leak Test Suite Updated Version  (Read 177180 times)
L.A.R. Grizzly
« Reply #120 on: October 12, 2010, 12:41:36 PM »

Quote
I've read that flipping post and I get a really bad result. Will that affect my overall security? Anyhow if a person in STOCK CONFIG gets 100% why am I in the most protected CONFIG and I reach really low -.-.

See this:

https://forums.comodo.com/leak-testingattacksvulnerability-research/comodo-leak-test-suite-updated-version-t30110.0.html;msg443168#msg443168

Win7 Pro SP1 32 Bit - WinXP Pro SP3 32 Bit
CIS 6.1.276867.2813
Firefox and Thunderbird
Toolbar Icon Themes for Firefox and Thunderbird
Whoop-dee-doo
Cave Dweller
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 1094


What are you staring at?


« Reply #121 on: October 12, 2010, 06:15:01 PM »

Quote
I've read that flipping post and I get a really bad result. Will that affect my overall security? Anyhow if a person in STOCK CONFIG gets 100% why am I in the most protected CONFIG and I reach really low -.-.

If you did read this post carefully, you would have noticed the instructions listed in #8, which tells you to post the requested information so that we can help you. I suggest that you make sure you have followed the flippin instructions exactly, and if you are still getting a low score, then post the flippin information that is requested.

"The best way to have a good idea is to have a lot of ideas." - Linus Pauling

"Don't find fault. Find a remedy." - Henry Ford
Jacob
« Reply #122 on: May 18, 2011, 03:16:05 AM »

Doing Good :)
340/340

Default Settings


OTR Truck Driver

Please Follow The Forum Rules!
rajeshs
« Reply #123 on: May 26, 2011, 10:44:52 PM »

I do know this thread is very old but can't find any other thread more suitable to post this.

I configured my CIS 5.3 as per the instructions in the post below
Configuration = proactive
https://forums.comodo.com/leak-testingattacksvulnerability-research/getting-accurate-leak-test-results-t61715.0.html;msg434827#msg434827

but I am getting 210/340


COMODO Leaktests v.1.1.0.3
Date   09:09:32 - 27-05-2011
OS   Windows Vista SP1 build 7601
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Protected
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Vulnerable
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Protected
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Protected
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Protected
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Protected
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Vulnerable
25. Impersonation: Coat   Vulnerable
26. Impersonation: BITS   Protected
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Protected
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Protected
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Protected

1) How to fix these? Thank you
EricJH
« Reply #124 on: May 27, 2011, 03:08:31 PM »

Do the tips in Getting Accurate Leak Test Results help?
rajeshs
« Reply #125 on: June 01, 2011, 05:16:47 AM »



1. Make sure you have the following CIS settings:

Configuration = proactive     [checked]
Firewall = safe mode, custom policy mode, or block all mode.     [Safe Mode]
Defense+ = safe mode or paranoid mode     [Safe Mode]
Detect shellcode injections     enabled
Monitor settings = All is ticked

Sandbox = disabled     Yes
Defense+ Security Policy checked     no CLT entries
"Unrecognized Files"     none
Firewall Security Policy     Removed entry of CLT
Trusted files     checked
Delete the Internet Explorer (IE)     Done

5. Run CLT*     Done

Posting result [I redid the test]


Date   03:13:42 - 01-06-2011
OS   Windows Vista SP1 build 7601
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Protected
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Vulnerable
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Protected
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Protected
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Protected
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Vulnerable
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Vulnerable
25. Impersonation: Coat   Vulnerable
26. Impersonation: BITS   Protected
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Protected
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Protected
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Protected
Score   190/340
zakazak
« Reply #126 on: August 28, 2011, 05:09:51 PM »

Okay, I have some troubles with this:

When I run the test without sandboxing it (so allowing it) I get 190/340. I pressed "block" on all the pop-ups Comodo asked me during the test.

Quote
COMODO LEAKTESTS V.1.1.0.3
Date   00:00:36 - 29.08.2011
OS   Windows Vista SP1 build 7601
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Protected
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Vulnerable
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Protected
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Protected
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Protected
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Protected
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Vulnerable
24. Impersonation: DDE   Vulnerable
25. Impersonation: Coat   Vulnerable
26. Impersonation: BITS   Protected
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Protected
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Protected
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Protected
Score   190/340
(C) COMODO 2008

When I sandbox it (with Comodo ofc.. when the pop-up comes which says "sandbox,allow,block") I get 320/340:

Impersonation : ExplorerAsParent
Impersonation : DDE

I use:
Windows 7 Prof. x64
EMET 2.1 with most programs added to it.
Comodo Internet Security suite 5.5
Proactive Security (with some changes that should INCREASE security)
Firewall: Safe Mode + Medium Alert level
Defense+: Safe Mode

Can anyone help me with this? Should I post pictures of my CIS settings?

Thanks

@edit: I will make a new thread
« Last Edit: August 28, 2011, 05:15:20 PM by zakazak »
SivaSuresh
« Reply #127 on: August 29, 2011, 12:00:39 AM »

Hi,

This is my score on Windows7 x64, CIS 5.8.2 Beta, all defaults + Proactive Conf.


It is 340/340, if I sandboxed CLT.exe in the first alert (I don't know why but every time I run CLT.exe I get two consecutive D+ alerts)

Allowed CLT.exe to run for the first time, rest all alerts, I blocked, then I get 200/340

COMODO Leaktests v.1.1.0.3
Date   10:17:04:AM - 29-08-2011
OS   Windows Vista SP1 build 7601
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Protected
3. RootkitInstallation: DriverSupersede   Protected
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Vulnerable
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Protected
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Protected
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Protected
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Protected
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Protected
17. Injection: CreateRemoteThread   Protected
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Protected
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Protected
22. Impersonation: OLE automation   Protected
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Vulnerable
25. Impersonation: Coat   Vulnerable
26. Impersonation: BITS   Protected
27. Hijacking: WinlogonNotify   Protected
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Protected
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Protected
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Protected
Score   200/340

with love Siva Suresh
|| Windows8 x64 | CIS 6 | Waterfox | Comodo Dragon x86 | Thunderbird | CCleaner | Evernote | PStart | SuperCopier | Dropbox | TeamViewer | Screenshot Captor ||
|| AMD Phenom II x4 955B | ASUS M4A88TD | 8GB DDR3 RAM | 240GB Sandisk SSD  || 3TB SATA II HDD 6Gb/s
Arbie
« Reply #128 on: November 26, 2011, 03:12:40 PM »

I'm running Comodo free firewall v5.5.195786.1383.  I've just found and run the Comodo Firewall Leak Test which scored 340/340 with the firewall in 'Safe' mode.  Two suggestions on that:  make the link for the test much easier to find, and advise people to just keep pressing 'Cancel' on all the pop-ups while the test is running.

Anyway - I have also now just tried PCFlank's leak test.  With Comodo in 'Safe' mode, the firewall failed i.e. my random text string appeared as-typed on the PCFlank site.  When I went to 'Custom Policy' the leak test app was detected as dangerous based on cloud info.

I'm writing this partly to let you know that the PCFlank test gets through 'Safe' mode, since I didn't find any recent discussions of this in the forum.  And I wonder:  Can I expect Comodo to upgrade the firewall so that 'Safe' mode will stop this leak, or should I expect to need 'Custom' mode forever?

Thx

Arbie
rkg.narnaul
« Reply #129 on: March 12, 2012, 05:07:13 AM »

Plz can anyone gimme latest version of Comodo Leak Test Suite...??

I am using Comodo Firewall free version, Which Antivirus I should use with it....
SivaSuresh
« Reply #130 on: March 13, 2012, 12:18:52 AM »

The worst ever possible score for me...30/340

CIS 5.10 with Proactive Security defaults


Date   10:36:08 AM - 3/13/2012
OS   Windows XP SP3 build 2600
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Vulnerable
3. RootkitInstallation: DriverSupersede   Vulnerable
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Protected
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Vulnerable
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Vulnerable
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Vulnerable
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Vulnerable
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Vulnerable
17. Injection: CreateRemoteThread   Vulnerable
18. Injection: APC dll injection   Vulnerable
19. Injection: AdvancedProcessTermination   Vulnerable
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Vulnerable
22. Impersonation: OLE automation   Vulnerable
23. Impersonation: ExplorerAsParent   Vulnerable
24. Impersonation: DDE   Vulnerable
25. Impersonation: Coat   Vulnerable
26. Impersonation: BITS   Vulnerable
27. Hijacking: WinlogonNotify   Vulnerable
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Vulnerable
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Vulnerable
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Vulnerable
Score   30/340
wasgij6
« Reply #131 on: March 13, 2012, 12:25:57 AM »

Quote
The worst ever possible score for me...30/340

CIS 5.10 with Proactive Security defaults



That's really surprising. I just tested my system and I got 340/340 running proactive. Do you have the sandbox enabled?

| Win 7 Ultimate (x32) SP1; Admin | UAC Disabled | CIS 6.1.276867.2813 | CD 26.2 | CID 20.0.1 | VMWare Workstation; XP (x32), 7 (x64) |
SivaSuresh
« Reply #132 on: March 13, 2012, 01:24:47 AM »

Quote
That's really surprising. I just tested my system and I got 340/340 running proactive. Do you have the sandbox enabled?

Am I supposed to sandbox clt.exe? (I never sandboxed it previously) I just allowed it when it first asks for permission.
By the way, it says that clt.exe is not digitally signed. Is this correct?

Completely removed CIS, reinstalled again, still 70/340...I don't understand what happened...

COMODO Leaktests v.1.1.0.3
Date   11:46:19 AM - 3/13/2012
OS   Windows XP SP3 build 2600
1. RootkitInstallation: MissingDriverLoad   Protected
2. RootkitInstallation: LoadAndCallImage   Vulnerable
3. RootkitInstallation: DriverSupersede   Vulnerable
4. RootkitInstallation: ChangeDrvPath   Vulnerable
5. Invasion: Runner   Protected
6. Invasion: RawDisk   Vulnerable
7. Invasion: PhysicalMemory   Vulnerable
8. Invasion: FileDrop   Vulnerable
9. Invasion: DebugControl   Vulnerable
10. Injection: SetWinEventHook   Vulnerable
11. Injection: SetWindowsHookEx   Vulnerable
12. Injection: SetThreadContext   Vulnerable
13. Injection: Services   Vulnerable
14. Injection: ProcessInject   Vulnerable
15. Injection: KnownDlls   Vulnerable
16. Injection: DupHandles   Vulnerable
17. Injection: CreateRemoteThread   Vulnerable
18. Injection: APC dll injection   Protected
19. Injection: AdvancedProcessTermination   Vulnerable
20. InfoSend: ICMP Test   Protected
21. InfoSend: DNS Test   Protected
22. Impersonation: OLE automation   Vulnerable
23. Impersonation: ExplorerAsParent   Protected
24. Impersonation: DDE   Vulnerable
25. Impersonation: Coat   Protected
26. Impersonation: BITS   Vulnerable
27. Hijacking: WinlogonNotify   Vulnerable
28. Hijacking: Userinit   Vulnerable
29. Hijacking: UIHost   Vulnerable
30. Hijacking: SupersedeServiceDll   Vulnerable
31. Hijacking: StartupPrograms   Vulnerable
32. Hijacking: ChangeDebuggerPath   Vulnerable
33. Hijacking: AppinitDlls   Vulnerable
34. Hijacking: ActiveDesktop   Vulnerable
Score   70/340

I will do a fresh install of CIS 5.9 and come with the results in the evening. I am a little worried now.
wasgij6
« Reply #133 on: March 13, 2012, 01:29:39 AM »

The only alert you should allow is the first one, which says explorer.exe is trying to execute clt.exe. Then block the rest of the alerts (if you have the sandbox disabled).

No, CLT is not made to test the sandbox; it is meant to test the firewall and Defense+. Have you tried following the advice given in this article to get accurate leak test results?

EDIT: reworded
« Last Edit: March 13, 2012, 01:34:40 AM by wasgij6 »
JoWa
« Reply #134 on: March 13, 2012, 01:32:10 AM »

Quote
Am I supposed to sandbox clt.exe? (I never sandboxed it previously) I just allowed it when it first asks for permission.
By the way, it says that clt.exe is not digitally signed. Is this correct?

By allowing it, you give it “unlimited access to your computer”. Press Sandbox in the alert. Or test with sandbox disabled.

Correct. clt.exe is not signed. If it were signed by Comodo, it would automatically be trusted by CIS (with default settings). ;)

Ubuntu 13.04, 64-bit | Chrome 27β | Asus P8Z77-M | Intel Core i5 2500K 3,3GHz | 2×4 GB RAM | SSD: OCZ Vertex3 60GB, HDD: 2TB Western Digital Caviar Black | Dell UltraSharp 24" U2410 IPS | Sony MDR-XB1000 | Philips SBC AH1000
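
The reports pasted in this thread can be compared mechanically. As an added example (not part of any post here and not Comodo's code), the Python below parses a CLT report in either the line-per-test or the flattened paste layout, recomputes the score, and lists the tests whose verdict changed between two runs. The 10-points-per-Protected rule is an assumption inferred from the scored reports in this thread, and the two sample reports are constructed.

```python
import re

# One result is "<n>. <Category>: <Test name><verdict>". The verdict is either
# separated by whitespace or fused onto the name, as in the flattened pastes.
RESULT_RE = re.compile(
    r"(\d+)\.\s+(\w+):\s+(.+?)\s*(Protected|Vulnerable)(?=\s+\d+\.\s|\s*$)",
    re.MULTILINE,
)
SCORE_RE = re.compile(r"^Score\s+(\d+)/(\d+)", re.MULTILINE)
POINTS_PER_TEST = 10  # assumption: inferred from the scored reports in this thread


def parse_report(text):
    """Return ({"Category: Test": verdict}, reported score or None)."""
    results = {f"{cat}: {name}": verdict
               for _n, cat, name, verdict in RESULT_RE.findall(text)}
    m = SCORE_RE.search(text)
    return results, ((int(m.group(1)), int(m.group(2))) if m else None)


def score(results):
    """Recompute (points, maximum) from the per-test verdicts."""
    protected = sum(v == "Protected" for v in results.values())
    return protected * POINTS_PER_TEST, len(results) * POINTS_PER_TEST


def check(text):
    """Summarise one report and flag a Score line that disagrees with it."""
    results, reported = parse_report(text)
    computed = score(results)
    return {
        "computed": computed,
        "reported": reported,
        "consistent": reported is None or reported == computed,
        "vulnerable": [t for t, v in results.items() if v == "Vulnerable"],
    }


def diff_runs(before, after):
    """Tests present in both runs whose verdict changed: (test, before, after)."""
    return [(t, before[t], after[t])
            for t in before if t in after and before[t] != after[t]]


# Constructed sample reports (shortened to five tests; verdicts are made up).
RUN_A = """COMODO Leaktests v.1.1.0.3
Date   09:00:00 - 01-01-2011
1. RootkitInstallation: MissingDriverLoad   Protected
2. Invasion: FileDrop   Vulnerable
3. Injection: APC dll injection   Protected
4. InfoSend: DNS Test   Protected
5. Hijacking: Userinit   Vulnerable
Score   30/50
"""
# Same tests in the flattened layout, with one verdict changed.
RUN_B = ("1. RootkitInstallation: MissingDriverLoadProtected "
         "2. Invasion: FileDropVulnerable 3. Injection: APC dll injectionProtected "
         "4. InfoSend: DNS TestVulnerable 5. Hijacking: UserinitVulnerable\n"
         "Score   20/50\n")

if __name__ == "__main__":
    a, _ = parse_report(RUN_A)
    b, _ = parse_report(RUN_B)
    print(check(RUN_A), check(RUN_B), diff_runs(a, b), sep="\n")
```

Diffing two runs taken under different alert choices or configurations shows which individual tests account for a score change, instead of comparing totals only.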