BOClean blocks GRC leaktest as trojan

I ran the GRC leaktest from GRC | LeakTest -- Firewall Leakage Tester to test my firewall (CFP–it passed, of course), but I noticed that now, with BOClean installed, it never gets to the firewall at all because it is blocked as a trojan. No big deal, but I thought I’d put it out there in case this was an unknown issue. It doesn’t seem to me that BOClean should be blocking a legitimate firewall leak test. Is there a reason it does?

I really like this product. I haven’t really had to think about it since the installation and haven’t had any bad-ware to remove either. Maybe a coincidence, but I’m happy just the same.

hello… BOC has detection for GRC’s “leaktest” so that people can use “leaktest” for testing to see if BOC is working properly, so yes, it was proper for BOC to flag it…

GRC’s “leaktest” has been used for testing BOC for a long time…

Plus, a lot of these leaktests emulate trojan/trojan activity, so such a thing would certainly be within the purview of BOC.

LM

I’m not sure I understand. Why would people use a firewall leak test to check a non-firewall anti-malware product? If I understand correctly, all the test does is try to make an outbound internet connection, and the only thing you’re looking for is that your firewall either blocks the connection or asks you whether you want to allow it. It’s as basic as it gets. This is not in and of itself something an anti-malware product looks for, is it? I mean, lots of programs make outbound internet connections.

I may be wrong, but it seems to me that this test would be completely invalid for testing anything other than a firewall. I’ve never seen any other anti-malware product intercept it. In any case, it’s not a trojan.

And apparently there was a new post while I was writing this. Is anyone here familiar enough with this particular leak test to know what about it might be considered to emulate trojan activity? It’s hard for me to imagine since, as I said, its function is so basic.

I agree with citizenphil. BOClean should be aware that Gibson’s leaktest is NOT a trojan and allow it to be used to test the firewall.

Why not just pause BOClean when you want to test your firewall with the leaktest?

using “leaktest” to test BOC is like using the “eicar” test file for testing your antivirus program… BOC flags “leaktest” the same way that your av program flags the “eicar” test file…

using “leaktest” for testing BOC has nothing to do with using “Leaktest” for testing your firewall…

if you want to use “leaktest” for testing your firewall, just close BOC when you want to run “leaktest” so that “leaktest” will be allowed to run…

The following is pulled straight from GRC. I have highlighted some areas for pertinence.

Introducing LeakTest

This site has been most well-known for its FREE ShieldsUP! Internet security test. Crucial as it is to protect yourself from malicious hackers outside, those bad guys represent only half of the threat. The Internet has proven to be an extremely fertile transportation medium for all manner of nasty Trojan horse programs, rapidly proliferating viruses, and privacy invading commercial spyware. As a result, it is no longer true that all of the potential problems reside outside the computer.

Not only must our Internet connections be fortified to prevent external intrusion, they also provide secure management of internal extrusion. Any comprehensive security program must safeguard its owner by preventing Trojan horses, viruses, and spyware from using the system’s Internet connection without the owner’s knowledge. Scanning for the presence of Trojans, viruses, and spyware is important and effective, but if a piece of malware does get into your computer you want to expose it immediately by detecting its communication attempts and cut it off from communication with its external agencies.

LeakTest Ensure that your PC's personal firewall can not be easily fooled by malicious "Trojan" programs or viruses. Thanks to this first version of LeakTest, most personal firewalls are now safe from such simple exploitation.

The majority of leaktests emulate some sort of trojan or other malware activity. This is different than a legitimate application wanting to connect to the internet for the purpose of updates or otherwise “phone home.” However undesired that may be, it is somewhat legit, and the application is doing it by itself. Leaktests, as well as trojans and other malware, attempt to hijack other applications or system resources in order to gain access to the internet; they are not capable of such a connection by themselves. The idea being that if they could direct-connect, they’d be easier to spot; thus, they try to hide within the context of another, more legit application.

In this case, it’s trying to hijack the browser. A rough idea of the process. Browser is running, connected to the internet. Leaktest is downloaded and run. On execution, Leaktest tries to inject its code into the browser. If it is successful, this injection will attempt to access the browser’s internet connection to use for its own purpose (such as to contact GRC to verify the leak). So the injection of code comes before (even if only nanoseconds) the connection hijack. This is how it emulates trojan activity.

Hope that helps,

LM

PS: Not all leaktests will trigger BOC. CPIL and PCFlank are two I know of that don’t. There are also other specific anti-trojan tests (that would be more akin, IMO, to the eicar test), such as TrojanSimulator.

PPS: Some users have posted that while trying to even download various test files like this, their AV kicks it out. At least BOC waited until you ran it… :wink:

I suppose that could explain it, then. And I am aware that I could temporarily disable BOClean to test the firewall; that’s not my concern. I meant the original post mostly to be a potential bug report, but if the program is just doing its job, no problem.

However, I don’t think the leak test in this case was attempting to inject its code into the browser. I had it saved to my Program Files folder and attempted to run it as a standalone with the browser closed, as opposed to letting the browser open it immediately after the download. I believe that when I run the test, CFP reports that leaktest.exe is trying to access the internet with Explorer (as in Windows Explorer, not IE) as the parent app–basically, a straightforward “phone home” attempt like any other–which I think is all this particular test is designed to do. My impression is that the talk on the GRC page about trojans and spyware is simply pointing out that a firewall should allow the user to know every application that attempts to make any sort of internet connection to prevent anything malicious from connecting silently.

I hope this information is helpful. Unfortunately I’m not at the same computer right now and can’t verify with absolute certainty everything that I’ve said, but I’m pretty sure that’s the way the test was working. If it would be of any use, I’ll check again. Otherwise…well, I’ll shut up about this one. Consider the bug (?) reported.

Cheers, everyone!