Author Topic: Comodo 4.1 still fails with spyshelter leaktests  (Read 66358 times)

Offline rogerg2

  • Comodo's Hero
  • *****
  • Posts: 308
  • If It Is Not Broken, DO NOT TRY TO FIX IT!
Re: Comodo fails with the new spyshelter leaktests
« Reply #30 on: May 04, 2010, 10:21:54 AM »
[quote]
Same results as Chiron. That test is bogus and Comodo will not allow it to even run. In order to get it to run you have to give it some kind of access which even then it still won't run lol.

If you failed this test it's because you allowed it to run when you should have blocked it if you didn't have it running in sandbox or enabled. Honestly all the noobs should enable sandbox by default anyways.

There is nothing going to get past Comodo (CIS) except for one's stupidity. There are tons of Comodo tests on youtube to back up my statement. :)
[/quote]

LOL You sound just like me! And I totally agree 100%!

Rog :-)
Windows 7 Ultimate/Asus Crosshair V Formula/AMD 8350FX 4.4xx GHz/CD 31.1 /CIS 7.0.315459.4132/Norton DNS/Malwarebytes 2.0.1.1004

Offline Cavehomme

  • Comodo's Hero
  • *****
  • Posts: 391
Re: Comodo fails with the new spyshelter leaktests
« Reply #31 on: May 04, 2010, 12:38:21 PM »
[quote]
If you failed this test it's because you allowed it to run when you should have blocked it if you didn't have it running in sandbox or enabled. Honestly all the noobs should enable sandbox by default anyways. There is nothing going to get past Comodo (CIS) except for one's stupidity.
[/quote]

Errm, no, that's an incorrect conclusion.

The whole issue, at least what I have experienced in my tests after reading about these controversial tests, is that running the standard CIS config which includes sandbox enabled and with all alerts clicked to deny and remember DOES ALLOW access to screenshot (test number 4 on the antitest.exe) as well as access to the microphone. In some cases, depending upon the order which CIS D+ decides to serve up its alerts it even got access to the webcam.

The main point is that with pro-active security config enabled and sandbox disabled DOES PREVENT the leaks from occurring by completely stopping antitest.exe.

Comodo need to fix this rather than arguing the toss about methodology etc. OK the testing organisation might not be fully credible, but malware writers are not going to follow any standards in trying to hack anyone's data.

And it does not really help the Comodo community to be so arrogant and to mock newbs. Please remember that everyone was once a newb. And we have all been stupid at some time, hence the need for good software like CIS; it just needs tweaking a bit, that's all.
« Last Edit: May 04, 2010, 12:42:51 PM by cavehomme »

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: Comodo fails with the new spyshelter leaktests
« Reply #32 on: May 04, 2010, 01:03:24 PM »
As far as I see D+ provides features meant to block screenshot grabbing (Direct Screen access monitor) and I guess there is no need to argue about methodology to wish that D+ will address Screenshot #4 PoC like the other three Spyshelter screenshot PoCs.

Sound Recording and Webcam prevention were never introduced as D+ features though it still looks possible to configure D+ to prevent both whereas sandbox is disabled (sound recording configuration relies on \RPC Control\AudioSrv pseudo COM interface and will trigger such alert also when sandbox is enabled).
« Last Edit: May 04, 2010, 01:31:48 PM by Endymion »
I have learnt silence from the talkative, toleration from the intolerant, and kindness from the unkind; yet strange, I am ungrateful to these teachers.
Kahlil Gibran (1883 - 1931)

Offline brucine

  • Comodo's Hero
  • *****
  • Posts: 1533
Re: Comodo fails with the new spyshelter leaktests
« Reply #33 on: May 04, 2010, 03:54:59 PM »
So, aren't we all saying that testing is supposed to be done on the default configuration (sandbox enabled if speaking of v4), and that therefore the sandbox should not be installed as default, and that the firewall/defense+ settings should be at higher degrees than the default ones today?

Under these conditions, CIS (factually using the v3 "expert" behavior) becomes very tight, and thus there shouldn't be a default newbie installation and a default "expert" installation, but only a highly secured default installation, everybody being then free to overcome these settings.

The problem is that such settings are very unfriendly when starting to use the software or, said in another manner, that commercial considerations seem to be ranked higher than security considerations.

Offline Cavehomme

  • Comodo's Hero
  • *****
  • Posts: 391
Re: Comodo fails with the new spyshelter leaktests
« Reply #34 on: May 04, 2010, 04:21:08 PM »
[quote]
So, aren't we all saying that testing is supposed to be done on the default configuration (sandbox enabled if speaking of v4), and that therefore the sandbox should not be installed as default, and that the firewall/defense+ settings should be at higher degrees than the default ones today?
[/quote]

Yes that is what I am suggesting Brucine, but I think it is hopefully quite a simple fix / tweak to implement especially so that it can be understood by newbs. I am a bit tired now and not thinking too clearly but the basic method might be....

Any incoming exe not already on the system baseline and not recognised as friendly by CIS database should be given a default alert of suspicious file with 3 choices: 1) deny 2) sandbox 3) allow.

If deny, then it should be FULLY denied and not have access to ANYTHING, unlike today's standard config that allows screenshots etc.

If sandbox, then a warning that you execute it at your own risk although it is restricted something may still slip through (sandboxie users may laugh at this reduced effectiveness of comodo sandbox...just for now). But you have been warned at least as a newb.

If allow, then fingers crossed as the exe is passed over to the system.
« Last Edit: May 04, 2010, 04:23:11 PM by cavehomme »

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: Comodo fails with the new spyshelter leaktests
« Reply #35 on: May 04, 2010, 05:21:52 PM »
Microsoft Windows sound recorder qualified as PoCs under the same considerations for ages and yet nobody cried wolf so far.
Any video chat application would have qualified as a PoC and yet it passed unnoticed until months ago somebody (probably videochat user) got a videochat PoC to test V3 with.

Both sound grab and webcam monitoring were never implemented in D+ even if it is apparently a matter of a ruleset change.

Among the PoCs tested in these forums there are also mouse-move PoC (typical of Joke apps) AFAIK still not monitored as well.

On the other hand, Direct screen access monitor is indeed a D+ feature: first three screenshot tests are thwarted regardless if sandbox is enabled (without alerts) or disabled (by means of alerts) whereas the 4th Screenshot grabbing PoC would occur no matter the sandbox security level is set at.

I'm not sure why such tests should be used to generalize over some product "defaults" as if settings/options were not actually meant to be changed to match each user preferences whereas actually possible (and it won't for the 4th screenshot PoC).

I cannot count anymore the times whereas somebody implicitly discouraged any new user to learn to use a HIPS when such feature (D+) was introduced in V3.

Well times change and V4 introduced sandboxing...

...and for one reason or another, a new controversy began to take place (again about new users or rather about defaults)
« Last Edit: May 04, 2010, 06:50:23 PM by Endymion »

Offline lordraiden

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 921
Re: Comodo fails with the new spyshelter leaktests
« Reply #36 on: May 05, 2010, 04:09:26 AM »
The thing is that the sandbox can be bypassed.
On the other hand the default configuration is unsafe since the sandbox will never be 100% free of bugs (like any software in this world), no excuse for that.

Offline Cavehomme

  • Comodo's Hero
  • *****
  • Posts: 391
Re: Comodo fails with the new spyshelter leaktests
« Reply #37 on: May 05, 2010, 04:20:06 AM »
[quote]
The thing is that the sandbox can be bypassed.
On the other hand the default configuration is unsafe since the sandbox will never be 100% free of bugs (like any software in this world), no excuse for that.
[/quote]

Indeed yes. But what happens now? How does this kind of important issue get to be included on the agenda for assessment and decisions on what to do amongst Comodo designers, devs, fixers, etc?

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: Comodo fails with the new spyshelter leaktests
« Reply #38 on: May 05, 2010, 06:46:26 AM »
Whereas sandbox and D+ approaches might have different protective spans it might be relevant to confirm these differences whenever the narrow focus might be not enough to provide an unbiased picture.

[quote]
The thing is that the sandbox can be bypassed.
On the other hand the default configuration is unsafe since the sandbox will never be 100% free of bugs (like any software in this world), no excuse for that.
[/quote]
Obviously it took no effort to leverage on the PoCs to claim "unsafety" whereas it apparently matters not how much safe an approach it is.

There is no need to claim that any software in the world will never be 100% free of bugs in an attempt to back up unsafety claims specifically targeting the sandbox whereas such statement was to be applied to "any software in the world".

Though such sensationalism might be enough to warrant generalized fear there is still place in these forums to address these mystifications.

The sandbox is obviously not a panacea but fared as well as D+ whereas "defaults" are concerned.

No doubt improvements are possible but each member is entitled to acknowledge the PoC results and see whenever are relevant to their approach and needs.


Indeed Computer monitor access bypasses have been confirmed for both sandbox and D+ regardless of configuration changes.

Whereas a webcam lens cap (or a piece of paper) will be enough to thwart the videochat PoC it might be possible to guard against sound and webcam PoCs in case members are interested (IF they have a webcam and/or a mic)
« Last Edit: May 05, 2010, 07:30:27 AM by Endymion »

Offline Cavehomme

  • Comodo's Hero
  • *****
  • Posts: 391
Re: Comodo fails with the new spyshelter leaktests
« Reply #39 on: May 05, 2010, 07:33:02 AM »
Deny access should mean exactly that, no access to anything. It's black and white for me, and that this should be for default setting, however achieved by comodo, and I do not think it is complex thing for comodo experts to implement and should not affect any other rules or configs.

Any devs reading this thread?

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: Comodo fails with the new spyshelter leaktests
« Reply #40 on: May 05, 2010, 07:42:53 AM »
[quote]
Deny access should mean exactly that, no access to anything. It's black and white for me, and that this should be for default setting, however achieved by comodo, and I do not think it is complex thing for comodo experts to implement and should not affect any other rules or configs.
[/quote]
Then why did you not provide your explicit support to the member who created the "New feature suggestion : Block + Terminate instantly" topic in the wishlist board?

Surely they asserted the advantages of a "terminate" option instead of redefining what "deny" _should_ mean.

Was your wish so much complex thing that do not match his one?

If it was not, it is a pity as only a handful of members posted in that topic to support such new feature and you obviously did not take such chance whenever you should have been aware of such topic by now.


[quote]
Any devs reading this thread?
[/quote]
Perhaps you missed it but it was pointed out earlier that CIS lead developer (egemen) was analyzing the executable linked in the first post of this thread.
« Last Edit: May 05, 2010, 08:15:26 AM by Endymion »

Offline Cavehomme

  • Comodo's Hero
  • *****
  • Posts: 391
Re: Comodo fails with the new spyshelter leaktests
« Reply #41 on: May 05, 2010, 08:14:12 AM »

[quote]
If not it is a pity as only a handful of members posted in that topic to support such new feature and you obviously did not take such chance whenever you should have been aware of such topic by now.
[/quote]


Sorry Endymion but everyone's circumstances are surely different. I did not notice that thread and I rarely come to these forums unless I have an issue and then I have very limited time to browse because I have a business to run.

So thank you for pointing that thread out, I will quickly go there now.

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: Comodo fails with the new spyshelter leaktests
« Reply #42 on: May 05, 2010, 08:50:27 AM »
[quote]
So thank you for pointing that thread out, I will quickly go there now.
[/quote]
Taking time to redefine what deny would be supposed to mean (while disregarding the available documentation) was undoubtedly a fruitless exercise and it looked reasonable to advise you to direct your effort to a more appropriate board.

Whenever much more of your time was spent generalizing over these tests, glad to point you to that wishlist topic as much as it was needed whereas it matched your explicit wish whenever it was inexplicably neglected till now.

[quote]
Sorry Endymion but everyone's circumstances are surely different. I did not notice that thread and I rarely come to these forums unless I have an issue and then I have very limited time to browse because I have a business to run.
[/quote]

Considering everybody comes to these forums in their spare time I see no need to state a reason for that whereas you seemingly posted in this topic like anybody else that found it by chance (AFAIK only Opening Posters would be able to come for the specific purpose to create a new thread regardless if the topic pertains an issue, a help request etc.).


I take it surely took some effort to quote only the part of a post omitting only the lines such topic was mentioned whereas that obviously took more time than quoting the whole post.

I do not know how you managed to remove only that part without paying attention to it whereas it was an obvious match to an explicit comment/wish of yours.

That aside I wish the best for your business and circumstances as there is no doubt they deserve your time and attention.
« Last Edit: May 05, 2010, 10:19:28 AM by Endymion »

Offline lordraiden

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 921
Re: Comodo fails with the new spyshelter leaktests
« Reply #43 on: May 05, 2010, 01:10:19 PM »
Yes, if you have any good idea post it in the Wishlist forum.
If someday the devs start to read it they will need to do it since 2008 at least.

Offline Endymion

  • Comodo's Hero
  • *****
  • Posts: 1360
  • Reality is subordinate to perception.
    • Faces -The Madman (Kahlil Gibran, 1918)
Re: Comodo fails with the new spyshelter leaktests
« Reply #44 on: May 05, 2010, 01:25:07 PM »
[quote]
Yes, if you have any good idea post it in the Wishlist forum.
If someday the devs start to read it they will need to do it since 2008 at least.
[/quote]

Looks like you have a knack for mixing good advice with such nonconstructive remarks.

Was it not enough posting a blatant flamebait not long ago?
« Last Edit: May 05, 2010, 01:27:07 PM by Endymion »