Author Topic: Image Execution Control doesn't work as claimed in help file (V3.0.14 - .25 X32)  (Read 18496 times)

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Image Execution Control doesn't work as the help file claims.  Here is what the help file says: "Comodo Firewall Pro verifies the integrity of executable files by creating a hash of the file at the point it attempts to load itself into memory. It then compares this hash with the one on record for that application which is stored in the Comodo safe list. If the two are different then the file has been modified since it was last run - possibly by a malicious program such as a virus or worm. You will receive an alert if an executable file fails authentication in this way."  However, if an executable file is modified, no such alert is given at the time the modified executable is loaded into memory.  In reading previous threads, it seems the developers are aware of this issue already, but nonetheless the help file is not accurate.

Version: V3.0.14.276
CPU: 32 bit
OS: Win XP SP2
Other security programs running: Returnil, NOD32
Defense+ Security Level: Paranoid Mode
Firewall Security Level: Custom Policy Mode
« Last Edit: July 12, 2008, 07:20:48 PM by MrBrian »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Image Execution Control doesn't work as claimed in help file (V3.0.14 X32)
« Reply #1 on: February 04, 2008, 08:31:24 PM »
Issue still exists in v3.0.16.295.

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Image Execution Control doesn't work as claimed in help file (V3.0.14 X32)
« Reply #2 on: February 21, 2008, 04:54:18 AM »
Issue still exists in v3.0.18.309. 

The wording in the help file for the topic Image Execution Control has changed, but the description is still inaccurate; no alert that a program has changed is generated for an altered program at the time of execution.

Of possible interest to some is, for an alert for an altered program whose unaltered version is on Comodo's whitelist, whether the user will be told that the altered program is safe or not recognized.  I tested this on 3 programs, with mixed results.  I modified 3 programs, all whose original versions are on Comodo's whitelist, with a hex editor.  In 2 of the altered programs, alerts for the modified program noted that the program was not recognized.  However, for the third altered program, the alert for the altered version stated that the program was safe; I did doublecheck that the file had indeed been altered.  For those wishing to reproduce my tests, I altered the main .exe for ObjectDock 1.9.0.536, WinRAR 3.70.0.0, and AutoRuns 8.70.0.0.
« Last Edit: February 22, 2008, 11:15:29 PM by MrBrian »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Issue still exists in v3.0.20.320.

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Issue still exists in v3.0.21.329.

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Issue still exists in v3.0.21.329.

Can you explain in details how do you test this?
Do you use a trusted application to edit those files?
What kind of alert you get after you edit those files and test Image execution control?
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Can you explain in details how do you test this?
Do you use a trusted application to edit those files?
What kind of alert you get after you edit those files and test Image execution control?

I used the HxD hex editor freeware.  I edited a program that is on Comodo's whitelist; the part of the program I modified was an unimportant part - part with text strings near the beginning. Also, I made sure it wasn't a file protected by Windows File Protection.  Then I ran the edited program.  There is no alert that the program has changed upon execution of the changed program, which is not what the help file suggests should happen.  There is an alert when the program was changed, which is correct behavior.
« Last Edit: March 28, 2008, 10:38:27 PM by MrBrian »

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
The help now states:

Quote
Comodo Firewall Pro calculates the hash an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is 'unrecognized' and you will receive an alert.


However this doesn't mean that you are going to get an alert about the hash change.
This mean that application are checked againt the trusted list before/when they are loaded.

Now comes the interesting part:

You need a partly learned whitelisted application.
edit it the same way you did.
launch it as long you do something that already got learned you get no alert.
but if the app does something new that require a new access right you'll get an alert because the application is not whitelisted anymore.

This is the way it is intended to work.
Please test if works this way.
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
However this doesn't mean that you are going to get an alert about the hash change.
This mean that application are checked againt the trusted list before/when they are loaded.

I understand your point, but I think the help file passage is misleading though.  Let's suppose that I modify a whitelist program that had previously been allowed to run by CFP.  The help passage you cited suggests that since the modified program is now unrecognized, that "you will receive an alert," but this is not what happens.

You need a partly learned whitelisted application.
edit it the same way you did.
launch it as long you do something that already got learned you get no alert.
but if the app does something new that require a new access right you'll get an alert because the application is not whitelisted anymore.

This is the way it is intended to work.

I did test this in v3.0.18, and the results are listed earlier in this topic.  In some cases CFP exhibited the correct behavior, and in some cases it did not.  Here is what I wrote earlier:

"Of possible interest to some is, for an alert for an altered program whose unaltered version is on Comodo's whitelist, whether the user will be told that the altered program is safe or not recognized.  I tested this on 3 programs, with mixed results.  I modified 3 programs, all whose original versions are on Comodo's whitelist, with a hex editor.  In 2 of the altered programs, alerts for the modified program noted that the program was not recognized.  However, for the third altered program, the alert for the altered version stated that the program was safe; I did doublecheck that the file had indeed been altered.  For those wishing to reproduce my tests, I altered the main .exe for ObjectDock 1.9.0.536, WinRAR 3.70.0.0, and AutoRuns 8.70.0.0."

If my memory is correct, the modification of AutoRuns 8.70.0.0 gave the incorrect behavior.  Perhaps it was trusted by CFP because the unaltered version is from Microsoft.  You can likely substitute the latest version of AutuRuns in place of this version and still get the same behavior.

In summary, IMHO the manual's wording on this issue should be changed.  Also, CFP's behavior with regards to programs not on the whitelist ought to be made consistent.

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
I made some tests.
This topic should be closed and few others should be opened although the links to these new topics should be added here too.

Regarding the help issue please open a new topic mentioning that is an help description issue. In that topic you can suggest a more fit description.
Regarding the Image executionn control. The design behaviour I described doesn't work as expected when the application got a digital signature listed in trusted vendors. I'll setup a topic for that to and and cite this topic too.
There is another issue with digitally signed app and I'll setup a new topic about that.

Image Exec. Control doesn't check if digital signature is invalid (3.0.21 x32)
Impossible to add Apps to Pending Or Trusted lists (3.0.21 X32)
« Last Edit: March 29, 2008, 11:14:26 AM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Regarding the help issue please open a new topic mentioning that is an help description issue. In that topic you can suggest a more fit description.

Thanks for confirming the issues I mentioned, gibran :).  I thought that the existing title topic 'Image Execution Control doesn't work as claimed in help file' was sufficient but if there is a better title please suggest it.

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Thanks for confirming the issues I mentioned, gibran :).  I thought that the existing title topic 'Image Execution Control doesn't work as claimed in help file' was sufficient but if there is a better title please suggest it.

I meant suggest an alternate description for the help file. a topic title like Misleading help description for Image Execution control would stress that the help is misleading
This topic will remain as a reference for those who previiously read it but new topics will address each single issue in a compact way.
« Last Edit: March 29, 2008, 02:24:37 PM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
I meant suggest an alternate description for the help file. a topic title like Misleading help description for Image Execution control would stress that the help is misleading

Perhaps the help file could say something like this instead:

"Every Comodo Firewall alert classifies each executable file mentioned in the alert as either 'safe' or 'unrecognized'.  A 'safe' file is a file that is on Comodo's whitelist of known good files, and has not been altered.  An 'unrecognized' file is a file that either is not on Comodo's whitelist, or is a whitelist file that has been altered. 

The Image Execution Control settings determine which executable files may appear in alerts.  By default, only .exe files may appear in alerts.  You can change the defaults if you wish to also be alerted about .dll files."
« Last Edit: March 29, 2008, 04:10:02 PM by MrBrian »

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Issue still exists in v3.0.22.349.

Offline sovereignty68

  • Comodo Member
  • **
  • Posts: 39
If that's true, then My Own Safe file will be still useless anyway even they fixed my issue
http://forums.comodo.com/bug_reports/my_own_safe_files_is_useless-t22638.0.html;msg158504#msg158504

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek