Author Topic: Did Comodo Firewall passed successfully LeakTests ?  (Read 30001 times)

Offline cprtech

  • Comodo Loves me
  • ****
  • Posts: 145
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #30 on: September 10, 2006, 02:42:29 PM »
Forget my last post. Open or closed, Wallbreaker gets through Comodo unless I block svchost.exe

You know, I don't have a single application rule where svchost is a parent. I figured maybe you have it as a parent process because your DNS client service might be turned off, so I stopped mine and did some surfing, but there is never any prompt where svchost is an attempted parent process. Well, I'm baffled again  ???

Offline dlhan

  • Comodo Member
  • **
  • Posts: 49
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #31 on: September 10, 2006, 03:25:58 PM »
I do have DNS client service turned. It was recommended to be turned off because I have a large HOSTS file (hpguru's host file). Try Windows Update site. Just in case; remember you have to have "Do not show alerts for the applications certified by COMODO" unchecked and Alert Frequency Level set on "Very High".
« Last Edit: September 10, 2006, 03:43:25 PM by dlhan »

Offline dlhan

  • Comodo Member
  • **
  • Posts: 49
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #32 on: September 10, 2006, 04:57:22 PM »
FYI, this is what is logged when Wallbreaker gets through Comodo, and BTW you are right: for some reason, if IE is closed Wallbreaker fails, but if IE is running it opens another instance and gets through. Maybe Wallbreaker is "cheating"?

[attachment deleted by admin]

Offline cprtech

  • Comodo Loves me
  • ****
  • Posts: 145
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #33 on: September 10, 2006, 07:37:33 PM »
I do have DNS client service turned. It was recommended to be turned off because I have a large HOSTS file (hpguru's host file). Try Windows Update site. Just in case; remember you have to have "Do not show alerts for the applications certified by COMODO" unchecked and Alert Frequency Level set on "Very High".

Yes to these settings:

you have to have "Do not show alerts for the applications certified by COMODO" unchecked and Alert Frequency Level set on "Very High".

I tried the Win updates but still no prompt for svchost trying to be a parent. As expected, svchost makes several connections using ports 68, 80 and 443 with services.exe acting as its parent.

You mention using a hosts file. I can't see how that would elicit svchost to be a parent process. On my system I use Ad Muncher for blocking adverts and pop-ups, so I can't be sure how the hosts file might play a part, except if memory serves, it just re-directs blacklisted IPs to the localhost address.

Offline PC_Junkie

  • Newbie
  • *
  • Posts: 23
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #34 on: September 12, 2006, 03:08:44 PM »
I get the same results, as long as I have "do not show applications certified by comodo" unchecked and IE is closed. Comodo passes all tests for Wallbreaker 4.0. But if IE is open before the test 1, 3, and 4 fail every time. Although for me I do not have to set the alert frequency to high. So far I've only used one firewall that passes all the known leaktests with ease and that's Jetico. But a lot of people say it's too confusing to use. But Comodo has great potential, it's the only other firewall that even comes close.   (R)

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #35 on: September 12, 2006, 04:28:35 PM »
I get the same results, as long as I have "do not show applications certified by comodo" unchecked and IE is closed. Comodo passes all tests for Wallbreaker 4.0. But if IE is open before the test 1, 3, and 4 fail every time. Although for me I do not have to set the alert frequency to high. So far I've only used one firewall that passes all the known leaktests with ease and that's Jetico. But a lot of people say it's too confusing to use. But Comodo has great potential, it's the only other firewall that even comes close.   (R)

Please do the following:
1- Delete HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC key
2- Restart your PC
3- Open IE and retest.

CPF passes 4 more (Breakout1, breakout2, jumper, CPIL3) tests than the firewall you mentioned. That firewall is coming close to CPF on the contrary.

Egemen

Offline dlhan

  • Comodo Member
  • **
  • Posts: 49
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #36 on: September 12, 2006, 04:57:22 PM »
Followed your directions and yes, I did start to get a popup warning even with IE already opened. However, as you can see in the attached picture, there is no mention of Wallbreaker as the offending program. This time I, of course, knew it was Wallbreaker and clicked on deny. However, if I just looked at the popup with no other information I would probably allow the connection. I am not trying to nitpick because CPF, in my opinion, is the best firewall I have found so far. I am more curious than dissatisfied. At least I learned not to blindly let EXPLORER connect to whatever it wants.

[attachment deleted by admin]

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Did Comodo Firewall passed successfully LeakTests ?
« Reply #37 on: September 12, 2006, 07:17:19 PM »
Followed your directions and yes, I did start to get a popup warning even with IE already opened. However, as you can see in the attached picture, there is no mention of Wallbreaker as the offending program. This time I, of course, knew it was Wallbreaker and clicked on deny. However, if I just looked at the popup with no other information I would probably allow the connection. I am not trying to nitpick because CPF, in my opinion, is the best firewall I have found so far. I am more curious than dissatisfied. At least I learned not to blindly let EXPLORER connect to whatever it wants.

Yes. CPF does not go further in the chain. Some WB tests use explorer->svchost->iexplore or explorer->OLE explorer->iexplore.

We did leave further checks intentionally because we will be providing a HIPS mode for CPF which will be responsible for analyzing further possibilities instead of adding more confusion to alerts. In case of WB tests, trojans use better techniques to bypass firewalls than just using "ShellExecute" function.
So until HIPS enabled CPF, which will also control process creations, we intentionally left further checks which would include walbreaker.exe in security considerations section.


Hope this helps,
Egemen
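
The difference between a one-level parent check and a check that follows the whole chain, as described in the reply above, shown as an added Python sketch (not Comodo's code and not part of the original thread). The launch table is constructed for illustration, the trusted list is an assumption, and the chain follows the explorer->svchost->iexplore order given in the post with the leak test placed at its start.

```python
# Simplified "launched-by" table, constructed for illustration (not captured data):
# pid -> (image name, pid of the process that launched it).
LAUNCHES = {
    100: ("explorer.exe", 0),        # user shell, root of the session
    200: ("wallbreaker.exe", 100),   # leak test started by the user
    300: ("explorer.exe", 200),
    400: ("svchost.exe", 300),
    500: ("iexplore.exe", 400),      # makes the outbound connection
    600: ("iexplore.exe", 100),      # browser the user opened normally
}

# Assumption: images the user already allows to act as launchers.
TRUSTED = {"explorer.exe", "svchost.exe", "services.exe", "iexplore.exe"}


def chain(pid, table):
    """Return image names from pid back to the root, nearest first."""
    names, seen = [], set()
    while pid in table and pid not in seen:   # stop on unknown parent or PID loop
        seen.add(pid)
        name, pid = table[pid]
        names.append(name)
    return names


def parent_only_view(pid, table):
    """What a one-level check can show: the application and its direct parent."""
    names = chain(pid, table)
    return names[0], (names[1] if len(names) > 1 else None)


def untrusted_ancestors(pid, table, trusted=TRUSTED):
    """Every launcher further up the chain that is not on the trusted list."""
    return [n for n in chain(pid, table)[1:] if n.lower() not in trusted]


if __name__ == "__main__":
    for pid in (500, 600):
        print(pid, parent_only_view(pid, LAUNCHES), untrusted_ancestors(pid, LAUNCHES))
```

For pid 500 the one-level view names only iexplore.exe and svchost.exe, which matches the alert dlhan saw; the full walk is what surfaces wallbreaker.exe.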
