Here is another leak test from Comodo

Hi guys,

We have created a new leak test. You can check it out.
https://forums.comodo.com/index.php/topic,737.0.html

Egemen

Well, CPIL2 is an improvement to CPIL1 currently being offered on your website. CPIL1 always gave me the following message when I ran it:


Sending rrrrrr
Win XP (5.1.2600 Service Pack 2)

Could not find explorer.exe!


Duhhh, how hard can it be to find that? :slight_smile:

CPIL1 works for some people, but I think it has to do with the IE version one has installed.
Mine is Version 6.0.2900.2180.xpsp_xp2_gdr.050301-1519. Not sure though.

CPIL2 now uses the default browser for its payload. CPF does alert me every time I try to run the test as long as my default browser is Mozilla and I close it each time I run CPIL2. If I do not close Mozilla, I no longer get an alert and my previous selection stays with me for the whole time Mozilla is running. I do not like this behaviour and find it insecure. Especially if I allowed something that I should not have.

I also tried IE as my default browser. If I selected deny the first time I ran CPIL2, CPF would remember this selection and no longer alert me when CPIL2 was run multiple times. Closing IE before each test did not have the same effect as it did closing Mozilla. This is even worse.

Why is CPF allowing this to happen?

When a leak type popup occurs,

if you allow, CPF will allow and not ask about it again. If you deny, CPF will deny all further attempts of that browser instance and won't raise an alert again.

The security risk would be the case if you deny but your browser connects. Do you have such an instance?

If you allow even once, then CPF won't ask you again until you restart your browser.

Otherwise, you will see lots of irritating, same popups again and again.

Egemen

Ok, understood. My problem is with the IE instance. If I deny, I can no longer access the internet with it. Even if I close and open IE again, CPF doesn't notice. Specifying deny to an explorer pop-up activated by a leaktest makes the internet inaccessible with IE. If I allow, following leaktests will get through, e.g. Tooleaky.

This should be easy to test. Can you try CPIL2 with IE to try and recreate my situation with the Beta?

Start with a clean instance of IE
Run CPIL2
Select deny to the pop-up
Close IE
Open IE and try to get to www.google.com (This fails for me. See log)

Al

[attachment deleted by admin]

I tried but could not reproduce the behavior. Here are a couple of tips for you to check:

  • When you deny iexplore.exe and close, check if it really closed from the Task Manager. There may be an active instance.
  • According to your logs, I see explorer.exe but not iexplore.exe. Why is explorer.exe being blocked? Did anything happen previously so that you denied it?
  • Windows has very complicated features like COM/DDE and this type of communication always occurs between windows explorer and internet explorer. How do you try to start internet explorer?

And what other security software do you have?

I think we are getting closer to the problem. When I open or close IE, no tasks are added to the Task Manager. I also used Process Explorer from the Sysinternals website, and it also only shows Windows Explorer. If I minimize IE and select "bring to front" using the explorer.exe process, I get the IE browser. If I close IE and do "bring to front" again, nothing appears.

That is probably why CPIL1 does not work on my system and complains about not finding the exe.

I launch IE from the programs menu which is set as "C:\Program Files\Internet Explorer\iexplore.exe", but iexplore.exe doesn't show up as a task. It looks like explorer.exe is the controlling factor and SCF always sees that instance, which would explain my problems.

I have MS06-021: Cumulative security update for Internet Explorer (KB916281) installed on my system and pretty much have all the critical security fixes that came via windows update since SP2. Hopefully your test systems are at the same level :slight_smile:

I just checked another system and it shows both iexplore.exe and explorer.exe as tasks, so something is different on my system. Works like a charm though except for CPF :slight_smile:

Any more ideas?

Al

What other security software do you have?

Standard stuff:

Symantec Antivirus for the Enterprise 9.0
Ad-Aware SE Plus
Spybot Search and Destroy

Nothing else I can think of.

Do you agree that not seeing an instance of iexplore.exe is confusing SCF?

Al

There is no such thing as not seeing the application created. It is either successfully created or not. However, some rootkits may force such a behavior if installed as a kernel driver.

www.sysinternals.com has a utility called rootkit revealer. You can try it to see if it detects something strange. Very simple program.

Symantec Antivirus for the Enterprise 9.0 may be doing something wrong. If you have a chance, you can uninstall it and retry if it is the cause or not. The other 2 programs do not cause such a thing.

There may be something wrong with your process creation routines but I am not sure.

Egemen

Hi,

I ran RootkitRevealer and it showed no discrepancies. Virus scans, etc all clean. My system is behaving normally.

Please try the following:

Close all instances of IE
Open My Computer
type www.google.com in the address field and hit enter (should launch IE with the google website)
Check Task Manager
Do you see IEXPLORE.EXE as a task?

If not, this means that IE can be run from the explorer task. Which means a leak test can do this too. If I understand correctly, when I block a leak test, the deny is remembered by CPF for as long as the instance blocked is up and running. In my case this would be explorer.exe that was blocked. The instance is always up so the firewall blocks all further attempts of explorer.exe connecting outbound. This means I can no longer use IE because it is always being blocked. If I allow the leak test, I can use IE, but now my firewall is open for further leak tests. Not a good situation.

I did try one last test which surprised me. If I launch IE from ‘Run’ in the Start Menu and enter iexplore www.google.com, I see ‘IEXPLORE.EXE’ in the task manager. If I launch it without the url - no task.

I would be interested in what Melih thinks about this. I’ve done some googling and there are other XP systems out there that behave the same way. I.e. no iexplore.exe task visible.

Thanks for any help,
Al.

No, it should not launch Internet Explorer. What you are doing is connecting to the internet with Windows Explorer. That's expected behavior. So that's why explorer.exe is being blocked on your PC.

> I did try one last test which surprised me. If I launch IE from 'Run' in the Start Menu and enter iexplore www.google.com, I see 'IEXPLORE.EXE' in the task manager. If I launch it without the url - no task.

Yes. This is the same as running Internet Explorer by double-clicking.

> I would be interested in what Melih thinks about this. I've done some googling and there are other XP systems out there that behave the same way. I.e. no iexplore.exe task visible.

All Windows operating systems behave this way after Windows 2000.

In your previous post, you told us that you were starting Internet Explorer from the start menu by clicking on the shortcut. If you start IE that way, it is not possible not to see iexplore being created as a separate process.

Can you please provide us some exact steps to reproduce your behaviors? Because what you describe and what's happening seem not related to each other.

Or somehow explorer.exe is being your default browser. Can you try to disable the Security->Advanced->Automatically approve safe applications option and delete all rules related to explorer.exe and try everything without remembering, so that we can see what sort of alerts CPF will produce?

Thx,
Egemen

Let me see if I understand what you are saying. If IE is my default browser, the following should happen on a normal system:

  1. If I run IE using the icon via Start Menu, Desktop or Quick Launch, I should see an iexplore process in Task Manager

  2. If I enter iexplore in the Run Box, I should see an iexplore process in Task Manager

  3. If I double-click on a URL on the Desktop, I should see an iexplore process in Task Manager

  4. If I enter a URL in the Windows Explorer address field, I should not see an iexplore in Task Manager.

Now, please help me determine why steps 1 and 2 are not true on my system. I have a second system which behaves the same way.

I deleted all the rules for explorer and do not allow approval of safe applications. I ended up with the attached pop-ups when I ran the Tooleaky test. I selected deny for both and now if I start IE from the desktop icon or anywhere else all URL requests are blocked. Even if I double-click on a URL it is blocked.

This is making me crazy :slight_smile:

Al

[attachment deleted by admin]

When you click on Internet Explorer as in example 1, do you see it opened? I mean, do you see Internet Explorer on your screen?

After removing all rules for explorer.exe and iexplore.exe, instead of the Tooleaky test, please run Internet Explorer as in example 1 and show me the popup you see from CPF.
I need to be sure that when you click Internet Explorer, Windows Explorer takes the request.

Egemen

I believe I have found out why the iexplore task is not showing up. The symptom is caused by
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

being set to 'no'. If I set it to 'yes', the iexplore task becomes visible. Systems that do not have more than 32MB storage will normally have this set to 'no'. So it is considered normal system behaviour. I still feel that the SCF developer(s) need(s) to think about how to deal with this situation. My two systems have more than 32MB, but for some reason that entry was still set to 'no'.

You should be able to test this easily by setting this entry on your system to no. If you still want me to test anything please let me know. Here are some URLs that I found with information about BrowseNewProcess

http://www.winguides.com/registry/display.php/964/
http://forum.zonelabs.org/zonelabs/board/message?board.id=AllowAccess&message.id=62

If you need more, just google on BrowseNewProcess. You’ve got the ball now :slight_smile:

Al
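The security point of the thread, in working form: when BrowseNewProcess is 'no', the browser runs inside the shell's explorer.exe process, so a per-process "remember this" allow or deny that a firewall such as CPF attaches to the asking process is in effect attached to explorer.exe, which lives for the whole session. A remembered allow then lets every later leak test launched through the shell out; a remembered deny blocks all browsing. The script below is an added example, not code from the thread or from Comodo: it reads the BrowseNewProcess value from the HKLM key Al named and, as an assumption, from the per-user HKCU key where IE's own "Launch browser windows in a separate process" option is stored, then lists iexplore.exe and explorer.exe with their parent processes so you can see which process actually owns the browser. It assumes PowerShell 3.0 or later (for Get-CimInstance) on Windows.

```powershell
# Added example (not from the original thread). Checks the BrowseNewProcess setting
# and shows which process owns Internet Explorer, so a per-process firewall rule can
# be attributed to the right executable.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',  # key named in the thread
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'   # assumption: per-user copy written by IE's Advanced options
)

foreach ($key in $keys) {
    $item = Get-ItemProperty -Path $key -Name BrowseNewProcess -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0}: BrowseNewProcess not set" -f $key)
    } else {
        Write-Output ("{0}: BrowseNewProcess = {1}" -f $key, $item.BrowseNewProcess)
    }
}

# With BrowseNewProcess = 'no', expect no iexplore.exe entry at all while a browser
# window is open: the window belongs to explorer.exe, and that is the process the
# firewall sees asking for the connection.
$procs = Get-CimInstance Win32_Process -Filter "Name='iexplore.exe' OR Name='explorer.exe'"
$procs | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter ("ProcessId={0}" -f $_.ParentProcessId) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name        = $_.Name
        Pid         = $_.ProcessId
        ParentPid   = $_.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        CommandLine = $_.CommandLine
    }
} | Format-Table -AutoSize

# To force a separate iexplore.exe (what Al observed when switching the value to 'yes'),
# set the per-user value and open a new browser window. Uncomment to apply:
# Set-ItemProperty -Path $keys[1] -Name BrowseNewProcess -Value 'yes'
```

If the listing shows only explorer.exe while a browser window is open, any "remember my answer" rule the firewall created for the browser is really a rule for the shell, and denying it will block everything the shell later launches to the network, which is the behaviour Al describes with his Tooleaky and CPIL2 runs.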

Hi Al,

Thank you for the feedback. We will be looking at the issue.

Egemen