Topic: Comodo failed the Coat leak-test [Resolved]

Offline freshhh

  • Comodo Loves me
  • ****
  • Posts: 198
Comodo failed the Coat leak-test [Resolved]
« on: November 29, 2006, 06:42:45 PM »
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

This article said that Comodo only failed the "Coat leak-test".

I would like to know if it has already been fixed in the current beta release.

thanks

best regards

freshhh


/// From the same website ///

What is a firewall leak-test?

Leak tests are small, non-destructive, programs designed by security experts that deliberately attempt to bypass a firewall's outgoing security measures. The rationale behind them is painfully simple: "If this test can get past your computer's security defenses, then so can a hacker." Explicitly designed to help identify a firewall's security flaws, leak tests provide the invaluable function of informing the user whether or not their firewall is providing adequate protection. The tests pose no real threat to the security of a computer as they are harmless simulations of the attack techniques typically used by spyware and Trojan horse programs. There are many leak-testing programs available - each one designed to exploit a particular flaw and each using a particular attack technique to break a firewall's standard protection mechanisms.


--------------------------------------------------------------------------------
 
Techniques employed by leak-testing software
Substitution
This technique tries to present itself as a trusted application. There are a few different ways to achieve this. For example, the application can try to rename itself to a commonly known, safe application name such as iexplore.exe. As a result, firewalls that do not verify application signatures, or verify them too late, fail to detect such attempts.

Trojans that use this technique: W32.Welchia.Worm, The Beast
Leak Tests that emulate this technique: LeakTest, Coat, Runner

Launching (Parent Substitution)
With this technique, a program launches a trusted program, modifying its startup parameters (such as command line parameters) to make it access the Internet. This type of penetration bypasses firewalls that do not apply parent process checking before granting Internet access.

Trojans that use this technique: W32.Vivael@MM
Leak Tests that emulate this technique: TooLeaky, FireHole, WallBreaker, Ghost, Jumper, Surfer, CPIL, CPILSuite1, CPILSuite2, CPILSuite3

DLL Injection
This method, one of the techniques most commonly used by Trojans, tries to load a DLL file into the process space of a trusted application. When a DLL is loaded into a trusted process, it acts as part of that process and consequently gains the same access rights from the firewall as the trusted process itself. Firewalls that do not have an application component monitoring feature fail to detect such attacks.

Trojans that use this technique: The Beast, Proxy-Thunker, W32/Bobax.worm.a
Leak Tests that emulate this technique: pcAudit, pcAudit2, FireHole, Jumper, CPILSuite3, AWFT

Process Injection
This technique is the most advanced and difficult-to-detect penetration case; many personal firewalls still fail to detect it, although it is used by Trojans in the wild. The attacker program injects its code into the process space of a trusted application and becomes a part of it. No DLL or similar component is loaded.

Trojans that use this technique: Flux trojan
Leak Tests that emulate this technique: Thermite, CopyCat, CPIL, DNStest, AWFT

Default Rules
Certain personal firewalls try to allow full Internet access rights to specific vital traffic such as DHCP, DNS and netbios. Doing so blindly may allow malicious programs to exploit these rules to access the Internet.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: YALTA

Race Conditions
While filtering Internet access requests per application, personal firewalls need the process identifier (pid) of a process to perform their internal calculations. Attacker programs may try to exploit this fact by changing their process identifiers before personal firewalls detect them. A robust personal firewall should detect such attempts and behave accordingly.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: Ghost

Own Protocol Driver
All network traffic in Windows operating systems is generated by the TCP/IP protocol driver and its services. But some Trojans can make use of their own protocol drivers to bypass the packet filtering mechanism provided by personal firewalls.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: None

Recursive Requests
Some system services provide interfaces to applications for common networking operations such as DNS, Netbios, etc. Since using these interfaces is legitimate behavior, a Trojan can exploit such opportunities to connect to the Internet.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: DNStester, BITStester

Windows Messages
The Windows operating system provides an inter-process communication mechanism through window handles. By creating a special window message, a Trojan can manipulate an application's behavior to connect to the Internet.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: Breakout

OLE Automation, DDE
The Windows operating system also provides an inter-process communication mechanism through COM interfaces. By using a COM interface hosted by a server application, a Trojan can hijack the application to connect to the Internet. Another similar mechanism for inter-process communication is Direct Data Exchange (DDE).

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: PCFlank, OSfwbypass, Breakout2, Surfer, ZAbypass

Unhooking
Personal firewalls commonly use so-called hooks to implement their protection mechanisms. There are two major types of hooks: kernel mode hooks and user mode hooks. If the firewall's self-protection mechanisms are not implemented well, it may be possible to unhook its hooks. As a result, some or all of the firewall's protection mechanisms are disabled.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: FPR
« Last Edit: November 29, 2006, 07:04:02 PM by AOwL™ »

Offline AOwL

  • Comodo SuperHero
  • Comodo's Hero
  • *****
  • Posts: 2349
  • Comodo Firewall Pro - Be safe, use protection...
    • NordicNatureMedia
Re: Comodo failed the Coat leak-test
« Reply #1 on: November 29, 2006, 06:53:01 PM »
The latest beta passes the Coat leak test. ;)

Offline AOwL
Re: Comodo failed the Coat leak-test
« Reply #2 on: November 29, 2006, 07:02:44 PM »
I just tried it myself, and I got a popup that I denied, so it didn't take me to the website.
Great work Comodo! ;D

Offline AOwL
Re: Comodo failed the Coat leak-test
« Reply #3 on: November 29, 2006, 07:03:32 PM »
I'm putting resolved on this.
