CFP v3.0.13.268 DEFENSE+ (bugreports)

Sorry for my bad English (it’s not my native language).

Here are two bug reports for CFP v3.0.13.268 (final):

CPU: AMD AthlonXP 3800+ (x86 family 15 model 15 stepping 0 AuthenticAMD~2412 Mhz)
Operating System: Windows XP Professional with sp2 (5.1.2600 Service Pack 2 Build 2600)
Operating System Language: English
Active security/utility applications: Fresh xp pro installation (only PowerArchiver 2007 + Winsnap installed)
Comodo firewall Pro Version = 3.0.13.268
Installation directory = Default installation directory

Configuration Wizard:

Choice#1: Advanced Firewall with Defense+

Choice#2: Would you like your firewall to approve COMODO certified applications
and create the automatic rules for them = No, let me answer the firewall alerts

Choice#3: Do you frequently use the applications which require incoming connections…= Yes, I do

Choice#4: Custom Settings

Choice#5: Advanced Protection

Stopped Services:

ClipBook, Error Reporting Service, Network DDE, Network DDE DSDM
Remote Registry, Routing and Remote Access (default), Security Center
SSDP Discovery Service, System Restore Service, TCP/IP Netbios Helper
Telnet, Terminal Services, WebClient, Windows Firewall / ICS &
Wireless Zero Configuration

Modified Services:

Print Spooler = Manual, Indexing Service = Manual, Help and Support = Manual

Not Installed:

All Microsoft .NET frameworks + some updates


BUGS:

All the following bugs were found with CFP v3.0.13.268 after the software installation
(not a single setting was changed or modified & no BSODs before the bugs were observed)

BUG #1

Symptom:

MY PROTECTED FILES settings (with DEFENSE+) are ineffective (by default)

Proof of concept:

C:\Documents and Settings\user\Start Menu\Programs\Startup
Action (right-click for contextual menu): Create New folder
Result: CFP not blocking new folder creation
Action (right-click for contextual menu): Create New Text document
Result: CFP not blocking new file creation

%windir%\system32*
Action (right-click for contextual menu): Create New folder
Result: CFP not blocking new folder creation
Action (right-click for contextual menu): Create New Text document
Result: CFP not blocking new file creation

Reason:

1- Computer Security Policy / %windir%\explorer.exe / custom policy - access rights rules =
All default actions are set by default to: Allow All (except RUN an executable, which is set to ASK) - ALL of this without user approval.
2- %windir%\explorer.exe & Access Rights: EVEN if “RUN an executable” is set to “ASK”, “Allowed Applications” is polluted with many programs (again without user approval).

Confused? Me too.

Steps to resolve the problem:

Go to DEFENSE+/Advanced/Computer Security Policy,
double-click on %windir%\explorer.exe, click on “access-rights”,
restore all default actions to “ASK”, click on “modify” for “Run an executable”
and remove all allowed applications + Apply settings.
(Access Rights of %windir%\explorer.exe for “Keyboard” will change to “Allow”)

BUG #2

Symptom:

MY PROTECTED REGISTRY KEYS (DEFENSE+) are not protected (by default)

Proof of concept:

For: \Software\Microsoft\Windows\CurrentVersion\Run
Action: Regedit / New DWORD = New Value #1
Result:

  • Not blocked
  • Defense+ is learning & c:\windows\regedit.exe modifies the key HKUS\s-1-5-21-606747145-813497703-682003330-1003 Value #1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce is modifiable.

Picture: http://img406.imageshack.us/img406/6162/bug2wg7.jpg

For: HKLM\System\Software\Comodo*
Action: REGEDIT + HKLM\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Protected Keys, Delete “Protected Keys” Key
Result: Key “Protected Keys” Removed.

Reason: Unknown

Steps to resolve the problem: Unknown


:o ??? 88) :-X :frowning:

My bad! I forgot to mention that those two critical bugs were for the 32 BIT version of CFP v3.0.13.268 on a 32 bit version of M$ xp pro sp2 (just in case you haven’t figured it out). :wink: I hope there’s enough information now. If not, just let me know.

Hi,

I’m not 100% sure, but if I remember well, I saw somewhere on the forums that Terminal Services needs to be enabled for the correct operation of CPF. BTW, have you tried the built-in diagnostic utility on the Miscellaneous tab?

Terminal Services? Unless a CFP programmer posts a reply saying this service is VITAL for the normal operation of this firewall/HIPS and explains to me why in detail, I’ll never activate this service. For me, it sounds too much like a kind of backdoor. A firewall needing TS? That’s a first!

About the diagnostic utility, yes, I used it and nothing changed. If I remember well, there was a message saying that everything was OK.

Anyway, without going into details, I discovered three more bugs: the first one is that the logs disappear for unknown reasons, so the only way to see the logs is to click on the “more” button. The second one is the group button disappearing, again for unknown reasons, and the third is when I browse directories using CFP (e.g. windows/system32…), the program will crash with the following error: “An invalid argument was encountered”.

That’s a big total of 5 bugs, so my conclusion is that right now CFP v3.0.13.268 is FAR from being mature and decent. Even the GUI is horrible!

Anyway, if someone knows an alternative to CFP, tell me. ZoneAlarm is unusable because of the startup/shutdown delay bug, Outpost slows down the internet too much, so I’m out of ideas…

Btw, as DEFENSE+ is still unusable for many of us, a good alternative, I think, could be “Safety System Monitor”: http://www.syssafety.com/

For XP, I liked Kerio and Sygate better than Comodo 2, and much better than Zone Alarm. What capabilities do you need from your firewall? Sygate is totally dead, Kerio is close, but both work well under XP. And they allow careful monitoring of packet rules, along with outbound traffic analysis, although not with the details and sophistication of CFP3 with Defense+. Or wait until a little later this week, when Comodo says a bug fix version of 3.0 is coming out. I used the Vista firewall in preference to Zone Alarm 7.1 until Comodo 3 was released.

I’m not behind a router and need something light on resources. I’ll try Kerio or Sygate (thanks for the suggestions) + SSM.

Since you are not behind a router, you do not have the protection of NAT and will see and ignore a tremendous amount of internet noise traffic, as you probably observe. And you need good packet filter rules. For Kerio, Google “Blitzen Zeus Kerio” for a well reviewed basic set of protection rules to augment their default setup. KPF4 is still in limited development by the company that bought it from Kerio, which claims there might eventually be a Vista version. Sygate is a little more user friendly in terms of rule sets, and other than some concerns about proxies is also an excellent firewall. Sygate did not fail as a company; it was bought out and destroyed by Norton. Both are free, or at least have a free version that does everything you need. Good luck, and try Comodo 3 again too; it looks like it just needs a bit more seasoning to fix some individual inconsistencies.

Thank you so much for all the info, sded. And yes, I’ll try the next version of Comodo, as this firewall/HIPS has HUGE potential.

I retested v3.0.13.268 on my machine, this time with all the services untouched + no Windows updates, and all the bugs reappeared, so the problem isn’t because some of the services were disabled.
This time, no software has been installed, except the Nvidia nForce v6.86 drivers (for my nForce4 A8N-SLI Premium motherboard with RAID0 activated) and the Nvidia ForceWare driver v163.75.

I have no idea how to resolve the “MY PROTECTED REGISTRY KEYS are not protected (by default)” bug. Every time I change a registry key which is supposed to be protected, I get the message “Defense+ is learning & c:\windows\regedit.exe modifies the key HKUS\s-1-5-21-…” and the protected key ends up in the “Allowed Registry Keys” in the “access rights” section.

All the Process Access Rights for regedit.exe are set to “ASK”.

Any ideas on how to fix the problem?

What is your Defense+ security level?
If it is still in Clean PC mode, maybe that is the reason it always learns regedit as safe regardless of your custom settings. Try deleting all the rules of regedit and putting Defense+ to paranoid level for an experimental short period.

My Defense+ security level is “Train with Safe Mode”, so there’s a problem here, don’t you think?

If I delete all the rules of regedit and set Defense+ to paranoid level, I get the message: “regedit.exe is a safe application. It is about to modify the protected registry key HKUS\S-1-5-21-606747145-813497703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Runonce\New Value #1…”.

I presume you see what’s wrong:

  1. It’s ONLY working when I set it to paranoid
  2. As it’s set to paranoid, rules will not be created anymore
  3. The registry path seems a bit wrong, as the path I used was “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\New Value#1”, not HKEY_USER\S-1-5-21…, which means that point #1 isn’t right.

As the default action “ASK” of “Process Access Rights” for regedit.exe (and probably many other programs) doesn’t work, the only temporary solution (which we must call a rather lame fix) is to go to “Protected Registry Keys” by clicking on “modify”, add all the registry groups to “Blocked Registry Keys” and repeat the procedure for ALL the programs inside “Computer Security Policy”.

Is everybody else realizing this is true nonsense?

Now, the real questions to ask ourselves are:

  • Was this product really beta-tested with Windows XP Pro SP2?
  • If so, why are such lame bugs in the final version, considering that the discussed bugs were found on a freshly installed XP with not a single setting altered?
  • If I’m not asked for permission to change a registry key, will the software never ask for a specific permission and change something I don’t want?
  • If such ridiculous bugs are present for Defense+, can you just imagine the ones with the firewall?
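An added self-check, not code from the thread or from Comodo, for the two default-protection gaps reported above: Bug #1’s Startup and system32 folders and Bug #2’s Run/RunOnce keys. It assumes PowerShell 2.0 or later on the test machine; the marker name is a constructed placeholder. It also prints the HKEY_USERS\<SID> spelling of each HKCU key, which is the same key and is why the Defense+ alert names an S-1-5-21… path for a key edited under HKEY_CURRENT_USER.

```powershell
# Added self-check for Defense+ protected-path enforcement (not Comodo's code).
# Each probe writes a throwaway object into a location the report says is protected
# by default, reports whether the write got through, then removes what it created.
# On a working HIPS you expect an alert, or a denial that lands in the catch block.
# NOT BLOCKED with no alert means the host process (powershell.exe) was learned as
# allowed, which is the behaviour described in Bug #2.

$Marker = 'CFP_ProtectionSelfTest'   # constructed placeholder name

# HKEY_CURRENT_USER is an alias for HKEY_USERS\<SID of the logged-on user>, so an
# alert naming HKUS\S-1-5-21-...\Software\... refers to the key edited under HKCU.
$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

function Test-RegistryProbe([string]$SubKey) {
    $Path = "HKCU:\$SubKey"
    Write-Host "Registry probe: $Path  (same key as HKEY_USERS\$Sid\$SubKey)"
    try {
        New-ItemProperty -Path $Path -Name $Marker -Value 'probe' -PropertyType String -ErrorAction Stop | Out-Null
        $Written = Get-ItemProperty -Path $Path -Name $Marker -ErrorAction SilentlyContinue
        if ($Written) { Write-Host '  NOT BLOCKED: value was created' }
        else          { Write-Host '  write reported success but value is absent' }
    } catch {
        # An ACL denial looks the same here; check the Defense+ log to tell them apart.
        Write-Host "  BLOCKED: $($_.Exception.Message)"
    } finally {
        Remove-ItemProperty -Path $Path -Name $Marker -ErrorAction SilentlyContinue
    }
}

function Test-FolderProbe([string]$Dir) {
    $Target = Join-Path $Dir $Marker
    Write-Host "Folder probe: $Target"
    try {
        New-Item -Path $Target -ItemType Directory -ErrorAction Stop | Out-Null
        if (Test-Path $Target) { Write-Host '  NOT BLOCKED: folder was created' }
    } catch {
        Write-Host "  BLOCKED: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $Target -Force -ErrorAction SilentlyContinue
    }
}

# The four locations named in Bug #1 and Bug #2.
Test-RegistryProbe 'Software\Microsoft\Windows\CurrentVersion\Run'
Test-RegistryProbe 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
Test-FolderProbe ([Environment]::GetFolderPath('Startup'))
Test-FolderProbe (Join-Path $env:windir 'system32')
```

After a run, look in Computer Security Policy for a powershell.exe entry: if the probes were NOT BLOCKED and the tested keys appear under its “Allowed Registry Keys”, the auto-learning described in the thread is what let the writes through.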

Well, it was beta tested, and the majority of the recently discovered bugs were not found during the testing period. During the beta period I guess only a few thousand people tried CFP. Now that it is final, more than a million users have got it. If you just look at the numbers statistically, there is a much greater chance that weird and unknown bugs appear.

BTW, in your case I think we are not talking about a bug. It is, AFAIK, the normal operation of CFP. As regedit is a legit Windows application, it is considered safe unless it is modified. So changes made by it are also learned automatically if not set to paranoid mode. I only asked you to put it in that mode to check if CFP can capture the modification attempt. I think it is not a security risk to let it learn the actions of regedit, as normally regedit in itself won’t do you harm. Yet, if a malware tries to play with your registry, you should receive alerts. But I think I do understand your problem. I assume you don’t want to receive tons of popups (paranoid mode) but you want full control of regedit? We were told by a dev that if we don’t want to run something that is in the safelist we could block it; this meant for me that user settings take precedence over auto rules made by the safelist (I’m not sure though). I don’t know why your solution of setting the rights of regedit to “ask” didn’t work.
I also don’t understand the 2 different paths for the same reg key, although I’m not too familiar with the registry. A developer may clarify on it. It could be a bug, but it also could be that we don’t understand correctly the implementation of CFP.