Comodo fails Atelier Web Firewall Tester

Comodo fails Test 5 of Atelier Web Firewall Tester.

Technique 5: Performs a heuristic search for proxies and other running software authorized to access the Internet, loads a copy and patches it in memory before execution from within a thread on Windows Explorer. Very difficult test for PFWs! “Accesses cmdagent.exe and connects to the internet”.

Hi Scooter31,

Can you tell us which version of the product you have installed?
What is the OS version + SP level?

If it’s Firewall only, what did you answer on the ‘leak test’ page of the installer? It seems Defense+ is completely disabled; otherwise a product should not be able to access cmdagent.

Comodo Internet Security 2011 Complete: 5.5.195786.1383
Windows 7 Ultimate x64 SP1

Firewall Custom Policy
Defense+ installed with default settings with Safe Mode

Process taken for the test: downloaded AWFT, ran the installer, treated it as an installer. The installer tried to access the internet via explorer.exe and I blocked it. It then tried to access the internet via msi.exe; I blocked it. The installer finished. I ran Tests 1-4 and was able to block them, ran test 5 and it did what I posted before, ran 6 and was able to block it.

Also, the events from Defense+ say it was blocked from accessing cmdagent’s memory, but at the same time the active connections show my PC accessing the IP for the testing suite and AWFT says the test failed.

I don’t know the tool, but if you give it ‘Installer’ rights on execution this could be causing the ‘leak’.
I’ll see if I can test this thing in the coming week.

What process was accessing the mentioned IP address?

cmdagent.exe outbound only

When I installed AWFT I received just one prompt from D+ (Safe Mode) (image d1.jpg); this asked to allow setup to execute msiexec.exe. The first time the application is run it creates two entries under ‘Trusted Files’ (image tf.jpg). Because these are trusted, the application will silently use your default browser to make a connection. If you remove these ‘trusted entries’ you will receive numerous D+ alerts when the application is run.

I’m not sure why these trusted entries are created, as they’re still created even if setup.exe is removed from Computer Security Policy prior to launching the application for the first time. Also, the company (Atelier) doesn’t appear to be on the TVL; however, their setup.exe is signed by Comodo…

[attachment deleted by admin]