Application Control: Checksum / Hash Control (v3.0.13.268)

I don’t understand this. I was first alerted here - Comodo Firewall Pro 3.0 (Final) Released Today | Page 7 | Wilders Security Forums
Post 165 down.

I tried a simple exercise: replaced firefox’s exe with TCPView in firefox’s folder, changed TCPView’s name to firefox, used ff’s shortcut in the desktop (opened TCPView of course), then opened Spybot to update (tcpview will look up the ip address) and had no prompts. Note that i had no rule for TCPView.
The icon for firefox in the application rules was changed to TCPView’s…

I don’t understand this, CFP doesn’t check a hash or something??

If you agree with these results, then i call this beta, not even RC. Great potential, but beta.

Hello Pedro,

The Defense+ must have shown you the alerts before replacing the files. Once approved by the user or by the “Computer Security Policy” CFP will not ask about the already approved change again. These are cooperating systems. Even if Defense+ is deactivated, you will receive a file modification alert if an unknown program modifies an application which has a firewall rule.

However, if you say “I have replaced/renamed those files without any alerts from Defense+”, this can be because :

“You may have a rule in Computer Security Policy which allows explorer.exe (assuming you used Windows Explorer to rename those files) to modify protected files” or you disabled file system protection completely.

All these hash keeping practices are to prevent malware hijacking the allowed applications. You need to keep hashes if you don't know what is going on in the file system. CFP 3 knows all these.

There is a leaktest in www.grc.com. LeakTest 1.2.exe. You can rename that application as firefox.exe and test.

So you have a guaranteed defense against malware tampering. Why would you need hashing?

Besides, CFP 3 allows you to use wildcard characters while defining the applications. In this case, hashing is just useless. You can't keep hashes for such a set of applications. That's why, IMHO, other firewalls do not have such a feature as wildcard based rules.

Hope this helps,
Egemen

Most intriguing reply, thank you for the explanation.
You say it works without D+? I ask since i had it disabled.
Wildcards, i just fell off my chair now! ;D Why do i need that? Isn’t that permissive/ default allow?

One thing i can’t picture correctly: i take your word for it that it was allowed since it was explorer (it was). But this just complicated things in my head.
For instance, i use SSM free since i can lock things down with “disconnect UI” (and this setting alone can block things allowed in ‘connected UI’ mode). I can then let people use my computer, knowing they can’t use IE7, tamper with some things, and execute anything new. All this silently. Comodo as it is, will allow people to bypass my rules as long as they use explorer. While i know such people shouldn’t use my computer, i think nevertheless this is not an ideal solution.
What about public computers, other situations where this is needed?

In these cases, this means more trouble configuring it. Is there a setting then so i can be alerted whenever any allowed application is changed, explorer or no explorer? Is it the default action, allow/ask/block? (and then i have to answer for all files…)

I’m really confused, thinking about all possibilities. I realize i could be resisting change pure and simple. But i don’t think so, i think i’m resisting complication.

Here’s a scenario: suppose something filters the activity reported in the file system (rootkit). CFP has no way of telling something changed. I know this is already a compromised system, but D+ is really advanced to this paranoid point (any advanced HIPS is).
It gets complicated when a process permission to change “protected files” already bypasses firewall’s rules (or user intended rules). It takes an advanced user (really advanced lol) to keep up.
The firewall part (the part i want) only looks for the application name, but does not ask about its integrity. Dazed and confused

Also, pretty much any program that interacts with explorer can potentially do it also (i’m not thinking about firewall rule’s consequences when allowing an app to modify explorer or something - this is a snowball effect).

One would additionally gain from the clear separation of firewall rules and file permissions (with hash check). And if i can’t/won’t use file permissions, or there is a bug in it, i’m naked.

Can’t you put the option to use hashes? SHA-1 as the minimum these days (i think). Go ahead and make a warning that i can’t use wildcards. I don’t want them :-\

Please reply addressing my concerns (here or PM), by correcting me or acknowledging.


the following paragraph can actually complicate things, take it as just another idea in the pot to refine and discuss, i do not expect it to be practical nor ideal

It (hash) can also serve as an extra check for D+ itself - as D+ allows modifications based on its rules, it would recalculate the hash to check integrity as they are executed or used - independently of firewall allowed programs; then if a previously firewall allowed app tries to access after modification, there would be a prompt that notifies that, and describes it as an allowed D+ event with the description (a log of the event, with something like ‘explorer has rights’ etc.) or if it doesn’t match D+ hash from previous allowed actions (‘this is potentially dangerous, as D+ didn’t allow such change’ etc).
end of madness episode ;D


Egemen's posts are informative as always so I cannot take his place to reply.
Anyway since I was interested in this particular topic since V3 beta I’ll join this topic.

So back on topic I’ll give you a short answer. You can really set D+ to address all the issues you mentioned.

Hashes served only one purpose in V2: Monitor file changes when a process attempted a connection.
This was made in order to bind a ruleset to a specific executable. If that executable was altered you
got an alert. No one really paid attention to the hash string representation.

Anyway hashes had a price in terms of CPU and memory usage. That’s why loaded DLLs used weaker
hashes (CRC).

Actually V2 was only capable of blocking connections. If something suspicious happened and an app
attempted a connection users got an alert to block the connection. Nothing more.

V3 works in a different way. Defence+ is a full HIPS and as long as it is active it actually watches over
many important system operations.

This means that once you defined a ruleset Defence+ will enforce it.

If there are a few delicate operations that you would like to deny to other users you
only have to set those to ask and password protect V3 because there is an option
to hide alerts if password protection is enabled.

This will pretty much deny those operations. The only thing you miss would be an option to
hide the V3 tray icon (you can submit your wish here)

Using wildcards you can allow or deny a group of operations on certain files or registry keys (and more…)
Although there is a glitch with using wildcards in learned rules: alerts always create rules without wildcards.

What does this mean?
Although I would like a more complex rule language (with at least a NOT operator)
and some more user defined policies like the * policy to address some cases,
you can already control how an app has to behave. You can limit its actions to a specific directory
or you can allow it to change only a few registry keys or load some specific executable.

So you need to make trusted only apps that really cannot do any harm (yes let them use your AV full potential ;D ).

IMHO Explorer.exe needs a custom policy (or cmd.exe or regedit and so on). I watch over every program it launches and
I actually mark some of them to trigger alerts again (Run an executable, not the remember checkbox).
If Explorer.exe (or any program that can write files) has an Allow privilege for protected files
it can overwrite everything. So I usually leave it to ask.

But you can deny any program to change the program files or systemroot directory,
you only need to create an entry in the block section of protected files.

This way you don’t have to wait for a hash to change as you have control
over what is causing hashes to change.

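The two models argued over in this thread can be put side by side in code: the V2-style "hash bound to a firewall rule" check that Gibran describes above (the rule is pinned to the executable it was created for, and a swapped binary under the same name fails the check) and the V3-style protected-file policy he and Egemen describe (the write is decided per process, allow/ask/block, before it ever reaches the disk). The following is an added example written for this thread, not Comodo's code; the file names, byte contents, the policy table and the `rebind` step (re-pinning the hash once a change was approved, which is what Pedro proggests as an extra check for D+) are all constructed assumptions.

```python
"""Added example (not Comodo's code): hash-bound firewall rules vs. a
protected-file policy, run over a constructed 'firefox.exe' that gets
replaced in place. File names, contents and the policy table are assumptions."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash the file in chunks so a large executable is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class HashBoundRuleset:
    """V2-style model: each firewall rule is pinned to the digest seen at rule creation."""

    def __init__(self):
        self.rules = {}  # path -> (action, pinned digest)

    def add_rule(self, path, action="allow"):
        self.rules[path] = (action, sha256_file(path))

    def rebind(self, path):
        """Re-pin after a change the user (or a trusted policy) explicitly approved."""
        action, _ = self.rules[path]
        self.rules[path] = (action, sha256_file(path))

    def check(self, path):
        """Decision for an outbound connection attempted by the executable at `path`."""
        if path not in self.rules:
            return "ask"  # no rule yet: prompt the user
        action, pinned = self.rules[path]
        if sha256_file(path) != pinned:
            # Same name, same path, different bytes: a name-only firewall would
            # still say 'allow' here; the pinned digest catches the swap.
            return "block: executable changed since rule was created"
        return action


# V3-style model: what each process may do to protected files (constructed table).
PROTECTED_POLICY = {
    "explorer.exe": "allow",  # blanket allow: any file can be overwritten silently
    "setup.exe": "ask",
    "unknown.exe": "block",
}


def attempt_write(process, path, new_bytes, policy, user_answers_ask="block"):
    """Apply the policy *before* the write; only an allowed write touches the file."""
    decision = policy.get(process, "ask")
    if decision == "ask":
        decision = user_answers_ask  # what the user clicked on the prompt
    if decision == "allow":
        with open(path, "wb") as f:
            f.write(new_bytes)
    return decision


def demo():
    """Run both models over the rename-and-replace scenario from the first post."""
    d = tempfile.mkdtemp()
    ff = os.path.join(d, "firefox.exe")
    with open(ff, "wb") as f:
        f.write(b"constructed firefox build")  # stand-in for the real binary
    fw = HashBoundRuleset()
    fw.add_rule(ff, "allow")
    results = {"clean": fw.check(ff)}

    # A writer with a blanket allow replaces the file in place (TCPView renamed to firefox.exe).
    results["explorer_write"] = attempt_write("explorer.exe", ff, b"constructed tcpview", PROTECTED_POLICY)
    results["after_swap"] = fw.check(ff)

    # If that change was approved, re-pin: the rule follows the approved binary.
    fw.rebind(ff)
    results["after_rebind"] = fw.check(ff)

    # The same write from a process whose policy is 'block' never reaches the disk,
    # so the pinned digest still matches afterwards.
    results["unknown_write"] = attempt_write("unknown.exe", ff, b"x", PROTECTED_POLICY)
    results["after_blocked_write"] = fw.check(ff)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the two halves make together: with a per-process write policy in front of the file, the hash never changes without a decision having been taken, which is Egemen's "protect the integrity" argument; without such a policy (or with `explorer.exe` on a blanket allow), only the pinned digest tells the firewall that the thing called `firefox.exe` is no longer the thing the rule was written for, which is Pedro's argument.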

First of all, thank you Gibran for your participation. I think highly of your knowledge and opinions!

A few clarifications before:

  • I know the main difference between 2.4 and 3, and i know what a HIPS program is and does. I’ve tried most, even Neoava Guard. Just so we can get to the point, nothing else.
  • SSM allows me to run IE7 in normal mode, and block it when disconnected (password protected) - these are rules, not “ask”, but allow and block rules. I can’t be bothered to reply to the same pop-ups over and over - SSM is very flexible in this regard.
  • Like i said, if i allow something to use explorer, CFP probably won’t ask me again. Then if a program is modified through explorer (notify me if i’m entering sci-fi), and previously allowed in firewall, it’s allowed to connect.

So i change the permissions of explorer to ask. CFP asks if explorer can use Firefox (whatever the prompts), i say allow and remember. That’s it, things will soon arrive where i started. If i am wrong, point that out for me please.

I take this opportunity also to note that i don’t refer to leaktests. This is the application specifically allowed in the firewall rules to connect that changes. I never thought of that when allowing X to do something to explorer. When it’s time to connect, i want to know Firefox is different - it was not updated - block!

Regarding CPU usage of hashes, you could be right, but i’m using Kerio 2.1.5 right now (md5) and no CPU problem whatsoever. AppDefend, in alpha stage, uses SHA-1 and i don’t see any drag from it. It does have serious bugs, but i don’t think it has to do with that.

Wildcards, i think i got your point. Thank you.

One last remark: you will probably find file protection troublesome. It will give you headaches. I don’t ignore its usefulness, but i do want to point out the complexity of the Windows Operating System. It’s pretty vast, and when you ask for regular users to keep up with all this, you’re asking too much → default rules will stay, or turned off! If it’s turned off, CFP is really insecure.

The only experience I have with HIPS came from Winpooch (its barking can drive anyone to insanity; maybe that’s why I’m much more tolerant with alerts ;D).
I never used SSM but from your post I guess you can craft your rules in order to change apps' behaviour to account for disconnected mode.
Or will it block all allowed apps when disconnected :o ? (this cannot be)
I’ll search for an SSM help manual ASAP to look at the GUI and functionalities.

Regarding your scenario the answer is yes. I usually don’t mark a few apps to remember for this reason. But I have to test this further as I guess that launching an app
doesn’t grant another process a way to use it (well at least without using inline parameters like program.exe -do_harm_options)

The only way to attain a certain flexibility is to create two profiles (like admin profile and low privilege profile) and switch to the other profile turning password on.
I know this is not user friendly :P

But the v3 engine is there and I guess that by adding more features and a few modes it could be possible to cover every aspect.
Anyway if you can control what process overwrites what file, is a hash really needed?

Regarding file protection maybe it is true. I started every installation from scratch so it could be annoying to write the
same rules again and again. Anyway it is possible to add some blank privileges to the * policy (although I only added deny ones :P)
(too bad you cannot import only a specific part of a ruleset)

The only apps I crafted file protection rules for were internet browsers and an archiver.
Actually many apps only need to have write access to My documents folder or desktop.

I think you tried that and Win Patrol and confused them now. Win Patrol is the one that barks ;D

Yes this one is correct. You allow IE7 for instance (i always do this for IE…), and tick a box “Block for Disconnected UI” (or edit the rule later to block for D. UI). Now when you disconnect it (Comodo password protection equivalent) it will be blocked without warning.
It (D. UI) will also allow you to either block new executables or to fully enforce the policy - anything that doesn’t match a rule is blocked silently.

You’re right, it’s not! :)

Make no mistake about it, there’s a lot in V3 i like (ports lists, IP lists etc. - i already had started editing rules with NOT in Privilege ports, really cool)
But
1- The GUI is confusing as i said in the other thread, too many links, windows and clicks (and close that window to open the other…), so even if this makes sense in the end (and i’m wrong with my hash concern ;D) the user will not get the big picture of his rules. He will give up.
2- Defense+ needs more work. They just created a full blown HIPS from scratch, all the way to file protection, and no hashes in sight. I’m not comfortable with this.

I take the opportunity to also note that i can’t see child AND parent permissions for a given process in that same process window (i only see what it can open, not what can open it). I have to see ALL processes to get the picture. Again confusing and unnecessarily complicated. Just add two columns, parent and child.

BTW, maybe this should be moved since it’s not a bug :o
If you do, make sure Egemen knows it. If he wants to reply like i hope he does, he should know.

Winpooch too :o I got barking every time. I stamped its ugly mug shot in mind

http://winpooch.free.fr/res/images/rand/top_logo_left-1.png

To be honest I’m not comfortable without hashes too so every day I try to find a way to break V3 protection :-X
I guess I have not found anything serious. But I’m relying on my pending files too.

I agree with your comments on the D+ interface. I especially miss a way to track parent-child chains but I have yet to allow more than 4 programs that can form a chain (eg explorer-firefox-downloader-archiver) and explorer is the only process that has a long list (I guess it’s my habit to mark some programs to run once)

Regarding file protection I guess that My Pending Files should also report the application that modified the listed files (if it was an installer I would like to know what msi file or child/parent process to blame)
I guess I would like an option to disable existing D+ policies if a file is in My Pending Files, or at least an alert.

You may not need it but system administrators frequently need such grouping for mass configuration etc. With Defense+ protecting the files, there is no danger in using it.

One thing i can't picture correctly: i take your word for it that it was allowed since it was explorer (it was). But this just complicated things in my head. For instance, i use SSM free since i can lock things down with "disconnect UI" (and this setting alone can block things allowed in 'connected UI' mode). I can then let people use my computer, knowing they can't use IE7, tamper with some things, and execute anything new. All this silently. Comodo as it is, will allow people to bypass my rules as long as they use explorer. While i know such people shouldn't use my computer, i think nevertheless this is not an ideal solution.

You have the same behavior in CFP. The Defense+ Settings->Block All unknown requests while the application is closed option will do the same. (OR you can even set a password and suppress the popups). Once D+ is properly trained and stable, this option can be enabled.

What about public computers, other situations where this is needed?

In these cases, this means more trouble configuring it. Is there a setting then so i can be alerted whenever any allowed application is changed, explorer or no explorer? Is it the default action, allow/ask/block? (and then i have to answer for all files…)

You will always be alerted when an application changes. There are HARD alerts and there are SOFT alerts.

HARD alerts are D+ popups about protected files. These attempts will be intercepted immediately by D+. So called SOFT alerts are My Pending Files accessible through Summary and D+->Common Tasks.

I'm really confused, thinking about all possibilities. I realize i could be resisting change pure and simple. But i don't think so, i think i'm resisting complication.

Here’s a scenario: suppose something filters the activity reported in the file system (rootkit). CFP has no way of telling something changed. I know this is already a compromised system, but D+ is really advanced to this paranoid point (any advanced HIPS is).
It gets complicated when a process permission to change “protected files” already bypasses firewall’s rules (or user intended rules). It takes an advanced user (really advanced lol) to keep up.
The firewall part (the part i want) only looks for the application name, but does not ask about its integrity. Dazed and confused

No no. If a kernel rootkit is installed, nothing can protect against it. For the firewall part, think it like this:

CFP “protects the integrity of firewall applications” instead of “detecting integrity changes”. A malware can't simply bypass CFP to infect your applications.

Also, pretty much any program that interacts with explorer can potentially do it also (i'm not thinking about firewall rule's consequences when allowing an app to modify explorer or something - this is a snowball effect).

Sure. But they must first bypass D+ to interact with explorer.exe or any other program. It is really not that easy to bypass D+ and compromise the security.

One would additionally gain from the clear separation of firewall rules and file permissions (with hash check). And if i can't/won't use file permissions, or there is a bug in it, i'm naked.

Can’t you put the option to use hashes? SHA-1 as the minimum these days (i think). Go ahead and make a warning that i can’t use wildcards. I don’t want them :-\

Sure we can. Actually for basic firewall mode, it would save us from much trouble of inspecting the file system statefully.

But again feel comfortable with the protection of “Stateful File Inspection” of CFP. You know what, i myself run every virus sample (sent to me by our users) on my production computer. Not in a virtual machine, not in a test machine. Only CFP 3 in Clean PC mode and my PC.

It is not easy to bypass D+.

Hope this helps,
Egemen

I’ve been absent. One thing has been on my mind: if CFP3 doesn’t use hash, and not every program is signed, how do you build/check the safelist?

Cheers

Safelisted apps have a hash but I guess that it is checked only once when a new app is launched. As long as a rule is created, new unknown apps will always use that rule because D+ protects them.
Trusted vendor instead is able to also learn new apps signed by trusted vendors.

Thank you Gibran.