Be able to stop this!

Finds out your true IP by installing and running a small Java program. Cool huh? :slight_smile:

BTW, I manually erased with Total Commander (no undelete is possible) the Java cache, set SeaMonkey (my web browser) as ‘Limited’ and then ‘Isolated’ (I made 2 tests) app in D+ and ‘Web Browser’ in the FW, I set D+ to Paranoid Mode, set the FW to Safe Mode.

My Global Rules:
http://img193.imageshack.us/img193/3136/fwglobalrules.th.jpg

Firewall and Defense+ can handle it with proper config.
I got 6 alerts. Allowed 5 of 6. Alert #6 was blocked. And the test failed. If I start to block earlier (not waiting for the 6th alert) I get fewer alerts because the test fails earlier (smallest value is 2 alerts - both blocked).

#1 firefox.exe tries to modify protected registry key HKLM.…\JavaQuickStarterService
#2 firefox.exe tries to execute java.exe
#3 java.exe tries to modify protected registry key HKLM.…\JavaQuickStarterService
#4 java.exe tries to access RPC/DNS service
#5 java.exe tries to access protected COM interface “Windows Sockets Interface”
#6 java.exe tries to connect to host 198.104.150.202 on port 80 [the only alert by Firewall, others are by D+]

Internet Explorer. Similar 6 alerts. Only replace firefox.exe with iexplore.exe.

The bottom line. If you don’t like your browser or the web sites you’re visiting knowing your Internet IP address (which they really need btw), then you need to use a proxy and perform the remote connect from a completely different IP address.

Kail, the web address I posted is a test site to test how accessible your network is, so it’s not just any site.

As a side note, Java.exe is not listed in D+ Computer Security Policy, so the question is for the COMODO Dev team: How come SeaMonkey installs a small Java program and executes java.exe without D+ even saying anything about it?

I have repeated the test, I manually set all SeaMonkey’s access rights to ‘Block’ and nothing changed, this looks like a clear flaw in CIS v 3.12.

Yes, of course it is. It has to be. You contacted them, right? It’s like on the TCP header along with your MAC address… if you really want to fret about something. :slight_smile:

MAC address (wikipedia)

Pardon my ignorance, but you’re writing that my real IP is in every TCP header I send? Well, even so, why doesn’t D+ pop up something about it? IMO it should when SeaMonkey tries to install the Java program and when Java tries to run it, don’t you think?

And you’re welcome :slight_smile:

Let me put it another way, how could a web site send you data and not know your Internet IP address? If they didn’t know your IP address, they couldn’t tell you that they could see it… if you know what I mean? :slight_smile: You are in direct communication with them and that is based on their and your IP address. In short, they have to know it.

Yes, every TCP packet you send out contains your Internet IP address and the MAC address. Otherwise, it would be considered invalid and will not make it past the second hop (your ISP probably). If this was not the case, then nothing could be sent back anyway. Because it’s the IP address. You are initiating these connections.
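The point made in the two posts above (the remote end necessarily learns the source address of the connection, and only putting a proxy in the path changes what it learns) can be shown with a few sockets. The following is an added example, not code from this thread or from Comodo: a tiny "what address do you see?" server, a minimal TCP relay standing in for a proxy (my own construction, not any real proxy), and a client that connects both directly and through the relay. Everything runs on 127.0.0.1, so the IP part is the same on both sides and the observed source port is what distinguishes the client's own socket from the relay's.

```python
import socket
import threading

HOST = "127.0.0.1"  # constructed: everything stays on loopback so it runs offline


def start_echo_ip_server():
    """Start a one-shot server that replies with the peer address it observed.

    The server is never told the client's address: it reads it from the
    connection itself, because the source address is in every packet.
    Returns the port the server listens on.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, peer = listener.accept()
        with conn:
            conn.sendall(f"{peer[0]}:{peer[1]}".encode())
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def start_forwarding_proxy(dest_port):
    """Start a one-shot TCP relay (hypothetical stand-in for a proxy).

    It accepts the client, opens its *own* connection to the destination and
    copies the reply back, so the destination sees the relay's socket, not
    the client's. Returns the relay's listening port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def relay():
        client_conn, _ = listener.accept()
        with client_conn, socket.create_connection((HOST, dest_port)) as upstream:
            client_conn.sendall(upstream.recv(1024))
        listener.close()

    threading.Thread(target=relay, daemon=True).start()
    return port


def what_server_sees(port):
    """Connect to `port`; return (our own address, address the far end reported)."""
    with socket.create_connection((HOST, port)) as s:
        own = s.getsockname()
        reported = s.recv(1024).decode()
    return f"{own[0]}:{own[1]}", reported


def run_demo():
    """Compare a direct connection with one through the relay."""
    own, seen = what_server_sees(start_echo_ip_server())
    proxied_port = start_forwarding_proxy(start_echo_ip_server())
    own2, seen2 = what_server_sees(proxied_port)
    return {
        "direct_matches": own == seen,      # server saw exactly our socket
        "proxied_matches": own2 == seen2,   # server saw the relay, not us
        "direct": (own, seen),
        "proxied": (own2, seen2),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Nothing here hides anything from the far end: in the direct case the reported address is the client's own socket, and in the relayed case it is the relay's upstream socket, which is exactly why the thread concludes that only a proxy (or similar intermediary) changes the address a site learns, and why a program that opens its own direct connection, as the Java applet in the test does, bypasses any proxy configured only in the browser.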

OK kail, I get that, but my question then is still valid: D+ should pop up on the small Java program install and on Java trying to run it. I mean, I told D+ to block every single SeaMonkey access right and still D+ did nothing.

Recently I uninstalled CIS & Avast! Home, made a Registry cleaning (COMODO System Cleaner, NTREGOPT, and CCleaner) then installed both programs again, I updated from 3.11.x to 3.12.x a few days ago, made a ‘chkdsk’ on all partitions, so I don’t think it is my WinXP SP3, or is it?

You’re barking up the wrong tree. SeaMonkey isn’t Java. :wink:

Unless you’ve edited your trusted vendor list, Sun is on there so Java is trusted.

Sorry, I missed your question. :slight_smile: On default settings? A recent version? I’m not 100% sure to be honest, but maybe not. Java (Sun) is trusted, it’s possible that D+ wouldn’t bother the user to do that. I guess it depends on exactly what it was and what the settings were in regards to it and SeaMonkey. Checking SeaMonkey’s D+ rules in detail to see how it has been set to ask/allowed/blocked for each element and the allowed “Run An Executable” as well would be good. Seeing what ended up in your CIS event logs might also prove useful.

Oh I know perfectly well that SeaMonkey is not Java :slight_smile: what I meant is that SeaMonkey should have been stopped since it was installing the small Java program and then calling the Java plug-in to run it.

I didn’t edit the default definitions for ‘Isolated app’ nor ‘Limited app’, I simply used them and after trying the mentioned Security Policies I went to ‘Use Custom Policy’ and there I blocked everything.

But it’s OK now, I found the flaw (as I think it is a flaw): I checked the D+ logs and found all the messages that SS26 beep beep found, all of them, and I also checked the ‘Trusted Vendors’ and yes, Sun and Mozilla were there. It didn’t occur to me that ‘Trusted Vendors’ would be adding more vendors as I trusted them from the apps. Very good COMODO, this is a great feature. :comodorocks: (:CLP) but this is the flaw: the ‘Computer Security Policy’ should precede the ‘Trusted Vendors’, in case I want some functionality crippled or to activate some ‘Protection Settings’ just in case a virus has hijacked a program/app, or to monitor a possibly infected app/program, or for many other security reasons.

Cheers. :ilovecomodo:

It doesn’t. Unless you’ve added a vendor to the list manually, everything in there has been added by Comodo. It is confusing because they do say they were defined by “User”, but that isn’t the case.

When you update CIS, more and more vendors are added by Comodo. If you were to do a clean install, you’d still find Mozilla and Sun in the list, as well as all of those supposed defined by the user.

Oh I see, yes it is indeed confusing, but anyway this feature can be added to the wishlist.

Mod dudes, can you please forward what we have discussed here to the devs? I think it is kinda important, not because I pointed it out but for security reasons. Or at least can you write me if this would be valid as worth a quick check by one of the devs? Or am I asking too much?

Sorry if I look over-eager.

Not to be a stick in the mud, but KIS blocks this just fine. This is what I get when I visit that link:

[attachment deleted by admin]

I see the same thing, but I have Java disabled. Is your Java enabled?

yes it is

So it sounds like it has a Java blocking feature.

ZA had this feature back when I used to use it. You could have it block Java and Javascript and then whitelist the web pages you wished to be able to run them.

No Java block, because Java works just fine on any other pages without me having to whitelist anything, so no input from me.

Really? That’s very interesting.

I’m curious how Java functions on other pages but not this one. I’m assuming you know that Javascript is not Java? Javascript is prolific on web pages, while Java is uncommon. What other pages are you visiting that Java works on?

I’m just wondering how KIS is determining what to block. I would have thought that it was just blocking Java completely, but it appears that it is somehow selective. It’s odd that it apparently blocks the Java applet before it even loads. I would expect it to need to at least start downloading the code in order to determine whether it was malicious or not.

Unless, does KIS have a site blacklist feature buried in there somewhere? I know you said you gave it no input, but is it added by default?