Finds out your true IP by installing and running a small Java program. Cool huh?
BTW, I manually erased the Java cache with Total Commander (no undelete is possible), set SeaMonkey (my web browser) as a ‘Limited’ and then an ‘Isolated’ app in D+ (I made 2 tests) and as a ‘Web Browser’ in the FW, set D+ to Paranoid Mode and set the FW to Safe Mode.
Firewall and Defense+ can handle it with proper config.
I got 6 alerts. Allowed 5 of 6. Alert #6 was blocked. And the test failed. If I start to block earlier (not waiting for the 6th alert) I get fewer alerts because the test fails earlier (the smallest value is 2 alerts, both blocked).
#1 firefox.exe tries to modify protected registry key HKLM…\JavaQuickStarterService
#2 firefox.exe tries to execute java.exe
#3 java.exe tries to modify protected registry key HKLM…\JavaQuickStarterService
#4 java.exe tries to access RPC/DNS service
#5 java.exe tries to access protected COM interface “Windows Sockets Interface”
#6 java.exe tries to connect to host 18.104.22.168 on port 80 [the only alert by the Firewall, the others are by D+]
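One way to make an alert sequence like the one above machine-checkable, as an added example that is not part of this thread or of CIS: a small Python parser over constructed alert lines modelled on the ones listed (the "#N process tries to action" line shape and the regexes are assumptions), which rebuilds the spawn lineage behind each outbound connection and reports the earliest "execute" alert whose denial would have cut that chain.

```python
import re

# Constructed alert lines modelled on the Defense+/firewall sequence reported
# above; the "#N process tries to action" shape is an assumption, not CIS log format.
SAMPLE_ALERTS = """\
#1 firefox.exe tries to modify protected registry key HKLM...\\JavaQuickStarterService
#2 firefox.exe tries to execute java.exe
#3 java.exe tries to modify protected registry key HKLM...\\JavaQuickStarterService
#4 java.exe tries to access RPC/DNS service
#5 java.exe tries to access protected COM interface "Windows Sockets Interface"
#6 java.exe tries to connect to host 18.104.22.168 on port 80
"""

ALERT_RE = re.compile(r"^#(?P<n>\d+)\s+(?P<proc>\S+)\s+tries to\s+(?P<action>.+)$")
EXEC_RE = re.compile(r"^execute\s+(?P<child>\S+)$")
CONNECT_RE = re.compile(r"^connect to host\s+(?P<host>\S+)\s+on port\s+(?P<port>\d+)$")


def parse_alerts(text):
    """Return (number, process, action) tuples; lines of any other shape are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append((int(m["n"]), m["proc"], m["action"]))
    return alerts


def egress_chains(alerts):
    """For each outbound-connection alert, rebuild the spawn lineage behind it and
    note the root-most 'execute' alert: denying that one severs the whole chain."""
    parents = {}  # child process -> (parent process, number of the execute alert)
    for number, proc, action in alerts:
        m = EXEC_RE.match(action)
        if m and m["child"] not in parents:
            parents[m["child"]] = (proc, number)
    chains = []
    for number, proc, action in alerts:
        m = CONNECT_RE.match(action)
        if not m:
            continue
        lineage, block_at = [proc], None
        while proc in parents:
            proc, exec_no = parents[proc]
            lineage.insert(0, proc)
            block_at = exec_no
        chains.append({"alert": number, "chain": lineage, "host": m["host"],
                       "port": int(m["port"]), "block_at": block_at})
    return chains
```

For the sample above it reports the chain firefox.exe -> java.exe reaching the network at alert #6, with alert #2 (the execute) as the cut point, matching the observation that blocking the spawn stops the later alerts.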
The bottom line. If you don’t like your browser or the web sites you’re visiting knowing your Internet IP address (which they really need, btw), then you need to use a proxy and perform the remote connect from a completely different IP address.
Kail, the web address I posted is a test site to test how accessible your network is, so it is not just any site.
As a side note, Java.exe is not listed in the D+ Computer Security Policy, so the question is for the COMODO Dev team: how come SeaMonkey installs a small Java program and executes java.exe without D+ even saying anything about it?
I have repeated the test, I manually set all SeaMonkey’s access rights to ‘Block’ and nothing changed; this looks like a clear flaw in CIS v3.12.
Pardon my ignorance, but you’re writing that my real IP is in every TCP header I send? Well, even so, why doesn’t D+ pop up something about it? IMO it should when SeaMonkey tries to install the Java program and when Java tries to run it, don’t you think?
Let me put it another way, how could a web site send you data and not know your Internet IP address? If they didn’t know your IP address, they couldn’t tell you that they could see it… if you know what I mean? You are in direct communication with them and that is based on their and your IP address. In short, they have to know it.
Yes, every TCP packet you send out contains your Internet IP address and the MAC address. Otherwise, it would be considered invalid and will not make it past the second hop (your ISP probably). If this was not the case, then nothing could be sent back anyway. Because it’s the IP address. You are initiating these connections.
OK kail, I get that, but my question then is still valid: D+ should pop up on the small Java program install and on Java trying to run it. I mean, I told D+ to block every single SeaMonkey access right and still D+ did nothing.
Recently I uninstalled CIS & Avast! Home, made a Registry cleaning (COMODO System Cleaner, NTREGOPT, and CCleaner), then installed both programs again; I updated from 3.11.x to 3.12.x a few days ago and made a ‘chkdsk’ on all partitions, so I don’t think it is my WinXP SP3, or is it?
Sorry, I missed your question. On default settings? A recent version? I’m not 100% sure to be honest, but maybe not. Java (Sun) is trusted; it’s possible that D+ wouldn’t bother the user about that. I guess it depends on exactly what it was and what the settings were in regards to it and SeaMonkey. Checking SeaMonkey’s D+ rules in detail to see how it has been set to ask/allowed/blocked for each element, and the allowed “Run An Executable” as well, would be good. Seeing what ended up in your CIS event logs might also prove useful.
Oh I know perfectly well that SeaMonkey is not Java; what I meant is that SeaMonkey should have been stopped since it was installing the small Java program and then calling the Java plug-in to run it.
I didn’t edit the default definitions for ‘Isolated app’ nor ‘Limited app’, I simply used them, and after trying the mentioned Security Policies I went to ‘Use Custom Policy’ and there I blocked everything.
But it’s OK now, I found the flaw (as I think it is a flaw): I checked the D+ logs and found all the messages that SS26 beepbeep found, all of them, and I also checked the ‘Trusted Vendors’ and yes, Sun and Mozilla were there. It didn’t occur to me that ‘Trusted Vendors’ would be adding more vendors as I trusted them from the apps. Very good COMODO, this is a great feature. :comodorocks: (:CLP) But this is the flaw: the ‘Computer Security Policy’ should precede the ‘Trusted Vendors’, in case I want some functionality crippled or want to activate some ‘Protection Settings’ just in case a virus has hijacked a program/app, or to monitor a possibly infected app/program, or for many other security reasons.
Oh I see, yes, it is indeed confusing, but anyway this feature can be added to the wishlist.
Mod dudes, can you please forward what we have discussed here to the devs? I think it is kinda important, not because I pointed it out but for security reasons. Or at least can you write me if this would be valid as worth a quick check by one of the devs? Or am I asking too much?
I’m just wondering how KIS is determining what to block. I would have thought that it was just blocking Java completely, but it appears that it is somehow selective. It’s odd that it apparently blocks the Java applet before it even loads. I would expect it to need to at least start downloading the code in order to determine whether it was malicious or not.
Unless, does KIS have a site blacklist feature buried in there somewhere? I know you said you gave it no input, but is it added by default?