matousec and comodo

Hello Melih,

Well there is one other thing… Rotty wrote a great script for backing up the registry configuration files, and it is easy to implement for someone familiar with scripts. However, it might be nice to have the ability to save and load configuration files from within Comodo.

To clarify the OLE issue. To me it is a human factors/interface issue. Something I know a little about. Basically, if a user is conditioned to grant permissions based on what is being suggested here as a way of dealing with the pop-ups being generated, they are going to become conditioned in very short order to reflexively grant permission and not even read the fine print. Too many warning flags will do this and become self-defeating. I used MediaMonkey/Firefox as an example of this problem. MediaMonkey was blocked, by me, from accessing the net. That was it. It should have never shown up in OLE if it was working properly. Blocked to most people, means exactly that. Blocked… no exceptions no conditions. Yet here OLE is telling me it is trying to access the net! I won’t insult your intelligence by listing all the problems with this. Suffice it to say, this is the very thing a malware author is going to exploit. He/she doesn’t have to be clever, just aware of the human factors involved and use that interface weakness to their advantage.

Panic and I have exchanged PM’s that I know you have been cc’d on. I have given him permission to share my PM’s to Ewen, with you or any of the other Comodo staff. Hopefully you might find something of value in my reply to him.

What I have said here was never meant as a personal attack on you, your abilities or those of your staff. Yes it was blunt, but sometimes directness serves a purpose. What I said was said here and not on any other forums. I tend to deal with people through emails and PM’s when there is an issue rather than using a public forum.

Best regards,

While we’re on the subject of bugs and fixes, does anyone have info on when the fix for HIPS process spoofing will be ready?

Latest word is around March.

ok so far we have 3 main issues raised by Hillsboro:

1) OLE: come up with some other mechanism because of too many pop ups
2) password protection
3) backup settings

first 2 are security related whereas the 3rd one is usability.

I can tell you that, ver 3 will have OLE issue resolved.
Password protection will definitely be in v3, if we can do it earlier we will, let’s see.
Backup will most definitely be in v3

thanks

Melih

What about the reality that governments have close contact with Microsoft about the undocumented “features” no single firewall in existence will block.

Now, still, have a happy and “secure” New Year (:WIN)

It is already fixed in these BETA versions.

Yes we have already improved the self defense significantly again. On Tuesday, we will provide the BETA so that you can test it. Previously, it was possible to simulate some mouse clicks.

“Password” protection is useful for parental controlling. Namely, to prevent a human being from changing your CPF settings. It is not a defense against malware tampering and should not be.

To do well in Matousec test you need to have a full blown HIPS. It's obvious in the methodology they are expecting a fully locked down local system. Without that there is no way any firewall will get a decent rating. Comodo firewall is as close as you can get without hips.

Yes i agree. Many of the test parameters are targeted for an anti-malware product like HIPSs. Yet for desktop users, according to their feedback, such a distinction is hardly tolerable. We would add all such checks in CPF 2.4 but we planned to provide a full HIPS instead of partially implemented solutions related to internet accessing. That’s why CPF 3.0 will come with a HIPS and will act as an anti-malware solution too.

Thanks for the feedback,
Egemen

Hi,

i think “little green men” on Mars have hacked Microsoft last year. Since then, black out on this issue ! (joke ;D).

ALG

(R)

And the hard bit in writing a script that would shut the UI, thereby allowing unfettered access would be what ???

Someone can write a visual basic script which sends simulated mouse clicks to the GUI and shuts down the protection as if you do it manually. Password protection would help in this case unless you have a defense against such sort of things.

The password protection is not the correct way to handle this because it is not always activated by the user. So if it is not password protected, it can be shut down anyway. But this is not how it should be.

That’s why it must be used for human interference control. Not for malware tampering.

Egemen

Melih,

I know it’s off-topic, but I don’t think the OLE issue is one of too many popups… It’s one of the warning not being accurate, and of shutting down all internet connection if denied. The issue seems to occur with programs that are not actually connecting to the internet, even long after they’ve been closed down. For some reason CPF thinks there is an OLE Automation attempt occurring when you activate the browser. (I’ve had a lot of luck with apps this happens to, by creating a Block rule for those apps; however, it’s not 100%, and if you need the app to be able to connect, that’s out as well).

Then, once you get the warning, if you deny, your entire internet is blocked, rather than the allegedly-offending app. In other words, if CPF says Winamp is trying to hijack IE and we deny, CPF blocks everything, rather than just Winamp. Maybe with OLE it’s impossible to block just the offending app from a security standpoint, but from a user standpoint it’s doggone irritating/frustrating. It seems to me that there should be some way to block the OLE without shutting everything down and requiring a reboot to reset.

LM

G’day,

I’ve got to agree with LM on this, Melih. It’s quite common to start application X, end application X, start application Y, start application Z and suddenly get an OLE alert that application X is attempting an OLE connection to application Z. This alert is despite application X not actively running, not being resident in memory and not hiding behind the couch.

These aberrant OLE alerts can occur any time. I’ve had them warning me about an application that was closed (completely) more than 5 minutes prior to receiving the warning.

Example:

  1. Start Netstumbler
  2. Do something in NS
  3. Exit NS
  4. Do a “netsh winsock reset” to reassert IP stack
  5. Double check process tree and services to ensure NS is not running.
  6. Start GIMP
  7. Do something
  8. Exit GIMP
  9. Start IE
  10. Get a warning about NS attempting an OLE connection via IE.

There was just over 4 minutes between steps 3 and 10. It isn’t always reproducible, it isn’t always consistent and it isn’t always there. I had to try 4 combinations of apps until I got one of these alerts. Strangely, I couldn’t reproduce the results using the same apps when executed in the same order.

This inconsistency could lead users to start blindly clicking on alerts, thereby negating the security provided.

Cheers,
Ewen :slight_smile:

Hello! and thanks for such a well supported free firewall!

I installed comodo last week (after years using sygate) and have found this “OLE issue” to be extremely frustrating.

In my frustration and noob-ishness I started ticking allow boxes without even reading them and even resorted to disabling the firewall altogether, to defeat OLE popups and ensure my system isn’t inadvertently locked down.

I have 3 minor requests to make.

  1. If I create a rule denying ALL access for a particular program, then I don’t want a popup 5 minutes later asking if it can then connect via Opera or Firefox (Or Outlook Or Word).

  2. Please don’t force a reboot after denying an action.

  3. (off topic) It would be great if the log entries were re-orderable by columns from within the UI.

  4. I would also love to be able to allow access - for a certain program only - to a specific set (not range) of I.P. addresses. Like in Sygate’s advanced application rules. In particular I wish to only allow internet explorer access to Microsoft’s update I.P.s eg. 64.4.63.255,207.46.157.125,xxx.xxx.xxx.xxx etc. Have I missed something here?

Thanks again!

To clarify the issue :

Your example must not cause all internet connection to be blocked but just the iexplore.exe. You possibly answered an OLE Automation popup for svchost.exe which is also responsible for DNS queries. Thus all internet connection seems blocked since it can’t resolve any names.

OLE messages have changed in CPF 3.0 and modified a bit in upcoming 2.4.

Egemen
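A quick way to check Egemen’s explanation on your own box, as an added diagnostic that is not Comodo’s code: if names stop resolving but a connection straight to a known IP still works, the deny hit the DNS client (svchost.exe), not the whole stack. The hostname, IP and port are placeholders you would swap for a host you normally reach; the resolve/connect callables are injectable so the logic can be exercised without a network.

```python
import socket
from typing import Callable, Optional

def _default_resolve(name: str) -> Optional[str]:
    # Real DNS lookup; returns None when resolution fails.
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def _default_connect(ip: str, port: int) -> bool:
    # Real TCP connect to an IP literal, bypassing DNS entirely.
    try:
        with socket.create_connection((ip, port), timeout=3.0):
            return True
    except OSError:
        return False

def classify_outage(hostname: str, known_ip: str, port: int = 80,
                    resolve: Callable[[str], Optional[str]] = _default_resolve,
                    connect: Callable[[str, int], bool] = _default_connect) -> str:
    """Return 'ok', 'dns-blocked', 'host-unreachable' or 'transport-blocked'.

    dns-blocked:       name lookup fails, direct IP connect works -> the OLE deny
                       most likely landed on svchost.exe (DNS client), as described
                       in the thread, so the fix is that one rule, not a reboot.
    host-unreachable:  names resolve but this particular IP/port does not answer.
    transport-blocked: neither works -> the firewall really is dropping traffic.
    """
    direct_ok = connect(known_ip, port)
    resolved = resolve(hostname)
    if resolved is not None and direct_ok:
        return "ok"
    if resolved is None and direct_ok:
        return "dns-blocked"
    if resolved is not None and not direct_ok:
        return "host-unreachable"
    return "transport-blocked"

if __name__ == "__main__":
    # Placeholder values (constructed, not from the thread): replace with a host
    # and address you know you can normally reach.
    print(classify_outage("example.invalid", "192.0.2.1", 80))
```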

From the threat point of view, just because an application is closed does not mean this popup is unnecessary. With OLE Automation, an application can schedule a download for 2 hours later and this can happen anytime the application is closed.

The only way to prevent this is either “intercepting and asking during the OLE operation” or “asking it without caring about the time of occurrence”. Current CPF applies the latter and this is causing the problems for average users.

As I said before, in CPF 3.0, these problems will be irrelevant. In CPF 2.4, these alerts will be reduced significantly.

Egemen

To clarify:

If I block access for winamp then access should automatically be blocked for winamp via OLE automation.

I’m confused, you said it would help but that is not what you are doing?

The password protection is not the correct way to handle this because it is not always activated by the user.

What do you mean by “not always activated by the user”.

You say the new beta makes mouse simulation clicks not possible, how exactly is that done?
I like the password idea because it stops dead any and all future attempts based on this attack, while trying to block mouse simulation/script attacks might be only an implementation specific defense.

Another idea would be to implement CAPTCHA solutions, I’m not too wild about the idea.

Sorry, egemen, but it blocks ALL internet, not just the browser and parent. No email, no nothin’. I pay very close attention to those popups, and the OLE in particular. When AOwl told a user that you didn’t need to reboot after an OLE, I did a lot of tests on it (my conclusion was that that is incorrect; it’s true for the other hijack attempts, but not for OLE). And no, there’s not necessarily a reference to svchost.exe; it can be just the offending app, the browser, and explorer.exe (as the parent to the browser). No svchost in the picture.

That’s why it’s so problematic. You are either forced to allow (without remember) and reboot ASAP, or block it and lose all your internet connectivity until you reboot. I don’t use WinAmp, but my big offenders have been XnView and WhatsRunning; occasionally others.

I absolutely concur with red502; if I create a “block” rule for XnView, I should never see any popup that XnView is trying to connect, modify another app, send special windows messages, OLE automation, anything. It should be blocked in every way, for all time (until I remove that block rule). While this mostly seems to be true, sometimes it still pops up at me.

LM

A bit off topic:

Is there a roadmap of what features CPF 2.4/3.0 and future versions would have? Which is public? And finally I would like to know when to expect the gaming friendly features which are on the wish list?

??? seems to me I started a row here… wasn’t my intention. So to ease things a bit : HAPPY NEW YEAR TO EVERYBODY !!! (:WAV)