Let’s agree that we are speaking about the most widespread case. Most users (the most numerous group) don’t delete any entries in the Trusted Vendor List (TVL). For example, I (as a skilled user) am only now going to filter the TVL, after I learned how Defense+ works!
In the TVL there are MANY different organizations (well-known and not so well-known) and private persons. It’s much easier to steal the private key of a private person or a small organization than of a famous big organization such as Microsoft, Google, Adobe, Apple, Opera, Mozilla and so on.
Besides, it’s very easy to get a certificate whose CN (common name) or O (organization) field coincides with one already existing in Comodo’s TVL.
Besides, there can be a namesake in another country who can legally receive a signed certificate, and his name will be in the TVL. Comodo checks only the CN and O fields.
Besides, one of the private “developers” whose name is in the TVL may want to play “pranks”!
All of the above leads to malware that has a “legal” digital signature, where the name of the organization or private person is in the TVL.
After that, a usual user who runs this malware file can trust it, because it has a digital signature. The usual user may even let this program run with administrative privileges if the program asks for them.
He can do it because the more serious danger is when this program wants to connect to the Internet. But he relies on his Comodo firewall :), trusting that it won’t allow any new program to connect to the Internet without an alert.
Now, such potential malware is already in the TVL. But it doesn’t have any allow rule in the Firewall. What can it do?
After this it can replace, without any alerts, any file that is not in system folders like “Windows” or “Program Files” and has access to the Internet on port 80. This can be Total Commander, for example. And after we (suspecting nothing) run Total Commander, the replaced file transfers whatever it wants to the Internet. No alerts from Comodo! This is really a leak! Smart malware can do all this in silent mode. I mean it transfers everything it needs and then returns control to the replaced program: it unpacks the code of the replaced program directly in memory and the user sees the usual running of his program! The injection (replacement) can be done in many different ways. But we don’t get any alerts from Comodo because our program is in the TVL!
Certainly, after that we lose the trust of the replaced program for HIPS activity, but we really don’t need it!
Besides, if our malware had administrative privileges (see above), it could replace any file in the “Program Files” folder, for example opera.exe, firefox.exe or others. And we’d get the same leak!
All this can happen because Comodo doesn’t check the hash of the file in Firewall Rules! But if Comodo used the hash of the files in Firewall Rules and possibly Defense+ Rules (but this is already the next topic), nothing would happen, because the existing rules wouldn’t apply: the hash has changed!
But you may ask: what about a legal update of a really trustworthy program?
If there was a software update and we installed a new version of a trusted program that has at least one rule in the Firewall (first of all) or Defense+, Comodo should notify us that the file was changed and should ask us whether we want to apply the old rules to the new trusted file if the paths are identical. If the file has no digital signature, it’s not a trusted file, so the question must not be asked and no old rule should apply to this new, changed file; in this case the rules for this file must be temporarily disabled.
For example, in Outpost Firewall we at least always get a popup alert that the trusted file was changed, regardless of whether the one changing it is a trusted application or not.
Certainly we must filter our TVL, and even more (because what does the usual user really think about this?): Comodo must have 2 TVLs, one (small) for trusted vendors (such as Microsoft, Google, Adobe, Apple, Opera, Mozilla) and one for other, not trusted vendors. Programs from vendors in the first list can be added to the TFL automatically, and programs from vendors in the second one must be added to the TFL only after a question.
Comodo must use hashes for files in Firewall Rules!
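As an added example (not code from the post or from Comodo), here is the hash-pinned rule handling proposed above, in Python: a rule records the file’s SHA-256 when it is created, a connection is allowed only while the hash still matches, a changed file that still carries a signature triggers a question about carrying the old rule over, and an unsigned replacement has its rule disabled. The `is_signed` flag is an assumed stand-in for a real Authenticode check, and the file contents are constructed.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class FirewallRule:
    path: str             # program the rule was written for
    allowed_ports: set    # outbound ports the rule permits, e.g. {80}
    sha256: str           # hash of the file at the time the rule was created
    enabled: bool = True

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_rule(path, ports):
    return FirewallRule(path, set(ports), file_sha256(path))

def evaluate(rule, port, is_signed):
    """Decide on an outbound connection from rule.path to `port`.
    'allow'      : same binary as when the rule was made
    'alert'      : no applicable rule, normal firewall popup
    'ask_update' : file changed but is signed, ask whether to keep the old rule
    `is_signed` is an assumed stand-in for a real signature check."""
    if port not in rule.allowed_ports or not rule.enabled:
        return "alert"
    if file_sha256(rule.path) == rule.sha256:
        return "allow"
    if is_signed:
        return "ask_update"
    rule.enabled = False        # unsigned replacement: suspend the old rule
    return "alert"

def demo():
    """Constructed scenario: totalcmd.exe has an allow rule for port 80, then is overwritten."""
    exe = Path(tempfile.mkdtemp()) / "totalcmd.exe"
    exe.write_bytes(b"original total commander build")       # constructed stand-in
    rule = make_rule(str(exe), [80])
    results = {"intact": evaluate(rule, 80, is_signed=True),
               "other_port": evaluate(rule, 443, is_signed=True)}
    exe.write_bytes(b"different code dropped over the trusted path")  # replaced file
    results["replaced_signed"] = evaluate(rule, 80, is_signed=True)
    results["replaced_unsigned"] = evaluate(rule, 80, is_signed=False)
    results["rule_enabled"] = rule.enabled
    return results
```

Path-only matching would have returned "allow" for both replaced cases; pinning the hash turns the silent leak into a question or a normal alert.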