defining rules

Is it advisable and if so how do I define a rule so that an internal program trying to reach my modem/router’s lan address 10.0.0.138 or the computer’s dead letter box 127.0.0.1 will not generate a popup warning? I believe that these addresses do not allow sending of information to the internet and I shouldn’t need a popup for them. Please correct if I am wrong.

Hi,

With the latest BETA, we have provided a better popup structure where an option to skip loopback packets is presented. But loopback connections are not harmless at all. If you skip TCP loopback connections, then an application can use another proxy application which listens on loopback to connect to the internet. This is not something uncommon. So if a firewall blindly allows all loopback connections, then there is a reasonable security risk.

Think of the following scenario:

1 - You have installed a transparent proxy server (proxy.exe) for security purposes so that it listens on 127.0.0.1. Let's assume all your outbound connections are redirected to this proxy and this proxy is the actual application that connects to the Internet.
2 - Virus.exe tries to connect to http://www.evilip.com
4 - Virus.exe will try to connect to 127.0.0.1, which in turn uses proxy.exe to connect to www.evilip.com
5 - Firewall detects virus.exe for 127.0.0.1 and since it is a loopback connection, it allows it.
6 - Firewall detects proxy.exe connecting to www.evilip.com and since proxy.exe is trusted, it allows it.
7 - Virus accessed the internet without being detected.

Hope this helps,
Egemen
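The scenario above as a small decision model, added here as an example; it is not CPF's code and not part of the post. The rule format, mailclient.exe, and the address 203.0.113.10 standing in for www.evilip.com are assumptions. It also shows a rule scoped to one application and the two addresses from the question as the alternative to skipping loopback globally.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    app: str   # process opening the connection
    dest: str  # destination IP address


TRUSTED_APPS = {"proxy.exe"}  # assumption: the user already trusted the proxy

# Hypothetical scoped rules: one named application, one exact destination.
SCOPED_RULES = [
    ("mailclient.exe", ipaddress.ip_network("127.0.0.1/32")),
    ("mailclient.exe", ipaddress.ip_network("10.0.0.138/32")),
]


def decide(conn, skip_loopback, rules=()):
    """Return 'allow' or 'prompt' for one outbound connection."""
    addr = ipaddress.ip_address(conn.dest)
    if skip_loopback and addr.is_loopback:
        return "allow"   # weak setting: loopback is never checked per application
    if conn.app in TRUSTED_APPS:
        return "allow"
    if any(conn.app == app and addr in net for app, net in rules):
        return "allow"   # popup suppressed only for this app and destination
    return "prompt"      # unknown application: ask the user


def run_scenario(skip_loopback, rules=()):
    # Constructed sample: the two connections from steps 4 to 6.
    chain = [
        Conn("virus.exe", "127.0.0.1"),
        Conn("proxy.exe", "203.0.113.10"),
    ]
    return [(c.app, decide(c, skip_loopback, rules)) for c in chain]


def leaks_silently(skip_loopback, rules=()):
    """True when every hop is allowed without the user seeing a popup."""
    return all(v == "allow" for _, v in run_scenario(skip_loopback, rules))


if __name__ == "__main__":
    print("skip loopback:", run_scenario(True))
    print("scoped rules :", run_scenario(False, SCOPED_RULES))
```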

Egemen,

If I had happened to check that box (for no other reason than… curiosity)… where would I go to undo that?

We haven't put some options in the BETA GUI yet. The release version will have the option in the advanced page.

I haven’t installed such a proxy, at least not knowingly. Does that remove the danger?

If you don't have a local proxy installed, loopback traffic can be ignored.

In internet options, connections, lan setup, no proxy is specified so this should confirm that I have no proxy installed. Can I now define a rule to prevent popups pertaining to my lan ip address (10.0.0.138) or the loopback address (127.0.0.1)?

Secondly, we can now connect this issue with my first question in Comodo Forum in which I asked about an app which generated a popup pertaining to communication with my lan ip address (10.0.0.138) as shown in the screen shot. I would like to prevent this kind of popup and correspondingly popups for communication with the loopback ip address (127.0.0.1).
I see that matters are beginning to come together and I await your response.
Many thanks.

P.S. I still cannot figure out whether to consider this plethora of popups an advantage or disadvantage and whether it indicates superior or inferior functioning of CPF in comparison with others say ZA. Do you have any comment?

Please bear in mind that some applications use the 127 loopback for their own purposes. F5 Networks SSL based clientless VPN installs an ActiveX or Java dynamic host proxy when you log in on an F5 VPN web page. No user intervention required, and it's removed at the end of the session.

There are others, but that’s the first one that comes to mind.

Ewen :)

I don’t have any such application installed

I was just pointing out that some programs set up their own internal proxy or otherwise use the 127 subnet for their own purposes. It was only offered so that people didn’t think “I’ve never explicitly installed a proxy, so the 127.0.0.X thingy can't be an issue.”

Cheers,
Ewen :)
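One way to check whether anything on the machine accepts connections over loopback, as an added example that is not part of the thread: parse `netstat -ano` output and list the TCP listeners bound to a loopback or wildcard address. The sample output and its PIDs are constructed.

```python
import ipaddress

# Constructed sample in the layout printed by Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:1110         0.0.0.0:0              LISTENING       1560
  TCP    10.0.0.5:49712         10.0.0.138:80          ESTABLISHED     3320
  TCP    [::1]:5354             [::]:0                 LISTENING       1804
"""


def listeners_reachable_on_loopback(netstat_text):
    """Return (bind address, port, pid) for TCP listeners that local
    programs can reach via 127.0.0.1 or ::1."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # unparsable address: skip the row
        # A wildcard bind (0.0.0.0 or ::) also answers on loopback.
        if addr.is_loopback or addr.is_unspecified:
            found.append((str(addr), int(port), int(fields[4])))
    return found


if __name__ == "__main__":
    for bind, port, pid in listeners_reachable_on_loopback(SAMPLE_NETSTAT):
        print(f"{bind}:{port} owned by PID {pid}")
```

On Windows, `tasklist /FI "PID eq <pid>"` names the process behind each PID, which shows whether a listener belongs to a proxy that was installed as part of another product.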

Hi,

At www.pcflank.com there is a test called PCFlankLeakTest.exe. Download it and test ZoneAlarm to see why CPF is superior. (Btw, this is just one example. As I recall you were seeing lots of OLE Automation popups, so this is an example test.) With CPF, you will have control over all harmful activities.

But again, if you want to install and forget, just select the “Automatically approve safe applications” option (over 10000 applications are recognized in the 2.2.0.11 database).

Or, you can go to the Security->Advanced section and disable the “Monitor COM/OLE requests” option, which ZoneAlarm does not have at all. Also, after making sure that “Security->Advanced->Basic popup logic” is enabled, CPF should not ask you anything except about suspicious activities.

We have already demonstrated with many examples that even the loopback (127.0.0.1) is not something you can trust easily. Many AV email scanner modules come with transparent proxies which make loopback traffic completely untrustable.

Unlike ZA, CPF is a full parent based firewall. This means your application checking is 2 times more than ZA. Just this feature alone causes more popups than ZA. So why do we check parent applications? Because without it, there can be no true application based outbound filtering that can not be bypassed.

In a couple of days, we will be releasing another proof of concept leak test called CPIL3, which ZA (6.5 Pro with highest settings) could not detect (none of the firewalls we tested could detect it), while CPF 2.2 is already capturing it proactively. (Note that when we found this technique, CPF 2.2 was already released and we did not know if it caught it or not, honestly. That's why our betas sometimes fail this test.)

This test will prove that without a proper parent check, all firewalls are bypassable or not proactive enough.

Hope this helps,
Egemen

Welcome to PCFlank Leaktest results page
I failed the pcflank leaktest with comodo:
Here are the results of PCFlank’s Leaktest for your firewall.

If you see the text you typed in the table your firewall flunked the test.

If your text is not shown, you either didn’t take the test, your previous IP address was different from your current one or your firewall successfully prevented the leak of data (i.e. passed this leak test).

IP Date Text
88.152.107.243 Jul 31, 2006 08:24:13 GMT My name is yokohama

If CPF showed a popup, asking you about pcflankleaktest.exe, then you passed the test. While using that test try to use different texts because it stores previous texts and confuses users.

If you did not see a popup at all, then let us know your CPF version and Application behavior analysis configuration.

Thx,
Egemen

The popup was for McAfee siteadvisor, not pcflank leaktest.

I also failed the browser privacy test (referrer): While visiting web sites your browser reveals private information (called ‘referrer’) about previous sites you have visited.

I passed stealth test, trojans test, and exploits test

If you saw this popup, and allowed it, then this means you allowed the leak test to connect to the internet. If you read the security considerations carefully, it warns you about the parent application for McAfee siteadvisor, which is iexplore.exe.

Egemen

Now I don’t recall whether the popup mentioned leaktest in the lower panel. What can I do to make the popup show again? Maybe I am beginning to understand how this works.

You can simply retest. Just start internet explorer and then rerun the test to see what sort of popups it will produce.

This time there was no popup at all