Leak test problem

Learn about Computer Security Leak Testing/Attacks/Vulnerability Research
1

On WinXP x64 sp2(updated) and the lastest version of comodo with default settings

COMODO Leaktests v.1.1.0.3
Date 11:05:41 - 24/11/2008
OS Windows XP SP2 build 3790

  1. RootkitInstallation: MissingDriverLoad Protected
  2. RootkitInstallation: LoadAndCallImage Protected
  3. RootkitInstallation: DriverSupersede Protected
  4. RootkitInstallation: ChangeDrvPath Vulnerable
  5. Invasion: Runner Protected
  6. Invasion: RawDisk Vulnerable
  7. Invasion: PhysicalMemory Protected
  8. Invasion: FileDrop Protected
  9. Invasion: DebugControl Protected
  10. Injection: SetWinEventHook Vulnerable
  11. Injection: SetWindowsHookEx Vulnerable
  12. Injection: SetThreadContext Protected
  13. Injection: Services Vulnerable
  14. Injection: ProcessInject Protected
  15. Injection: KnownDlls Vulnerable
  16. Injection: DupHandles Protected
  17. Injection: CreateRemoteThread Protected
  18. Injection: APC dll injection Protected
  19. Injection: AdvancedProcessTermination Vulnerable
  20. InfoSend: ICMP Test Protected
  21. InfoSend: DNS Test Protected
  22. Impersonation: OLE automation Vulnerable
  23. Impersonation: ExplorerAsParent Vulnerable
  24. Impersonation: DDE Vulnerable
  25. Impersonation: Coat Vulnerable
  26. Impersonation: BITS Protected
  27. Hijacking: WinlogonNotify Vulnerable
  28. Hijacking: Userinit Vulnerable
  29. Hijacking: UIHost Vulnerable
  30. Hijacking: SupersedeServiceDll Vulnerable
  31. Hijacking: StartupPrograms Vulnerable
  32. Hijacking: ChangeDebuggerPath Vulnerable
  33. Hijacking: AppinitDlls Vulnerable
  34. Hijacking: ActiveDesktop Vulnerable
    Score 150/340

Defense+ in paranoid mode and checking all the monitor settings options
COMODO Leaktests v.1.1.0.3
Date 11:18:42 - 24/11/2008
OS Windows XP SP2 build 3790

  1. RootkitInstallation: MissingDriverLoad Protected
  2. RootkitInstallation: LoadAndCallImage Protected
  3. RootkitInstallation: DriverSupersede Protected
  4. RootkitInstallation: ChangeDrvPath Vulnerable
  5. Invasion: Runner Protected
  6. Invasion: RawDisk Protected
  7. Invasion: PhysicalMemory Protected
  8. Invasion: FileDrop Protected
  9. Invasion: DebugControl Protected
  10. Injection: SetWinEventHook Vulnerable
  11. Injection: SetWindowsHookEx Vulnerable
  12. Injection: SetThreadContext Protected
  13. Injection: Services Vulnerable
  14. Injection: ProcessInject Protected
  15. Injection: KnownDlls Vulnerable
  16. Injection: DupHandles Protected
  17. Injection: CreateRemoteThread Protected
  18. Injection: APC dll injection Protected
  19. Injection: AdvancedProcessTermination Vulnerable
  20. InfoSend: ICMP Test Protected
  21. InfoSend: DNS Test Protected
  22. Impersonation: OLE automation Error
  23. Impersonation: ExplorerAsParent Vulnerable
  24. Impersonation: DDE Protected
  25. Impersonation: Coat Protected
  26. Impersonation: BITS Protected
  27. Hijacking: WinlogonNotify Vulnerable
  28. Hijacking: Userinit Vulnerable
  29. Hijacking: UIHost Vulnerable
  30. Hijacking: SupersedeServiceDll Vulnerable
  31. Hijacking: StartupPrograms Vulnerable
  32. Hijacking: ChangeDebuggerPath Vulnerable
  33. Hijacking: AppinitDlls Vulnerable
  34. Hijacking: ActiveDesktop Vulnerable
    Score 180/340
    (C) COMODO 2008

What can I do for get 340/340 score?
I did better score with Outpost Firewall with the default settings

Thanks

2

Evening, And Welcome

Please remove clt.exe from both network policy and computer policy ( Firewall/Defense > Advance > Network/Computer Security Policy > clt.exe > Remove > Apply)

Run CLT Again But Treat As Blocked Application / Isolated Application

Give Me Your Score…

CG

3

I have deleted ctl.exe from from both network policy and computer policy and them i ran again the test blocking all the request but uncheking the checkbox of remember answer.
The settings are:
Defense plus: paranoid mode, monitor settings (all options checked)
Firewall: safe mode

COMODO Leaktests v.1.1.0.3
Date 21:55:49 - 24/11/2008
OS Windows XP SP2 build 3790

  1. RootkitInstallation: MissingDriverLoad Protected
  2. RootkitInstallation: LoadAndCallImage Protected
  3. RootkitInstallation: DriverSupersede Protected
  4. RootkitInstallation: ChangeDrvPath Vulnerable
  5. Invasion: Runner Protected
  6. Invasion: RawDisk Protected
  7. Invasion: PhysicalMemory Protected
  8. Invasion: FileDrop Protected
  9. Invasion: DebugControl Protected
  10. Injection: SetWinEventHook Vulnerable
  11. Injection: SetWindowsHookEx Vulnerable
  12. Injection: SetThreadContext Protected
  13. Injection: Services Vulnerable
  14. Injection: ProcessInject Protected
  15. Injection: KnownDlls Vulnerable
  16. Injection: DupHandles Protected
  17. Injection: CreateRemoteThread Protected
  18. Injection: APC dll injection Protected
  19. Injection: AdvancedProcessTermination Vulnerable
  20. InfoSend: ICMP Test Protected
  21. InfoSend: DNS Test Protected
  22. Impersonation: OLE automation Protected
  23. Impersonation: ExplorerAsParent Vulnerable
  24. Impersonation: DDE Protected
  25. Impersonation: Coat Vulnerable
  26. Impersonation: BITS Protected
  27. Hijacking: WinlogonNotify Vulnerable
  28. Hijacking: Userinit Vulnerable
  29. Hijacking: UIHost Vulnerable
  30. Hijacking: SupersedeServiceDll Vulnerable
  31. Hijacking: StartupPrograms Vulnerable
  32. Hijacking: ChangeDebuggerPath Vulnerable
  33. Hijacking: AppinitDlls Vulnerable
  34. Hijacking: ActiveDesktop Vulnerable
    Score 180/340

I have run the test again with the proactive security profile and the result have been “Score 170/340”
maybe the problem is that my OS is x64 and the ctl do not work fine, I reply more messages than tests have the CTL, and the test suite ends before i end to block the requests.

Or maybe the problem is COMODO because I block a lot of request to open internet explorer, and CTL open some windows of ie.

4

Anyone has tested comodo with CTL on windows xp 64bits?

5

Put Firewall and Defense+ in Safe Mode. And then put CIS in Proactive Security Configuration via right clicking the tray icon.

Now re-run the test, allow explorer.exe to launch the test, but then when you run the test, block all alerts.

Josh

6

I have put Firewall and Defense+ in Safe Mode and CIS in Proactive Security Configuration.
I have added my configuration file of comodo, and a video of all the process. I could not attached to the post the files so i upload it to megaupload please donwload it.

http://www.megaupload.com/es/?d=OFTTI18H

You also can see the video in youtube but the quality is poor in megaupload is better:

I am runing winXP x64 sp2+updates

SCORE 170/340

7

With the new version of comodo in proactive security mode
340/340
Perfect (B)

Conclusion: Bug Fixed!