Comodo Firewall FAILS TERMINATION TEST

Hello everyone.

I’ve just created a tool that terminates cfp.exe (and other COMODO processes). I’ve attached it, and it requires the .NET Framework 2.0. Simply allow it to run and deny all other requests (like debug privilege, etc.)

Here’s how it does it:

  1. Unhooks all Nt* functions (many are hooked by CFP’s guard32.dll). This is done by going through ntdll’s exports and restoring the first 5 bytes of each function. This is the most important step.
  2. Looks for processes with a description containing “COMODO”.
  3. Opens each process with PROCESS_DUP_HANDLE access.
  4. Blindly calls NtDuplicateObject with values 0 to 10000, attempting to close all of the process’ handles.
  5. The process will be terminated.

Please provide feedback.

wj32.

Mod edit : termination tool removed (rather be too careful, than not careful enough) and forwarded to development team

Hi wj32,

Sure moderators will look at it and most likely will remove it.

Nobody should download that.

Even if you are right you have to send that to Comodo developers for testing.
They will run it test it and respond.

If attachment includes executables it could be just a malware sent.
I am not accusing you of doing that, but rules are rules.
Suspicious links should not be posted, suspected malware should be submitted as passworded archive to Comodo lab, and so on.

My regards

It would be interesting to know a response in this regard by one of the developer as soon as possible…

Txs…

+1

Thanks :stuck_out_tongue:

We are still waiting a feedback from development team …

+1 to wj32 if this in fact are killing CIS. =)

Unfortunately (or fortunately :)) this only works if ZwDuplicateObject is not hooked. This is the case on my Vista machine, but not on XP. Can someone else please verify that ZwDuplicateObject is not hooked?

It was only reported 8 hours ago. Exactly how quickly were you expecting a response, given that their development people are only just waking up?

Please be reasonable everyone.

Ewen :slight_smile:

I’m sorry, but our time zone is different from yours (BTW I don’t think ALL Comodo developers has yours) :wink:

We’re not asking for a patch, but only to a developer confirm of this issue…
Obviously the patch needs time…We’ll wait… :stuck_out_tongue:

last question: Why is this topic in Help-CIS section and not in Defense+ Bugs one?

Thanks,
Regards :slight_smile:

Hi kronos,

When I noticed the <>.zip attached and posted - the thread was somewhere else and alive.
Then it was inaccessible for a while.
Moderators removed attachment and moved the topic.

It happened so fast, I cannot tell where the thread was initially :slight_smile:

My regards

Thanks for testing CIS. But I did not see it terminating CIS in Windows XP 32. Matousec leak tests do the same while trying to terminate and bypass CIS.

If you believe otherwise, please give more details about how you tested etc…

Egemen

Egemen wj32 said some special case had to be in place and that it for him only worked on his Vista machine as well so maby vista is the OS you should run this bastard with:

=) But its to technical for me… Just saying…

I’ve just retested my program with a clean Vista installation + CIS 3.8. It still fails the test.

hi, wj32!

I’m quite sure that the breach you discovered has been fixed with the last beta2 (3.9.74199.494):
infact, among other things, in the changelog is clearly showed this,

FIXED! CIS handles can be closed in Windows Vista by attacker programs

Txs a lot for helping to point out this… :-TU

It would be interesting if some developers answer to this item. :-\

BTW the segnalation is 7 days old, and we’re still waiting for an official response (that honestly doesn’t seem to come).

Regards,
Kronos

How did you get the beta changelog? I searched Google and the COMODO website but I can’t find it… ???

In the release post: https://forums.comodo.com/beta_corner_cis/comodo_internet_security_3974199494_beta_released-t38039.0.html

11 days old …

The developers basically confirmed it in the beta changelog: “handles can be closed by attacker programs”.