We have just created a simple leak test, CPIL v.2. CPIL2 is an example leak test whose bypassing techniques are actively being used by many trojans in the wild. This is not a new technique that we found. It was there in the wild. So we wanted to give the community a chance to see how strong their firewalls are, and allow them to take immediate action if necessary.
CPIL2 is still in its early BETA stage and will be developed more in the future. So feel free to share your opinions.
If the test succeeds, Internet Explorer will be opened and you will be redirected to the Comodo site, which should show you the data you entered.
If the program fails to start or CPF shows you a popup, this means the test fails. CPF 2.0-2.3 should be passing this test with no problems. It may be the case that with OSMode = 3, CPF may not detect this because it is problematic. But I don't think this will be the case.
You should see either of the screenshots in the attachment. The test may say it succeeded, but if you see an alert from CPF like the attachment, you pass the test. If you see the "can not initiate the instance" message, it also means you passed the test.
I rebooted with OSMODE=0 and everything seems to be working now!
I ran CPIL2, leaktest1.2, tooleaky, firehole, and yalta. All were blocked by CPF via popups where I replied DENY.
One thing of note was that when I was using OSMODE=3 I did not get any popups from CPF at all. However the threat was blocked as indicated by the ‘test failed’ message in the DOS box and the fact that no browser window came up.
When I ran CPIL2 using OSMODE=0 I got 2 popups when the test started to which I replied DENY to both of them.
All the other tests resulted in popups no matter if I used OSMODE=0 or 3. It was only CPIL2 that behaved a little differently depending on the OSMODE I chose.
I would imagine that there is still cause to be concerned. OSMODE=0 was letting the threats get by yesterday when I reported the problem. Why they cleared up today is a mystery.
I wonder if this is just cached data or a failed leak test:
I opened HyperSnap;
I let it search for an updated version;
I closed it;
I reopened it and told it to search again for updates: I didn't click allow/deny (it remained active);
I opened another HyperSnap instance, which was able to show that there's a new version over the Internet;
I strongly believe that this is just a HyperSnap solution (e.g. from the first check it stored that data somewhere), but I also wonder if you could reassure me :). Anyway, this data will be good for the FAQ at least (V)
(Also, there was a - couldn’t reproduce - bug with the specified “parent” (setup.exe).)
1- HyperSnap may be recognized as safe and "automatically approve safe apps" is selected,
2- HyperSnap may be showing the cached data (this is more probable),
3- The parents of the instances are different and one is recognized as safe.
Every once in a while, I like to go back and redo different leak tests. Today I tried CPIL2 and it no longer works at all. I get the following even though I'm running as admin. Any ideas what might cause this?
Do you want to proceed (Y/N)? : y
Enter the text to be transmitted : cccccccccccccccccc
Could not initiate an instance. Make sure you are running as Administrator.
DO NOT FORGET TO RESTART YOUR COMPUTER!