Author Topic: seriously flawed leak test  (Read 6411 times)

Offline WxMan1

  • Comodo's Hero
  • *****
  • Posts: 606
seriously flawed leak test
« on: September 13, 2010, 02:01:48 AM »
All this test does is verify that the sandbox works.

If CLT.exe is blocked, the test aborts and nothing executes.  If CLT is sandboxed, it passes 340/340

If a computer security rule for CLT.exe is established - ask all - then the test results in 40/340 (and hardly anything whatsoever is intercepted).

Offline brucine

  • Comodo's Hero
  • *****
  • Posts: 1533
Re: seriously flawed leak test
« Reply #1 on: September 13, 2010, 06:52:52 AM »
CLT runs on cis v3 where no sandbox exists, and where it achieves perfect score for me.

I don't say that CLT is an objective and overall test; but failing it does not entitle you to state that it's flawed, but only that you didn't run it properly and/or don't have the proper cis settings.

As for testing, it should of course not be sandboxed, allowed for initial execution, but blocked for every following request: the flaw is for one to rely on a partial sandbox and, if not, to think that the said sandbox is safe so as not to enforce proper firewall and defense+ settings.

Offline WxMan1

Re: seriously flawed leak test
« Reply #2 on: September 13, 2010, 09:02:31 AM »
Read what I wrote again.  It obviously is flawed if it doesn't pass its own test unless sandboxed; what other explanation is there?

If the test isn't sandboxed, it results in a 40/340.  If CLT.exe has a computer security rule w/custom access rights established - ask all - and it asks NOTHING results in a 60/340, what OTHER conclusion can I come to?  I just changed the rule to BLOCK ALL and it ASKED if it could connect to the internet.  The score was 90/340.

I'm running v4.1.150349.920, anti-virus: stateful, firewall: proactive (alert settings: high - all options checked except 'computer is ICS server', advanced: all checked except: monitor NDIS protocol), defense+: safemode (image execution:normal+detect shellcode checked, settings monitored: all options checked), sandboxing on

 

Offline Whoop-dee-doo

  • Cave Dweller
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1097
  • What are you staring at?
Re: seriously flawed leak test
« Reply #3 on: September 13, 2010, 11:27:19 AM »
WxMan1,

I cannot tell from your post, is your configuration set to proactive?
(your post says your firewall is proactive, but that is not a firewall option).
Firewall should be in safe mode or custom policy mode.

> I'm running v4.1.150349.920, anti-virus: stateful, firewall: proactive (alert settings: high - all options checked except 'computer is ICS server', advanced: all checked except: monitor NDIS protocol), defense+: safemode (image execution:normal+detect shellcode checked, settings monitored: all options checked), sandboxing on

Try this:

1) Make sure your configuration is set to proactive: Right click the tray icon, click on configuration, and select proactive.

2) Then remove all rules pertaining to CLT (see this post to see how to do this).

3) Empty your Internet explorer cache ("Impersonation: Coat" fails when CLT was previously run because the webpage is opened from the IE cache, and not through the leak). You can use a program like CCleaner and delete the Internet explorer cache/history.


How did you score?
« Last Edit: September 13, 2010, 11:34:39 AM by Whoop-dee-doo »
"The best way to have a good idea is to have a lot of ideas." - Linus Pauling

"Don't find fault. Find a remedy." - Henry Ford

Offline brucine

Re: seriously flawed leak test
« Reply #4 on: September 13, 2010, 02:25:34 PM »
defense+ safe mode is not enough.

set to paranoid, check all monitor settings.

firewall should be set to custom, beware of general too wide rules.

Disable the sandbox, wipe every trusted editor and try again: you should achieve cis3 settings and succeed.

Failing to do something is not enough to state that other people don't know how to read.

Offline JamesFrance

  • Comodo's Hero
  • *****
  • Posts: 1270
Re: seriously flawed leak test
« Reply #5 on: September 13, 2010, 02:49:20 PM »
This topic just shows that you should not mess with the default settings, or decide to run something unknown to you out of the sandbox.

Using CIS 2011, if you do what the few alerts tell you to, you will have a perfect score and be protected.   If you decide to disable parts of it, or change settings without considerable knowledge, it will probably fail, but that will be down to the user.
James

Offline brucine

Re: seriously flawed leak test
« Reply #6 on: September 13, 2010, 03:43:57 PM »
Some recent threads show that, in not so peculiar situations (e.g. lan and routers), out of the box cis 4 and cis 5 plainly won't work: you shall have then no other choice than to customize them.

And I disagree about the "considerable knowledge" assumption: I always myself customize everything and, although not a computing beginner, I have no particular expertise and most surely not any "considerable knowledge".

However, my customized cis configuration allows this lan and router configuration...while it still fully passes CLT (for what it might be worth...)

All of us maybe should stop lying to the rest of the world; if cis 4 and 5 pretend to be the "quiet absolute protection", they are definitely not at the time speaking: we should advise people not wanting to mod anything to choose something else, and cis becomes very powerful only when modded.

The latter does not require a "considerable knowledge", but only some time and work as to adapt the default configuration of the software to your peculiar situation, that can't be strictly compared to any other.

Offline Whoop-dee-doo

Re: seriously flawed leak test
« Reply #7 on: September 13, 2010, 03:51:20 PM »
> defense+ safe mode is not enough.
>
> set to paranoid, check all monitor settings.
>
> firewall should be set to custom, beware of general too wide rules.
>
> Disable the sandbox, wipe every trusted editor and try again: you should achieve cis3 settings and succeed.
>
> Failing to do something is not enough to state that other people don't know how to read.

You are incorrect. With defense + in safe mode and firewall in safe mode, I achieve 340/340 with CLT. Paranoid and custom policy modes are not required to achieve 340/340.

Offline WxMan1

Re: seriously flawed leak test
« Reply #8 on: September 14, 2010, 04:20:54 AM »
Thanx for the response [at] #3 Whoop-dee-doo,

I misspoke, the firewall was indeed set to 'safe'.  I've changed that to custom policy now.  The configuration has always been set to proactive.

Defense + Security policy

Only one entry present, the one I deliberately created with all options checked 'ask'.  After that resulted in 60/340, I tried setting all options to 'blocked'.  The latter allowed a 90/340 result.  Don't see how that's relevant in particular to the raw disk access test: in the latter case it was specifically set to 'block' and CLT still failed on that account.  In the former case: no notification.  I delete the rule entirely, and the same result: 80/340.

FWIW, Image Execution has been set to aggressive w/no exclusions.

Firewall Security policy

No entries are present.

My pending files

Yeah, there was one CLT entry in there.  I deleted it.

My own safe files list

No CLT entries.

Despite internet temp files clearing on browser close setting, I manually cleared the temp & cache and re-ran CLT.  I scored 80/340.  I stand by my original assessment: there's something seriously flawed with CLT.

First off, when CLT is initially executed, it warns that it isn't digitally signed and presents the option to either sandbox, allow or block.  This is unusual behavior for Comodo in that anytime it encounters something it's never seen before: it sandboxes as a matter of course.  Normally this requires checking 'don't sandbox the application again', terminate the app, and then relaunch it and everything works fine.  If I sandbox CLT I score 340/340.

I've been warned by Comodo that apps are taking direct control of the keyboard, monitor, HDD, etc.  I get warned about none of that when running CLT.

I notice in the plugins folder there's a runnerexe.exe, guess what?  I never get notified that EXE is being launched by CLT.  That is so totally bizarre, I wonder if I should reinstall CIS.  It's possible it got wacked a couple weeks ago when I upgraded the mobo and there were issues w/memory configuration.  I ended up having to reinstall several applications because they weren't workin' right.  Furthermore, dunno what I did, but it doesn't even notify me that CLT isn't digitally signed anymore.

Offline JamesFrance

Re: seriously flawed leak test
« Reply #9 on: September 14, 2010, 04:36:12 AM »
As CIS 2011 is expected to be released within about 8 hours from now, I would suggest that you install and test that.   It is a bit late to reinstall 4.1, unless you want to wait for a while after the release.
James

Offline WxMan1

Re: seriously flawed leak test
« Reply #10 on: September 14, 2010, 01:34:08 PM »
Roger that.  Given post #102 at this thread http://forums.comodo.com/news-announcements-feedback-cis/fyi-about-comodo-internet-security-41150349920-update-t57466.90.html

It appears that release 920 has some 'issues'.  Not that I've encountered any such, i.e., CIS seemed to function perfectly well; it was utterly abysmal results obtained from Leak Test that are at issue.

Given that people ARE able to obtain perfectly satisfactory result with CLT after adhering to Whoop-dee-doo's (and others') suggestions, a perfectly valid conclusion would be that there's nothing intrinsically wrong with CLT per se.  If it IS doing an end-run around CIS' defenses NOBODY would get anywhere near decent results.

SO.  I'm off to image %SystemDrive%, run Comodo System Cleaner and then install cispremium_5_0_162636_1135.exe

Offline WxMan1

Re: seriously flawed leak test
« Reply #11 on: September 14, 2010, 06:05:59 PM »
Just got done re-running CLT w/the cispremium_5_0_162636_1135.exe and voila!

70/340

Comodo Leak Test is wacked.


Offline Whoop-dee-doo

Re: seriously flawed leak test
« Reply #12 on: September 14, 2010, 09:30:52 PM »
> Just got done re-running CLT w/the cispremium_5_0_162636_1135.exe and voila!
>
> 70/340
>
> Comodo Leak Test is wacked.

I am not sure why your CLT score is so low. Please follow all the steps in this post. This may help us figure out what is going on.

I may have missed this info in a previous post, but:
1) what is your operating system?
2) are you running any other real-time security programs?

Whoop

Offline i4u1

  • Comodo Loves me
  • ****
  • Posts: 108
  • My Personal Text
Re: seriously flawed leak test
« Reply #13 on: September 17, 2010, 09:14:06 AM »
confirm 30/340 and completely random results. One session gave me 340/340 and 330/340 (sandboxed) and now 30/340 with clt not listed as trusted.
too bad for that "randomly working" defence
Win7x64SP1+, MSE and CIS latest (D+/FW Sec.only, sandbox off)
__

Offline Whoop-dee-doo

Re: seriously flawed leak test
« Reply #14 on: September 17, 2010, 01:18:10 PM »
> confirm 30/340 and completely random results. One session gave me 340/340 and 330/340 (sandboxed) and now 30/340 with clt not listed as trusted.
> too bad for that "randomly working" defence

The CLT program was accidentally added to the trusted list (whitelist in the Cloud) in the past 24 hours.
CLT will be removed from the whitelist with the next antivirus update.

So, update the antivirus, then follow the instructions here, and see how CLT works.

 
