In the last test “AntiTest.exe” was not a safe app and did not appear in the Computer Security Policy. Defense+ never asked me anything, so I think that is a weird bug or maybe I am missing something.
In proactive mode it asks me about giving permissions to the file, so in proactive mode it seems that Comodo PASSES all the tests.
Partial Solution
Originally Posted by Yanix
Hi,
It's for D+. To be protected against those 2 tests, go to the Defense+ menu, then open My Protected Files > Add > Search, copy-paste \Device\Usb#Vid* in the bar and confirm.
Then, again in the Defense+ menu, open My Protected COM Interfaces and do the same thing as before, but copy \RPC Control\AudioSrv in the bar.
One new line must be added at the end. Test again with antitest.exe; for me it works, I get an alert for the webcam access and the sound access too.
I checked this out and the only way I could even get the program to run was to allow its requests for control before it even allowed me to get to the test. Essentially I had to already have given it complete control in order for it to even start the test. This is why it failed.
I tried running the program and blocking its access and it wouldn’t even run. I think Defense+ with the sandbox disabled passes the test as the program cannot even run without permission. It appears there is no way to test Defense+ directly using this program.
Same results as Chiron. That test is bogus and Comodo will not allow it to even run. In order to get it to run you have to give it some kind of access, and even then it still won't run lol.
If you failed this test it’s because you allowed it to run when you should have blocked it if you didn’t have it running in sandbox or enabled. Honestly all the noobs should enable sandbox by default anyways.
There is nothing going to get past Comodo (CIS) except for one’s stupidity. There are tons of Comodo tests on youtube to back up my statement.
I think that you failed understanding the test.
There is nothing going to get past a pc without any security software except for one’s stupidity.
With “stupidity” (executing presumably unsafe files) it is very easy to get past Comodo, as somebody shows in the forums almost every day.
Anyway, the leaktest is still able to bypass the sandbox, like some “malware” has been able to do lately.
I have just discovered that during the test without the sandbox and with Defense+ in safe mode, the leaktest file was in “My Own Safe Applications”, but I can't understand how the file got there because I never made it safe or allowed it (I didn't check the option “remember the action…” either).
So I deleted it from “My Own Safe Apps” and ran the leaktest in safe mode without the sandbox, and I got the same results as with the proactive mode: tons of popups just trying to open the file, so I guess that Comodo passes all the tests.
Then I ran the test again in the sandbox (Proactive, Defense+ safe mode, sandbox enabled) and I got the same results, so the sandbox can be bypassed.
I ran this test for Comodo and then for Online Armor. I suppose it's allowed to run the test app itself. Sandboxed CIS failed Screen Shot 4 and sound logging. CIS with sandbox unchecked failed the clipboard test additionally. Online Armor detected and “popupped” all the loggers very smoothly, and named them what they were (Key Logger, Screen Logger, Sound Logger etc.), in contrast to CIS, which asked something that was hard to swallow. I didn't have to run the test sandboxed to protect the system. Plus CIS couldn't disable the Windows firewall, the same old trouble which could not be cured for a long, long time; OA did it easily.
Somebody will make these tests clearer; I don't have much time for that. I've tried to clean the trusted list and the app policy lists though.
Sorry, forgot to mention - firewalls only were installed without AV component.
I have a Defense Wall v3 on another system installed. AntiTest as untrusted has failed 2 tests - sound logger and clipboard. But I was unable to test web-camera and streaming as it is not present on the PC.
Hope that was useful, as this is the only test I made for CIS with a leak test not from Comodo, at least. It looks more… fair, I think.
In ‘Advanced’ task in Defense+, I set the Image Execution Control Setting from Normal to Aggressive and now Defense+ alerts when I attempt to run the AntiTest.exe from Spyshelter. Yee Haw!
Nice! But what's the point of “tuning” a firewall for a particular test? And another question: how long will you pay attention to the tons of popups in paranoid mode?
With D+ in Safe Mode, and Image Execution set to Normal with executable group added, I cannot get CIS to block Screen Capture Test #4. AntiTest will succeed on that one test every time. Sandbox being enabled for Unknown applications or not makes no difference; the test #4 still succeeds.
Initially I found it in “pending files” even though I’m not in Clean PC mode, so there shouldn’t have been any “pending” files. ??? Perhaps tied to Sandbox being enabled for unknown apps? Not sure.
D+ Logs showed it was attempting to access the following key at the time of the Screenshot Test #4:
HKLM\Software\Classes\CLSID{A943AF2F-972A-F1C0-0979-ACA3499C5FF5}
So I added HKLM\Software\Classes\CLSID* to my protected registry files in D+. Then it tried to send a message to CIS, which I chose to block. The test still succeeded.
I even created a D+ rule for the exe, with every Access Right set to Block by default. It still failed Screenshot Test #4.
Thus I concluded that something the app is doing when first launched must allow it to later capture the screen for test #4. Since CIS was not giving any initial popups when I executed it, I set Image Execution to Paranoid, as ss1ctm mentioned. That allowed me to see that it was attempting to access every DLL running on the system. It not only went through the whole list, it tried a few of them twice, even from applications completely unrelated to system operations; it was obviously “looking” for a foot-hold. Without those it couldn't launch or run at all.
All other tests CIS was able to intercept and block when I selected that option, even without Aggressive mode on Image Execution.
To Comodo Devs: Going back a ways, CFP v2.x had settings for DLL injection, which was massively annoying for all users… Is there some way for CIS to check for that w/o having to be “Aggressive” where we’re given an option to Block (or Allow) all DLL injection for an application (rather than having to respond to 50+ popups)? So kind of like one of the Access Rights settings…
Yeah, the fact that unless we got to Paranoid or Aggressive modes (or changing CIS’ default config from Internet to Proactive), it is able to launch and capture a screenshot w/o any user interaction is a little concerning. It’s obviously obtaining some privilege/access that CIS is not detecting or is seeing as benign.
Not too good. I know that CIS can be configured to stop it, but from an end-user standpoint, if OA stops it w/o any issue and CIS has to be “tuned” to do so, that’s not a plus…
Understandably there is reduced security in exchange for “user friendly” (ie, less popups). The thing that really concerns me about it is that if it’s able to launch/run at all, it’s able to capture at least one screenshot without the user being given even an opportunity to block it. To my way of thinking (however flawed that may be), reduced security for user-friendliness should still be able to stop that.
I PM’d egemen as well, and asked that he or someone from his team provide us some insight into what is going on. They’ve probably already tested this on their own…
Please give me an example of this malware via PM. Fact is, you’ll never find any real-world malware like this. But if you ever do, I’d be interested to test it haha.
Anyway, as has been said, Online Armor passes this, and therefore Comodo is losing this battle! Might be worth mentioning that OA Free fails it? Not sure if it does, but last time I checked, OA Free didn’t give much keylogger protection.