Did Comodo Firewall passed successfully LeakTests ?

pstein · September 9, 2006, 7:14am

Did Comodo Firewall successfully passed the LeakTests described on the following pages:

AJohn · September 9, 2006, 8:47am

The GRC link is not needed as firewallleaktester.com covers the method used there.

The answer to your question is yes.

PC_Junkie · September 9, 2006, 12:49pm

When testing them it passed all except wallbreaker v4.0. wallbreaker has 4 separate tests in that little program and it failed the 1st one, passed the second, and failed the last 2. Not sure if anyone else is aware of this, if you get the chance please someone else go test and please reply. i would like to see if maybe it might have something to do with my settings or if it indeed is the firewall.
                                                                                                             
                                                                                                            Thanks!

dlhan · September 9, 2006, 2:00pm

I got the same results as you with version 2.3.5.62. However Comodo’s previous version, if I remember correctly, passed all 4 tests.

cprtech · September 9, 2006, 3:04pm

Yes, I also remember the previous version passing all 4 tests. Unfortunately I can’t test this version 'til later this afternoon. Do you guys have the “parent path” being verified for explorer.exe and cmd.exe?

I would think that should be enough to enable Comodo to pass the first, 3rd and 4th tests.

egemen · September 9, 2006, 3:46pm

Disabling
Security->Advanced->Miscellaneous->Do not show alerts for the applications certified by comodo option should make CPF to show popups for those tests.

Egemen

cprtech · September 9, 2006, 4:52pm

Ahh, there you go! That makes perfect sense Did you run the leaktest egemen? I’m anxious to find out if Comodo can pass it.

dlhan · September 9, 2006, 5:17pm

This created masive popups asking if svchost could connect to internet through Internet Explorer. I created a rule that blocked internet access for svchost through Internet Explorer. It works to stop all Wallbreaker tests but unfortunately it also stops Windows Update. Still working on it but have decided the best for now is to just disable CPF when going to Windows Update. (I update manually).

cprtech · September 9, 2006, 5:41pm

The pop-ups are a good sign. Hopefully there is an indication that wallbreaker is the process attempting to launch svchost. That way it should be possible to deny permanently wallbreaker from launching other apps, while still allowing svchost to access Win updates.

dlhan · September 9, 2006, 6:04pm

There was no indication it was wallbreaker trying to access internet. All the popup says is that svchost is trying to access internet.

cprtech · September 9, 2006, 10:50pm

Just tried and Comodo passed all four Wallbreaker 4.0 tests. One of the keys is to make sure explorer.exe is blocked from Internet access. It should almost never need access for any reason, but for a few rare occasions (one is to read digital certificates, I think). I also got warned about wallbreaker acting as a parent process. Some screenshots below.

[attachment deleted by admin]

dlhan · September 9, 2006, 11:02pm

Comodo will warn about wallbreaker but only on test #2

dlhan · September 9, 2006, 11:46pm

This is the only configuration that stops all four Wallbreaker tests for me.

[attachment deleted by admin]

cprtech · September 10, 2006, 12:02am

Did you try creating a rule in Application Monitor to block explorer.exe from all outbound access? That should work.

Also, it looks as though wallbreaker.exe is the parent process in only test #2. I decided just to experiment and delete my block explorer rule and then run the tests again. I did get warned on test #1 that userinit as parent was trying to launch explorer.exe. I hit Deny and of course it blocked the test. I’m still trying to figure some things out to get a better understanding of how wallbreaker works. I guess it just comes down to having to be cautious and question anything that seems “out of the norm” When you stop to think about it, why would userinit want to launch explorer.exe and why would anyone simply allow that sequence of events to happen? That is obviously not a normal, frequently seen connection attempt.

In other words, if there is even an inkiling of doubt, just hit “Deny” without selecting “Remember”. If you find out it is a legit process requiring a necessary conenction, then all that’s needed to do is to invoke the connection attempt again and hit “Allow”.

dlhan · September 10, 2006, 12:19am

Here is the rule as I believe you stated. Still does not block Walbreaker 1,3 and 4 The only way I have been able to block all of the wallbreaker tests is to deny access internet access for svchost.exe.

[attachment deleted by admin]

dlhan · September 10, 2006, 12:24am

Sorry I posted the wrong picture. Here is the correct one.

[attachment deleted by admin]

cprtech · September 10, 2006, 12:49am

Actually, it is explorer.exe, not Iexplorer.exe Try creating a rule to block explorer.exe

dlhan · September 10, 2006, 1:45am

Please look again. It is Explorer.exe

cprtech · September 10, 2006, 1:52am

Okay, I see. I need a bit of time to research this.

cprtech · September 10, 2006, 2:08am

dlhan, I am noticing something kind of odd with Comodo. Please try logging off and log on again. Then try WB tests 1 & 3 once more. The rule you have looks perfectly good to me and should work.

I have noticed that if I select a decision on a rule without choosing “Remember”, I still need to log off my account then log on again for Comodo to “let go” of that decision.