Analysis of COMODO toolbar by BOClean standards

Recently, questions have arisen with respect to the “Ask.com” toolbar which is offered along with COMODO’s “Safe Surf” software, which is bundled with recent releases of the COMODO firewall. As a result of these questions, I was requested to provide an independent examination of these concerns as part of an internal review of the issues raised as an employee of COMODO. I can only offer that despite my employment by COMODO, it is important to note that my “independence” is contractual and therefore I’m putting my PERSONAL reputation “on the line” in this commentary. I speak for myself in what follows, without encumbrances, directives or reservations.

Let’s begin with information as to the basis for malware detection with respect to “search bars” and BHO’s (“Browser Helper Objects”) in general not only by BOClean, but by the standards of the rest of the “anti-malware community” in general. Some programs and “system add-ons” can be useful and non-malicious. Other search toolbars provided by Google, Yahoo and others are considered inert or “safe” because they go about their installation in specific, proper ways, and do not compromise privacy or security. And when their actions are discretionary and do not interfere with normal internet activities, then they are routinely judged inert and not covered.

In past years, such operations as “AskJeeves,” “MyWay,” “MySearch” and other holdings had a long history of adverse behavior not only in the way their software was designed, but also their “affiliate” programs. These improper policies resulted in “hijacking” of existing home pages or URL requests, installation of what is referred to as “additional crapware,” false “click throughs” and “page hits” when the pages were never intended to be visited, as well as hiding of these mechanisms by other means preventing the user from correcting any of these changes. We’ve always referred to these as “rogue affiliates” and “drive-by installs.” In short, clearly “Malware.”

In addition, most of these “toolbars” were surreptitiously installed as part of a “drive-by download” with the toolbar provider taking few if any steps to control the behavior of their affiliates. All were well known as “rogue” and stopped by most anti-malware programs, including BOClean.

Since that time, IAC (the current owner of Ask.com) has changed their policies and practices and has since become “responsible parties.” It’s happened before with other programs. COMODO did extensive vetting of this toolbar supplier prior to accepting this “toolbar” as now have I. Regardless of their prior activities, they have “changed their ways” and have apparently found that the only way to be accepted is to follow the legitimate requirements of the “internet community.”

BOClean, like most other anti-malware programs, decides that a “toolbar” is malware if it meets one or more of the following suspicious behaviors, which are not listed in any particular priority:

  1. Installed without the knowledge of the user.
  2. Cannot be removed by either uninstall or control panel.
  3. Reinstalls itself once it has been removed.
  4. Changes system or browser settings without asking permission first.
  5. Redirects page requests to other “sites.”
  6. “Spoofs” search sites or other “phishing-like” actions.
  7. Removes other pages and replaces them with “affiliate” pages.
  8. Transmits personal information or reports back to a third party without the permission of the user or some form of prior notification.
  9. Downloads and/or installs other software without permission.
  10. Hides itself or other components.
  11. Results in noticeable deterioration of browser performance.
  12. Results in spam.

There are other “egregious” behaviors I’ve likely forgotten, but the above are the more serious ones. Any one or more of the above will result in BOClean and most other anti-malware “detecting” any such toolbars or BHO’s as malware. However, there are “legitimate” and desirable “add-ons” which can be useful such as the “Google toolbar” or the “Yahoo toolbar” and numerous others which no one would classify as “malicious” or “suspicious” even if they are installed with other software installations.

I have personally performed a BOCLEAN analysis of the toolbar, subject to the ORIGINAL BOClean “standards” and have determined the following:

  1. Notification is given to the user prior to completion of installation and the user has the option of not installing the software.

  2. License agreement and privacy notification during installation is given.

  3. User can readily decline the installation of the toolbar and other options because they are not hidden or placed beyond an “expert installation mode” and are clearly visible on a “main screen” during the installation.

[0.jpg]

  4. The toolbar can be readily uninstalled using “Add/Remove programs” in the control panel and the uninstall is successful after a system reboot has occurred, leaving behind only an “Uninstall Ask Toolbar.dll” in the “Program Files” folder. This file is both visible in the folder, and can be successfully deleted:

[1.jpg]

  5. In Internet Explorer, the toolbar can be successfully disabled if the following three settings in Internet Explorer are set to disabled. It does not perform a “zombie reload” if it hasn’t been uninstalled if these settings are made in Internet Explorer:

[2.jpg]

Under Firefox, the toolbar can be disabled by unchecking it as follows:

[3.jpg]

Obviously if there is concern about this toolbar, then it should be uninstalled using the Add/Remove Programs option in Control Panel (as shown in item #4 above) which assures a complete removal. It will not recur once uninstalled.

  6. Behavior analysis of the added toolbar indicates that it does not contain any personally-identifying information, does not create a unique ID within its programs, does not assert itself into any other interactions, and does not do anything unless you enter a search request and submit it to ask.com or click on a button which simply loads the URL into the browser as though it were a bookmark/favorite being clicked on. No other transactions were noted in traffic analysis. Therefore, even with the toolbar present on the browser, if it is not used, no interaction occurs. The individual files, configurations, registry data, and internet traffic were examined to arrive at this determination.

Conclusion: By BOClean’s long-standing standards since 1997, the IAC/Ask toolbar included with COMODO’s “Safe Surf” does not constitute malware and therefore does not qualify for detection.

(Please note that the screenshot images only appear for logged in members - guests will not see them)

Kev, you are perfectly right :slight_smile: But I will always refuse to use a toolbar that is forced to me for whatever reasons, even if that means that I am less protected. I think Comodo should only give you an option to use the toolbar :slight_smile:

Greetz, Red.

Great analysis Kevin!

People should remember, they can always untick the options during cpf installation and they can separately install Comodo Memory Firewall for BO protection.

P.S. The Ask toolbar can be uninstalled independently of Comodo Safesurf. Even with the ask toolbar element and therefore no toolbar in the browser you still appear to be protected when running the BO Tester because Comodo Safesurf still runs without the toolbar. :slight_smile:

(:m*) (:s*) BoClean Rocks (:s*) (:m*)

You can install CFP with the toolbar and then uninstall Ask.com toolbar. Comodo SafeSurf will still protect your system.

Personally, I believe that the user should have been given the option to install both Ask.com (to help Comodo) and Comodo SafeSurf separately and not as a bundle. That way only people who feel the need to help Comodo for the great products they make would install Ask.com Toolbar and all the others would only install Comodo SafeSurf. The ones who do not want to use Ask.com and want to use Comodo SafeSurf will waste extra time uninstalling Ask.com Toolbar (also needs to clean the registry as even uninstalling it leaves traces behind).

I know that is a solution boys. But for me it’s a matter of principle : Toolbars bundled with software are bloatware, and I will always advise NOT to install them.

Greetz, Red.

Kevin you make a lot of sense. (:CLP) We can refer to this topic, not only about this particular issue, but to answer the FAQ “are toolbars malware yes or no?”

Be careful, there are malware toolbars too. Some even perfectly emulate the functionality of legitimate toolbars.

Greetz, Red.

This is a really good explanation! Good on ya Kevin & keep up the great work you do! :slight_smile: (:CLP)

Made this a sticky (:m*)

Josh

Exactly right. It’s bad to have a toolbar like this. I am trying to be soft. It’s in Comodo’s benefit indeed. I am sure people who use Comodo FW are such computer savvy that naturally very few of them will install a toolbar and ultimately Comodo is not going to get any major benefit money wise even and it might put their repute on stack even.

Thanks for the kind words, all! Only motivation I had to write this in the first place is that back in the old PSC days, we knew Donna over at “Calendar of Updates” and we had a great relationship there. I was kind of taken aback by the controversy over COMODO’s addition of the “Ask toolbar” in a way that apparently was missed here. I saw this as an entirely different angle than most other “gifts from vendors” in that COMODO went out of its way to make the addition quite noticeable and easily removed if “unintentionally installed” as well as making it QUITE clear during the install that it would be going in in the first place.

Toolbars have been historically rather difficult to remove, even when they come from so-called “respectable” sites such as Yahoo or Google … in fact, for anyone who is still upset over the way COMODO handled it, go google “how to remove yahoo toolbar” or “how to remove google toolbar” and see all the grief people have with both of the “majors” in that respect. And of course, if you go to install Firefox, what’s in there? I know that “askjeeves” was rogue, that’s why BOClean was one of the very first to stand its ground when Viacom’s lawyers came after Nancy and I demanding that we remove detection for it, and we had to spend a couple of weeks with attorneys outlining the specific “rules” I cited in the first message as our “defense.” All of the other vendors backed down where we stood our ground on the issue. Same as we did for many other so-called “legitimate” programs who sent in the lawyers, but still violated our now solid “standards” by which BOClean slices the “malware bologna.” Those rules became pretty well defined for us over ten plus years, and what COMODO is providing actually follows those rules 100% of the time as best as our own analysts determine. Compare to googling removing the other two major “respectable” toolbars. That’s what tipped the scales for me on this issue - the complaining about COMODO doing it and not the others. And I also forget which other vendor is installing “Ask” without asking (except on the “expert” install) but it’s kind of unfair to lump COMODO into that same situation when the delineations are VERY clear and up-front at least with us.

And now I work on getting my OWN self in trouble since I’ve not discussed this with Melih, so I’m guessing here as to what I’m about to say. Those who were with BOClean all along might not know that any programmer can write and finish code, put it out there, and make some money. It’s VERY different though when you’re writing software that has to be updated every day AFTER the sale. We sold lots of copies of BOClean over the years, but there was no recompense for the insane expenses of updating it daily. And this goes for BOClean, the firewall, the AV and everything else COMODO gives away for free. I’m sure having hundreds of people on the payroll, protecting people and working day after day is a pretty significant financial drain on COMODO. Those costs are what put Privacy Software Corp out of business because our expenses continued to outstrip our income for YEARS. :frowning:

The same degree of dedication to the need exists at COMODO, and yet the price is still FREE. So I can understand the need to bring in a little more revenue by offering the toolbar - if people use it, it means that I can have a few more people and have some time off. I’d see that as pretty nice myself. As I’ve said, I don’t know the circumstances behind all this, but I do understand it from my own perspective. I’m kind of in the dark about all this, and hopefully there’s an explanation I am unable to provide. But bottom line, criticism was out there, it kind of honked me off, and so I wrote a book report. :slight_smile:

But wanted to put the angles out there because I don’t quite understand what all the hoohah is about, even yet.

I’m using the toolbar and for my searches every so often though I confess to using google as my primary search tool though comodo toolbar is the only toolbar I’ve got installed.

Comodo really hit the jackpot when you joined the team!

Eric

To Kev :slight_smile:

The hoohah is about the fact that ( not only in this case, but in general ) you have to install a toolbar to get ( some ) functionality. Why can’t Comodo just give an option for ONLY the toolbar ? Why should we install a toolbar TOO to get some functionality, and then uninstall the toolbar AFTERWARDS if we don’t want to use the toolbar ? That simply doesn’t make sense !

So it is not about making some revenue, at least not for me. I would rather buy a licence, or make a donation, than having this situation.

Greetz, Red.

Comodo’s own stand alone toolbar is due out at some point soon which, as far as I understand it, will enable the option to install it separately.

Eric

Hi Guys,

My note or question will be only about

1. Installed without the knowledge of the user.
and the 1st image.

Initially at the first install of new version offering SS & Toolbar I declined. The boxes as on image #1 were unchecked.

Then I decided that I want to try it and as you know due to the bug with CPF uninstall or subsequent clean installation none of the above are offered anymore. That issue died - nobody knows the answer, Support Ticket forgotten “On Hold” forever…That is different story.

But can anybody tell me where initially when Comodo (stressing that) Toolbar was introduced there was anything said about “Ask”?
Then two weeks later (or even more) after I declined the Toolbar; made several unsuccessful attempts to get “the famous screen #1” back and gave up … I scanned my system with SpyBot or MBAM (sorry … cannot tell now precisely what scanner) … and I found “malware threat” on my computer called Ask.Whatever!!! Hello! :o

Sure I found it in Add/Remove I uninstalled; I found several leftovers in registry and I cleaned them too; after all I found Ask.dll hanging just on C:\ root !?? - I killed that one too
…Boooring…

My question is - what about point #1 by Kevin? How that could happen?

What kind of knowledge I as a user should have when I said in the first place "Do Not install Comodo(stressing again) Toolbar and…
I have to Ask myself now: how that Ask could possibly sneak into my system??? that’s what I am Asking

Other than that (R) Cheers

Greetings all,
Just wondering. It would be nice to get some responses to my previous post…
unless I am ASKing something, which doesn’t have an answer.
Cheers

Some anti-malware products falsely identify the toolbar as malware even though it isn’t.

The toolbar was added as a CPF feature a couple of versions back. Version: Version 3.0.23.364.

A lot of information about it came out at the time and can be found on this sticky post: https://forums.comodo.com/help_for_v3/comodo_safesurf_toolbar_info-t24180.0.html

Comodo’s OWN toolbar is currently in beta. The idea of the toolbar was to provide some in browser BO Protection like Comodo Memory Firewall Does but only in browsers.

At the time, I did find a work around for installing comodo Safesurf and still being protected while at the same time uninstalling the ASK element of the toolbar.

Simply uninstall the ASK Toolbar in your Add/Remove programs.

Comodo SafeSurf is a separate entry.

Eric

Hi Eric :slight_smile:

Some anti-malware products identify the toolbar as adware, and I do believe they have a point. The work around is known, but an installing option instead of an un-installing option would be better, don’t you think ???

Greetz from the other Erik aka Red.

Hi Guys,

Eric,

I know a lot about FPs. And I know when Comodo’s Toolbar was introduced.
(there are several posts of mine here and a Support Ticket hanging about (quite opposite) inability to install it even if you want it)

Excluding s2.tmp s2.tmp, for example, detected by many - wasn’t a question for me.

Aside note: why are they sitting there when Comodo cannot install the Toolbar is a different Q (forget about it)

The discussion you are referring to was post factum findings and indeed “came out”/emerged .

Then, sure, you found workaround, I found workaround…, other users found workaround
(probably some still don’t know).

Uninstall process of ASK via Add/Remove as I described is not Clean. There are leftovers.
The reputation of the company is still doubtful.

I do not ever allow myself install Real Player. That will never happen here no matter what.
I use Real Player Alternative for known reasons.

The reason of my initial question was raised because it was stated that users were aware of Ask. I don’t think so. I was trying to install Comodo’s ToolBar and I am fine with s1/2.tmp FPs…
… but not with Ask. In this case even being FP - it is not from my point of view because of
the way it sneaked into my PC - it is infection.

It is unacceptable !

I did want to use Comodo’s Toolbar for the reasons published here - now I will not.
When and if “ASK” removed from installation… I may re-consider.

My regards

Comodo have subsequently come out with their own toolbar. As far as I understand it, the ASK element has been removed though the search facility is still linked to the ASK Search page but the ASK Toolbar isn’t installed. https://forums.comodo.com/comodo_safesurf_and_comodos_own_toolbar/comodo_safesurf_toolbar_beta_0901_available_here-t24665.0.html

You can get better protection by simply installing Comodo Memory Firewall for the time being until Comodo’s Toolbar is further developed or alternatively download the toolbar beta and test it.

Personally, I run CMF instead of the toolbar so I get the added protection when I use my AOL account as well as IE7 and FF3.

P.S. There was some information around when the toolbar was introduced, that the toolbar was using the ASK toolbar as its installation but since there has always been the alternative to install CMF and now with Comodo’s own toolbar, there are plenty of alternatives.

P.P.S. Maybe a complete ASK Removal patch would be a good idea.

E

Eric,

Thanks for quick reply.
I just want to reply even before reading the link you provided.

Yes. That removal would be excellent idea.
I hope that eventually it will be pure Comodo’s "Tools and Bars " :slight_smile:

I use CMF too (I should change Signature).

It was a bit surprising though to find Kevin’s review and his opinion about this one in particular.

Thanks again. Cheers

P.S. …almost forgot… !ot!
“AOL account ???” … how it is possible that “security related” people using it.
Just kidding… at the same time pages of info & manuals regarding removing AOL in many cases end with “reformat”