comodo defense+ fails to block blocked exe and other results

i was for a long time very trustful in the comodo firewall. but, after a simple security test i found some strange behaviours of it. it was the pc security test 2009 from (download). i have set no rules for this test exe, and i run comodo in paranoid mode. everything is set to highest values. its not a setting problem. and i have auto update on.
after installing this test:

  1. comodo doesnt ask for this exe to be executed. it opens right after double click.
  2. comodo allow this exe to be executed EVEN when this exe is set “BLOCKED”.
  3. this program gets complete ability to execute any of its hardware changing functions: for example open cd rom, move mouse, set the screen black, hide the mouse cursor.

only when the program tries to change registry things, comodo asked. but, when the fan is set to shut off, i dont care for registry changes anymore…

what is about this? anyone has tested comodo with this test from

Do you have a url from where we can download the pc security test 2009 so we can take a look with you?

I dont mean to hijack this thread, but i belive this is the file.

I just tested it, the default configuration (Internet Security) for CIS does not catch this exe. :frowning:

Proactive security does block it.

Is there an English version of this anywhere? Unfortunately, my German is not what it could be :frowning:

If my link is correct… the only english version, is a 2007 version (v7.2.0), the 2009 version is German (v9.0.5)


(there is no 2009 english version :()

That’s what I found too. I ran the tests but I’m not totally sure what I’m being asked…

Looks like this program leaves a little present when it’s uninstalled. Check your %winroot%/system32 for a file called system32.exe.

I think it’s a FP, but one or two scanners see it as a potential baddie.

  1. comodo doesnt ask for this exe to be executed. it opens right after double click.I cannot confirm this in Proactive/Safe mode. Make sure to remove the program from the list of programs that may be executed by Explorer.

  2. comodo allow this exe to be executed EVEN when this exe is set “BLOCKED”. Cannot confirm either. When Explorer asks to start the program and I choose block it does not start up. D+ doesn’t have a block policy. You mean you set it to Isolated?

Its too late now to further study the workings of this program…

It only gets passed CIS with Internet Security config!!

I can confirmed that on 3 XP machines.

I didn’t even see the program get loaded, then again I was trying to understand what is was asking me, so I may have missed it first time around. That aside, there wasn’t a policy created for that exe in D+.

I’ll do some more tests later.

Ok, I’ve had time to take a better look at this now. After reading the English text on the 2007 version I could understand what it was doing. So, here’s the result:

[attachment deleted by admin]

So any dev’s looking at this, any feedback comming?

Unfortunately, without English documentation it’s impossible to understand how and what this program is trying to do.

I ran the tests, I did get a pop-up for notepad on the first run which I allowed, the second time I just denied it and the test finished. The mouse test finishes instantly, and the hardware test told me the cd was open, which it wasn’t.

I appreciate the last test makes the screen go black and hides the mouse, but I’m not sure what that proves. To understand if this is a risk we’d have to know what the program is attempting to do. From what I was able to understand, it just says the test pints the screen black…

Is there any additional Information available or maybe a PoC?

As for steam, are you sure it’s not simply using Internet Explorers connection settings as a great many other applications do?

D+ does NOT block the installer from launching. (at least on my 3 machines) So in a way D+ is bypassed.

(as far as i know its not on the Safe list)

I’m only saying what happened when I ran the tests. As I said, without documentation it’s impossible for me to test further.

AFAIK that access right is usually meant to provide a way to prevent an application to grab a screenshoot. Such technique can be tested using Anti-Keylogger Tester (AKLT).

When an alert is provided it will denied by default if the user will provide no answer after an user configurable (Defense+ Tasks > Advanced > Defense+ Settings >Keep an alert on screen for maximum (n) seconds ) timeframe which defaults to 120 seconds. In such cases the block action will be mentioned in D+ log (Defense+ Tasks > Common Tasks > View Defense+ Events)

BTW did you test again using Comodo - Proactive Security Config from CIS tray icon Configuration menu?

Did your test machines had Image Execution Control set to disabled and explorer.exe set to something else than Windows System Application (or equivalent) policy?

IIRC recent CIS versions should have been able to monitor the clipboard and mouse movements by triggering a Direct Keyboard alert.

Though it looks that the current CIS version cannot trap mouse hijacking anymore. ???

Nevertheless malicious actions ought to be automatically blocked even if the screen will supposedly turn black and your mouse cursor is gone.

Though I assumed mouse hijacking trapping was added few months ago whereas it looks like isn’t there, I’m curious as to if it was actually added or I was blatantly mistaken.

??? I did ask if you tested using the Comodo proactive config and I would still suggest you to try that if you haven’t done it yet to confirm if by any chance the proactive config defaults provide other improvements over your current settings or at least if you still don’t get Run an executable alerts like you mentioned in your first post.

like i have said before, It (installer) gets passed CIS in Internet Security mode. (proactive does block it)

Does this mean you were aware that your test machines had Image Execution Control set to disabled and explorer.exe set Windows System Application policy (which is what I asked to you)? ???