hello.
i was for a long time very trustful in the comodo firewall. but, after a simple security test i found some strange behaviours of it. it was the pc security test 2009 from heise.de (download). i have set no rules for this test exe, and i run comodo in paranoid mode. everything is set to highest values. its not a setting problem. and i have auto update on.
after installing this test:
comodo doesnt ask for this exe to be executed. it opens right after double click.
comodo allow this exe to be executed EVEN when this exe is set “BLOCKED”.
this program gets complete ability to execute any of its hardware changing functions: for example open cd rom, move mouse, set the screen black, hide the mouse cursor.
only when the program tries to change registry things, comodo asked. but, when the fan is set to shut off, i dont care for registry changes anymore…
what is about this? anyone has tested comodo with this test from heise.de?
comodo doesnt ask for this exe to be executed. it opens right after double click.I cannot confirm this in Proactive/Safe mode. Make sure to remove the program from the list of programs that may be executed by Explorer.
comodo allow this exe to be executed EVEN when this exe is set “BLOCKED”. Cannot confirm either. When Explorer asks to start the program and I choose block it does not start up. D+ doesn’t have a block policy. You mean you set it to Isolated?
Its too late now to further study the workings of this program…
I didn’t even see the program get loaded, then again I was trying to understand what is was asking me, so I may have missed it first time around. That aside, there wasn’t a policy created for that exe in D+.
Ok, I’ve had time to take a better look at this now. After reading the English text on the 2007 version I could understand what it was doing. So, here’s the result:
Unfortunately, without English documentation it’s impossible to understand how and what this program is trying to do.
I ran the tests, I did get a pop-up for notepad on the first run which I allowed, the second time I just denied it and the test finished. The mouse test finishes instantly, and the hardware test told me the cd was open, which it wasn’t.
I appreciate the last test makes the screen go black and hides the mouse, but I’m not sure what that proves. To understand if this is a risk we’d have to know what the program is attempting to do. From what I was able to understand, it just says the test pints the screen black…
Is there any additional Information available or maybe a PoC?
As for steam, are you sure it’s not simply using Internet Explorers connection settings as a great many other applications do?
AFAIK that access right is usually meant to provide a way to prevent an application to grab a screenshoot. Such technique can be tested using Anti-Keylogger Tester (AKLT).
When an alert is provided it will denied by default if the user will provide no answer after an user configurable (Defense+ Tasks > Advanced > Defense+ Settings >Keep an alert on screen for maximum (n) seconds ) timeframe which defaults to 120 seconds. In such cases the block action will be mentioned in D+ log (Defense+ Tasks > Common Tasks > View Defense+ Events)
BTW did you test again using Comodo - Proactive Security Config from CIS tray icon Configuration menu?
Did your test machines had Image Execution Control set to disabled and explorer.exe set to something else than Windows System Application (or equivalent) policy?
Nevertheless malicious actions ought to be automatically blocked even if the screen will supposedly turn black and your mouse cursor is gone.
Though I assumed mouse hijacking trapping was added few months ago whereas it looks like isn’t there, I’m curious as to if it was actually added or I was blatantly mistaken.
??? I did ask if you tested using the Comodo proactive config and I would still suggest you to try that if you haven’t done it yet to confirm if by any chance the proactive config defaults provide other improvements over your current settings or at least if you still don’t get Run an executable alerts like you mentioned in your first post.
Does this mean you were aware that your test machines had Image Execution Control set to disabled and explorer.exe set Windows System Application policy (which is what I asked to you)? ???
