Finds out your true IP by installing and running a small Java program. Cool huh?
BTW, I manually erased the Java cache with Total Commander (no undelete is possible), set SeaMonkey (my web browser) as a "Limited" and then an "Isolated" app in D+ (I made 2 tests) and as "Web Browser" in the FW, set D+ to Paranoid Mode, and set the FW to Safe Mode.
Firewall and Defense+ can handle it with proper config.
I got 6 alerts. Allowed 5 of 6. Alert #6 was blocked, and the test failed. If I start to block earlier (not waiting for the 6th alert) I get fewer alerts because the test fails earlier (the smallest value is 2 alerts, both blocked).
#1 firefox.exe tries to modify protected registry key HKLM…\JavaQuickStarterService
#2 firefox.exe tries to execute java.exe
#3 java.exe tries to modify protected registry key HKLM…\JavaQuickStarterService
#4 java.exe tries to access RPC/DNS service
#5 java.exe tries to access protected COM interface "Windows Sockets Interface"
#6 java.exe tries to connect to host 198.104.150.202 on port 80 [the only alert by the Firewall; the others are by D+]
The bottom line: if you don't like your browser or the web sites you're visiting knowing your Internet IP address (which they really need, btw), then you need to use a proxy and perform the remote connect from a completely different IP address.
Kail, the web address I posted is a test site to test how accessible your network is, so it is not just any site.
As a side note, java.exe is not listed in the D+ Computer Security Policy, so the question is for the COMODO dev team: how come SeaMonkey installs a small Java program and executes java.exe without D+ even saying anything about it?
I have repeated the test, I manually set all of SeaMonkey's access rights to "Block" and nothing changed; this looks like a clear flaw in CIS v3.12.
Yes, of course it is. It has to be. You contacted them, right? It's like on the TCP header along with your MAC address… if you really want to threat about something.
Pardon my ignorance, but you're writing that my real IP is in every TCP header I send? Well, even so, why doesn't D+ pop up something about it? IMO it should when SeaMonkey tries to install the Java program and when Java tries to run it, don't you think?
Let me put it another way: how could a web site send you data and not know your Internet IP address? If they didn't know your IP address, they couldn't tell you that they could see it… if you know what I mean? You are in direct communication with them and that is based on their and your IP address. In short, they have to know it.
Yes, every TCP packet you send out contains your Internet IP address and the MAC address. Otherwise, it would be considered invalid and would not make it past the second hop (your ISP, probably). If this was not the case, then nothing could be sent back anyway, because it's the IP address. You are initiating these connections.
OK kail, I get that, but my question is still valid: D+ should pop up on the small Java program install and on Java trying to run it. I mean, I told D+ to block every single SeaMonkey access right and still D+ did nothing.
Recently I uninstalled CIS & Avast! Home, did a registry cleaning (COMODO System Cleaner, NTREGOPT, and CCleaner), then installed both programs again; I updated from 3.11.x to 3.12.x a few days ago and ran "chkdsk" on all partitions, so I don't think it is my WinXP SP3, or is it?
Sorry, I missed your question. On default settings? A recent version? I'm not 100% sure to be honest, but maybe not. Java (Sun) is trusted; it's possible that D+ wouldn't bother the user about that. I guess it depends on exactly what it was and what the settings were in regard to it and SeaMonkey. Checking SeaMonkey's D+ rules in detail to see how it has been set to ask/allow/block for each element, and the allowed "Run An Executable" as well, would be good. Seeing what ended up in your CIS event logs might also prove useful.
Oh, I know perfectly well that SeaMonkey is not Java; what I meant is that SeaMonkey should have been stopped since it was installing the small Java program and then calling the Java plug-in to run it.
I didn't edit the default definitions for "Isolated app" or "Limited app"; I simply used them, and after trying the mentioned Security Policies I went to "Use Custom Policy" and there I blocked everything.
But it is OK now, I found the flaw (as I think it is a flaw): I checked the D+ logs and found all the messages that SS26 beepbeep found, all of them, and I also checked "Trusted Vendors" and yes, Sun and Mozilla were there. It didn't occur to me that "Trusted Vendors" would be adding more vendors as I trusted them from the apps. Very good COMODO, this is a great feature. But this is the flaw: the "Computer Security Policy" should precede the "Trusted Vendors", in case I want some functionality crippled or want to activate some "Protection Settings" just in case a virus has hijacked a program/app, or to monitor a possibly infected app/program, or for many other security reasons.
It doesn't. Unless you've added a vendor to the list manually, everything in there has been added by Comodo. It is confusing because they do say they were defined by "User", but that isn't the case.
When you update CIS, more and more vendors are added by Comodo. If you were to do a clean install, you'd still find Mozilla and Sun in the list, as well as all of those supposedly defined by the user.
Oh I see, yes it is indeed confusing, but anyway this feature can be added to the wishlist.
Mod dudes, can you please forward what we have discussed here to the devs? I think it is kind of important, not because I pointed it out but for security reasons. Or at least can you tell me whether this would be worth a quick check by one of the devs? Or am I asking too much?
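The following is an added example, not CIS code and not something posted in this thread. It replays the six-alert chain quoted above (browser writes a Java QuickStarter key, spawns java.exe, java.exe touches the registry, RPC/DNS, the Winsock COM interface, and finally connects out) through a small rule engine in two evaluation orders: trusted-vendor check first, which is what the thread observed in 3.12 (no prompts at all once Sun and Mozilla are trusted), and explicit per-application policy first, which is the precedence the OP is asking for. The alert numbers, process names, key path and address are the ones posted; the vendor names, the signer of each image, the "everything blocked" browser policy and the rule that a blocked execute suppresses the child's later alerts are assumptions made for the model.

```python
"""Constructed model of D+ alert precedence (added example; not CIS internals)."""
from dataclasses import dataclass

# --- constructed inputs (assumptions, not from CIS) -------------------------
# The thread reports Sun and Mozilla present in Trusted Vendors.
TRUSTED_VENDORS = {"Sun", "Mozilla"}
# Assumed signer of each image.
SIGNER = {"firefox.exe": "Mozilla", "java.exe": "Sun"}


@dataclass(frozen=True)
class Alert:
    num: int
    process: str   # process that raised the alert
    action: str    # registry | execute | rpc | com | connect
    target: str
    source: str    # "D+" or "FW"


# The six alerts as posted, in order (key path left truncated as in the post).
ALERTS = [
    Alert(1, "firefox.exe", "registry", r"HKLM\...\JavaQuickStarterService", "D+"),
    Alert(2, "firefox.exe", "execute", "java.exe", "D+"),
    Alert(3, "java.exe", "registry", r"HKLM\...\JavaQuickStarterService", "D+"),
    Alert(4, "java.exe", "rpc", "RPC/DNS service", "D+"),
    Alert(5, "java.exe", "com", "Windows Sockets Interface", "D+"),
    Alert(6, "java.exe", "connect", "198.104.150.202:80", "FW"),
]

# "Use Custom Policy" on the browser with every access right set to Block
# (assumed shape of that policy).
BROWSER_BLOCK_ALL = {
    "firefox.exe": dict.fromkeys(["registry", "execute", "rpc", "com", "connect"], "block")
}


def decide(alert, custom_policy, trusted_vendors, policy_first):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'ask'.

    policy_first=False: a trusted signer short-circuits before the explicit
    per-application policy is read (what the thread observed).
    policy_first=True: the explicit policy is consulted first (OP's proposal).
    """
    explicit = custom_policy.get(alert.process, {}).get(alert.action)
    trusted = SIGNER.get(alert.process) in trusted_vendors
    order = (("policy", explicit), ("vendor", trusted)) if policy_first \
        else (("vendor", trusted), ("policy", explicit))
    for kind, hit in order:
        if kind == "policy" and hit:
            return hit, "custom policy"
        if kind == "vendor" and hit:
            return "allow", "trusted vendor"
    return "ask", "no rule"


def replay(alerts, custom_policy, trusted_vendors, policy_first, answers=None):
    """Walk the chain. `answers` maps alert number -> the user's reply to a
    prompt (default 'allow'). Blocking an 'execute' suppresses every later
    alert from the child that never started; blocking anything else lets the
    chain continue, which is why the thread's minimum is 2 alerts, both blocked."""
    answers = answers or {}
    never_started = set()
    log = []
    for a in alerts:
        if a.process in never_started:
            continue
        verdict, why = decide(a, custom_policy, trusted_vendors, policy_first)
        if verdict == "ask":
            verdict, why = answers.get(a.num, "allow"), "user prompt"
        log.append((a.num, verdict, why))
        if verdict == "block" and a.action == "execute":
            never_started.add(a.target)
    return log


def ip_leaked(log):
    """The test site 'succeeds' only if the outbound connect (#6) was allowed."""
    return any(n == 6 and v == "allow" for n, v, _ in log)


if __name__ == "__main__":
    scenarios = {
        "3.12 as observed (vendor first, browser set to Block)":
            replay(ALERTS, BROWSER_BLOCK_ALL, TRUSTED_VENDORS, policy_first=False),
        "OP's proposal (policy first, browser set to Block)":
            replay(ALERTS, BROWSER_BLOCK_ALL, TRUSTED_VENDORS, policy_first=True),
        "Paranoid, nothing trusted, user blocks #6":
            replay(ALERTS, {}, set(), policy_first=False, answers={6: "block"}),
    }
    for name, log in scenarios.items():
        print(f"{name}: {len(log)} alert(s), IP leaked={ip_leaked(log)}")
        for entry in log:
            print("   ", entry)
```

The first scenario reproduces the silent run: every alert is auto-allowed on the vendor signature and the explicit Block on the browser is never consulted. The second reproduces the "2 alerts, both blocked" minimum: #1 and #2 hit the custom policy, java.exe never starts, and the connect never happens. The third reproduces SS26's run of six prompts with only the last one blocked.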
ZA had this feature back when I used to use it. You could have it block Java and Javascript and then whitelist the web pages you wished to be able to run them.
I'm curious how Java functions on other pages but not this one. I'm assuming you know that JavaScript is not Java? JavaScript is prolific on web pages, while Java is uncommon. What other pages are you visiting that Java works on?
I'm just wondering how KIS is determining what to block. I would have thought that it was just blocking Java completely, but it appears that it is somehow selective. It's odd that it apparently blocks the Java applet before it even loads. I would expect it to need to at least start downloading the code in order to determine whether it was malicious or not.
Unless, does KIS have a site blacklist feature buried in there somewhere? I know you said you gave it no input, but is it added by default?