Author Topic: Wallbreaker 4 test  (Read 8572 times)
Herschel
« Reply #15 on: August 24, 2006, 01:54:59 PM »


There are some special conditions for CPF to fail test 1:

1- "Do not show any alerts for applications certified by COMODO" option is selected, or
2- A completely valid IE instance is open and its parent is explorer.exe and IE is visible, or
3- explorer.exe is allowed to COM/OLEAutomation IE, and CPF has this rule in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC key

These 3 cases can cause CPF 2.3.3.33 BETA to fail. The 2nd item is a bug and will be fixed.

Tests 3, 4 can only fail if the user has previously created a rule for IE with parent svchost.exe in the application monitor or the parent check for IE is skipped in the rule.

Currently, you won't be able to use CPF in intercepting mode, which actually exists, but will be made available for use when we release HIPS enabled versions.

Egemen
On my computer 2.3.3.33 does not fail under condition 2

I have the following IE6 - Tools - Internet Options settings:

  Security-internet = Medium

  Privacy = Medium

  Programs-Manage Add-Ons: the security programs are:

     Safer Networking Ltd. - BHO  (this is Spybot Search & Destroy's malicious download stopper)
     Microsoft - Malicious Software Removal tool
     PolicyMaker - BHO   (not setup to do anything so far as I know)
     PrivBar   (shows the browser privileges,  admin/user)

Advanced-Browsing  Only the following are unchecked:

     Automatically check for IE updates
     Display a notification about every script error
     Enable Install On Demand (IE)
     Enable Install On Demand (Other)
     Enable Personalized Favorites Menu
     Force offscreen compositing ...
     Notify when downloads complete
     Reuse windows for launching shortcuts
     Show friendly URLs
     Use inline AutoComplete

Advanced-Security  Only the following are unchecked:

     Allow active content from CDs to run on My Computer
     Allow active content to run in files on My Computer
     Allow software to run or install even if the signature is invalid
     Check for server certificate revocation (requires restart)
     Do not save encrypted pages to disk
     Empty Temporary IE files folders when browser is closed
     Use TLS 1.0
     Warn if changing between secure and not secure mode

Hope this helps
egemen
« Reply #16 on: August 24, 2006, 02:44:44 PM »

Quote from: Herschel on August 24, 2006, 01:54:59 PM
On my computer 2.3.3.33 does not fail under condition 2
[...]
Hope this helps

Possible. It does depend on the timing. But since we addressed the bug, it won't fail anymore.
2072
« Reply #17 on: September 28, 2006, 08:44:23 PM »


Quote from: egemen
There are some special conditions for CPF to fail test 1:
[...]
Egemen


I'm using 2.3.6.81 and under condition 1 ("Do not show any alerts for applications certified by COMODO" option is checked), tests 1, 3 and 4 fail (it successfully opens and loads pages). From what I understood it is not considered a bug, but is it normal? Isn't this option dangerous?

And what do you mean by "HIPS enabled version"? Isn't COMODO already what we call a HIPS (Host Intrusion Prevention System)?
egemen
« Reply #18 on: September 29, 2006, 05:52:56 AM »


Quote from: 2072 on September 28, 2006, 08:44:23 PM
I'm using 2.3.6.81 and under condition 1 ("Do not show any alerts for applications certified by COMODO" option is checked), tests 1, 3 and 4 fail [...]
And what do you mean by "HIPS enabled version"? Isn't COMODO already what we call a HIPS (Host Intrusion Prevention System)?

CFW has the application heuristic analysis based detection, but HIPS mode will allow you to intercept instead of just detecting.

Like "xxx.exe is trying to modify the memory of yyy.exe. Allow/Deny?".

Currently, CPF does not intercept such things but records them for analysis in case of a network connection.

Egemen
solo
« Reply #19 on: September 29, 2006, 09:41:07 AM »

Try disabling Security->Advanced->Miscellaneous->"Do not show alerts for the applications certified by COMODO" (previously called "automatically approve safe applications").

This solution works on my machine.  When I uncheck that setting, I pass all 4 Wallbreaker leak tests.  However, this also causes Comodo to give me a TON of warnings/pop ups that I don't really want to see.  For example, when my antivirus goes to update, I get a pop up.  If someone sends me an email with a link inside, when I click on the link, I get a pop up.

Is there any other solution available that might be more user friendly to those that are not so computer literate/a solution that will not cause so many alerts?
« Last Edit: September 29, 2006, 01:16:11 PM by solo »
dlhan
« Reply #20 on: September 29, 2006, 02:34:29 PM »

I have Comodo set to "Do not show any alerts for applications certified by Comodo" and alert frequency set to "medium". On my system Comodo warns me about Wallbreaker on all 4 tests. It only names Wallbreaker in the 2nd test. In the other three it states OLE is trying to connect through Internet Explorer. If I deny, Wallbreaker fails. This is true with or without an instance of IE open. See attached picture.
solo
« Reply #21 on: September 29, 2006, 02:49:46 PM »

Quote from: dlhan on September 29, 2006, 02:34:29 PM
I have Comodo set to "Do not show any alerts for applications certified by Comodo" and alert frequency set to "medium". On my system Comodo warns me about Wallbreaker on all 4 tests. [...]

I am unable to duplicate your results.  I pass all 4 tests if I uncheck that box.  But I fail 3 of 4 tests if I have that box checked and have IE open.  Go figure.....?
dlhan
« Reply #22 on: September 29, 2006, 03:00:46 PM »

I was having the same problem several weeks ago. Egemen told me to go to HKEY_LOCAL_MACHINE\System\Software\Comodo\Personal\AppCtrl and delete the IPC key. (Comodo has to be closed before it will delete.) Then reboot the computer and you should pass all 4 tests. Just to be sure, always back up the registry before modifying it.

Here I found the post with his exact words:

Please do the following:
1- Delete HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC key
2- Restart your PC
3- Open IE and retest.
« Last Edit: September 29, 2006, 03:03:12 PM by dlhan »
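The three steps dlhan quotes above, carried out as a script, with the export dlhan recommends done first and the delete refused if the export fails. This is an added example, not code from the thread or from Comodo. The key path is the one given in the thread; the backup file name is an assumption. Run it from an elevated prompt with the firewall closed, since the thread notes the key will not delete while Comodo is running.

```powershell
# Added example (not from the forum thread or from Comodo): back up, then delete, the
# CPF IPC rule key that egemen's steps point at. Key path as quoted in the thread;
# the backup file name is an assumption.
$KeyPath = 'HKLM:\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC'
$RegPath = 'HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC'
$Backup  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'CPF-IPC-backup.reg'

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Warning "Nothing to do, key not present: $KeyPath"
    return
}

# Step 1 of the thread, preceded by dlhan's advice: export the key first so the rules
# can be merged back with 'reg.exe import' if anything goes wrong.
if (Test-Path -LiteralPath $Backup) { Remove-Item -LiteralPath $Backup -Force }
& reg.exe export $RegPath $Backup | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
    throw "Export failed; leaving the registry untouched."
}
Write-Host "Backed up to $Backup"

# Show what goes away: the IPC key and every subkey under it (AOwL's question below
# about the subfolders; deleting the key removes them all).
Get-ChildItem -LiteralPath $KeyPath -Recurse |
    ForEach-Object { Write-Host ("  " + $_.PSChildName) }

# Delete the key with its subkeys. Per the thread this only succeeds with Comodo closed.
Remove-Item -LiteralPath $KeyPath -Recurse -Force
Write-Host "Deleted $KeyPath. Now reboot (step 2), open IE and retest (step 3)."
# To undo:  reg.exe import $Backup
```

The export is checked before anything is removed because a failed `reg.exe export` returns a non-zero exit code but PowerShell does not stop on it by itself; `$LASTEXITCODE` is the only signal.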
AOwL
« Reply #23 on: September 29, 2006, 03:21:16 PM »

Quote from: dlhan on September 29, 2006, 03:00:46 PM
I was having the same problem several weeks ago. Egemen told me to go to HKEY_LOCAL_MACHINE\System\Software\Comodo\Personal\AppCtrl and delete the IPC key. [...]
1- Delete HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC key
2- Restart your PC
3- Open IE and retest.


I fail with 1, 3, 4 no matter what settings I use...

dlhan, do you mean that i should delete the folder IPC and all subfolders (9) with it?
WinXP SP2 HE - IE7 - FF 2 - TB - CFP 2.4 - NOD32 - BoClean -ST - AMD64x2 - 3Gb Ram - 1.5Tb HD
dlhan
« Reply #24 on: September 29, 2006, 03:28:33 PM »

Yes, when you delete the IPC key all subfolders will also be deleted. If you are a little leery of deleting this key, I suggest you right-click and choose "Export" and save it somewhere easy to find, like the Desktop. Later, if necessary, you can "merge" it back into your registry. I don't think it will be necessary to put it back, but better safe than sorry.
AOwL
« Reply #25 on: September 29, 2006, 03:41:52 PM »

Thanks!
Now I pass all tests in Wallbreaker.
Deleting IPC did make it pass. Why is it so?
dlhan
« Reply #26 on: September 29, 2006, 03:49:16 PM »

I really don't know. Be sure and give credit to egemen. I just passed the info along. I would make a note of this registry hack, just in case you need it again. That is what I did.
toejam
« Reply #27 on: July 19, 2007, 07:34:52 PM »

Quote from: solo on September 29, 2006, 09:41:07 AM
This solution works on my machine.  When I uncheck that setting, I pass all 4 Wallbreaker leak tests.  However, this also causes Comodo to give me a TON of warnings/pop ups that I don't really want to see. [...]
Is there any other solution available that might be more user friendly to those that are not so computer literate/a solution that will not cause so many alerts?
I'm with Solo on this one. I really don't want to take off the "Do not show alerts for the applications certified by COMODO" option because I don't want to see 1000 popups per day from which I don't even know half what is what, why, where and when. I also have alert frequency level set to "very low". My solution to this Wallbreaker test, while keeping the precious option on, is to remove the rule where svchost.exe is the parent of iexplore.exe, since svchost.exe is used in tests 1,3 and 4. I just took that rule off and so far I've noticed only Windows Update Site to use svchost.exe as the parent of iexplore.exe.
So in the future I'll only click allow BUT not "remember this setting" when going to Windows Update, to prevent Comodo from creating the rule. Now there is a popup and Comodo prevents Wallbreaker from sending that info using iexplore.exe.

My questions are as follows:
Should my way be used instead of taking off the option "Do not show alerts for the applications certified by COMODO", in the sense of preventing these (OLE automation) types of attacks?
Is iexplore.exe used sometimes, mostly or almost always in these OLE Automation techniques by bad guys (sending personal information to crackers)? I.e., has Firefox ever been used in such techniques?
What other events/programs in Windows XP use svchost.exe as the parent of iexplore.exe like Windows Update Site does?
« Last Edit: July 19, 2007, 07:38:41 PM by toejam »
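A way to check by hand the two things this thread says CPF keys on for Wallbreaker: which process is the parent of each running iexplore.exe (explorer.exe versus svchost.exe, the rule toejam removed) and whether that IE instance has a visible window (egemen's condition 2 in Reply #15). This is an added example, not code from the thread or from Comodo; the function name and its parameter are assumptions. It uses the Win32_Process class, which exists on Windows XP; `Get-CimInstance` and `[pscustomobject]` need PowerShell 3.0 or later, so on PowerShell 2.0 substitute `Get-WmiObject Win32_Process` and `New-Object PSObject -Property`.

```powershell
# Added example (not from the thread or from Comodo): report every running iexplore.exe
# with its parent process and window visibility. Function and parameter names are
# assumptions made for this example.
function Get-IEParentReport {
    param([string]$ImageName = 'iexplore.exe')

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($ie in ($all | Where-Object { $_.Name -ieq $ImageName })) {
        $parent = $byPid[[int]$ie.ParentProcessId]
        # ParentProcessId is not cleared when the parent exits, so the PID may since have
        # been reused; an unmatched or implausible parent is itself worth a look.
        $parentName = if ($parent) { $parent.Name }        else { '<exited or reused pid>' }
        $parentCmd  = if ($parent) { $parent.CommandLine } else { '' }

        # MainWindowHandle 0 means no visible top-level window. An IE instance driven
        # through COM/OLE automation stays hidden unless the caller makes it visible.
        $proc    = Get-Process -Id $ie.ProcessId -ErrorAction SilentlyContinue
        $visible = [bool]($proc -and $proc.MainWindowHandle -ne 0)

        [pscustomobject]@{
            Pid             = $ie.ProcessId
            Visible         = $visible
            ParentPid       = $ie.ParentProcessId
            ParentName      = $parentName
            ParentIsSvchost = ($parentName -ieq 'svchost.exe')
            ParentCmd       = $parentCmd
            IECommandLine   = $ie.CommandLine
        }
    }
}

# Usage: run while Wallbreaker (or Windows Update) has IE open, then compare the parent
# shown here with the rule the firewall's application monitor created for the same IE.
Get-IEParentReport | Format-Table -AutoSize
```

Running this once with Windows Update open and once with the leak test open answers toejam's last question for a given machine: an svchost.exe parent with the Windows Update command line is the case he allows without "remember this setting", while an svchost.exe parent combined with `Visible = False` is the shape the thread attributes to the OLE automation tests.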