Allowing all outgoing connections is dangerous

Even if it’s a 1 second fix and everyone’s happy? 88) Just awesome!

Understood.

Yep, get on it. ;D

In all seriousness though if these “theoretical security holes” can be properly simulated by users then they can also be used when creating malware.

From what I can tell Shaoran’s program, if it works the way it appears to, is an example of the dangers of the “allow all” rule.

I’m not sure how you can rule it out without properly investigating the code and its implementation.

So why use this kind of rule? It’s the only error here, because the application won’t do anything to the system; that’s why D+ doesn’t see anything. It’s just about taking some information, and that’s all.

You made the rule because you think it will be better for novice users, but what do novice users use? All the applications that lots of people use, and so there is no alert, because they are already in your safe list.

So really, why include this rule when it can be a security hole under certain conditions?

I think a way around this rule would be to use the white list for the firewall also: if the application is signed and part of the white list it gets access; if not, you get asked. I don’t think it would be too hard to implement, and that way you will have security and ease of use.

It’s already done. Use the Proactive configuration, for example.

You’re talking about firewall’s Safe Mode which is present in CIS since its beginning.

I personally have a problem with the way the new firewall policy is implemented, rather than with the fact that there exists such a thing as an “allow all outgoing connections” mode in CIS. By adding these weird policies to Application Rules in Network Security Policy, Comodo has practically rendered the Firewall Security Level setting completely useless. IMHO, here is how it should be done…

[attachment deleted by admin]

These possibilities exist IF you can infect the PC in the first place.
So what is being talked about here is NOT even how to infect the PC…
it is: IF they managed to infect the PC, this is how they can extract information.

hope this clarifies…

Melih

We just have to send a little mail:

“Hey, look at this new application to synchronize your pictures with Facebook. I tried it and it’s great!”

Once executed, it takes web browser information and sends it. We are just hoping to get some cookies or saved passwords to steal some Facebook accounts in this example.

Why would you want us to find a way to infect the computer when the user will do it for us? >:-D

There are reasons behind why CIS by default allows outgoing connections… Which Melih did clarify.

The risk profile is VERY low. In order for a Trojan to steal data, it MUST infect first. And with the current CIS 4 architecture this is pretty much virtually impossible. Of course there will be Trojans that are non-infecting and try to read protected files/keys, but screen capturing/key logging is not possible.

So basically, for a Trojan to steal data, it will need to infect the PC first. D+ & Sandbox together prevent Trojans from infecting in the first place.

OK, granted the devs’ reason (“can’t infect, so allow all outbound”); then why should I use CIS’s firewall? XP’s does the same: it allows all outbound and stops all inbound. 7’s is one step ahead (and I think msft have done a wonderful job on this); it has outbound and inbound. CIS’s firewall is redundant; turn it off.

It doesn’t make any sense to use CIS’s firewall with this rule setup. It’s a waste of code/CPU cycles/RAM/read-write cycles and what not. I don’t use CIS to filter inbound, I have a router and Windows’ own wall… what I do need is outbound. And by I, I mean all users using Comodo products since v2 days. Remember, it was just a firewall back then… 8)

I love the direction Comodo’s heading in=AV+BB+Sandbox, oh wait we already have another product like that… :-TD
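The two ideas raised above, that the OS firewall silently allows all outbound and that a signed-program white list would be the fix, can be combined on the Windows side. The script below is an added example and is not code from the thread, from Comodo or from Microsoft: it lists the current (weak) default, creates outbound allow rules only for candidate programs that carry a valid Authenticode signature, and then flips the profile default to block. It assumes Windows 8 or later (the NetSecurity module with the `*-NetFirewall*` cmdlets), an elevated session, and illustrative program paths that you replace with your own.

```powershell
# Added example (not from the thread, Comodo or Microsoft): replace Windows
# Firewall's default "allow all outbound" with "block outbound unless the
# program is on our list AND validly signed".
# Assumes Windows 8+ (NetSecurity module) and an elevated PowerShell.
# Paths in $Candidates are illustrative placeholders; adjust to your machine.

#Requires -RunAsAdministrator

$RulePrefix = 'Outbound allow-list - '   # tag so our rules can be found/removed later

# Programs the user wants to let out. Only those with a Valid Authenticode
# signature get a rule; anything else is left to the profile default.
$Candidates = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',      # placeholder path
    'C:\Program Files\Internet Explorer\iexplore.exe',   # placeholder path
    'C:\Windows\System32\svchost.exe'
)

function Test-SignedExecutable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid')      # NotSigned / HashMismatch / etc. -> $false
}

function Add-SignedOutboundAllow {
    param([Parameter(Mandatory)][string]$Path)
    $name = $RulePrefix + (Split-Path -Leaf $Path)
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "rule already exists: $name"
        return
    }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Program $Path -Profile Any -Enabled True | Out-Null
    Write-Host "allowed out: $Path"
}

# 1. Show the weak default first (out of the box this is Allow on all profiles).
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction

# 2. Create allow rules, but only for candidates that pass the signature check.
foreach ($exe in $Candidates) {
    if (Test-SignedExecutable -Path $exe) { Add-SignedOutboundAllow -Path $exe }
    else { Write-Warning "not signed or not found, no rule created: $exe" }
}

# 3. Flip the default. The built-in "Core Networking" outbound rules (DNS, DHCP,
#    etc.) are separate allow rules that stay enabled, so name resolution keeps
#    working; any program without an allow rule is now dropped, not silently passed.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 4. Confirm what we ended up with.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName "$RulePrefix*" | Select-Object DisplayName, Enabled, Action
```

Windows Firewall has no “ask” action, so an unlisted program is blocked outright rather than prompted for, which is the trade-off the thread is arguing about. To revert, run `Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow` and remove the rules with `Get-NetFirewallRule -DisplayName "Outbound allow-list - *" | Remove-NetFirewallRule`.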

We just have to send a little mail:

“Hey, look at this new application to synchronize your pictures with Facebook. I tried it and it’s great!”

Once executed, it takes web browser information and sends it. We are just hoping to get some cookies or saved passwords to steal some Facebook accounts in this example.

Why would you want us to find a way to infect the computer when the user will do it for us?

It is precisely the issue: CIS V4 was aimed at novice users, with a default friendly, minimal alerting behavior, whereas most often this novice user wants to use Facebook and, more broadly speaking, whatever gaming or p2p ■■■■, thinking he will be silently protected:
you won’t keep these people from infecting themselves, and such silent behavior is therefore not an argument for the protective software’s qualities.
CIS V4 would lose market share but gain credibility if it set the defaults tighter, with the evident counterpart of more alerts and customization: a very good product is under attack here (and elsewhere…) not because of its lack of quality, but because its default behavior lacks it.

I don’t use CIS to filter inbound, I have a router and Windows’ own wall… what I do need is outbound. And by I, I mean all users using Comodo products since v2 days. Remember, it was just a firewall back then…

Not serious.
Not speaking of Windows Firewall (it is, by the way, lousy in its default XP version), which I have personally disabled, most end users do not have a reliable router firewall, or even any router firewall at all.
I have used Comodo 2.x (no other choice under, at the time, Windows 2000) and I am now using V3; I don’t want to hear about V4 at the time of speaking.
But I definitely want both inbound and outbound, and I suppose I am not the only one.

Umm. I haven’t been programming for very long, but without hooking/installing anything I can make an application read data and store it within a list, and if I was knowledgeable enough… it could send it somewhere.

OK Melih,

As another user in the forums has already posted, there are indeed ways an app can steal data, for example a test key/sound/etc. logger. The following app can bypass the CIS sandbox and take a snapshot; it can also record sounds from the microphone, and it can capture video.

Try it,
http://www.spyshelter.com/download/AntiTest.exe

In the screenshot log, test 4 is the one that is able to take a screenshot.
With the default rule allowing all outgoing traffic, auto-sandboxed malware using these methods can:
- send screen captures
- send sound captures (using the mic)
- send video (using the camera)
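The point of the post above is that once an outbound connection is allowed by default, a sandboxed process still has a channel out. A defender’s first question is therefore “what is talking out right now, and is it something I recognise?”. The script below is an added example, not code from the thread, from SpyShelter or from Comodo: it enumerates established TCP connections, resolves each to its owning process, and flags connections whose image file does not carry a valid Authenticode signature (or cannot be inspected at all). It assumes Windows 8 or later (`Get-NetTCPConnection` from the NetTCPIP module) and an elevated session so that the paths of other users’ processes are readable.

```powershell
# Added example (not from the thread, SpyShelter or Comodo): point-in-time audit
# of established outbound TCP connections, flagging those owned by processes whose
# executable is not validly signed. Assumes Windows 8+ and an elevated PowerShell.

function Get-OutboundConnectionReport {
    $loopback = @('127.0.0.1', '::1')
    $report = foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
        # Loopback chatter never leaves the machine; skip it.
        if ($c.RemoteAddress -in $loopback) { continue }

        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = $null
        $procName = "pid $($c.OwningProcess)"
        if ($proc) {
            $path = $proc.Path          # $null for protected/system processes
            $procName = $proc.ProcessName
        }

        # 'Unknown' = we could not get at the image file, which is itself worth a look.
        $sigStatus = 'Unknown'
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }

        [pscustomobject]@{
            Process   = $procName
            Path      = $path
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            Signature = $sigStatus
            Suspect   = ($sigStatus -ne 'Valid')   # unsigned, tampered, or uninspectable
        }
    }
    return $report
}

$r = Get-OutboundConnectionReport
$r | Sort-Object Suspect -Descending | Format-Table -AutoSize
$r | Where-Object { $_.Suspect } | ForEach-Object {
    Write-Warning "unsigned/unknown process talking out: $($_.Process) -> $($_.Remote)"
}
```

A valid signature only tells you who built the binary, not whether it should be sending microphone captures, so treat the `Suspect` column as a triage queue rather than a verdict; UDP endpoints (`Get-NetUDPEndpoint`) are not covered here, and a one-shot snapshot misses short-lived connections, which is why an outbound rule set (as in the configuration example earlier in the thread) is the preventive complement to this audit.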

If you just want the firewall, then you can download and install just the firewall version of Comodo and tweak it to your liking.

Melih

Melih, can your devs test my latest post, so they can fix the issues of the screen grab and sound logging?
Even in Proactive mode, it can’t block the app if it’s auto-sandboxed.

You don’t understand what a sandbox is meant to do… please use Wikipedia… Sandboxing is NOT meant to protect you from those things. It’s meant for virtualization and software restriction.

mouse1 had a good intro into sandbox on the forum.

thx

melih

So, using CIS with auto-sandbox is less safe than using CIS without auto-sandbox?

I only trust CIS to protect against inbound.

After a few years using only Comodo firewall protection (v.2) I was given a Netgear router / modem.
I liked the higher speed its modem obtained from my ISP.
I liked the hardware firewall taking the strain when a trojan army was hammering my IP Address.
I retained all Comodo protection because I trusted it, and Netgear protection was unproven.

Even though set to block all incoming, Netgear protection FAILS against incoming.

I needed to upgrade software from a remote site.
Netgear had no objection to the download.
Comodo protected me from potential malware because what started as an IP OUT, which should have returned the download to the originating port number, was instead taken by the remote site as an invitation to attempt an unauthorised IP IN to a port number I had not sanctioned.

That remote site has a good reputation, and I do not believe the owners intend to supply malware,
but I only had that experience once, which suggests the site may have been hacked.
Netgear gave zero protection.

Netgear is configured to block ICMP incoming.
If I initiate a TCP out connection via a specific port to a specific site,
Netgear will still allow that site to respond with a connectionless (no Port) ICMP transaction.
Could be a privacy violation,
could actually allow infection by ICMP protocol messages and a total take-over by hackers.

Netgear seems to protect against any incoming from sites to which I have not established communication,
but if I do communicate with a site then Netgear allows them to throw any form of malware onto me.

I name Netgear because that is what I experienced.
I have no reason to believe that any hardware-based firewall is superior.

I require 100% incoming protection from a software firewall;
a mere 99.?% incoming protection from Windows Firewall + hardware will not let me sleep at night.

Alan

What makes you think that a software inbound firewall is any stronger than a hardware inbound firewall?