Author Topic: Comodo release 5 new security tests [CLOSED]  (Read 67846 times)

Offline Paul Comodo

  • Administrator
  • Comodo Loves me
  • *****
  • Posts: 120
Comodo release 5 new security tests [CLOSED]
« on: April 16, 2008, 05:18:03 PM »
Hi

Comodo developers have created a new set of security tests. The Comodo HIPS and Firewall Leak Test Suite contains five new tests that simulate a range of dangerous exploits – including Root Kits, Background Intelligent Transfer attacks and process injection attacks.

The suite is available for download here:
 
http://download.comodo.com/securitytests/CLT.zip  (extract zip to local drive and open clt.exe )

I've also attached the zip file to this post

Developer Notes:

Rootkit Installation 1 - Loads a driver in via ZwSetSystemInformation API. A very old, known and effective way to install a rootkit.

Rootkit Installation 2 - Loads driver by overwriting a standard driver (beep.sys) and starting it with service control manager (e.g. Trojan.Virantix.B).

DLL Injection 1 - Injects DLL into trusted process (svchost.exe) by injecting APC on LoadLibraryExA with "dll.dll" as a param. The string "dll.dll" is not written into process memory, it's from the ntdll.dll export table which has the same address in all processes. The APC is injected into second thread of the svchost.exe which is always in alertable state.

DLL Injection 2 - An old technique. The DLL is injected via remote thread creation in the trusted process, without using WriteProcessMemory.
 
BITS Hijack - Downloads a file from the internet using "Background Intelligent Transfer Service" which acts from the trusted process (svchost.exe)

The tests can be automatically run in sequence by selecting 'Run all Tests' or run individually. The GUI provides clear, color coded indication on whether target systems are vunerable or protected.

Please take a look at the new tests - all feedback greatly appreciated.

Paul


[attachment deleted by admin]
« Last Edit: November 15, 2008, 08:55:11 PM by 3xist »

Offline disinter1

  • Comodo Loves me
  • ****
  • Posts: 133
Re: Comodo release 5 new security tests
« Reply #1 on: April 16, 2008, 06:27:48 PM »
Am I supposed to block all, cause that's what I did and I failed 2-4, is that right?

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14676
    • Video Blog
Re: Comodo release 5 new security tests
« Reply #2 on: April 16, 2008, 06:29:33 PM »
These tests are important tests because they test whether a rootkit can install itself or not. As we all know if your security application allows a rootkit to install itself, then you are smoke!

any half decent security application should protect you against that.

thanks
Melih

Josh123

  • Guest
Re: Comodo release 5 new security tests
« Reply #3 on: April 16, 2008, 11:54:21 PM »
I will say now, I past all tests!  :BNC

Josh

Offline coltrane

  • Newbie
  • *
  • Posts: 17
Re: Comodo release 5 new security tests
« Reply #4 on: April 17, 2008, 11:16:28 AM »
Am I supposed to block all, cause that's what I did and I failed 2-4, is that right?

Hi,

same here. D+ Train with safe mode, test 2,3 and 4 fails. #5 just crashes the app. Of course, blocking all the D+ alerts.  :-[

Offline SS26

  • Comodo's Hero
  • *****
  • Posts: 1925
Re: Comodo release 5 new security tests
« Reply #5 on: April 18, 2008, 04:24:57 PM »
D+ Train with safe mode, test 2,3 and 4 fails. #5 just crashes the app. Of course, blocking all the D+ alerts.  :-[
Same here except d+ in paranoid mode. XP SP2 x32. Crash dump attached. Will do further attempts. Let me know if more details are needed.
 

[attachment deleted by admin]

Offline SS26

  • Comodo's Hero
  • *****
  • Posts: 1925
Re: Comodo release 5 new security tests
« Reply #6 on: April 18, 2008, 05:04:20 PM »
Sorry i was not accurate: CFP doesn't fail, it is clt that shows error (picture attached).
Addition to previous info: no actively running apps except CFP. Issue is always reproducible: it doesn't mater if we allow or deny debug privilege for clt.exe just after it is executed, it doesn't mater whether we run all tests at once or one by one, it doesn't mater whether we wait some time before block activity or if we block alert just after it appeared. 

Hope this helps. Let me know if more details are needed.

[attachment deleted by admin]

Offline Blas

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 373
Re: Comodo release 5 new security tests
« Reply #7 on: April 18, 2008, 06:02:13 PM »
Same here....
But I found out that if you allow the first servicecontroll manager alert for the rootkit2 test and block all the followings it will pass.

Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
Re: Comodo release 5 new security tests
« Reply #8 on: April 18, 2008, 09:42:50 PM »
On the system I first ran CLT on, BITS is intentionally broken. This seemed to distress CLT, which crashed. On another system (BITS working), all was OK.. but, I think there should be clear instructions on how to respond to CFPs alerts.
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Josh123

  • Guest
Re: Comodo release 5 new security tests
« Reply #9 on: April 19, 2008, 04:11:00 AM »
I think there should be clear instructions on how to respond to CFPs alerts.

Yes, I agree. There should be.

Josh

Offline coltrane

  • Newbie
  • *
  • Posts: 17
Re: Comodo release 5 new security tests
« Reply #10 on: April 19, 2008, 04:05:15 PM »
Yes, I agree. There should be.

Josh

I do agree also, but if the devs want to make these tests useful, the only way to proceed is to block all the requests, because if I run an unknown file that wants to obtain debug privilege for example, I will block it.

Otherwise, this program will only test the security software, but not the protection in the real world.


Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
Re: Comodo release 5 new security tests
« Reply #11 on: April 19, 2008, 04:18:21 PM »
OK, then they probably need to state what is part of "test application" & thus needs to be allowed in order for the actual "testing" to be performed. On this thought, maybe asking for all the required privileges up-front before any tests are performed might help.

I think it also needs to be stated in a way that is not CFP specific (in order to test, and be relevant to, other security software).
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Offline MikeH

  • Comodo Loves me
  • ****
  • Posts: 169
Re: Comodo release 5 new security tests
« Reply #12 on: April 19, 2008, 06:59:26 PM »
I think it also needs to be stated in a way that is not CFP specific (in order to test, and be relevant to, other security software).

Exactly right!

Regards,
Mike

Offline cheater87

  • Comodo's Hero
  • *****
  • Posts: 700
Re: Comodo release 5 new security tests
« Reply #13 on: April 19, 2008, 10:31:34 PM »
I can't download it. It does not let me hit ok. Also what do I do after I download it???

Josh123

  • Guest
Re: Comodo release 5 new security tests
« Reply #14 on: April 19, 2008, 11:43:02 PM »
I can't download it. It does not let me hit ok. Also what do I do after I download it???

It's a ZIP File. Extract it to your C Drive, and click the clt executable.

Josh

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek