This guide should help you generate accurate test results when using Comodo Leak Test (CLT). This guide is meant for users of CIS 5 (also known as CIS 2011).
Note: there are specific circumstances when CLT reports very low scores. The moderators and developers are investigating these specific circumstances and hope to have more info soon. Based on current feedback from the developers, CLT can give erroneous and unreliable results when testing CIS in any configuration that is different from the one described below (it is a limitation within CLT). The reasons why CLT may give unreliable results when using other CIS configurations will be the topic of another FAQ post (as soon as we get more feedback from the developers).
- Make sure you have the following CIS settings:
  - Configuration = proactive. [Proactive security is the strongest security configuration, and will provide the best protection against leaks. I suggest that you always use the proactive security configuration. To select this setting, click on the “more” tab, then click on “manage my configurations”. Select “proactive Security”, click “activate”, and then click “close”.]
  - Firewall = safe mode, custom policy mode, or block all mode.
  - Defense+ = safe mode or paranoid mode.
  - Image execution control level = enabled [To set this, click on the defense+ tab, then click on “Defense+ settings”, then click the “execution control settings” tab.]
  - Detect shellcode injections = selected [To set this, click on the defense+ tab, then click on “Defense+ settings”, then click the “execution control settings” tab. At the bottom of the window, select the check-box titled “Detect shellcode injections (i.e. Buffer overflow protection)”.]
  - Monitor settings = make sure all of the boxes are selected [To set this, click on the defense+ tab, then click on “Defense+ settings”, then click the “Monitor settings” tab.]
  - Sandbox = disabled [CLT was not designed to be used in a sandbox. If CLT is sandboxed, it will generate erroneous results!]
- Make sure there are no CIS rules that have been generated by having run CLT previously (i.e. remove rules for CLT):
  - Defense+ Security Policy
    - Click the “defense+” tab at the top of the CIS window.
    - Click “Computer Security Policy”.
    - Click on the “Defense+ Rules” tab. Scroll down the list of files. Select any entry that has “clt.exe” in the application name and click the remove button.
    - Click on the “Always Sandbox” tab. Scroll down the list of files. Select any entry that has “clt.exe” in the application name and click the remove button.
    - Click on the “Blocked Files” tab. Scroll down the list of files. Select any entry that has “clt.exe” in the application name and click the remove button.
    - Click “Ok”.
  - Unrecognized files
    - Click the “defense+” tab at the top of the CIS window.
    - Click “Unrecognized Files”.
    - Click on the “Unrecognized Files” tab. Scroll down the list of files. Select any entry that has “clt.exe” in the application name and click the remove button.
    - Click “Ok”.
  - Trusted files
    - Click the “defense+” tab at the top of the CIS window.
    - Click “Trusted Files”.
    - Scroll down the list of files. Select any entry that has “clt.exe” in the application name and click the remove button.
    - Click “Close”.
  - Firewall Security policy
    - Click the “firewall” tab at the top of the CIS window.
    - Click on “Network Security Policy”.
    - Click on the “Application Rules” tab.
    - Scroll down the list of files. Select any entry that has “clt.exe” in the application name and click the remove button.
    - Click “OK”.
- Delete the Internet Explorer (IE) browsing history cache. Run IE, click on the “tools” menu, then select “internet options”. Click on the “general” tab and then click on the “delete” button under browsing history. You can also delete the browsing history using cleaning programs such as CCleaner or Cleanup! The reason why you need to clean the IE history: if CLT was previously run and previously failed “Impersonation: Coat”, IE will open the target webpage from the IE cache, and not through the leak, leading to a false failure of “Impersonation: Coat”. Erasing the browsing history ensures that IE cannot load the webpage from the cache and forces IE to load the webpage through the leak.
- Reboot your computer. (The current version of CLT does not “clean out” some actions that it creates after it has been run. If CLT is re-run without rebooting, it may give an inaccurate score because of these leftover actions. The only way to clean out these actions is to reboot.)
- Run CLT*. If you get an alert from the antivirus, click “ignore” and then “Add to trusted files” (the antivirus is alerting you that a leak test application has been launched [it’s flagged as “Application.Win32.LeakTest…”]; it is not saying that the file is malicious). The first alert that appears should be a defense+ alert that says “explorer.exe is a safe application. However, the executable clt.exe could not be recognized…” For this alert, make sure that “remember my answer” is unchecked, and then click allow. The CLT program window should appear. Click the “Test” button in CLT and, from this point onward, click “block” when a CIS alert appears. Now check your score. It should be 340/340.
  - Remember to run CLT with the sandbox disabled. If CLT is sandboxed, it will generate erroneous results! CLT was not designed to test HIPS security from within a sandbox.
- CLT was designed to test the HIPS component of CIS. Based on current feedback from the developers, CLT can give erroneous and unreliable results when testing CIS in any configuration that is different from the one described above (it is a limitation within CLT). The reasons why CLT may give unreliable results when using other CIS configurations will be the topic of another FAQ post (as soon as we get more feedback from the developers).
- If you still cannot get a good score on CLT, try the following:
  - Run diagnostics [click on the “more” tab, then click “diagnostics”]. Repair any problem that is found with your CIS installation.
  - Perhaps your copy of CLT is corrupted. Download a fresh copy of CLT from here. Unzip the folder. Perform steps 1-3 above, then reboot. Then, run the newly downloaded CLT.
  - If you still cannot get a good score on CLT, start a new thread and we’ll try to help you. Please provide the following information in your post:
    - Your operating system (including service pack version if applicable, and whether you are running the 32-bit or 64-bit version).
    - The version of CIS that you are using.
    - Any other real-time security or monitoring software that you have installed (including antivirus, antimalware, firewall, HIPS, behavior blockers, etc.).
    - The CIS settings that you have been using for the CLT tests.
    - Your CLT score.
    - If you still have the results, it may be helpful to post the names of the tests you failed.
Whoop