Topic: Getting Accurate Leak Test Results

Whoop-dee-doo
Getting Accurate Leak Test Results
« on: September 14, 2010, 10:13:46 PM »
This guide should help you generate accurate test results when using Comodo Leak Test (CLT). This guide is meant for users of CIS 5 (also known as CIS 2011).

Note: there are specific circumstances when CLT reports very low scores. The moderators and developers are investigating these specific circumstances and hope to have more info soon. Based on current feedback from the developers, CLT can give erroneous and unreliable results when testing CIS in any configuration that is different from the one described below (it is a limitation within CLT). The reasons why CLT may give unreliable results when using other CIS configurations will be the topic of another FAQ post (as soon as we get more feedback from the developers).

1. Make sure you have the following CIS settings:
  • Configuration = proactive.  [Proactive security is the strongest security configuration, and will provide the best protection against leaks. I suggest that you always use the proactive security configuration. To select this setting, click on the "more" tab, then click on "manage my configurations". Select "proactive Security", click "activate", and then click "close".]
  • Firewall = safe mode, custom policy mode, or block all mode.
  • Defense + = safe mode or paranoid mode
  • Image execution control level = enabled  [To set this, click on the defense+ tab, then click on "Defense + settings", then click the "execution control settings" tab.]
  • Detect shellcode injections = selected [To set this, click on the defense+ tab, then click on "Defense + settings", then click the "execution control settings" tab. At the bottom of the window, select the check-box titled "Detect shellcode injections (i.e. Buffer overflow protection)"].
  • Monitor settings = make sure all of the boxes are selected [To set this, click on the defense+ tab, then click on "Defense + settings", then click the "Monitor settings" tab.]
  • Sandbox = disabled [CLT was not designed to be used in a sandbox. If CLT is sandboxed, it will generate erroneous results!]


2. Make sure there are no CIS rules that have been generated by having run CLT previously (i.e. remove rules for CLT):

    Defense+ Security Policy
  • Click the "defense+" tab at the top of the CIS window
  • Click "Computer Security Policy"
  • Click on "Defense+ Rules" tab. Scroll down the list of files. Select any entry that has "clt.exe" in the application name and click the remove button.
  • Click on "Always Sandbox" tab. Scroll down the list of files. Select any entry that has "clt.exe" in the application name and click the remove button.
  • Click on "Blocked Files" tab. Scroll down the list of files. Select any entry that has "clt.exe" in the application name and click the remove button.
  • Click "Ok"

    Unrecognized files
  • Click the "defense+" tab at the top of the CIS window
  • Click "Unrecognized Files"
  • Click on "Unrecognized Files" tab. Scroll down the list of files. Select any entry that has "clt.exe" in the application name and click the remove button.
  • Click "Ok"

    Trusted files
  • Click the "defense+" tab at the top of the CIS window
  • Click "Trusted Files"
  • Scroll down the list of files. Select any entry that has "clt.exe" in the application name and click the remove button.
  • Click "Close"

    Firewall Security policy
  • Click the "firewall" tab at the top of the CIS window
  • Click on "Network Security Policy"
  • Click on the "Application Rules" tab
  • Scroll down the list of files. Select any entry that has "clt.exe" in the application name and click the remove button.
  • Click "OK".

3. Delete the Internet Explorer (IE) browsing history cache. Run IE, click on the "tools" menu, then select "internet options". Click on the "general" tab and then click on the "delete" button under browsing history. You can also delete the browsing history using cleaning programs such as CCleaner or Cleanup! The reason why you need to clean the IE history: If CLT was previously run and previously failed "Impersonation: Coat", IE will open the target webpage from the IE cache, and not through the leak, leading to a false failure of "Impersonation: Coat". Erasing the browsing history ensures that IE cannot load the webpage from the cache and forces IE to load the webpage through the leak.

4. Reboot your computer (The current version of CLT does not "clean out" some actions that it creates after it has been run. If CLT is re-run without rebooting, it may give an inaccurate score because of these left over actions. The only way to clean out these actions is to re-boot).

5. Run CLT*.  If you get an alert from the antivirus, click "ignore" and then "Add to trusted files" (the antivirus is alerting you that a leak test application has been launched  [it's flagged as "Application.Win32.LeakTest..."]; it is not saying that the file is malicious). The first alert that appears should be a defense+ alert that says "explorer.exe is a safe application. However, the executable clt.exe could not be recognized..."  For this alert, make sure that  "remember my answer" is unchecked, and then click allow. The CLT program window should appear. Click the "Test" button in CLT and, from this point onward, click "block" when a CIS alert appears.  Now check your score. It should be 340/340.

   * Remember to run CLT with the sandbox disabled. If CLT is sandboxed, it will generate erroneous results! CLT was not designed to test HIPS security from within a sandbox. 

6. CLT was designed to test the HIPS component of CIS. Based on current feedback from the developers, CLT can give erroneous and unreliable results when testing CIS in any configuration that is different from the one described above (it is a limitation within CLT). The reasons why CLT may give unreliable results when using other CIS configurations will be the topic of another FAQ post (as soon as we get more feedback from the developers).

7. If you still cannot get a good score on CLT, try the following:
  • Run diagnostics [click on the "more tab", then click "diagnostics"]. Repair any problem that is found with your CIS installation.
  • Perhaps your copy of CLT is corrupted. Download a fresh copy of CLT from here. Unzip the folder. Perform steps 1-3 above, then reboot. Then, run the newly downloaded CLT.

8. If you still cannot get a good score on CLT, start a new thread and we'll try to help you. Please provide the following information in your post:
  • Your operating system (including service pack version if applicable, and whether you are running 32 or 64 bit version).
  • The version of CIS that you are using.
  • List any other real-time security or monitoring software that you have installed (including antivirus, antimalware, firewall, HIPS, behavior blockers, etc.)
  • The CIS settings that you have been using for the CLT tests
  • Your CLT score
  • If you still have the results, it may be helpful to post the names of the tests you failed.


Whoop
« Last Edit: October 12, 2010, 07:32:29 PM by Whoop-dee-doo »

John Buchanan
Re: Getting Accurate Leak Test Results
« Reply #1 on: September 15, 2010, 10:05:27 PM »
Whoop, I ran with Sandbox disabled
got full 340/340
(note I did not clean IE files or caches)
Enable sandbox, and on all but block, get 310/340.  Always the same three:
Explorer as parent, DDE, and Coat.

Whoop-dee-doo
Re: Getting Accurate Leak Test Results
« Reply #2 on: September 23, 2010, 04:51:30 AM »
Quote from: John Buchanan on September 15, 2010, 10:05:27 PM
    Whoop, I ran with Sandbox disabled
    got full 340/340
    (note I did not clean IE files or caches)
    Enable sandbox, and on all but block, get 310/340.  Always the same three:
    Explorer as parent, DDE, and Coat.

Based on current feedback from the developers, CLT can give erroneous and unreliable results when testing CIS in any configuration that is different from the one described in my first post (it is a limitation within CLT). The reasons why CLT may give unreliable results when using other CIS configurations will be the topic of another FAQ post (as soon as we get more feedback from the developers).
« Last Edit: September 23, 2010, 05:21:40 AM by Whoop-dee-doo »