An Inconvenient Truth

I understand that the “insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls” issue was fixed in Comodo Firewall Pro 3.0 and has been incorporated into every subsequent version of the firewall and the Internet Security suite. But that doesn’t answer the question brought up by the PCMag article dated November 3, 2008. On page 2 of that article, the reviewer states “Unfortunately, Comodo proved vulnerable to attack from another direction. Some Web sites host code that tries to breach security by taking advantage of vulnerabilities in a visitor’s browser or operating system. If your system is vulnerable, just visiting the Web site is enough to trigger the attack. I used the Core Impact penetration tool to unleash a number of exploits on a test system protected by Comodo (CIS 3.5). Defense+ noticed one of them, and all but one of the rest quietly failed. But one of the exploits managed to inject an agent into the test system. I verified that the agent could view and manipulate files.”

This vulnerability statement by the PCMag reviewer concerning Comodo Internet Security 3.5 was made in his recent review article dated November 3, 2008. Questions about that security vulnerability are what is being asked in both the “Bad Review by PCMag” thread and the current “An Inconvenient Truth” thread.

What does an “Insufficient argument validation of hooked SSDT functions” that was fixed in CFP V3.0 have to do with CIS 3.5 allowing an exploit to inject an agent into the test system, that could then view and manipulate files?

The PCMag article was written more than 5 months AFTER the Core Technologies article was written. This sounds to me as if those are two completely different issues. The Insufficient argument validation of hooked SSDT functions was discussed by Core Technologies in their article at: The Core Impact issue was discussed on page 2 of the PCMag article at:,2817,2333811,00.asp These questions brought up in the two threads have not been answered. You can go back to sleep if you want.

I sujest you take a look at his own forum. He ignored most of my questions actually… now how good is this guy ?


LOL, good for pointing that out Xan. If those tests bypassed CIS 3.5 he did some wrong when he ran the leaktests too! ;D :slight_smile:

I think this PCmag guy did a fool out of himself from the getgo, when he did the prevention (HIPS) test were he pressed allow on every alert and said CIS has bad prevention. :slight_smile: :slight_smile:

As stated earlier this PCMag guy don’t have the knowlege and should not do these sorts of testing… Hes results can’t be taken seriously… thats a FACT…

What about the people who do not fully understand HIPS? Does this mean CIS will not protect them at all? I have just enough knowledge to make HIPS some what useful at the very least, but Im sure others know less than I do and either disable it or click allow all the time.

My apologies to all, I have obviously misread some things here. I’ll go back and review things right fro the beginning.

Ewen :slight_smile:

He may not be very good at all, but that still doesn’t answer the question. It is rather ironic that Rubenking ignored most of your questions, because that is exactly what seems to be happening here on this thread. All the questions asked have received opinions or obfuscations, but not direct answers backed up with documented facts.

Someone who has technical knowledge about the “CIS 3.5 allowing an exploit to inject an agent into the test system, that could then view and manipulate files” issue needs to answer the question, supporting it with facts, and explaining it clearly and concisely so that everyone reading the forum can understand the answer and be comfortable with it.

The security question about CIS 3.5 has been brought up, and appears to be a valid question. If the question does not deal with a valid security issue, prove that it is not a valid issue. Opinions about an issue do not answer questions, nor do they prove anything. It would also be nice to know, if the issue was a valid issue with CIS 3.5, is it still a valid issue with CIS 3.8? These are simple, straightforward questions that CIS users should be able to get an answer to. Comodo is all about creating and building trust online, so give CIS users an answer to their questions about this issue that they can trust.


Some confirmation: You want to know if Neil Rubenking’s tests that he did on CIS 3.5 are actually a security issue/concern for CIS 3.5 & CIS 3.8. Is that correct?

Yes, exactly. Also, does the “insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls” issue that was fixed in Comodo Firewall Pro 3.0 have anything to do with the core impact issue that Rubenking says CIS 3.5 failed to stop. Some people seem to have indicated that this article written by Core Technologies already answered the questions about the CIS 3.5 core impact failure, that these two events were talking about the same vulnerability.

OK, that is straightforward. You’re asking the wrong people. You need to ask Neil. He’s the only one who actually knows “what” he did, “how” he did it & “what” he did it with. Your assertion that Comodo need to issue some sort response (other than already stated), supported by evidence (documented facts) on the basis of Neil’s article is reversed. It’s Neil that needs to produce the evidence, not Comodo. His article doesn’t do that & neither does any subsequent posting by Neil. That is the way it works & I’m sure Neil knows this… unless he’s trying to impress someone at The INQUIRER. Seriously.

Now, even if you reject all that… you’ve asked the questions and, in effect, demanded an official Comodo response. Wait for it. If you don’t get one… hit Support or PM a Comodo employee.

Having read both threads, I think that is pretty much what everyone asking questions on this thread and the original “Bad Review by PCMag” thread was wanting to know. I believe that is why the threads were started.

There’s nothing else that can be done really, unless Neil or Comodo choose otherwise. Neil’s published what he has in an article that, to be kind, has some weak points… which certainly does diminish the whole article in certain eyes… and he’s not supplied any detail or evidence, other than if you keep pressing Allow CIS allows everything… eventually & noisily.

edit: obviously, that last bit was a joke. :slight_smile:

Thanks kail. I really figured someone would have the technical knowledge to be able to answer. I guess that was not a valid assumption, because of the reasons you stated about not knowing a lot of his details. I guess everyone was assuming the testing methods concerning the failed test he described would be more well-defined and universal, rather than tester-defined. Apparently the question is lot more difficult to answer than a lot of people imagined, without having more information.


Could one of the developers please bring some clarity?



I can’t believe I’m doing this, but I just sended a pm to a dev. Whether he choses to join this topic or not, is his decision.

[at-bypass] Lasypan, if I indeed insulted you please accept my apologies. But could you refer me to the posts were I say the links are warez ? And then I don’t mean the posts from ‘Slangen’ ?



EDIT:: Never mind…

Good call Xan… Lets hope that could get a end to this… Yet answering accusations from people with no data provided whatsoever is not something the devs should need to do…