A new leak test application from COMODO !

[Guest]

[ganda]

I guess it's just the principle of it all. This is the best firewall ever and I can't even stop a little leaktest.

in this case, i think it's the user, not the firewall ,i think you've proven that CFP3 CAN block the malicious attempt, but you've mistakenly allowed it. in reality, if a malware tried to send something out,  CFP3 will blocked it, but once we "allow" it, we're doomed. we can't expect a second chance from a malware.

[Boofo]

Yes, but the firewall should be more forgiving than that if we as a user mess up and allow something we shouldn't. If your scenario is correct, if we ever allow anything by accident, the firewall becomes useless after that for that allowance. Not a good idea for a top of the line firewall, huh?

[ganda]

Yes, but the firewall should be more forgiving than that if we as a user mess up and allow something we shouldn't.

yeah,i mean you have an uncommon problem there. what if you mistakenly block a legit app, maybe your AV updater  , maybe you can submit a support ticket to comodo?

If your scenario is correct, if we ever allow anything by accident, the firewall becomes useless after that for that allowance. Not a good idea for a top of the line firewall, huh?

well, yeah. the firewall has stopped the thief, but we open the door for him.

[Boofo]

Yes, but when you open the door to the thief once, doens't mean you want them stealiong from you again and again. There should be a way to relock the door, right?

Gotta love a good metaphor.

[ganda]

Yes, but when you open the door to the thief once, doens't mean you want them stealiong from you again and again. There should be a way to relock the door, right?

Gotta love a good metaphor.

yeah, how about the other app? do this issue only happen to CPIL or another app as well?  i think you really need to submit a support ticket to comodo. that's a serious issue, 

[Boofo]

yeah, how about the other app? do this issue only happen to CPIL or another app as well?  i think you really need to submit a support ticket to comodo. that's a serious issue, 

Well, I haven't really tried any other apps like that as I'm afraid it's going to do the same thing and I don't need to add to the problem. I was hoping some of the DEVs might be reading this and offer some sort of a solution to the problem. They do read the forums, right?

[Little Mac]

Boofo,

CPIL Suite works in this way:

CPIL Test Suite
Author: Comodo
Website: http://personalfirewall.comodo.com/cpiltest.html
Category: Process Injection
The CPIL  suite  contains  three  separate  tests  espe-
cially developed by Comodo engineers to test a firewall's
protection against parent  injection  leak attacks. Each of
the three tests involves the user typing some random text
into a text box which CPIL will attempt to transmit to the
Comodo servers.
Test 1: Attempts  to disable firewall hooks by directly
accessing the physical memory and then modifies explo-
rer.exe to bypass the firewall by running iexplore.exe with
a command line address.
Test 2: Attempts to inject cpil2.dll into explorer.exe by
using Windows accessibility API and then tries to bypass
the firewall by running iexplore.exe with a command line
address.
Test 3: Attempts to inject cpil3.dll into explorer.exe by
using Windows accessibility API and then tries to bypass
the firewall by running iexplore.exe and modifying iexplo-
re.exe with DDE communication.

Default installation of v3 with Defense+ set FW to Learn with Safe Mode and D+ to Clean PC Mode ('cause you shouldn't install on anything but a clean machine).  What this means is that if CPIL (or any other leaktest) is already on your machine, it will be automatically safelisted. 

However, that doesn't mean it's on the encrypted built-in safelist of signed applications.  It means D+ just "sees" or considers it as being safe.

Go to Defense +/My Own Safe Files.  Make sure there's no entry for it there (which would have been manually added by you); if there is, remove it.

I think you've already removed the entry from D+/Computer Security Policy, so you should be good there.  However, you should probably remove your browser entries as well, since it integrates with the browser.

Increase D+ Settings (security level) to Train with Safe Mode.  Reboot computer.

If you really want to be sure, remove CPIL from your computer before rebooting, and redownload after.  This means you will have to run and authorize your browser before doing CPIL, so you won't have to worry about that impacting your test.

And remember, any time you run these types of security tests, do not apply as a permanent rule (ie, don't select Allow with Remember; only Allow).  This way, any Allow rules you create are temporary and will be flushed with a reboot.  Also remember, you need to reboot in between each test you run (ie, between CPIL 1, CPIL 2, etc).  The reason is that you want to start each test with a clean slate, so to speak; all volatile memory cleared out.  If you don't reboot, you're setting yourself (and the firewall) up for failure and frustration.

Hope that helps,

LM

[Boofo]

That explained it all perfectly! I did as you instructed and the leaktest no longer was able to contact the site. I didn't realize just how smart Comodo Firewall Pro really is. It was picking up the EXE as safe in the Clean PC Mode. I switched it to Train with Safe Mode and ran the tests and the firewall  passed with flying colors. I then rebooted and switched it back to Clean PC Mode and re-downloaded the leaktest files, ran them again, and the firewall passed with flying colors once more. All is now well in Comodo-land. Thank you very much for the detailed explanation. You guys are amazing!

 

[ganda]

this is my "expert" opinion    :
2) you still had the CPIL leak test app on your comp when you reinstall CFP3 using Clean PC mode,
     so CPIL leak test was white listed on your PC.

It was picking up the EXE as safe in the Clean PC Mode. I switched it to Train with Safe Mode and ran the tests and the firewall  passed with flying colors.

Boofo  you'd make me confused for 2 days 
 

[Boofo]

Boofo  you'd make me confused for 2 days 
 

You think you were confused. Think what I was going through. 

Thank you very much for all your help, sir. You were the reason I never gave up trying to get it figured it out. .

[ganda]

You think you were confused. Think what I was going through. 

Thank you very much for all your help, sir. You were the reason I never gave up trying to get it figured it out. .

eehhhm, you raised my self esteem by 2 level   
cheers

[Boofo]

eehhhm, you raised my self esteem by 2 level   
cheers

We gave it a shot and I did learn some things from you along the way. You were very helpful and I appreciate that more than you know. Keep up the great work, sir. You're an asset to the site.

[Little Mac]

Glad that took care of it for you, Boofo! 

And thumbs up to you, ganda, for pointing to it in the first place. 

Have a great day learning about v3!!!

LM

[afpj]

Hi all,

Sorry for the newbie question, but if nothing happens (and I blocked all requests) is that a PASS? Nothing pops up to say I passed, nothing says I failed either. Aside from the Comodo pop ups which were blocked, that was it?

Out

FWIW, I tried this test on a laptop with Norton Protection Center and it failed (tried to go to website with ...text... at end of address, thereby giving me a 404 not found error--that's a fail right?)

[Pale Green Horse]

The best is the enemy of the good. Wow, COMODO 3 fails a test which for COMODO 2.4 is like a warm up. It fails even on the Block-All Security Level. It's a LeakTest.exe from Gibson Research Corp.
Well, wellcome back to square one, i.e. 2.4... 

[Tags:]