Welcome, Guest. Please login or register.
March 18, 2010, 04:58:00 PM

Login with username, password and session length

372586 Posts
41309 Topics
93960 Members

Latest Member: Tjosan

Search:     Advanced search | Tag Cloud
+  Welcome to the Comodo Forum
|-+  Learn about Computer Security and Interact with Security Experts
| |-+  Leak Testing/Attacks/Vulnerability Research
| | |-+  comodo defense+ fails to block blocked exe and other results
« previous next »
Pages: [1] 2 Go Down Print
Author Topic: comodo defense+ fails to block blocked exe and other results  (Read 5689 times)
clockwork
Comodo Family Member
***
Offline Offline

Posts: 51


« on: September 06, 2009, 11:29:12 AM »

hello.
i was for a long time very trustful in the comodo firewall. but, after a simple security test i found some strange behaviours of it. it was the pc security test 2009 from heise.de (download). i have set no rules for this test exe, and i run comodo in paranoid mode. everything is set to highest values. its not a setting problem. and i have auto update on.
after installing this test:
1) comodo doesnt ask for this exe to be executed. it opens right after double click.
2) comodo allow this exe to be executed EVEN when this exe is set "BLOCKED".
3) this program gets complete ability to execute any of its hardware changing functions: for example open cd rom, move mouse, set the screen black, hide the mouse cursor.

only when the program tries to change registry things, comodo asked. but, when the fan is set to shut off, i dont care for registry changes anymore.....

what is about this? anyone has tested comodo with this test from heise.de?
Logged
EricJH
Global Moderator
Comodo's Hero
*****
Online Online

Posts: 5748



« Reply #1 on: September 07, 2009, 06:54:17 PM »

Do you have a url from where we can download the pc security test 2009 so we can take a look with you?
Logged

Please read: Introduction to the Sandbox

Using CIS v4 and always the latest snapshot of Opera browser.

AMD Phenom 925 quad core with 4 GB RAM on MSI 785G E53
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2001


The only thing i ask for are eggs.


WWW
« Reply #2 on: September 07, 2009, 07:03:12 PM »

I dont mean to hijack this thread, but i belive this is the file.

http://www.pc-st.com/de/download.htm

I just tested it, the default configuration (Internet Security) for CIS does not catch this exe.  Sad

Proactive security does block it.
« Last Edit: September 07, 2009, 07:08:54 PM by OmeletGuy » Logged
Toggie
Guest
« Reply #3 on: September 07, 2009, 07:23:34 PM »

Is there an English version of this anywhere? Unfortunately, my German is not what it could be Sad
Logged
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2001


The only thing i ask for are eggs.


WWW
« Reply #4 on: September 07, 2009, 07:26:57 PM »

Is there an English version of this anywhere? Unfortunately, my German is not what it could be Sad
If my link is correct.. the only english version, is a 2007 version (v7.2.0), the 2009 version is German (v9.0.5)

2007:
http://www.pc-st.com/us/download.htm
2009:
http://www.pc-st.com/de/download.htm

(there is no 2009 english version Sad)
« Last Edit: September 07, 2009, 07:31:39 PM by OmeletGuy » Logged
Toggie
Guest
« Reply #5 on: September 07, 2009, 07:36:07 PM »

That's what I found too. I ran the tests but I'm not totally sure what I'm being asked...
Logged
Toggie
Guest
« Reply #6 on: September 07, 2009, 07:52:06 PM »

Looks like this program leaves a little present when it's uninstalled. Check your %winroot%/system32 for a file called system32.exe.

I think it's a FP, but one or two scanners see it as a potential baddie.
« Last Edit: September 07, 2009, 08:08:05 PM by Quill » Logged
EricJH
Global Moderator
Comodo's Hero
*****
Online Online

Posts: 5748



« Reply #7 on: September 07, 2009, 08:29:33 PM »

1) comodo doesnt ask for this exe to be executed. it opens right after double click.I cannot confirm this in Proactive/Safe mode. Make sure to remove the program from the list of  programs that may be executed by Explorer.

2) comodo allow this exe to be executed EVEN when this exe is set "BLOCKED". Cannot confirm either. When Explorer asks to start the program and I choose block it does not start up. D+ doesn't have a block policy. You mean you set it to Isolated?

Its too late now to further study the workings of this program.....
Logged

Please read: Introduction to the Sandbox

Using CIS v4 and always the latest snapshot of Opera browser.

AMD Phenom 925 quad core with 4 GB RAM on MSI 785G E53
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2001


The only thing i ask for are eggs.


WWW
« Reply #8 on: September 07, 2009, 08:36:04 PM »

It only gets passed CIS with Internet Security config!!

I can confirmed that on 3 XP machines.
Logged
Toggie
Guest
« Reply #9 on: September 07, 2009, 08:41:22 PM »

I didn't even see the program get loaded, then again I was trying to understand what is was asking me, so I may have missed it first time around. That aside, there wasn't a policy created for that exe in D+.

I'll do some more tests later.
Logged
Toggie
Guest
« Reply #10 on: September 07, 2009, 10:07:42 PM »

Ok, I've had time to take a better look at this now. After reading the English text on the 2007 version I could understand what it was doing. So, here's the result:

Logged
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2001


The only thing i ask for are eggs.


WWW
« Reply #11 on: September 08, 2009, 09:28:02 PM »

So any dev's looking at this, any feedback comming?


Logged
Toggie
Guest
« Reply #12 on: September 08, 2009, 10:35:17 PM »

Unfortunately, without English documentation it's impossible to understand how and what this program is trying to do.

I ran the tests, I did get a pop-up for notepad on the first run which I allowed, the second time I just denied it and the test finished. The mouse test finishes instantly, and the hardware test told me the cd was open, which it wasn't.

I appreciate the last test makes the screen go black and hides the mouse, but I'm not sure what that proves. To understand if this is a risk we'd have to know what the program is attempting to do. From what I was able to understand, it just says the test pints the screen black...

Is there any additional Information available or maybe a PoC?

As for steam, are you sure it's not simply using Internet Explorers connection settings as a great many other applications do?
Logged
OmeletGuy
Good gamer, Omelet Chef, Rogue AV hater!
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 2001


The only thing i ask for are eggs.


WWW
« Reply #13 on: September 08, 2009, 10:48:57 PM »

D+ does NOT block the installer from launching. (at least on my 3 machines) So in a way D+ is bypassed.

(as far as i know its not on the Safe list)
Logged
Toggie
Guest
« Reply #14 on: September 08, 2009, 10:54:49 PM »

I'm only saying what happened when I ran the tests. As I said, without documentation it's impossible for me to test further.
Logged
Tags: security  test  2009  heise.de  download  comodo  bug  Defense+ 
Pages: [1] 2 Go Up Print 
« previous next »
Jump to:  

SSL Certificate Free Virus Removal Firewall
Page created in 0.056 seconds with 18 queries.
Powered by SMF 1.1.11 | SMF © 2006, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks
Design by 7dana.com