comodo defense+ fails to block blocked exe and other results

[Guest]

[clockwork]

hello.
i was for a long time very trustful in the comodo firewall. but, after a simple security test i found some strange behaviours of it. it was the pc security test 2009 from heise.de (download). i have set no rules for this test exe, and i run comodo in paranoid mode. everything is set to highest values. its not a setting problem. and i have auto update on.
after installing this test:
1) comodo doesnt ask for this exe to be executed. it opens right after double click.
2) comodo allow this exe to be executed EVEN when this exe is set "BLOCKED".
3) this program gets complete ability to execute any of its hardware changing functions: for example open cd rom, move mouse, set the screen black, hide the mouse cursor.

only when the program tries to change registry things, comodo asked. but, when the fan is set to shut off, i dont care for registry changes anymore.....

what is about this? anyone has tested comodo with this test from heise.de?

[EricJH]

Do you have a url from where we can download the pc security test 2009 so we can take a look with you?

[OmeletGuy]

I dont mean to hijack this thread, but i belive this is the file.

http://www.pc-st.com/de/download.htm

I just tested it, the default configuration (Internet Security) for CIS does not catch this exe. 

Proactive security does block it.

[Quill]

Is there an English version of this anywhere? Unfortunately, my German is not what it could be

[OmeletGuy]

Is there an English version of this anywhere? Unfortunately, my German is not what it could be

If my link is correct.. the only english version, is a 2007 version (v7.2.0), the 2009 version is German (v9.0.5)

2007:
http://www.pc-st.com/us/download.htm
2009:
http://www.pc-st.com/de/download.htm

(there is no 2009 english version )

[Quill]

That's what I found too. I ran the tests but I'm not totally sure what I'm being asked...

[Quill]

Looks like this program leaves a little present when it's uninstalled. Check your %winroot%/system32 for a file called system32.exe.

I think it's a FP, but one or two scanners see it as a potential baddie.

[EricJH]

1) comodo doesnt ask for this exe to be executed. it opens right after double click.I cannot confirm this in Proactive/Safe mode. Make sure to remove the program from the list of  programs that may be executed by Explorer.

2) comodo allow this exe to be executed EVEN when this exe is set "BLOCKED". Cannot confirm either. When Explorer asks to start the program and I choose block it does not start up. D+ doesn't have a block policy. You mean you set it to Isolated?

Its too late now to further study the workings of this program.....

[OmeletGuy]

It only gets passed CIS with Internet Security config!!

I can confirmed that on 3 XP machines.

[Quill]

I didn't even see the program get loaded, then again I was trying to understand what is was asking me, so I may have missed it first time around. That aside, there wasn't a policy created for that exe in D+.

I'll do some more tests later.

[Quill]

Ok, I've had time to take a better look at this now. After reading the English text on the 2007 version I could understand what it was doing. So, here's the result:

[clockwork]

i made a policy for blocked programs in defense+. with this policy i am able to block a program. until now. when i double click the desktop symbol, the test exe will be executed. without question, or when its set to permanent blocked, too.
the screened tests you made , i had the same results. but, try the PROOF MODE. and there "DIVERSE AKTIONEN".
then you will see, that the test will show another picture. if you press "ok" or the windowX to close, however, each time the hardware funktion will be executed. and you can do all this tests, without beeing asked a single time. from pressing the exe until the screen is "off", or other effects. only notepad (test1) doesnt open, but even there no asking.
WARNING (for people who dont speak german): the last test will demonstrate a "lock-out of user". it shows messages, and whatever you press, it will just proceed. first the screen goes black, with the next message the mousecursor will disappear too. after 20 seconds it will end this demonstration, and you can act again.

i setted everything on in comodo, what can be set on. so i think i have a "normally very proof" config. there is nothing what i could set higher. i even made extra file types for defense+ to check (8. like *.scr). and i use paranoid mode. the list of programs is cleaned of any rules for this test exe. it doesnt ask to start.

heise.de is a very trusted site. they would not make downloads for doubtful software. i dont find this "present" system32.exe in my folder.

[clockwork]

[at]eric jh
"when the explorer asks to start this program"
that reminds me on something. have you ever used steam? without any question from comodo it executes the internet explorer as a backpack. since that time i use to block ie permanent. the result is: many pages inside steam are now just filled with notifications, that an internet connection failed. i began to suspect steam to use ie backpacked, as comodo simply asked: "steam tries to connect port 80". no word about ie. an ie-block showed at last what really happened.
there are often security problems in ie. so i would not want it to start, first of all not as a backpack of another program.

[OmeletGuy]

So any dev's looking at this, any feedback comming?

[Quill]

Unfortunately, without English documentation it's impossible to understand how and what this program is trying to do.

I ran the tests, I did get a pop-up for notepad on the first run which I allowed, the second time I just denied it and the test finished. The mouse test finishes instantly, and the hardware test told me the cd was open, which it wasn't.

I appreciate the last test makes the screen go black and hides the mouse, but I'm not sure what that proves. To understand if this is a risk we'd have to know what the program is attempting to do. From what I was able to understand, it just says the test pints the screen black...

Is there any additional Information available or maybe a PoC?

As for steam, are you sure it's not simply using Internet Explorers connection settings as a great many other applications do?

[Tags:]