Comodo Firewall or Online Armor (full version)

[alex_s]

Summary posted guys here:

https://forums.comodo.com/forum_policy_violation_board/ot_thread_2-t40868.0.html;msg296425#msg296425

Cheers,
Josh

Crazy. The topic was split to the pieces and cut down again. This is a shame.

[egemen]

Your approach starts to frighten me. I do not say this is too high risk, still this is the same risk any keylogger/screenlogger/webcamlogger presents. There is no logic in catching screen/webcam loggers while ignoring tcp/ip traffic loggers. Nobody knows in what way a LOT of third-party programs send data over non-crypted connections. Security MUST guarantee this traffic cannot be sniffed at least on a computer it is installed on.

Ok let me list you the differences between keyloging and passive packet sniffing and hopefully you will see:

1 - Keylogging is designed to sniff your confidential information like username and passwords whether there is a network connection or not. The information does not have to be sent through any network channel. E.g. Windows logon authentication, all sorts of CRM programs (those where people keep their confidential information) etc.

2 - With keylogging an adversary can obtain a singificant deal of information with 5 lines of code, whereas with passive sniffing, adversary has to write a lot of protocol parsing code in order to get "some" information. This makes passive sniffing a highly specialized and targeted threat. So in laments terms, only an adversary with a quite experience in TCP/IP protocols programming can write it and only for a targeted environment i.e. a PC whcih he knows what sort of network communication is going on. 

3 - Keylogging can steal information from even encrypted channels whereas passive sniffing is as risky as connecting a computer to the Internet.

These 3 basic differences are quite obvious. While the risk profile is equivalent to conecting to the internet, AND WHILE there is a WAY to DETECT and PROTECT this if wanted(Defense+ is able to block access to Windows Socket Interface if wanted),  we will ofcourse focus on real threats and protecting our users from the real threats(Unless ofcourse your aim is to pass the leak tests).

Now tell me your affiliation and let me talk about your company and how proactive your company is.

Please do not try to waste my time as acting like an avreage technical person who is interested only in innocent technical discussions. You have OBVIOUS problems with COMODO as company and everyone should know why first.

[egemen]

Egenem, it is allowed to Melih do not understand this, but you should understand this is a kind of a DOS attack. Security should protect system, not just itself. There is no much sense in security that can protect itself perfectly, but cannot protect system from  DOS.

Again a misleading comment. You are talking as if that test is intended to test a DOS attack against the system. It has nothing to do with it. Passing that test does NOT make your system immune to those kind of issues.

And yes, the test itself was designed with somewhat different purpose, but while it is allowed for the users to take things literally, security experts (which I hope you are) should take it not only literally, but to see all the possible outcomes, especially if they claim to be not just "test passers".

Well obviously matousec took the test literally. But since you asked, lets talk about it. We ofcourse evaluated the test and found absolutely nothing related to security of the user.  I myself could not even see any crash although we modified its grace time for 20 minutes. Nonetheless i am assuming there is an application crash somewhere.

If you have a point be direct and techncial. We are not disccusing theory of software quality assurance or system performance and reliability.

We are talking about a simple test. Tell me with your experience what practical effects have you seen as a result of this test? What system stability issues or security malfunction have you observed against CIS? Nothing...Please state otherwise.

Again if you want to talk about quality assurance or software development or even simple technical things, first show your credentials and be honest. Let everyone know whom I am talking with. It is very easy to act as a security expert and fabricate stuff to mislead users.

[alex_s]

These 3 basic differences are quite obvious. While the risk profile is equivalent to conecting to the internet, AND WHILE there is a WAY to DETECT and PROTECT this if wanted(Defense+ is able to block access to Windows Socket Interface if wanted),  we will ofcourse focus on real threats and protecting our users from the real threats(Unless ofcourse your aim is to pass the leak tests).

So you agree, the risk is real. For me this is enough not to ignore that risk, at least not in a proper security product. That is to say some keylogger types need more than just 5 lines of the code, socksniff POC is not too diffucult to reproduce, and some malware samples demonstrate very high technical level. The main idea I want to say using raw sockets is a sign of malicious activity (unline device\afd\endpoint, which is used by a lot of the programs), so the better approach to prevent this risk is to intercept in directly. Comodo for for now intercepts it very very indirectly.

Focusing on real threats is fine, but ignoring known risk vectors is not. Focusing only on real == known threats you are always step back after the threats. I understand that it's impossible to predict everything, but to prevent known is "must do", undoubtedly.

Now tell me your affiliation and let me talk about your company and how proactive your company is.

Please do not try to waste my time as acting like an avreage technical person

I don't need that you to spend your time. You are free to leave anymoment.

You have OBVIOUS problems with COMODO as company and everyone should know why first.

I don't think everyone should know. I think people should know more about the products they use. And this is the primary target of this forum, isn't it ? And, please, do not make me to say rude things, by asking immodest questions.

[alex_s]

Again a misleading comment. You are talking as if that test is intended to test a DOS attack against the system. It has nothing to do with it. Passing that test does NOT make your system immune to those kind of issues.

This depends much on HOW you pass it. If you reserve some memory you know is enough for your program to function normally, for example, this is what you talk about, but if you PREVENT crazy program from taking too much memory, you save not only itslef, but a system as well.

Well obviously matousec took the test literally. But since you asked, lets talk about it. We ofcourse evaluated the test and found absolutely nothing related to security of the user.  I myself could not even see any crash although we modified its grace time for 20 minutes. Nonetheless i am assuming there is an application crash somewhere.

The test can be improved. If improved it can put ANY system into semi-functional state, because ALL the available memory is taken, swapping is enourmous, responce is VERY slow. This is definitely a potential security risk. You can ignore this risk, of course, but do not expect everybody to follow your approach. I know people that do not forgive much less risky "ignores" to security.

If you have a point be direct and techncial. We are not disccusing theory of software quality assurance or system performance and reliability.

We are talking about a simple test.

Nope, not me. I'm talking about approach this test demonstrates and all the possible unpredictable outcomes that can be prevented and can be ignored. I prefer the first.

[hkjoj]

Hm!  I trust CIS is a real threat to Online Armor. Otherwise, they won't spend time to attack and badmouth CIS here.   

[alex_s]

Hm!  I trust CIS is a real threat to Online Armor. Otherwise, they won't spend time to attack and badmouth CIS here.   

This comparative thread was started by "cimmind", who seems to be CIS user.
I don't think CIS is a real threat to OA, but unfair and misleading information about OA is a real threat.

[Melih]

Hm!  I trust CIS is a real threat to Online Armor. Otherwise, they won't spend time to attack and badmouth CIS here.   

CIS is a very usable product now. It has achieved great security and great usability with the reduction in pop ups that is less than others afaik. And we don't charge for that. CIS is a threat to anyone who is trying to make money from consumers by charging for the security product they provide!

Comodo's real competitors are Symantec, McAfee and likes of Kaspersky. They are the ones that has the market share that we are after tbh.

Melih

[alex_s]

CIS is a very usable product now. It has achieved great security and great usability with the reduction in pop ups that is less than others afaik. And we don't charge for that. CIS is a threat to anyone who is trying to make money from consumers by charging for the security product they provide!

Comodo's real competitors are Symantec, McAfee and likes of Kaspersky. They are the ones that has the market share that we are after tbh.

Melih

Amen. If I heard something like this from Mike, I'd immediatley dropped to use OA and switched to some more modest company.

[egemen]

So you agree, the risk is real.

No please read the post again. If you consider connecting to the internet a risk, then it is a risk. Again if this is not a misleading attempt what is it?

I don't think everyone should know. I think people should know more about the products they use. And this is the primary target of this forum, isn't it ?

I am sorry. You have been asked at least 4 times before to explain your affiliations and you are still avoiding to name it.

If you dont want everyone to know, PM me and let me know. This is important because as you said people should know the products they are using.  If you have an affiliation, then my replies to your messages will be really really technical and revealing.

I have proofs that you intentionally tried to mislead the users against COMODO before. And you did not make my judgement about you any better by saying you know people from our offices.

Until you do this, I do not see any point in continuing a dead end, neither here nor there discussion with you.

[alex_s]

Until you do this, I do not see any point in continuing a dead end, neither here nor there discussion with you.

Bye, bye, Egenem. It was a great pleasure to talk to you.

[panic]

Bye, bye, Egenem. It was a great pleasure to talk to you.

Alex, please check your PMs and your manners.

[egemen]

Amen. If I heard something like this from Mike, I'd immediatley dropped to use OA and switched to some more modest company.

Keep watching us If our cholestrol levels go up, you might consider switching your software because of that too.

[Endymion]

Gievawayoftheday provided OA paid license for free only for one day. As usual the activation program had default optins that added bookmarks entries to the browsers.

Indeed there would have been no need to rely on GAOTD as the activation mentioned the actual registration had to be carried on tallemu site whereas obviously Tallemu had no issue to rely on giveawayoftheday services and its default optins.

OA seemingly works even with 384kB of RAM and thus will supposedly protect the user against MS-DOS( ) even if they run a Photo imaging software on a far more conceding XP [at] minimal requirements.

Whereas Run safer provide the unmatched functionality of Run As... Safer

Soon enough OA paid will switch to the emsi A2 AV engine although nobody knows if there will be an official test about the difference with the superseded (OA-wise) Kaspersky AV engine.


OA was affected for 8 months by a known BSOD issue that could be potentially abused to cause a Denial of Service . The issue was reported, supposedly in a proper and detailed way, by ntinternals security researchers. Apparently a (supposedly) unofficial OA speech-person stated that the issue had low priority.

What they say is if you bugger oamon.sys driver with a rabbish parameters it is possible to invoke a BSOD. But OA doesn't allow to contact its drivers under normal conditions. To be able to connect oamon.sys you need first to unload OA. This is why this "bug" was never considered as a real bug. But when timetable allowed it was tuned.

To say the truth, those guys at ntinternals seem to have nothing to do

In case anybody wonders the issue was not publicly disclosed (eg like matousec tests) until a proper fix was implemented whereas ntinternals  researchers had enough time to wait for a final/proper fix while testing partial updates and providing further reports...

2008-10-04 - Vulnerability reported to vendor
2008-10-04 - Vendor response
2008-10-09 - Partial update released by the vendor
2008-10-11 - Vulnerability reported to vendor a second time
2008-10-11 - Vendor response
2009-04-20 - Status update request
2009-04-20 - Vendor response
2009-04-27 - Update released by the vendor
2009-06-04 - Full technical details released to general public

It looks like that in case OA services are terminated OA cannot block Internet connections to prevent leaks. Apparently no OA representative commented about the priority/severity of this issue.

Although it looks like that OA in some cases can prevent Internet connections whereas this was considered a bug and fixed. The version provided with GAOTD was likely affected by BSODs too.


Indeed appreciably senseless feature race pose much more risks for security products that needlessly hooks too many kernel functions.

For example, in Vista SP2 some functions has different parameters number comparing to Vista SP1, s any security that hooks that function becomes buggy with SP2 release (this is just an example of what happened recently).

Thus one critical update could cause unpredictable effects the more the number of critical functions used, whereas in such cases there is an increased chance of BSODs and overall malfunctions imposing a variable amount of time until a proper fix is provided.

Bottom line is that OA webcam logging alert worths a piece of paper-security 

Neglecting some other apparently blatant details, webcam logging would seemingly be a threat posing the same exposure risks of audio logging, screen capture and keyboard logging, or maybe it is something nice to show around...

[Ultra-Bot]

This particular test just passively sniffs the traffic and poses no real risks. Internet Traffic is ASSUMED to be SNIFFED all the time anyway. As soon as your packet leaves your PC, it can be sniffed by anyone else. It is not a threat at all.

There are many ways in windows and recently with windows Vista that can be used to sniff the traffic AND ACTUALLY SEND custom packets bypassing the weak firewalls.  CIS filters the ones that can be used to bypass the firewalls by crafting packets.

Note:
I remember your username from wilders forum. Some of your posts about COMODO, trying to be technical, were misleading (willingly or unwillingly) and clearly wrong. E.g. CLT DuplicateHandle tests with DUPLICATE_SAME_ACCESS being no threat at all(Perhaps because your product was failing?).
I did not pay too much attention but If you are affiliated with the development of the product you are advocating, we can have a technical discussion in detail.

Otherwise you should thank COMODO as a user that because of our leak tests, your company is trying to cover some of the real threats.

So, I guess CIS's inbound protection is better than my Edimax router's inbound protection and Windows XP firewall protection turned on?

It's very interesting I finally found the way how to disable router's protection if I want only for CIS to protect me from both inbound/outbound attacks. I simply went into DMZ and typed LAN's IP address.

But can you explain me why I have been never attacked seriously?
Basically I'm using router, Avira Antivirus (free) and Windows XP firewall turned on. I've never been infected, and I've been visiting truly all kinds of websites.
It just doesn't make any sense to me for the dangers you're talking about since I never experienced not a single one, never been infected.
I still don't understand this, by the post where you were describing dangers of surfing, despite malware is going more and more complex and tougher, I've never experienced such thing and again I'm only using router, Avira Antivirus (free) and Windows XP firewall turned on.
I wish anyone here can explain me this, I would be truly grateful.
Thanks to all.