Comodo passes new Matousec test

Matousec has a new tool and Comodo 2.4 passed without flaws.

I hope this is not old news.

Too late ;D

Almost all firewalls vulnerable when SSDT hooks are implemented.

Hooking kernel functions by modifying the System Service Descriptor Table (SSDT) is a very popular method of implementation of additional security features and is used frequently by personal firewalls and other security and low-level software. Although undocumented and despised by Microsoft, this technique can be implemented in a correct and stable way. However, many software vendors do not follow the rules and recommendations for kernel-mode code writing and many drivers that implement SSDT hooking do not properly validate the parameters of the hooking functions.


Almost every piece of software that implements SSDT hooks is vulnerable to the bug we introduce in this article. BlackICE PC Protection, G DATA InternetSecurity, Ghost Security Suite, Kaspersky Internet Security, Norton Internet Security, Online Armor Personal Firewall, Outpost Firewall Pro, ZoneAlarm Pro, Process Monitor and RegMon are just a few examples of badly written, not properly tested, vulnerable software.

There were only two personal firewalls that passed our argument validation testing successfully, Comodo Personal Firewall and Sunbelt Personal Firewall.

Our tests revealed that the current versions of these products are probably not vulnerable, but earlier versions of both these personal firewalls contained the bug and they were both fixed after our notifications to their vendors. So in fact, the only product that passed the tests was Daemon Tools.

We also found many articles, tutorials and papers that described either SSDT hooking or other driver code and contained improper parameter validation. Even more disturbing is that these bugs are present in professional software products and also in official Sysinternals (Microsoft) tools – Process Monitor and RegMon. Even Mark Russinovich and Bryce Cogswell, the authors of these tools and two of the most famous Windows kernel hackers, seem to have forgotten about validation in their tools. Process Monitor and RegMon have been vulnerable for ages.

We advise all vendors of affected products to download and use our tool and/or contact us and order our software testing services.
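As an added example (not from this thread, Comodo, or Matousec's tool), here is a user-mode C model of the argument check an SSDT hook must perform before it touches a caller-supplied pointer. The range and alignment rules follow what the kernel's ProbeForRead/ProbeForWrite enforce; the 0x7FFF0000 user/kernel boundary (2 GB split on x86), the simulated original syscall and the hook itself are assumptions made so the code runs outside the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed value of MmUserProbeAddress on 32-bit Windows with a 2 GB user split. */
#define MM_USER_PROBE_ADDRESS        0x7FFF0000u
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* Returns an NTSTATUS-style code saying whether [addr, addr+len) is an aligned
 * buffer that lies entirely below the user-mode boundary. A hook that skips this
 * and dereferences the pointer directly is exactly the class of bug the Matousec
 * test triggers: the caller can hand it a kernel address or a wrapping length. */
uint32_t probe_user_buffer(uint32_t addr, uint32_t len, uint32_t alignment)
{
    if (len == 0)
        return STATUS_SUCCESS;                 /* empty buffers are accepted */
    if (alignment > 1 && (addr % alignment) != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr)                     /* addr+len wrapped around */
        return STATUS_ACCESS_VIOLATION;
    if (addr + len > MM_USER_PROBE_ADDRESS)    /* crosses into kernel space */
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Simulated original service; in a real driver this is the pointer that was
 * saved when the SSDT entry was overwritten. */
static uint32_t original_syscall(uint32_t out_handle_ptr)
{
    (void)out_handle_ptr;
    return STATUS_SUCCESS;
}

/* Hardened hook for a service taking an output HANDLE pointer. Only user-mode
 * callers are probed: a kernel caller legitimately passes kernel addresses, which
 * is why real hooks consult ExGetPreviousMode() before probing. */
uint32_t hooked_syscall(uint32_t out_handle_ptr, bool caller_is_user_mode)
{
    if (caller_is_user_mode) {
        uint32_t st = probe_user_buffer(out_handle_ptr, sizeof(uint32_t), sizeof(uint32_t));
        if (st != STATUS_SUCCESS)
            return st;                         /* reject before any dereference */
    }
    return original_syscall(out_handle_ptr);
}
```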


For me Comodo is the winner; the big advantage over Sunbelt is that it's free. I am a beta tester / coder working for Sunbelt, who always was the first in investigating test results done by third parties seriously and responds really fast if vulnerabilities were found and confirmed by our test team. I was amazed Comodo was the first to fix the bug this time. Thumbs up to Comodo's free firewall and, for that matter, all free software; I am testing it right now and it seems to work great. I'll sure spread the word on my website and forums in the Netherlands.

The major Dutch Security site translated part of the original report and spread the story throughout the Netherlands.

Read the original test report on

Well done Comodo. (R)

Z. 88)

Zocor: welcome to the forum.

As you can see, this has already been posted before, so I moved your thread here.

Oops, sorry Soya Lv. 4, I had not checked; I am a little over-enthusiastic sometimes. I landed on this forum because I read the story on. Anyway, nice to be here; I'll have a better look at the forums next time. Your firewall is on the test bench here, and the first impression is awesome.

Cheers, Z. (:CLP)