An Inconvenient Truth

Thanks Xan,
That is much clearer. It appears that an independent testing company, Corelabs Research - part of Core Research Technologies, wrote this article April 28, 2008, and that article is what you were quoting. So this “Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls” is the “Core Impact” issue being referred to by the PCMagazine reviewer? This is indeed old news. A clear, concise post replying to the thread created by the first poster referencing the PCMagazine reviewer’s article could have put this to rest long ago. Once again, I do not mean to sound critical or argumentative. I only want to weed out all the opinions and get to the hard facts. As these issues are brought up again, the answers and the facts of the issue tend to be forgotten, because so much time has passed.

No problem, if there are any other things you would like to know please ask. If not, feel free to close this one :slight_smile:

A clear, concise post replying to the thread created by the first poster referencing the PCMagazine reviewer's article could have put this to rest long ago.
I'm sorry, but I didn't know about the website then and I tended to stay out of the "yes - no" fight...

Xan

Hmm yes it was a bit early to close the thread… Let’s keep this open till all are happy… :-TU 88)

https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/an_inconvenient_truth-t35956.0.html

Still I think the concern of yours has been addressed in 2 previous threads and will not try to prove you wrong a third time…

The thread “Bad Review by PCMag” is now on page 2 and is closed. The link to the last post on that thread is: https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/bad_review_by_pcmagcom_closed-t35217.0.html;msg254384#msg254384
What is interesting is that yesterday, before that thread was closed, that post was not the last post on the thread. There were also several replies by Xan, one where he linked one of his earlier replies, that are now missing from the thread. My last reply that USED to be on that thread, in which I pointed out that his link brought up the wrong reply post, one that didn’t say anything about Melih or address the issue he was replying to. I also mentioned that it was not clear who he was quoting in the quote he posted. In his next-to-last post that is now deleted from the thread, Xan referenced the article that he was quoting. The article was written by Core Technologies on April 28, 2008 and he posted a link to that article. That article is at: http://www.coresecurity.com/content/Insufficient-firewall

Now that the Bad Review by PCMag is closed, all of Xan’s posts, except for one on page 1 of the thread, have been deleted. Also I notice that my post, the one that USED to be next to last on that thread, has also been deleted. The timeline pointed out concerning the PCMag article vs. the Core Technologies article is interesting. The PCMag article is only about 4 months old and the Core Technologies article used to answer the PCMag article was about 10 months old.

I am not technically knowledgeable enough to know whether the “Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls” title of the Core Technologies article was the same as the Core Impact issue that the PCMag article was talking about. Was it? It very well may be, and the Core Impact issue may have been answered by the Core Technologies article. But since the question was brought up in the thread that is now closed, the best way to deal with the issue is with factual answers, not opinions. Most of the posts on the closed thread were opinions and references to other opinions. Several posters requested simple, straightforward ‘yes’ or ‘no’ answers, but didn’t seem to get them. After posting my reply and getting Xan’s reply with the link to the Core Technologies article, he posted one last reply, which I can’t remember exactly what it said, other than the thread would now be closed. I think he was replying to me, but he formulated his statement in such a manner that I got the impression that he was talking to the original poster who started the thread, which I was not that person. Then this morning I discover this new thread and find that the Bad Review by PCMag thread is closed, has multiple deleted posts, and has been relegated to page 2 of the Feedback/Comments thread.

That sequence of events is somewhat disconcerting, and almost seems to indicate that the person, 3xist (Josh), who closed the thread, doesn’t want to address this Core Impact issue, because he considers it dead and already answered. It may be an old issue and it may very well have already been answered, but I have yet to see one that totally satisfies me. Also, I assume eXPerience (Xan) removed his own posts, but who removed my last post? As a user, I have a good understanding of computers and a lot of functionality issues, having used them for 2½ decades, but I am not technically knowledgeable enough to understand whether the title of the Core Technologies article “Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls” does indeed refer to the Core Impact issue described by the PCMag article. Does it?

Answering the questions that were brought up by the PCMag article, regardless of how old the issues brought up by the article are, and answering the questions that were brought up in the thread, should not be difficult. Any forum member is able to post replies and give opinions, but not just any forum member is able to answer the questions in a clear, concise, straightforward manner. One knowledgeable source, whether it be Melih or a developer should be all that is necessary to put this issue to rest. Opinions, thread closings and post removals aren’t going to do the trick. Opinions about the PCMag reviewer’s methods aren’t going to do the trick. The PCMag review is out there, and how many times the issue has been brought up is irrelevant, because it has been brought up again. Even if it ends up being brought up 10 times over a period of years, it should receive a satisfactory answer each time. The answer should contain facts, presented in a clear, concise, straightforward manner. People who may have never read any previous threads about this issue, may now be reading the threads on this topic and want answers, not opinions.

I have used CIS since it first came out in Beta on 3 production machines and I trust it to protect those machines. When important, security-related questions arise, I want to see Comodo forum answers that are factually supported, not just opinions and obfuscations. These forum threads are always interesting and informative, and never dull. BUT, sometimes they don’t get to the heart of the issue and provide solid answers to the questions being brought up. This thread could be titled “Thread of the Long Posts”, so I am contributing to that trend.

Edit:
Quote from a subsequent post I made addressed to Xan:

I am sorry for the confusion, because I am obviously confused myself. My post, and your other posts, that I thought were deleted from the ‘Bad Review by PCMag’ thread were actually on the original ‘An Inconvenient Truth’ thread, which was closed, but is now reopened. I couldn’t even find this original thread, and mistakenly thought I had posted to the ‘Bad Review by PCMag’ thread.

Because of my confusion created by the closing of the original “An Inconvenient Truth” thread, there are only bits and pieces of this article that are relevant to the “An Inconvenient Truth” thread, which was closed and has been reopened. So to make my post readable, I am going to copy only the relevant parts to a new post, that hopefully will be clear and understandable.

I have nothing to do with this… I’ll take a look at some logs to see what happened. Also, I’ll try to find a core impact test so I can test the newest cis :slight_smile:

Best regards, and I’ll keep you posted

Xan

Topics merged again, open for remaining discussion

Xan

Xan,
I am sorry for the confusion, because I am obviously confused myself. My post, and your other posts, that I thought were deleted from the ‘Bad Review by PCMag’ thread were actually on the original ‘An Inconvenient Truth’ thread, which was closed, but is now reopened. I couldn’t even find this original thread, and mistakenly thought I had posted to the ‘Bad Review by PCMag’ thread.

now, let’s have this dealt with once and for all :slight_smile:

Old? Hmmm? The review is only 4 months old and about CIS 3.5, while your reference is more than a year old and about CFP 3.0!
BTW, why has Comodo left the issue for 4 months (which is the way I look at this)?
Because there is no issue at all! Comodo passes the leaktests, but they were faked by PCMag. Feel free to test the Core Impact software yourself and see the results!
It's obvious! I can easily see they are talking about different core impact attacks.
As far as I know, core impact isn't a way of attacking, it's a company that provides the software: core impact. It's a combination of all different leaktests! So there are no different core impacts, they're the same but faked.
What an optimist you are. :) That is the response that ■■■■■■ znix off and disappointed me.
optimist in heart and veins ;)
Sometimes people refer to a firewall as a firewall + HIPS/BB, and sometimes they refer to it as just a firewall. I guess he thinks Comodo's firewall alone (CFP) is still great but their HIPS (Defense+) is not that good. In fact, he recommended Comodo's firewall along with ThreatFire here: http://discuss.pcmag.com/forums/permalink/1004410194/1004410194/ShowThread.aspx#1004410194 (NOTICE the date when he posted it is pretty close to the date of the review).
Now we're talking about optimism. Why would he advise a firewall that leaks as hell as he says?
I'm not sure about that ... maybe because I read too many discussions like this (http://www.dslreports.com/forum/r21928994-Matousec-has-posted-new-results) and I remembered Melih once called it a "marketing gimmick" (and you will agree with him if you read what Mike Nash said in the discussion I linked to). Anyway, I don't care about Matousec's tests, because CIS did well on it. I guess we have completely different mindsets. When we read the review saying that CIS failed the test Norton had passed, we are worried and wonder why Comodo hasn't fixed the thing Norton seemed to take care of a long time ago, while you guys think the review is wrong and biased. Either way, as znix said, getting the top spot in Matousec's test is only a partial victory. They test firewalls only against a limited number of threats. Unlike AV tests such as AV Comparatives, they don't try to test them against all threats possible on the Internet.
I would like to ask you why you say that. Matousec is using all the latest techniques to tackle firewalls and HIPS. The ones that aren't testing everything are companies like AV comparatives. Why do I say that? Because AV comparatives can't possibly have all the malware. They only have a piece of all the malware that are in the wild...
I know, but we also know Melih. He used to be so determined to make his products the best. Whenever someone started a thread like this, he came, listened to a concern about his product and assured us that he would take care of it. When someone made a false complaint about his product, he fought back really, really hard! He wouldn't have left any issue for this wrong. This is very unusual for him! I began to be worried that he might be having a health problem or his company might be in trouble, especially because we're in global recession! I really hope this recession has nothing to do with it.

… Well, seems that there are two different types of Comodo fans here. One wants Comodo products to be the best. The other wants Comodo products to just look the best. Like I said earlier, we have completely different mindsets. So, you cannot convince us that Core Impact attacks are not a threat to CIS (and, in this forum, I think, only Melih or the CIS team can do it)! Don’t waste your time, for both of us!

Anyway, which of us more wants and helps CIS to be a better product?

  1. Comodo never had a better period than the last one.
  2. I think Melih is travelling?
  3. I want Comodo to be the best, I don’t want them to work on extra coding CIS so that it can pass some test. I want it to pass all the real threats!

Xan

I just realized that I hadn’t linked to znix's thread I'm talking about. Here is the link: https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/bad_review_by_pcmagcom_closed-t35217.0.html. Sorry about that!

Also, here is a thread about PCMag’s review of “CIS” on their own forum: http://discuss.pcmag.com/forums/1004410519/ShowPost.aspx
If you want to refute it, post there. I’m sure that Mr. Rubenking will respond.


I’ve registered and asked him some questions. Thanks for the direct link, I wouldn’t have seen the topic otherwise :wink:

Xan

Again! Slangen, please don’t post warez links anymore!!!

Xan

The following is a corrected version of a post that I wrote this morning that contained erroneous conclusions because of my confusion due to the closing of the original “An Inconvenient Truth” thread. This thread has obviously since been reopened and merged with the new thread by the same name. To be quite honest, my main motivation for writing my original article was because I was rather concerned that these posts had been deleted, when in fact, the thread that they were in had been closed, and another thread by the same name had been opened.

The thread “Bad Review by PCMag” is now on page 2 and is closed. The link to that thread is at: https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/bad_review_by_pcmagcom_closed-t35217.0.html In the original “An Inconvenient Truth” thread, Xan referenced the article that he was quoting in a reply to me. The article was written by Core Technologies on April 28, 2008 and he posted a link to that article. That article is at: http://www.coresecurity.com/content/Insufficient-firewall The timeline pointed out by a subsequent poster concerning the PCMag article vs. the Core Technologies article is interesting. The PCMag article is only about 4 months old and the Core Technologies article used to answer the PCMag article is about 10 months old.

I am not technically knowledgeable enough to know whether the “Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls” title of the Core Technologies article is the same as the Core Impact issue referred to in the PCMag article. Is it? It very well may be, and the Core Impact issue may have been answered by the Core Technologies article. But since the question was brought up in the thread that was closed, but subsequently reopened, the best way to deal with the issue is with factual answers, not opinions. Most of the posts on this closed, but subsequently reopened, “An Inconvenient Truth” thread were opinions and references to other opinions. Several posters requested simple, straightforward ‘yes’ or ‘no’ answers, but didn’t seem to get them. This morning I started reading this “An Inconvenient Truth” thread and couldn’t find some of the posts that I had read yesterday and one post that I had posted myself. This led me to mistakenly conclude that all these posts must have been in the “Bad Review at PCMag” thread.

Answering the questions that were brought up in the original “An Inconvenient Truth” thread about the PCMag article, regardless of how old the issues brought up actually are, should not be difficult, if the person answering has an adequate knowledge of the subject and is willing to give a clear, concise answer. Any forum member is able to post replies and give opinions, but not just any forum member is able to answer the questions in a clear, concise, straightforward manner. One knowledgeable source, whether it be Melih or a developer, should be all that is necessary to give a satisfactory answer. Opinions about the PCMag reviewer’s methods are valid, but don’t really answer the question. The PCMag review is out there, and how many times the issue has been brought up is irrelevant, because it has been brought up again. Even if it ends up being brought up 10 times over a period of years, it should receive a satisfactory answer each time. The answer should contain facts, presented in a clear, concise, straightforward manner. People who may have never read any previous posts about this issue, may now be reading the posts on this topic and want answers, not opinions.

I have used CIS since it first came out in Beta on 3 production machines and I trust it to protect those machines. When important, security-related questions arise, I want to see Comodo forum answers that are factually supported, not just opinions and obfuscations. These forum threads are always interesting and informative, and never dull. Sometimes, however, they don’t get to the heart of the issue and provide solid, straightforward answers to the questions being brought up.

This is like the never-ending thread :stuck_out_tongue: .

I don’t think that the vulnerability linked to by Xan (Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls) was the vulnerability highlighted in the review. The page states that it was fixed in CFP 3.0.

What I would like to see is the results of the tests if he had set CIS to proactive security.

I don't think that the vulnerability linked to by Xan (Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls) was the vulnerability highlighted in the review. The page states that it was fixed in CFP 3.0.
That is EXACTLY what I am trying to find out. I have asked that specific question. The page stating that it was fixed in CFP 3.0 was in the Core Technologies article dated April 28, 2008.

No, the user Slangen has apparently posted warez links in a few threads…

But your rant was funny! ;D

lisapan

You need to take a step back, re-read the forum’s rules & consider what you have posted. I strongly recommend that you do not throw any more accusations around.

totally !ot!, but there was a member that was posting a warez link to your so beloved core impact, which is of course against the forum policy. I moved it, sent him a PM, but he reposted, that’s why I made the notice here.
(I’ll reinstall XP one of these days so I can test it against CIS.)

But there is something I would like you to read.

Respect members. Please use common courtesies and netiquette. Forums are intended for a many to many communication, please be considerate of other members even if you are asking help to solve a specific issue. Helping yourself means helping other members too.
Respect moderators. They volunteer to keep these forums running efficiently. Please respect Moderators' decisions and acknowledge that Moderators and Administrators may not be able to ask for or accept your feedback every time.
Please try to respect this a little more

Xan

yeah i posted a link to your beloved core impact stuff - coz YES YOU CAN (test) (turns out it's a slightly older version and NO i didn't d/l it… i can't be testing stuff out - i gotta make me money trading the stock markets… … though the way things are going at least try to. 88))

… i am SORRY … won't happen again.

got cheesed off after reading that first lengthy ■■■ stuff…

ps. shouldn't warez links be encouraged… mostly the keygens/cracks are malware infested… wouldn't it be a REAL in the wild test for CIS… hahahahahahaha… i know you want to.

ps. sorry no offense meant.

PC MAG is BORING… :-TD

now Engadget is :-TU

The PCMag article was from around 2 years ago and was a review of Comodo Firewall Pro V2.5 (point something). That version did indeed have insufficient validation of hooked SSDT functions. This flaw was rectified from CFP V3 onwards, which includes CIS V3.8, as stated on the Core Impact site.

The PCMag and DSLReport sites are NOT malware sites.

Nor are they maleware sites. :wink:

Now we can all get some sleep.

Ewen :slight_smile:

Wow this subject is sure getting folks steamed up 88)

I’m a bit slow this week due to serious lack of sleep so I can’t be bothered delving into pages of info. My questions are:
1. Is this Core impact ‘security hole’ a genuine exploitable issue in a real world sense, or merely a POC? (if yes examples of malware in the wild please)
2. Was this/has this been tested against the current version of CIS?
3. If so which particular configurations were used?

Hopefully the answers to these questions will determine if this hole is froth or fact. :-\

It’s a $10,000 program to test this. I doubt any one of us would be able to validate that test at this time.