comodo defense+ fails to block blocked exe and other results

[Guest]

[clockwork]

hello.
i was for a long time very trustful in the comodo firewall. but, after a simple security test i found some strange behaviours of it. it was the pc security test 2009 from heise.de (download). i have set no rules for this test exe, and i run comodo in paranoid mode. everything is set to highest values. its not a setting problem. and i have auto update on.
after installing this test:
1) comodo doesnt ask for this exe to be executed. it opens right after double click.
2) comodo allow this exe to be executed EVEN when this exe is set "BLOCKED".
3) this program gets complete ability to execute any of its hardware changing functions: for example open cd rom, move mouse, set the screen black, hide the mouse cursor.

only when the program tries to change registry things, comodo asked. but, when the fan is set to shut off, i dont care for registry changes anymore.....

what is about this? anyone has tested comodo with this test from heise.de?

[EricJH]

Do you have a url from where we can download the pc security test 2009 so we can take a look with you?

[OmeletGuy]

I dont mean to hijack this thread, but i belive this is the file.

http://www.pc-st.com/de/download.htm

I just tested it, the default configuration (Internet Security) for CIS does not catch this exe. 

Proactive security does block it.

[Toggie]

Is there an English version of this anywhere? Unfortunately, my German is not what it could be

[OmeletGuy]

Is there an English version of this anywhere? Unfortunately, my German is not what it could be

If my link is correct.. the only english version, is a 2007 version (v7.2.0), the 2009 version is German (v9.0.5)

2007:
http://www.pc-st.com/us/download.htm
2009:
http://www.pc-st.com/de/download.htm

(there is no 2009 english version )

[Toggie]

That's what I found too. I ran the tests but I'm not totally sure what I'm being asked...

[Toggie]

Looks like this program leaves a little present when it's uninstalled. Check your %winroot%/system32 for a file called system32.exe.

I think it's a FP, but one or two scanners see it as a potential baddie.

[EricJH]

1) comodo doesnt ask for this exe to be executed. it opens right after double click.I cannot confirm this in Proactive/Safe mode. Make sure to remove the program from the list of  programs that may be executed by Explorer.

2) comodo allow this exe to be executed EVEN when this exe is set "BLOCKED". Cannot confirm either. When Explorer asks to start the program and I choose block it does not start up. D+ doesn't have a block policy. You mean you set it to Isolated?

Its too late now to further study the workings of this program.....

[OmeletGuy]

It only gets passed CIS with Internet Security config!!

I can confirmed that on 3 XP machines.

[Toggie]

I didn't even see the program get loaded, then again I was trying to understand what is was asking me, so I may have missed it first time around. That aside, there wasn't a policy created for that exe in D+.

I'll do some more tests later.

[Toggie]

Ok, I've had time to take a better look at this now. After reading the English text on the 2007 version I could understand what it was doing. So, here's the result:

[OmeletGuy]

So any dev's looking at this, any feedback comming?

[Toggie]

Unfortunately, without English documentation it's impossible to understand how and what this program is trying to do.

I ran the tests, I did get a pop-up for notepad on the first run which I allowed, the second time I just denied it and the test finished. The mouse test finishes instantly, and the hardware test told me the cd was open, which it wasn't.

I appreciate the last test makes the screen go black and hides the mouse, but I'm not sure what that proves. To understand if this is a risk we'd have to know what the program is attempting to do. From what I was able to understand, it just says the test pints the screen black...

Is there any additional Information available or maybe a PoC?

As for steam, are you sure it's not simply using Internet Explorers connection settings as a great many other applications do?

[OmeletGuy]

D+ does NOT block the installer from launching. (at least on my 3 machines) So in a way D+ is bypassed.

(as far as i know its not on the Safe list)

[Toggie]

I'm only saying what happened when I ran the tests. As I said, without documentation it's impossible for me to test further.

[Tags:]