Leak Test 40/340 (YIKES!) Help....

Hi All. I recently installed CIS 4.1. Everything has been working perfectly (maybe too perfectly), so I started to wonder if the firewall was actually providing adequate protection. I just downloaded Comodo Leak Tests v 1.1.0.3 and ran a test… now I feel exposed. My score came back as “40/340”. My question is, should it allow this many vulnerabilities if I’m running Firewall Security Level as “SAFE” and Alert Frequency as “MEDIUM”? Basically, using all default settings with the Sandbox activated. Here are my results. I want to provide maximum protection, while at the same time, not blocking every event and making everyday use a pain. Thanks in advance for your suggestions/recommendations!
COMODO Leaktests v.1.1.0.3
Date 17:39:57 - 9/1/2010
OS Windows XP SP2 build 2600

  1. RootkitInstallation: MissingDriverLoad Protected
  2. RootkitInstallation: LoadAndCallImage Vulnerable
  3. RootkitInstallation: DriverSupersede Vulnerable
  4. RootkitInstallation: ChangeDrvPath Vulnerable
  5. Invasion: Runner Protected
  6. Invasion: RawDisk Vulnerable
  7. Invasion: PhysicalMemory Vulnerable
  8. Invasion: FileDrop Vulnerable
  9. Invasion: DebugControl Vulnerable
  10. Injection: SetWinEventHook Vulnerable
  11. Injection: SetWindowsHookEx Vulnerable
  12. Injection: SetThreadContext Vulnerable
  13. Injection: Services Vulnerable
  14. Injection: ProcessInject Vulnerable
  15. Injection: KnownDlls Vulnerable
  16. Injection: DupHandles Vulnerable
  17. Injection: CreateRemoteThread Vulnerable
  18. Injection: APC dll injection Vulnerable
  19. Injection: AdvancedProcessTermination Vulnerable
  20. InfoSend: ICMP Test Protected
  21. InfoSend: DNS Test Vulnerable
  22. Impersonation: OLE automation Protected
  23. Impersonation: ExplorerAsParent Vulnerable
  24. Impersonation: DDE Vulnerable
  25. Impersonation: Coat Vulnerable
  26. Impersonation: BITS Vulnerable
  27. Hijacking: WinlogonNotify Vulnerable
  28. Hijacking: Userinit Vulnerable
  29. Hijacking: UIHost Vulnerable
  30. Hijacking: SupersedeServiceDll Vulnerable
  31. Hijacking: StartupPrograms Vulnerable
  32. Hijacking: ChangeDebuggerPath Vulnerable
  33. Hijacking: AppinitDlls Vulnerable
  34. Hijacking: ActiveDesktop Vulnerable
    Score 40/340

Did you by any chance “allow” the leak-test access to your computer?

This would explain the poor score. You need to block it or sandbox it.

No… did not “allow” leak test… actually, no alerts ever popped up when running it. I did notice that COMODO added itself to the “My Trusted Software Vendors”… and I cannot remove COMODO from this section. There are 2 Vendor listings for COMODO “Comodo CA Limited” and “Comodo, CP Inc”. Also, under “FIREWALL”, “Stealth Ports Wizard”, when I set to 2nd setting “Alert me to incoming connections and make my ports stealth on a per-case basis”… hit “Finish”, message does say “Success”, “your firewall has been configured accordingly”. However, when I open it again, it’s back to the top selection “Define a new trusted network and make my ports stealth to everyone else” ??

Which version of CIS are you using?

CIS 4.1.150349.920

Check your “Computer Security Policy” and see if there are already rules created for it.

If so delete them and then try to run CLT again.

Thanks! Cleared out Computer Security Policy, then rebooted. CIS then only allowed a few startup programs back into the Security Policy (i.e., C:\WINDOWS\system32\smss.exe, csrss.exe, winlogon.exe, lsass.exe, services.exe, svchost.exe). Somehow, the CLT leak test was also in my “My Own Safe Files”! Removed it, and re-ran the CLT test… now the score is 320/340… Impersonation DDE and Coat failed. See below:

COMODO Leaktests v.1.1.0.3
Date 18:17:27 - 9/2/2010
OS Windows XP SP2 build 2600

  1. RootkitInstallation: MissingDriverLoad Protected
  2. RootkitInstallation: LoadAndCallImage Protected
  3. RootkitInstallation: DriverSupersede Protected
  4. RootkitInstallation: ChangeDrvPath Protected
  5. Invasion: Runner Protected
  6. Invasion: RawDisk Protected
  7. Invasion: PhysicalMemory Protected
  8. Invasion: FileDrop Protected
  9. Invasion: DebugControl Protected
  10. Injection: SetWinEventHook Protected
  11. Injection: SetWindowsHookEx Protected
  12. Injection: SetThreadContext Protected
  13. Injection: Services Protected
  14. Injection: ProcessInject Protected
  15. Injection: KnownDlls Protected
  16. Injection: DupHandles Protected
  17. Injection: CreateRemoteThread Protected
  18. Injection: APC dll injection Protected
  19. Injection: AdvancedProcessTermination Protected
  20. InfoSend: ICMP Test Protected
  21. InfoSend: DNS Test Protected
  22. Impersonation: OLE automation Protected
  23. Impersonation: ExplorerAsParent Protected
  24. Impersonation: DDE Vulnerable
  25. Impersonation: Coat Vulnerable
  26. Impersonation: BITS Protected
  27. Hijacking: WinlogonNotify Protected
  28. Hijacking: Userinit Protected
  29. Hijacking: UIHost Protected
  30. Hijacking: SupersedeServiceDll Protected
  31. Hijacking: StartupPrograms Protected
  32. Hijacking: ChangeDebuggerPath Protected
  33. Hijacking: AppinitDlls Protected
  34. Hijacking: ActiveDesktop Protected
    Score 320/340
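An added example, not from any post in this thread: a small Python parser for the CLT report layout pasted above. It recomputes the score from the per-test lines (assuming 10 points per Protected test, which is what 40/340 for four passes and 320/340 for thirty-two implies), checks that against the report's own Score line, and lists which tests changed verdict between two runs, which is the comparison the poster did by hand. The five-test excerpts are constructed, not the full reports.

```python
import re

RESULT_RE = re.compile(
    r"^\s*\d+\.\s+(?P<cat>\w+):\s+(?P<test>.+?)\s+(?P<res>Protected|Vulnerable)\s*$")
SCORE_RE = re.compile(r"^\s*Score\s+(?P<got>\d+)/(?P<max>\d+)\s*$")
POINTS_PER_TEST = 10  # assumption inferred from the thread: 4 passes = 40, 34 tests = 340

def parse_report(text):
    """Map 'Category: Test' -> 'Protected'|'Vulnerable', plus the reported (got, max)."""
    results, reported = {}, None
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results[f"{m['cat']}: {m['test']}"] = m["res"]
            continue
        s = SCORE_RE.match(line)
        if s:
            reported = (int(s["got"]), int(s["max"]))
    return results, reported

def compute_score(results):
    """Recompute the score from the per-test lines (10 points per Protected)."""
    protected = sum(1 for r in results.values() if r == "Protected")
    return protected * POINTS_PER_TEST, len(results) * POINTS_PER_TEST

def score_consistent(text):
    """True when the Score line agrees with the per-test lines (catches a truncated paste)."""
    results, reported = parse_report(text)
    return reported is not None and compute_score(results) == reported

def diff_runs(before, after):
    """Tests whose verdict changed between two reports: name -> (old, new)."""
    a, _ = parse_report(before)
    b, _ = parse_report(after)
    return {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]}

# Constructed five-test excerpts in the same layout (not the full 34-test reports above).
BEFORE = """COMODO Leaktests v.1.1.0.3
  1. RootkitInstallation: LoadAndCallImage Vulnerable
  2. Injection: APC dll injection Vulnerable
  3. InfoSend: ICMP Test Protected
  4. Impersonation: DDE Vulnerable
  5. Impersonation: Coat Vulnerable
    Score 10/50
"""
AFTER = BEFORE.replace("LoadAndCallImage Vulnerable", "LoadAndCallImage Protected") \
              .replace("APC dll injection Vulnerable", "APC dll injection Protected") \
              .replace("Score 10/50", "Score 30/50")

if __name__ == "__main__":
    print(diff_runs(BEFORE, AFTER), score_consistent(AFTER))
```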

Coat fails probably because you did not clean out IE history/cache etc.; there is a flaw in CLT testing.

  1. You have to reboot after each test run.
  2. You have to clean out IE history/cache after each run.

Was CLT run limited/sandboxed?