Did Comodo Firewall pass the LeakTests successfully?

Returned Explorer.exe rule to block. Returned svchost.exe rule to allow. Closed CPF and rebooted system. Wallbreaker went through on 1, 3 and 4. Changed svchost to block. Wallbreaker was stopped on 1, 3, 4 (and 2 of course).

Well this is really puzzling me ??? svchost is never part of the picture when I run any of the wallbreaker tests. One more thing, if I even remove the block explorer.exe rule with userinit.exe as the parent app, I am still prompted to allow or deny the connection attempt.

Hmmm, do you have svchost connecting to any IP address? This is bugging me and I will keep trying to find out what is going on. The trouble is that svchost cannot be totally blocked. It is required for DNS lookups (well, there is a way around that, but more on that later) and also MS updates and DHCP renewals. More on this later :slight_smile:

If I remember correctly, when I ran the Wallbreaker tests (except for #2) the warning was that svchost.exe was trying to connect to the internet through iexplore.exe. But I am sure there was no mention of Wallbreaker (except #2).

BTW, Here is a picture of my log when Wallbreaker is successfully stopped.

[attachment deleted by admin]

Well, one discovery here is that if I first open Internet Explorer I also fail Wallbreaker tests 1, 3 & 4. There are no prompts whatsoever. As long as IE is closed when I start the tests, Comodo passes them all. This is strange and something I’ll need to look into more. Maybe someone has an answer?

WB is designed to leak via IE, so as long as IE is closed, it will not leak.
The same situation happened, when I was trying WB with Outpost Pro.
Although, Outpost was not able to block all leak tests, not even all WB.

As long as the “Do not show comodo certified applications” option is not selected, CPF must always show you a popup no matter whether IE is open or not.

Just make sure you do not have an IPC rule for “explorer.exe OLE Automate iexplore.exe” in HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC

Look for an entry with filename iexplore.exe and see if there are any subkeys with filename explorer.exe.

This can be the only case. Otherwise, without an IPC rule created, CPF must always show you a popup whether IE is open or not.

Egemen

Hi Egemen,

The “Do not show comodo certified applications” option is not selected, and there is no rule for “explorer.exe OLE Automate iexplore.exe” in HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC.

As long as IE is first open, there are no prompts for tests 1 & 3. My mistake on test 4. It does not even get off the ground. A task is scheduled 1 minute later but nothing ever happens.

One other thing that is puzzling and gets me thinking this test might be somewhat flawed. It shows my ip address as aaaa.bbbb.cccc.dddd when it is actually eeee.ffff.gggg.hhhh. The ip address it shows is, I believe, one of my ISP’s servers (proxy maybe?? a tracert seems to indicate this). Even after the tests 1 & 3 have launched, I check the logs and the remote connections go only to that second ip. Nowhere else.

Just to confirm, if IE is not open, Comodo stops Wallbreaker on my system.

Forget my last post. Open or closed, Wallbreaker gets through Comodo unless I block svchost.exe

You know, I don’t have a single application rule where svchost is a parent. I figured maybe you have it as a parent process because your DNS client service might be turned off, so I stopped mine and did some surfing, but there is never any prompt where svchost is an attempted parent process. Well, I’m baffled again ???

I do have the DNS client service turned off. It was recommended to be turned off because I have a large HOSTS file (hpguru’s hosts file). Try the Windows Update site. Just in case, remember you have to have “Do not show alerts for the applications certified by COMODO” unchecked and Alert Frequency Level set to “Very High”.

FYI, this is what is logged when Wallbreaker gets through Comodo. And BTW, you are right: for some reason, if IE is closed Wallbreaker fails, but if IE is running it opens another instance and gets through. Maybe Wallbreaker is “cheating”?

[attachment deleted by admin]

Yes to these settings:

You have to have “Do not show alerts for the applications certified by COMODO” unchecked and Alert Frequency Level set to “Very High”.

I tried the Windows updates but still no prompt for svchost trying to be a parent. As expected, svchost makes several connections using ports 68, 80 and 443 with services.exe acting as its parent.

You mention using a hosts file. I can’t see how that would elicit svchost as a parent process. On my system I use Ad Muncher for blocking adverts and pop-ups, so I can’t be sure how the hosts file might play a part, except that, if memory serves, it just redirects blacklisted IPs to the localhost address.

I get the same results: as long as I have “do not show applications certified by comodo” unchecked and IE is closed, Comodo passes all tests for Wallbreaker 4.0. But if IE is open before the test, 1, 3 and 4 fail every time. Although for me I do not have to set the alert frequency to high. So far I’ve only used one firewall that passes all the known leak tests with ease, and that’s Jetico. But a lot of people say it’s too confusing to use. But Comodo has great potential; it’s the only other firewall that even comes close. (R)

Please do the following:
1- Delete the HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC key
2- Restart your PC
3- Open IE and retest.

CPF passes 4 more tests (Breakout1, Breakout2, Jumper, CPIL3) than the firewall you mentioned. That firewall is coming close to CPF, not the other way round.

Egemen
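An added example, not code from the thread or from Comodo, that covers both of Egemen's posts above: it looks under the CPF IPC key for an "explorer.exe OLE Automate iexplore.exe" rule (an iexplore.exe entry with an explorer.exe subkey), and backs the key up before deleting it as in step 1 of his instructions. It assumes, since the thread does not say, that each IPC rule is a subkey holding the application path in a string value, so every string value is searched for the file name rather than a specific value name.

```powershell
# Added example, not code from the thread or from Comodo. Assumption: each IPC rule
# is a registry subkey whose application path sits in some REG_SZ value; the value
# name is not given in the thread, so all string values under a rule are searched.
$IpcKey       = 'HKLM:\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC'
$IpcKeyForReg = 'HKLM\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl\IPC'

function Get-StringValues([string]$KeyPath) {
    # Return all REG_SZ data under a key, ignoring PowerShell's PS* metadata properties.
    (Get-ItemProperty -Path $KeyPath).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Value }
}

function Find-IpcRule {
    # Rules whose entry names $Parent and whose subkey names $Child, as "entry\subkey".
    param([string]$Parent = 'iexplore.exe', [string]$Child = 'explorer.exe')
    $hits = @()
    if (-not (Test-Path $IpcKey)) { return $hits }   # no IPC rules recorded at all
    foreach ($rule in Get-ChildItem -Path $IpcKey) {
        $names = Get-StringValues $rule.PSPath
        if (-not ($names | Where-Object { $_ -like "*$Parent" })) { continue }
        # Subkeys of a matching entry are assumed to hold the other party of the rule.
        foreach ($sub in Get-ChildItem -Path $rule.PSPath) {
            $subNames = Get-StringValues $sub.PSPath
            if ($subNames | Where-Object { $_ -like "*$Child" }) {
                $hits += "$($rule.PSChildName)\$($sub.PSChildName)"
            }
        }
    }
    return $hits
}

function Remove-IpcKeyWithBackup {
    # Step 1 of the instructions, with a .reg export first so the rules can be restored.
    $backup = Join-Path $env:TEMP ("cpf-ipc-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $IpcKeyForReg $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $IpcKeyForReg failed; key not deleted." }
    Remove-Item -Path $IpcKey -Recurse
    return $backup
}

$found = Find-IpcRule
if ($found) { "IPC rules linking explorer.exe to iexplore.exe: $($found -join ', ')" }
else        { "No explorer.exe/iexplore.exe IPC rule found under $IpcKey" }
# For steps 1-3: $backup = Remove-IpcKeyWithBackup; then reboot, open IE and retest.
```

Run it from an elevated PowerShell session, since the key lives under HKLM.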

Followed your directions and yes, I did start to get a popup warning even with IE already opened. However, as you can see in the attached picture, there is no mention of Wallbreaker as the offending program. This time I, of course, knew it was Wallbreaker and clicked on deny. However, if I just looked at the popup with no other information I would probably allow the connection. I am not trying to nitpick because CPF, in my opinion, is the best firewall I have found so far. I am more curious than dissatisfied. At least I learned not to blindly let EXPLORER connect to whatever it wants.

[attachment deleted by admin]

Yes. CPF does not go further in the chain. Some WB tests use explorer->svchost->iexplore or explorer->OLE explorer->iexplore.

We intentionally left out further checks because we will be providing a HIPS mode for CPF, which will be responsible for analyzing further possibilities instead of adding more confusion to alerts. In the case of the WB tests, trojans use better techniques to bypass firewalls than just using the “ShellExecute” function.
So until HIPS-enabled CPF, which will also control process creation, we intentionally left out further checks, which would include wallbreaker.exe in the security considerations section.

Hope this helps,
Egemen