Kiosk crash/termination leads to inop syst until force rbt/logoff [M550]

Edit by Chiron: The formatted bug report can be found halfway down the 2nd page of this topic.

Hello, I installed Comodo Firewall 6.2.282872.2847 and I enabled HIPS in Secure mode. My current configuration is Proactive Security. The bug I found is that when I run applications in Virtual Kiosk, they can kill “virtkiosk.exe” processes, and so:
• either the user returns immediately and automatically to the normal environment (if the virtkiosk.exe child is killed),
• or else the Virtual Kiosk’s bar at the bottom disappears, and so returning to the normal environment is impossible (if you kill first the virtkiosk.exe [parent] and then the virtkiosk.exe [child] process). In this case, I tried to launch virtkiosk.exe from sandbox mode: the bar at the bottom reappears (I use Touchscreen mode), but if I click the button to return to Windows, it doesn’t work, and if I click the Exit button I get a black screen, because I’m still in sandbox mode but the processes are closed. If I press CTRL+ALT+DEL, I go to a logonui.exe screen, and if I want to start the Task Manager, it opens outside the black screen and so I can’t see it.
A virus that kills antivirus processes and decides to kill virtkiosk.exe can cause data loss, because this makes returning to the Windows environment impossible, and Word documents etc. can be lost if they weren’t saved.
A notepad.exe document or sensitive applications will be damaged in a similar case.
Therefore, to fix this bug, protecting virtkiosk.exe is required.

I hope this bug will be fixed soon.

Technical info about my settings and my computer:

• Operating System: Windows 7 Professional 32-bit
• Security Software: Avira Free Antivirus (see its details below).
• Removed software before installing Comodo Firewall: ZoneAlarm Free Firewall, Online Armor Free, Microsoft Security Essentials.
• Removed software after installing Comodo Firewall: nothing.
• HIPS Mode: Secure. Advanced Protection Mode enabled.
• Comodo Firewall version: 6.2.282872.2847

Technical details about Avira Free Antivirus (in Italian, translated by me to English):

Programma (Program) | Versione (Version) | Data (Date)
Versione del prodotto (Product version) | 13.0.0.3640 | 18/04/2013
Motore di ricerca (Search engine) | 8.02.12.68 | 26/06/2013
File di definizione dei virus (Virus signature files) | 7.11.87.216 | 30/06/2013
Control Center | 13.06.00.1194 | 19/06/2013
Config Center | 13.06.00.1246 | 19/06/2013
Luke Filewalker | 13.06.00.1262 | 19/06/2013
Real-Time Protection | 13.06.00.778 | 19/06/2013
Filtro (Filter) | 13.05.01.10 | 19/06/2013
Web Protection | 13.06.07.1236 | 19/06/2013
Pianificatore (Scheduler) | 13.06.00.778 | 19/06/2013
Updater | 13.06.14.1262 | 19/06/2013
Rootkits Protection | 13.05.01.05 | 19/06/2013
Local Decider | 13.06.02.1262 | 19/06/2013

Excuse me if my English isn’t perfect… I installed the Italian version, so some words like “Advanced Protection Mode” could be different from the original name given in English. I retranslated to English a program translated from English to Italian…

Richard

Interesting. However, please put this in the standard format, which can be found in this topic. If you have any questions about how to do that please feel free to ask.

This format will allow me to better understand the issue, although I believe I already understand most of it from your explanation, and to forward it to the devs.

Thank you.

PM sent.

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic subject, NOT here.
  • Can U reproduce the problem & if so how reliably?: Always.
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened: Go into kiosk mode, ctrl alt del and load task manager. Then terminate all kiosk exe’s and now you are ■■■■■■■. Also if it crashes it would happen too, same effect different cause.
  • If not obvious, what U expected to happen: Kiosk would either close back to normal desktop or comodo would know kiosk was tampered with and reload the kiosk interface and upon repeated failure it would simply load a different exe that only wants the password for the kiosk which would then release the system back to normal desktop.
  • Any other information, eg your guess at the cause, how U tried to fix it etc: Comodo does not pay attention to the kiosk exe’s running status and act accordingly to restore kiosk access during a crash or wilful termination / doesn’t ask for password to return to normal desktop.

I’m sorry, but for an issue like this I need the full format. Please copy and paste the main format (which can be found here) and fill in your answers after the colons. You can edit your first post to put it in this format.

Please answer all fields. Let me know if you have any questions. Also, please attach both your diagnostics report and the KillSwitch Process list.

Thanks.

I cannot give out information about my choice of security setup. I reported the problem. All you need to do is put a password on the kiosk and do as detailed in the bug report and the issue appears.

Please fill out all portions of the formatting. This is the only way I can forward it to the devs and hopefully get this fixed.

Thank you and I hope you understand.

I have provided all the information necessary to replicate the issue. I made a thread elsewhere to draw attention to this issue and you asked me to make a bug report even though someone else a couple of days ago has already made a bug report on the same exact issue: https://forums.comodo.com/bug-reports-cis/comodo-firewall-found-bug-in-virtual-kiosk-t96368.0.html

It is unreasonable to request that people give you all the ins and outs of their security setup. I cannot and will not give that kind and level of information out. Both myself and the other guy have detailed the issue.

I have given you everything that I can and feel comfortable giving out. If you choose to withhold this from the developers, that, of course, is your choice.

Sorry that I cannot give any further information on this. If this is not enough you will have to wait for more people than myself and the other guy to make more reports of this same issue who are fine with making the details of their levels and degree of security public knowledge. I am not willing to do that, personally. Part of being secure means not only setting your security up but also not going around telling everyone/anyone exactly what you are doing.

It only takes 1 bug to be found or 1 exploit found that can weaken something and then someone can perform targeted attacks on people they know who would be susceptible to the attack because they would know the details of people’s security configuration/choices to make that kind of determination. A very reckless thing to do.

Just FYI, I do not work for Comodo. I am a volunteer, and thus should be considered much as any other user. I asked for your bug report because the previous user was not able to create a formatted bug report. I will personally try to replicate this at some other time, but if I am unable to do so then I cannot forward this.

It is for this reason that I asked for it to be put in the proper format. As you can currently replicate it on your computer then there is 100% certainty that I can forward it to the devs. If, however, I cannot replicate it on my computer (for whatever reason) I cannot forward it. It’s just because I really want these bugs to get fixed that I asked for you, and the other user, to put the report in the correct format.

I apologize if I came off rude. I hope you now better understand my situation.

I will try to replicate this myself within the next few days. Hopefully it is replicable on my computer.

Thank you.

Thanks. I do appreciate your position. I just cannot give out the kind of info required for a complete bug report. You should easily be able to replicate it. Just put a password on the kiosk, enter the kiosk and then ctrl alt delete and load task manager and kill all the kiosk executables until you have a blank gray screen. Now you will be unable to get back to the desktop. You can ctrl alt delete again and use windows to shutdown/log out etc but you are not actually able to just get back to the desktop.

If you think about it, this could be exploited because someone can come up to a kiosk computer and sabotage it to prevent the user from regaining access to their computer without having to logout/reboot.

I’ve now merged these two similar bug reports.

Very cool. Thanks.

Okay, I am not able to replicate this. When running in the Kiosk (with a password added) if I select ctrl-shift-esc it apparently opens task manager on the real computer, which I cannot access unless I close the Kiosk or switch to windows. When I select ctrl-alt-dlt it takes me to the normal screen (as it would if I wasn’t in the Kiosk), then, if I choose the option to open task manager it takes me to the normal windows desktop. I also tried starting the Kiosk, using ctrl-alt-dlt, opening the task manager, and killing off virtkiosk.exe. This didn’t result in the computer going to a black screen or any unintended consequences.

Am I missing some important step?

Thanks.

There is more than 1 process of it. You must kill all running kiosk exe’s.

Sorry, my mistake. Even after control-alt-delete from inside the Kiosk (and selecting task manager) I needed to select the option to switch to Windows mode. However, I was able to kill both virtkiosk.exe processes without trouble. I even tried opening the Kiosk again, through the widget, and that worked fine.

Am I still missing something?

If you are in the kiosk mode and you use task manager to terminate the exe’s, it goes blank and you are stuck. I don’t know if there is an order to killing them or whatever but all I know is myself and this other guy both have noticed this happening now. It is the perfect way to make someone’s computer inoperable until they forcefully logout/reboot if they walk away from their system in kiosk mode thinking it is safe from harm.

Which operating system are you using? I’m using Windows 7 x64.

Also, when you access task manager is it running on the normal Windows desktop (not inside the Kiosk)?

Also, please do give me the exact order in which you kill the executables. This may be critical in replicating this.

Thanks.

Windows 8 x64

When task manager comes up, I am still locked into the kiosk mode as expected.

There were only 2 kiosk exe’s. I have no idea of the order. I do not want to perform this again because it is very inconvenient to have to deal with being locked out of my PC.

I think this is likely a bug specific to Windows 8. Thus, I cannot reproduce it and create a bug report. Please create a formatted bug report so I can forward this to the devs. The required format can be found in this post.

Thank you and be sure to let me know if you have any questions.

It isn’t a Windows 8 specific issue because the original guy who reported the issue was on “Windows 7 Professional 32-bit”. Like I said before, I put as much detail as I can in my bug report. I cannot provide specific details about the security configuration of my system.