korben
August 13, 2009, 11:35am
#1
Date 13:28:13 - 2009-08-13
OS Windows Vista SP2 build 6002
RootkitInstallation: MissingDriverLoad Protected
RootkitInstallation: LoadAndCallImage Protected
RootkitInstallation: DriverSupersede Protected
RootkitInstallation: ChangeDrvPath Vulnerable
Invasion: Runner Protected
Invasion: RawDisk Vulnerable
Invasion: PhysicalMemory Protected
Invasion: FileDrop Vulnerable
Invasion: DebugControl Protected
Injection: SetWinEventHook Vulnerable
Injection: SetWindowsHookEx Vulnerable
Injection: SetThreadContext Vulnerable
Injection: Services Vulnerable
Injection: ProcessInject Protected
Injection: KnownDlls Vulnerable
Injection: DupHandles Protected
Injection: CreateRemoteThread Protected
Injection: APC dll injection Vulnerable
Injection: AdvancedProcessTermination Vulnerable
InfoSend: ICMP Test Protected
InfoSend: DNS Test Vulnerable
Impersonation: OLE automation Protected
Impersonation: ExplorerAsParent Vulnerable
Impersonation: DDE Vulnerable
Impersonation: Coat Vulnerable
Impersonation: BITS Vulnerable
Hijacking: WinlogonNotify Protected
Hijacking: Userinit Vulnerable
Hijacking: UIHost Protected
Hijacking: SupersedeServiceDll Vulnerable
Hijacking: StartupPrograms Vulnerable
Hijacking: ChangeDebuggerPath Protected
Hijacking: AppinitDlls Vulnerable
Hijacking: ActiveDesktop Vulnerable
Score 140/340
In short - FAIL
or fail BIG TIME
I’ve been trying to PASS the test for a couple of days
I uninstalled PC Tools Firewall Plus 5.0 [it gave me 180/340]
My AV - Avira 9.407
Vista SP2
Opera 9.64
I stumbled upon the guide on how to configure the firewall yet I keep failing.
My settings:
Net defense - safe mode
Proactive defense - safe mode
Yes, I am new to the field but would like to score more.
Any tips would be greatly appreciated.
system
August 13, 2009, 12:00pm
#2
If you haven’t already done so, change your configuration to proactive security and try again…
korben
August 13, 2009, 12:42pm
#3
Could you be more exact, please ?
Change what settings to what?
system
August 13, 2009, 12:51pm
#4
Right click on the CIS Icon in the system tray, select Configuration and click COMODO - Proactive Security.
By the way when you run the tests do you block each request?
korben
August 13, 2009, 1:27pm
#5
Somehow it never occurred to me to find out what’s under the right-click menu.
Proactive Security - check [I think it’s like this from the very beginning]
Still no better results…
By the way when you run the tests do you block each request?
I laughed reading this
Yes, it’s all pretty new to me but I learn rather fast.
Yes, I block requests as illustrated below…
In the meantime I tried to run Gibson’s Firewall Leak Testing Utility but blocked the first instance and it requires net access on 1st run. How to re-enable it?
system
August 13, 2009, 1:34pm
#6
It probably will have created a block rule in your firewall rules section, just select it, click remove and apply.
korben
August 13, 2009, 1:43pm
#7
Yup, found it in Net Security Policy.
Any other suggestions regarding COMODO Leaktest failure?
system
August 13, 2009, 1:54pm
#8
If you have chosen proactive security and have the firewall and D+ in safe mode, you should be good to go. I just ran the test in that configuration on a test system and it passed 340/340.
korben
August 13, 2009, 2:17pm
#9
proactive security and have the firewall and D+ in safe mode
check!
I looked into Net Security Policy and clt.exe was allowed.
I changed the settings to BLOCK and the test results are as follows:
COMODO Leaktests v.1.1.0.3
Date 16:14:24 - 2009-08-13
OS Windows Vista SP2 build 6002
RootkitInstallation: MissingDriverLoad Protected
RootkitInstallation: LoadAndCallImage Protected
RootkitInstallation: DriverSupersede Protected
RootkitInstallation: ChangeDrvPath Vulnerable
Invasion: Runner Protected
Invasion: RawDisk Vulnerable
Invasion: PhysicalMemory Protected
Invasion: FileDrop Vulnerable
Invasion: DebugControl Protected
Injection: SetWinEventHook Vulnerable
Injection: SetWindowsHookEx Vulnerable
Injection: SetThreadContext Vulnerable
Injection: Services Vulnerable
Injection: ProcessInject Protected
Injection: KnownDlls Vulnerable
Injection: DupHandles Protected
Injection: CreateRemoteThread Protected
Injection: APC dll injection Vulnerable
Injection: AdvancedProcessTermination Vulnerable
InfoSend: ICMP Test Protected
InfoSend: DNS Test Protected
Impersonation: OLE automation Protected
Impersonation: ExplorerAsParent Vulnerable
Impersonation: DDE Vulnerable
Impersonation: Coat Vulnerable
Impersonation: BITS Vulnerable
Hijacking: WinlogonNotify Protected
Hijacking: Userinit Vulnerable
Hijacking: UIHost Protected
Hijacking: SupersedeServiceDll Vulnerable
Hijacking: StartupPrograms Vulnerable
Hijacking: ChangeDebuggerPath Protected
Hijacking: AppinitDlls Vulnerable
Hijacking: ActiveDesktop Vulnerable
Score 150/340
10 points more - still weak
what can be wrong with my laptop settings? I’m clueless…
system
August 13, 2009, 2:30pm
#10
This might sound daft, but are you sure D+ is not in ‘Installation Mode’ when you run the tests?
Also, before doing anything else, review your settings and your entries in D+ Computer Security and Your firewall rules. As you’ve run these tests several times, there’s always a possibility something got left behind.
korben
August 13, 2009, 2:44pm
#11
Nope, the button that says Switch to Installation Mode - untouched.
I looked into Computer Security Policy and found the .exe
Changed the rules to BLOCK everything
the result:
Date 16:36:07 - 2009-08-13
OS Windows Vista SP2 build 6002
RootkitInstallation: MissingDriverLoad Protected
RootkitInstallation: LoadAndCallImage Protected
RootkitInstallation: DriverSupersede Protected
RootkitInstallation: ChangeDrvPath Protected
Invasion: Runner Protected
Invasion: RawDisk Protected
Invasion: PhysicalMemory Protected
Invasion: FileDrop Protected
Invasion: DebugControl Protected
Injection: SetWinEventHook Protected
Injection: SetWindowsHookEx Protected
Injection: SetThreadContext Protected
Injection: Services Protected
Injection: ProcessInject Protected
Injection: KnownDlls Protected
Injection: DupHandles Protected
Injection: CreateRemoteThread Protected
Injection: APC dll injection Protected
Injection: AdvancedProcessTermination Protected
InfoSend: ICMP Test Protected
InfoSend: DNS Test Protected
Impersonation: OLE automation Protected
Impersonation: ExplorerAsParent Vulnerable
Impersonation: DDE Vulnerable
Impersonation: Coat Vulnerable
Impersonation: BITS Protected
Hijacking: WinlogonNotify Protected
Hijacking: Userinit Vulnerable
Hijacking: UIHost Protected
Hijacking: SupersedeServiceDll Vulnerable
Hijacking: StartupPrograms Vulnerable
Hijacking: ChangeDebuggerPath Protected
Hijacking: AppinitDlls Vulnerable
Hijacking: ActiveDesktop Vulnerable
Score 260/340
we’re making headway here!
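The runs posted above differ by only a handful of lines, and the CLT score is nothing more than 10 points per Protected test (34 tests, 340 maximum). The script below is an added example, not part of this thread and not COMODO's own tooling: it parses a pasted CLT report, recomputes the score, checks it against the report's own "Score N/M" line, and diffs two runs so the tests that flipped (or regressed) are listed by name. The two embedded excerpts are the Invasion and Impersonation categories copied from posts #9 and #11, abridged for the example; the 10-points-per-test rule is an assumption inferred from the posted totals.

```python
"""Parse COMODO Leaktest (CLT) text reports, recompute the score and diff two runs.

Added example, not part of the forum thread or of CLT itself. Assumes the
report format shown in the thread: one "Category: TestName Protected|Vulnerable"
line per test and a trailing "Score N/M" line, with 10 points per Protected test
(assumption inferred from 34 tests scoring 340).
"""
import re
from typing import Dict, List, Optional, Tuple

POINTS_PER_TEST = 10  # assumption: 340/34 tests

RESULT_RE = re.compile(
    r"^(?P<category>[A-Za-z]+):\s+(?P<test>.+?)\s+(?P<status>Protected|Vulnerable)\s*$"
)
SCORE_RE = re.compile(r"^Score\s+(?P<got>\d+)/(?P<max>\d+)\s*$")


def parse_clt(report: str) -> Tuple[Dict[str, str], Optional[Tuple[int, int]]]:
    """Return {"Category: Test": status} plus the reported (score, max) if present."""
    results: Dict[str, str] = {}
    reported: Optional[Tuple[int, int]] = None
    for raw in report.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            results[f"{m['category']}: {m['test']}"] = m["status"]
            continue
        m = SCORE_RE.match(line)
        if m:
            reported = (int(m["got"]), int(m["max"]))
    return results, reported


def compute_score(results: Dict[str, str]) -> Tuple[int, int]:
    """Score the way the posted totals work out: 10 per Protected test, 10 per test max."""
    protected = sum(1 for status in results.values() if status == "Protected")
    return protected * POINTS_PER_TEST, len(results) * POINTS_PER_TEST


def score_matches(report: str) -> bool:
    """True if the report's own 'Score N/M' line agrees with its per-test lines (or is absent)."""
    results, reported = parse_clt(report)
    return reported is None or compute_score(results) == reported


def diff_runs(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Which tests flipped between two runs, and which are still Vulnerable after."""
    return {
        "fixed": sorted(t for t, s in after.items()
                        if s == "Protected" and before.get(t) == "Vulnerable"),
        "regressed": sorted(t for t, s in after.items()
                            if s == "Vulnerable" and before.get(t) == "Protected"),
        "still_vulnerable": sorted(t for t, s in after.items() if s == "Vulnerable"),
    }


# Constructed sample input: Invasion and Impersonation categories only,
# copied from post #9 (150/340 run) and post #11 (260/340 run), abridged.
RUN_150_EXCERPT = """\
Date 16:14:24 - 2009-08-13
Invasion: Runner Protected
Invasion: RawDisk Vulnerable
Invasion: PhysicalMemory Protected
Invasion: FileDrop Vulnerable
Invasion: DebugControl Protected
Impersonation: OLE automation Protected
Impersonation: ExplorerAsParent Vulnerable
Impersonation: DDE Vulnerable
Impersonation: Coat Vulnerable
Impersonation: BITS Vulnerable
"""

RUN_260_EXCERPT = """\
Date 16:36:07 - 2009-08-13
Invasion: Runner Protected
Invasion: RawDisk Protected
Invasion: PhysicalMemory Protected
Invasion: FileDrop Protected
Invasion: DebugControl Protected
Impersonation: OLE automation Protected
Impersonation: ExplorerAsParent Vulnerable
Impersonation: DDE Vulnerable
Impersonation: Coat Vulnerable
Impersonation: BITS Protected
"""


if __name__ == "__main__":
    before, _ = parse_clt(RUN_150_EXCERPT)
    after, _ = parse_clt(RUN_260_EXCERPT)
    print("before:", compute_score(before), "after:", compute_score(after))
    for label, tests in diff_runs(before, after).items():
        print(f"{label}:")
        for t in tests:
            print("   ", t)
```

Paste a full report (all 34 lines plus the Score line) into either string and `score_matches` will tell you whether the tool's own total agrees with its per-test lines; the diff is what to read after each settings change, since a regressed test points straight at the rule you just touched.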
system
August 13, 2009, 2:53pm
#12
As you say, getting there. But we’ve still a few holes in there somewhere. Have you created any firewall rules or D+ rules, or, more to the point, what are the rules that may have been created automatically in these two areas?
korben
August 13, 2009, 4:56pm
#13
I might have… I can’t remember… since almost all my actions are carried out using this method:
trial and error - everything is possible.
Should I make a screenshot of something?
korben
August 13, 2009, 5:54pm
#14
Date 19:50:41 - 2009-08-13
OS Windows Vista SP2 build 6002
RootkitInstallation: MissingDriverLoad Protected
RootkitInstallation: LoadAndCallImage Protected
RootkitInstallation: DriverSupersede Protected
RootkitInstallation: ChangeDrvPath Protected
Invasion: Runner Protected
Invasion: RawDisk Protected
Invasion: PhysicalMemory Protected
Invasion: FileDrop Protected
Invasion: DebugControl Protected
Injection: SetWinEventHook Protected
Injection: SetWindowsHookEx Protected
Injection: SetThreadContext Protected
Injection: Services Protected
Injection: ProcessInject Protected
Injection: KnownDlls Protected
Injection: DupHandles Protected
Injection: CreateRemoteThread Protected
Injection: APC dll injection Protected
Injection: AdvancedProcessTermination Protected
InfoSend: ICMP Test Protected
InfoSend: DNS Test Protected
Impersonation: OLE automation Protected
Impersonation: ExplorerAsParent Protected
Impersonation: DDE Protected
Impersonation: Coat Protected
Impersonation: BITS Protected
Hijacking: WinlogonNotify Protected
Hijacking: Userinit Protected
Hijacking: UIHost Protected
Hijacking: SupersedeServiceDll Protected
Hijacking: StartupPrograms Protected
Hijacking: ChangeDebuggerPath Protected
Hijacking: AppinitDlls Protected
Hijacking: ActiveDesktop Protected
Score 340/340
we made it!
Quill, thank you for this valuable lesson!!