Comodo 4.1 still fails with spyshelter leaktests

[lordraiden]

Leak test from http://www.spyshelter.com/
http://www.spyshelter.com/download/AntiTest.exe   NEW VERSION! 1.2

WIN 7 X64
Comodo v4 latest version, defense+ safemode with sanbox enable.
The program is executed inside the sandbox

Keyloging: PASS
WebCam: FAIL
Screenshot: PASS/PASS/PASS/FAIL
Clipboard: PASS
System: PASS
Sound Record: FAIL


After I disabled the sandbox and I ran it only with defense + in safe mode

Keyloging: FAIL
WebCam: FAIL
Screenshot: FAIL/FAIL/FAIL/FAIL
Clipboard: FAIL
System: FAIL
Sound Record: FAIL

In the last test "AntiTest.exe" was not a safe app and did not appear in the Computer Security Policy. Defense + never asked me nothing so I think that is a weird bug or maybe I am missing something.

In proactive mode ask me about give permissions to the file, so in proactive mode seems that Comodo PASS all  the tests



Partial Solution

Originally Posted by Yanix
Hi,

Its for D+, to be protected againts those 2 tests go to Defense+ Menu then open My Protected Files > Add > Search > and copy paste \Device\Usb#Vid* in the bar and confirm.

Then again in Defense+ Menu open My Protected COM Interfaces and do the same thing as before but copy \RPC Control\AudioSrv in the bar.

One new line must be added at the end, test again with antitest.exe for me it works, I get a alert for the Webcam acces and the Sound acces too.

Thanks to wilders: http://www.wilderssecurity.com/showpost.php?p=1688272&postcount=51

Should be this in the default configuration?

[Chiron]

I have Windows 7 x64 and the sandbox disabled.

I checked this out and the only way I could even get the program to run was to allow it's requests for control before it even allowed me to get to the test. Essentially I had to already have given it complete control in order for it to even start the test. This is why it failed.

I tried running the program and blocking its access and it wouldn't even run. I think Defense+ with the sandbox disabled passes the test as the program cannot even run without permission. It appears there is no way to test Defense+ directly using this program.

Let me know if anyone gets different results.

[Concepts]

Same results as Chiron. That test is bogus and Comodo will not allow it to even run. In order to get it to run you have to give it some kind of access which even then it still wont run lol.

If you failed this test it's because you allowed it to run when you should have blocked it if you didn't have it running in sandbox or enabled. Honestly all the noobs should enable sandbox by default anyways.

There is nothing going to get past Comodo (CIS) except for one's stupidity. There are tons of Comodo tests on youtube to back up my statement.

[lordraiden]

There is nothing going to get past Comodo (CIS) except for one's stupidity.

I think that you failed understanding the test.
There is nothing going to get past a pc without any security software except for one's stupidity.
With "stupidity" (executing files presumably unsafe) is very easy pass throughout Comodo, like almost everyday somebody shows in the forums.



Anyway still the the leaktest is able to bypass the sandbox, like some "malware" is able to do lately.

[Apach]

Thanks lordraiden for not letting'em live in a sated complacency. 

[lordraiden]

I have just discover that during the test without the sanbox and with defense+ in safe mode the leaktest file was in "My Own safe applications" but I cant understand how the file get there because I never made it safe or allowed (I neither check the option "remember the action...")

So I delete it from "My own safe apps" and I ran the leaktest in safe mode and without the sanbox I got the same results than with the proactive mode, tons of popups only trying to open the file, so I guess that Comodo pass all the test.

Then I ran again the test in the sanbox (Proactive, defese+ safemode, sandbox enable) and I got the same results, so the sanbox can be bypass.

[ss1ctm]

I have run this Antitest.exe from Spyshelter and I get no pop ups from Defense+ whatsoever.

In the monitoring tab in Defense+ settings, all the boxes are checked.

CIS 4 fails all the tests on my Windows 7 64bit PC.

[Apach]

I ran this test for Comodo and then for Online Armor. I suppose it's allowed to run the test app itself. Sandboxed CIS failed Screen Shot 4 and sound logging. CIS with sandbox unchecked failed clipboard test additionally. Online Armor detected and "popupped" all the loggers very smoothly. And named them what they were - Key Logger, Screen Logger, Sound Logger etc in contrast to CIS' which asked something what was hard to swallow. I didn't have to run the test sandboxed to protect the system. Plus CIS couldn't disable windows firewall the same old trouble which could not be cured for long long time, OA did it easy.
Somebody will make these tests clearer I don't have much time for that. I've tried to clean the trusted list and app's polisy lists though.

Sorry, forgot to mention - firewalls only were installed without AV component.

[Apach]

I have a Defense Wall v3 on another system installed. AntiTest as untrusted has failed 2 tests - sound logger and clipboard. But I was unable to test web-camera and streaming as it is not present on the PC.
Hope that was usefull as this is the only test I made for CIS with a leak test not from Comodo at least. It looks more... fair I think.

[ss1ctm]

I have run this Antitest.exe from Spyshelter and I get no pop ups from Defense+ whatsoever.

In the monitoring tab in Defense+ settings, all the boxes are checked.

CIS 4 fails all the tests on my Windows 7 64bit PC.

In 'Advanced' task in Defense+, I set the Image Execution Control Setting from Normal to Aggressive and now Defense+ alerts when I attempt to run the AntiTest.exe from Spyshelter. Yee Haw!

[Apach]

In 'Advanced' task in Defense+, I set the Image Execution Control Setting from Normal to Aggressive and now Defense+ alerts when I attempt to run the AntiTest.exe from Spyshelter. Yee Haw!

Nice! But what's the point to "tune" a firewall for a particular test? And another question - how long will you pay attention to the tones of popups in paranoid mode?

[Little Mac]

With D+ in Safe Mode, and Image Execution set to Normal with executable group added, I cannot get CIS to block Screen Capture Test #4.  AntiTest will succeed on that one test every time.  Sandbox being enabled for Unknown applications or not makes no difference; the test #4 still succeeds.

Initially I found it in "pending files" even though I'm not in Clean PC mode, so there shouldn't have been any "pending" files.    Perhaps tied to Sandbox being enabled for unknown apps?  Not sure.

D+ Logs showed it was attempting to access the following key at the time of the Screenshot Test #4:
HKLM\Software\Classes\CLSID\{A943AF2F-972A-F1C0-0979-ACA3499C5FF5}

So I added HKLM\Software\Classes\CLSID\* to my protected registry files in D+.  Then it tried to send a message to CIS, which I chose to block.  The test still succeeded.

I even created a D+ rule for the exe, with every Access Right set to Block by default.  It still failed Screenshot Test #4.

Thus I concluded that something the app is doing when first launched must allow it to later capture the screen for test #4.  Since CIS was not giving any initial popups when I executed it, I set Image Execution to Paranoid, as ss1ctm mentioned.  That allowed me to see that it was attempting to access every DLL running on the system, it not only went through the whole list, it tried a few of them twice, even from applications completely unrelated to system operations; it was obviously "looking" for a foot-hold.  Without those it couldn't launch or run at all.

All other tests CIS was able to intercept and block when I selected that option, even without Aggressive mode on Image Execution.

To Comodo Devs:  Going back a ways, CFP v2.x had settings for DLL injection, which was massively annoying for all users..  Is there some way for CIS to check for that w/o having to be "Aggressive" where we're given an option to Block (or Allow) all DLL injection for an application (rather than having to respond to 50+ popups)? So kind of like one of the Access Rights settings...

LM

[ssj100]

All these tests are simply to help market products.  Why do you think developers try hard to pass them etc?

If Comodo wants to stay in the game, they'd better keep up!

[lordraiden]

All these tests are simply to help market products.  Why do you think developers try hard to pass them etc?

If Comodo wants to stay in the game, they'd better keep up!

Anyway is still a method able to bypass comodo and that probably some malware use.

[Little Mac]

Anyway is still a method able to bypass comodo

Yeah, the fact that unless we got to Paranoid or Aggressive modes (or changing CIS' default config from Internet to Proactive), it is able to launch and capture a screenshot w/o any user interaction is a little concerning.  It's obviously obtaining some privilege/access that CIS is not detecting or is seeing as benign.

Not too good.  I know that CIS *can* be configured to stop it, but from an end-user standpoint, if OA stops it w/o any issue and CIS has to be "tuned" to do so, that's not a plus...

I'll make sure the devs are aware of this thread.

LM