Author Topic: Comodo 4.1 still fails with spyshelter leaktests  (Read 66359 times)

lordraiden
Re: Comodo fails with the new spyshelter leaktests
« Reply #15 on: April 23, 2010, 02:42:57 PM »
I sent a PM to egemen, but the feedback I got is not the best that Comodo knows how to do.

brucine
Re: Comodo fails with the new spyshelter leaktests
« Reply #16 on: April 23, 2010, 03:02:04 PM »
Quote
Yeah, the fact that unless we got to Paranoid or Aggressive modes (or changing CIS' default config from Internet to Proactive)

Isn't that to say that Internet/Safe mode, friendly to the user but not secure, shouldn't be offered as a running option?

Little Mac
Re: Comodo fails with the new spyshelter leaktests
« Reply #17 on: April 23, 2010, 03:33:11 PM »
Understandably there is reduced security in exchange for "user friendly" (i.e., fewer popups). The thing that really concerns me about it is that if it's able to launch/run at all, it's able to capture at least one screenshot without the user being given even an opportunity to block it. To my way of thinking (however flawed that may be), reduced security for user-friendliness should still be able to stop that.

I PM'd egemen as well, and asked that he or someone from his team provide us some insight into what is going on.  They've probably already tested this on their own...

LM
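A minimal probe for the point raised above, added here as an example and not part of the thread, of SpyShelter's test suite or of any Comodo code: it grabs the primary desktop through the ordinary .NET/GDI path (Graphics.CopyFromScreen) and reports whether the capture was denied, handed back blank, or succeeded. The thread does not say which API SpyShelter's screenshot test #4 uses, so treating this call as equivalent to that test is an assumption; the output file name and the 16x16 pixel sampling are also choices made for this example. Run it as an unrecognised executable (e.g. saved as a fresh .ps1 launched from explorer.exe) under the HIPS configuration you want to check.

```powershell
# Added example (not from the thread): a screen-capture probe for checking whether a
# HIPS lets an unknown process grab the desktop. Uses Graphics.CopyFromScreen; assuming
# this matches what the SpyShelter screenshot test exercises is an assumption.
Add-Type -AssemblyName System.Drawing
Add-Type -AssemblyName System.Windows.Forms

function Test-ScreenCapture {
    param(
        # Output path is an arbitrary choice for this example.
        [string]$OutFile = (Join-Path $env:TEMP 'screen-capture-probe.png')
    )
    $bounds = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
    $bmp = New-Object System.Drawing.Bitmap -ArgumentList $bounds.Width, $bounds.Height
    $gfx = [System.Drawing.Graphics]::FromImage($bmp)
    try {
        # The actual capture. A HIPS that intercepts screen grabs will either deny
        # the call (exception here) or hand back a blank, single-colour image.
        $gfx.CopyFromScreen($bounds.Location, [System.Drawing.Point]::Empty, $bounds.Size)
    } catch {
        $gfx.Dispose(); $bmp.Dispose()
        return [pscustomobject]@{ Result = 'BLOCKED'; Detail = $_.Exception.Message; File = $null }
    }

    # Sample a 16x16 grid of pixels: a real desktop shows many colours, a blanked
    # capture shows exactly one.
    $colours = @{}
    for ($x = 0; $x -lt 16; $x++) {
        for ($y = 0; $y -lt 16; $y++) {
            $px = $bmp.GetPixel([int]($x * ($bounds.Width - 1) / 15), [int]($y * ($bounds.Height - 1) / 15))
            $colours[$px.ToArgb()] = $true
        }
    }
    $bmp.Save($OutFile, [System.Drawing.Imaging.ImageFormat]::Png)
    $gfx.Dispose(); $bmp.Dispose()

    if ($colours.Count -le 1) {
        return [pscustomobject]@{ Result = 'BLANKED'; Detail = 'capture succeeded but the image is uniform'; File = $OutFile }
    }
    return [pscustomobject]@{ Result = 'LEAKED'; Detail = "$($colours.Count) distinct colours sampled"; File = $OutFile }
}

Test-ScreenCapture | Format-List
```

A LEAKED result with no alert shown is exactly the behaviour the post above objects to: the process ran and a usable image reached disk before the user could intervene. Delete the output file after the check, since it contains whatever was on screen at the time.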

ssj100
Re: Comodo fails with the new spyshelter leaktests
« Reply #18 on: April 23, 2010, 04:56:26 PM »
Quote
Anyway, it is still a method that is able to bypass Comodo, and one that some malware probably uses.

Please give me an example of this malware via PM.  Fact is, you'll never find any real-world malware like this.  But if you ever do, I'd be interested to test it haha.

Anyway, as has been said, Online Armor passes this, and therefore Comodo is losing this battle!  Might be worth mentioning that OA Free fails it?  Not sure if it does, but last time I checked, OA Free didn't give much keylogger protection.

Little Mac
Re: Comodo fails with the new spyshelter leaktests
« Reply #19 on: April 27, 2010, 06:55:45 PM »
Egemen has informed me that they are analyzing this leaktest, and CIS's handling of it.

LM

Cavehomme
Comodo fails more leaktests
« Reply #20 on: May 02, 2010, 08:21:32 AM »
The screenshot #4 also fails on my tests, quite worrying especially when I do lots of e-banking.

The biggest concern for me is that although sandbox is switched on, the first alert I receive is not the sandbox one, but of antitest.exe asking for com access.

I would also assume that nothing significant can escape the sandbox therefore no screenshots should be possible by antitest. At least that is how I would want a sandbox to operate. And there should be no need to change D+ settings from clean PC mode since this exe is not part of the baseline applications on the PC, simple as that.

The Devs really need to fix this leak since it may have wider implications than just this one test  :o

Update #1:
...and just to add, 1 day later, that the webcam capture also succeeds if the sandbox dialogue box is ignored and it times out naturally. If I manually confirm to keep the exe in the sandbox then the webcam capture does not succeed.

Sorry guys, but this seems like insufficient design, especially since, as we say in English, Comodo's "eggs are all in one basket" in that Melih says it is all about prevention, not detection :P

On the positive side, at least the Matousec test results are excellent, but these holes need to be fixed, and it needs to be understood how they happened! Less new features, more quality and design control please, guys.

Update 2:
I forgot to mention that on antitest.exe CIS also failed the sound recorder test.

I have since noticed that a bunch of leaktests have been performed recently by Malware Research Group, and especially one on financial / banking security, testing specific apps such as Prevx rather than generic Internet Security apps such as CIS. Here is the link to the very interesting test:
http://malwareresearchgroup.com/wp-content/uploads/2009/02/MRG-Online-Banking-Security-Test-Mar-2010.pdf
Prevx came out top scoring 13 out of 13 and had CIS been included it would have got 11/13 according to my tests above, so pretty good, but those holes need plugging! I also noticed that disabling the sandbox produced a clearer control over alerts and gives me higher confidence of preventing leaks than sandbox alone. I also tried the Zemana tests and CIS succeeded in all those that managed to execute.

Also if D+ prompts a user to allow or deny an exe and deny is selected then there should be NO FURTHER EXECUTION ALLOWED of that exe. I tried the keyboard.exe test from Zemana and CIS continued to prompt me with D+ alerts and allowed the application to display!

Interestingly the Malware Research Group has since tried to test generic apps such as CIS but it seems that Comodo may have requested themselves to have been removed since on the product list there is now a black line exactly where alphabetically CIS should be !!!  Hey comodo, what's the story?!
Here is the link: http://malwareresearchgroup.com/wp-content/uploads/2009/01/MRG-Online-Banking-Browser-Security-Project2.pdf
« Last Edit: May 03, 2010, 06:49:02 AM by cavehomme »

Endymion
Re: Comodo fails more leaktests
« Reply #21 on: May 03, 2010, 09:44:21 AM »
Quote
Also if D+ prompts a user to allow or deny an exe and deny is selected then there should be NO FURTHER EXECUTION ALLOWED of that exe. I tried the keyboard.exe test from Zemana and CIS continued to prompt me with D+ alerts and allowed the application to display!

It looks like another member posted a New feature suggestion: Block + Terminate instantly wish in the corresponding board.


The Allow/Deny on alerts apply to the specific action whose security consideration are described.

e.g. in case the action is "Run an executable", deny will prevent the executable (whose name is provided on the right half of the dialog) from being launched.


Quote
The biggest concern for me is that although sandbox is switched on, the first alert I receive is not the sandbox one, but of antitest.exe asking for com access.

Even if there are far fewer alerts, some alerts might still apply even if an application is sandboxed. In such a case the application carried out an action for which user input is needed.


« Last Edit: May 03, 2010, 10:44:09 AM by Endymion »

Endymion
Re: Comodo fails with the new spyshelter leaktests
« Reply #22 on: May 03, 2010, 10:44:15 AM »
Found no way to block Spyshelter Screenshot grabbing PoC N #4. :(

Webcam logging PoCs were tested on V3. The related steps still apply whereas the sandbox is disabled (tested on XP SP3)
Quote
I have done some testing and I can make this fail by adding the following to the "default" setup.

Go to D+, Select My Protected Files.
Press Groups, Press Add, A New Group, give it a name like "Webcam Alert"
Scroll down to the newly created group and select it, right mouse click add, type:

\Device\Usb#Vid*

Press the [ + ] button and click Apply twice, now click on the Add button and select, File Groups, Webcam Alert and press Apply.

Now if you start the webcamlogger it will alert you for accessing this interface.
If you block this request the application will pop-up a list of video devices, if you click OK on that screen webcam logger will tell you you security software blocked the access to the webcam.

I know it's not perfect, but if you're looking for protection of your webcam this should work.

Can someone please confirm that this works on their setup also?

Like the previous one, even this webcam PoC cannot access the webcam if it is in use by another application (e.g. video chat).

Logging an active webcam video-session could be achived using screenshots or through kernel drivers fit for that purpose.

The PoC in itself apply more to environmental monitoring scenarios whereas the webcam has no lens-cap covering the optics while not in use.


Adding \RPC Control\AudioSrv   to "My protected COM Interfaces" it was possible to have Spyshelter Sound recording PoC Fail (tested on XP SP3)
« Last Edit: May 03, 2010, 10:54:38 AM by Endymion »

Cavehomme
Re: Comodo fails more leaktests
« Reply #23 on: May 03, 2010, 10:54:35 AM »
Quote
The Allow/Deny on alerts apply to the specific action whose security consideration are described.

e.g. in case the action is "Run an executable", deny will prevent the executable (whose name is provided on the right half of the dialog) from being launched.

Even if there are far fewer alerts, some alerts might still apply even if an application is sandboxed. In such a case the application carried out an action for which user input is needed.


Thanks Endymion. I don't know a great amount about firewalls, let alone CIS, other than being a Comodo user for a few years and so far knowing enough to avoid any major malware or leaks.

Since my earlier post I decided to uninstall CIS and then reinstall with firewall plus maximum security. I then disabled the sandbox.

For reasons I do not fully understand, when I now run antitest.exe and keyboard.exe I am prompted with a D+ alert, and when I select block and remember it now fully blocks and the apps do not progress any further. They do not however appear in the blocked files list, so I am not sure what CIS is doing with them exactly. When I try and run a second time I actually get a Win 7 system message saying that Windows cannot access the exe. In task manager antitest.exe is visible but not keyboard.exe.

So it seems this change has effectively isolated the exe files, but I am not clear how, although I do feel more re-assured now.
« Last Edit: May 03, 2010, 10:56:24 AM by cavehomme »

Endymion
Re: Comodo fails more leaktests
« Reply #24 on: May 03, 2010, 11:09:29 AM »
Quote
For reasons I do not fully understand, when I now run antitest.exe and keyboard.exe I am prompted with a D+ alert, and when I select block and remember it now fully blocks and the apps do not progress any further. They do not however appear in the blocked files list, so I am not sure what CIS is doing with them exactly. When I try and run a second time I actually get a Win 7 system message saying that Windows cannot access the exe. In task manager antitest.exe is visible but not keyboard.exe.

So it seems this change has effectively isolated the exe files, but I am not clear how, although I do feel more re-assured now.

As I mentioned earlier allow/deny apply to the specific action described in each alert.

Though you did not mention which alert you denied, it looks like it was a "Run an executable" one with explorer.exe as parent (left side) and antitest.exe or keyboard.exe as child (right side):

Denying that type of alert will prevent explorer.exe from running those executables.

If such an alert is not marked to be remembered it will still be enforced as long as the parent application (explorer.exe) is running (usually explorer.exe will run until a reboot/logoff).

"My blocked files" is meant to be used differently, as described in the help file. In short, manually adding the antitest.exe and keyboard.exe pathnames to that dialog will prevent any application (not just explorer.exe) from launching those executables.

« Last Edit: May 03, 2010, 11:16:12 AM by Endymion »

Cavehomme
Re: Comodo fails with the new spyshelter leaktests
« Reply #25 on: May 03, 2010, 11:52:22 AM »
Yes, I can see from the log it was explorer.exe being prevented from running the target .exe.

But what puzzles me is that this did not work before re-installation earlier today. The previous installation was not on the maximum security default and I do not know why the difference occurs.

Anyway, now D+ blocks effectively.

Endymion
Re: Comodo fails with the new spyshelter leaktests
« Reply #26 on: May 03, 2010, 12:45:24 PM »
Quote
Yes, I can see from the log it was explorer.exe being prevented from running the target .exe.

But what puzzles me is that this did not work before re-installation earlier today. The previous installation was not on the maximum security default and I do not know why the difference occurs.

I see. Installing "Firewall with Maximum Proactive Defense+" activated "COMODO - Proactive Security" configuration defaults.

This configuration has an explorer.exe policy that is meant to trigger alerts when explorer launches unrecognized (non-safelisted) executables, whereas this alert type is only triggered when the Sandbox is Disabled and D+ is Enabled.

"COMODO - Internet Security" is another configuration, seamlessly activated (no multiple choices during install) when both the Comodo firewall and AV are installed, and probably also if "Firewall with Optimum Proactive Defense" is selected when a firewall-only install is used.

With "COMODO - Internet Security" configuration,  explorer.exe will get a different policy (along with slightly different defaults) with a rule that will allow explorer.exe to execute also unrecognized applications without triggering the corresponding "Run an executable" alert.
« Last Edit: May 03, 2010, 01:35:25 PM by Endymion »

Cavehomme
Re: Comodo fails with the new spyshelter leaktests
« Reply #27 on: May 03, 2010, 01:12:01 PM »
Quote
"COMODO - Internet Security" configuration is seamlessly activated (no multiple choices during install) when both Comodo firewall and AV are installed

Great explanation and refreshing my misty memory!  What you are highlighting is that the full suite default is not as secure as I think it should be. It should not allow screen captures etc by malware !!!

Due to the risk of malware slipping through full CIS with AV i uninstalled and decided to now run just Comodo Firewall in proactive security mode + Microsoft Security Essentials + Threatfire alongside.

Whilst I do not feel fully comfortable using MSE, as a free firewall 88)  AntiVirus I prefer it to many others I have tried Avast, AVG, Avira, etc, etc. etc, but they all had important issues. MSE permission to be used in commercial use "home based small business" is also important for me. It also has good reactive detection according to several tests.

It's worth mentioning that I actually received this laptop 2 months ago with Norton IS 2010 pre-installed but I simply could not relax the firewall to allow incoming connections from my local network from scanners and other devices, plus it was a resource hog. The interface was, I am sorry to say, designed for visually impaired people, with huge bright icons and labels and actually very difficult to navigate and track down exactly where to go to fix an alert or configure something.

Then I installed my commercial licence of Kaspersky 2010 but still faced various issues and performance hits. It is also visually impaired in its design and difficult to troubleshoot issues with it. Seems everyone is happy to dumb-down.

So now I am back to Comodo once again after several months away and one day hope to be 100% Comodo once the AV improves and Melih allows it to be tested on VB100 and other tests!

Perhaps Threatfire is redundant now that D+ is working well, but there are no conflicts and I guess it could one day save my ass if I inadvertently allow CIS to let something nasty through! And I guess that's another issue with CIS, it is highly dependent on rules whereas tools like Threatfire and Prevx have quite a lot of built-in intelligence, assessment and decision making.

Anyway, time for dinner now. Bye.
« Last Edit: May 04, 2010, 04:23:49 AM by cavehomme »

languy99
Re: Comodo fails with the new spyshelter leaktests
« Reply #28 on: May 03, 2010, 08:11:49 PM »
Quote
Great explanation and refreshing my misty memory!  What you are highlighting is that the full suite default is not as secure as I think it should be. It should not allow screen captures etc by malware !!!

Due to the risk of malware slipping through full CIS with AV i uninstalled and decided to now run just Comodo Firewall ++ with Microsoft Security Essentials plus Threatfire alongside

Whilst I do not feel fully comfortable using MSE, as a free firewall I prefer it to many others I have tried Avast, AVG, Avira, etc, etc. etc, but they all had important issues. MSE permission to be used in commercial use "home based small business" is also important for me. It also has good reactive detection according to several tests.

It's worth mentioning that I actually received this laptop 2 months ago with Norton IS 2010 pre-installed but I simply could not relax the firewall to allow incoming connections from my local network from scanners and other devices, plus it was a resource hog. The interface was, I am sorry to say, designed for visually impaired people, with huge bright icons and labels and actually very difficult to navigate and track down exactly where to go to fix an alert or configure something.

Then I installed my commercial licence of Kaspersky 2010 but still faced various issues and performance hits. It is also visually impaired in its design and difficult to troubleshoot issues with it. Seems everyone is happy to dumb-down.

So now I am back to Comodo once again after several months away and one day hope to be 100% Comodo once the AV improves and Melih allows it to be tested on VB100 and other tests!

Perhaps Threatfire is redundant now that D+ is working well, but there are no conflicts and I guess it could one day save my ass if I inadvertently allow CIS to let something nasty through! And I guess that's another issue with CIS, it is highly dependent on rules whereas tools like Threatfire and Prevx have quite a lot of built-in intelligence, assessment and decision making.

Anyway, time for dinner now. Bye.

MSE is not a firewall, just an antivirus. Threatfire will be a thing of the past because a behavior blocker is coming to Comodo. Also the AV has improved a lot; I would give it about 98% from the malware research I have done. I submit tons of files to VirusTotal and have a pretty good idea who leads in AV detection rates.

Endymion
Re: Comodo fails with the new spyshelter leaktests
« Reply #29 on: May 04, 2010, 06:51:22 AM »
Quote
Great explanation and refreshing my misty memory!  What you are highlighting is that the full suite default is not as secure as I think it should be.

Even when installing the full suite it is possible to activate the "COMODO - Proactive Security" configuration defaults (tray icon configuration menu).

And of course each user can choose to change those defaults even further as their ownership of the suite increases (e.g. by asking in these forums).
