My CLT test result 300/340

I tested CIS 6 Beta with CLT.
I used the CIS 6 Beta default settings.
The test shows 4 Vulnerable.
They are:
- 10. Injection: SetWinEventHook,
- 11. Injection: SetWindowsHookEx,
- 20. InfoSend: ICMP Test, and
- 24. Impersonation: DDE

My PC environment:
OS: MS Windows 7 64-bit
PC: ASUS
CPU: Intel 4-core i5-T2410

Nice test thanks!

1. "Partially limited" does not block these actions:

keylog, screenlog, clipboardlog, install global hooks, access some COM interface

2. "Explorer as parent" can bypass "partially limited" too (iexplore.exe is NOT sandboxed).

Only "fully virtualized" can block it (iexplore.exe is sandboxed).

What about Untrusted setting?
Is it also bypassed?

“limited or upper levels” can block it.

Interesting that it now runs; it did not in the mods' Beta.

Careful re conclusions from this: the way CIS handles COM is now much more intelligent than before. Will need to compare your results with the rules to understand what is happening. Hope to get to this later.

You also need to use CLT very carefully anyway. There are instructions for this from the mods in the forum for testing re CIS 5.x, but these will probably need updating for 6.0.

Best wishes

Mouse

Egemen said CIS can be set to full virtualization:

3 - How can I enable automatic virtualization? I don't see such an option.
You need to create a special registry value in order to see it. This feature is intended for advanced users only.

  • Open Windows registry editor, regedit.exe, and navigate to HKEY_LOCAL_MACHINE\SYSTEM\software\Comodo\Firewall Pro
  • Create a DWORD value and name it “EnableDefaultVirtualization”
  • Set this value to 1

After following these steps, Advanced Settings Editor will let you choose "Fully Virtualized" as an auto-sandboxing option.

I followed his instructions, but I am unable to find the Fully Virtualized option.
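The registry steps quoted above, written out as an added PowerShell example (this is not code from the thread, from Egemen or from Comodo). It takes the key path and value name exactly as the post gives them, creates the DWORD, and then reads it back, so a path or name typo shows up at once instead of as a silently missing option. The elevation check and the read-back are assumptions of this example, not something the post states.

```powershell
# Added example, not from the thread or Comodo: creates the registry value
# described in Egemen's steps and verifies it. The key path and value name
# are those quoted in the post; the rest of the script is an assumption.
$keyPath   = 'HKLM:\SYSTEM\Software\Comodo\Firewall Pro'
$valueName = 'EnableDefaultVirtualization'

function Enable-DefaultVirtualization {
    param(
        [string]$Path = $keyPath,
        [string]$Name = $valueName
    )

    # Writing under HKLM needs an elevated (Administrator) session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Create the key only if it is missing; do not disturb an existing install's tree.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # REG_DWORD named EnableDefaultVirtualization, set to 1 (steps 2 and 3 of the post).
    New-ItemProperty -LiteralPath $Path -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null

    # Read it back so a typo in the path or value name surfaces immediately.
    Get-DefaultVirtualization -Path $Path -Name $Name
}

function Get-DefaultVirtualization {
    param(
        [string]$Path = $keyPath,
        [string]$Name = $valueName
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return "Key $Path does not exist."
    }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$Name) {
        return "Value $Name is not set under $Path."
    }
    return "$Name=$($item.$Name) under $Path"
}

# Usage: first inspect, then enable.
Get-DefaultVirtualization
Enable-DefaultVirtualization
```

Running `Get-DefaultVirtualization` first tells you whether the value was ever written at all, which separates "the key was created in the wrong place" from "the value is present but the option still does not appear"; the thread does not say which of those the poster hit, and the read-back is the quickest way to find out.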

After you switch it to "fully virtualized", CIS will not block sandboxed (trusted) processes from accessing the network.

For example, a virus executed svchost.exe.
Then svchost.exe tried to connect to the network.

CIS could not block this, and the data were successfully submitted by svchost.exe.

So, it is one risk of "fully virtualized".

CLT is never accurate, especially in BETA mode.

CLT is not accurate at all.
This is what I got from Egemen:

"1. “partially limited” does not block these actions.

keylog, screenlog, clipboardlog, install global hooks, access some COM interface"

That’s not true. According to Egemen:

and following one:

How about a trojan that makes a window and then steals the users' data?

It's not about having a visible window. It's about being active and visible.

My result is 340/340.
Auto-sandbox is disabled and HIPS mode is Safe Mode.

http://www.img4up.com/up2/53170686844885485232.png

I get 310/340 with:

SB: restricted

CIS 6: pro-active

Behaviour blocker: restricted

Does anyone know if this is intended behavior or is it a bug that the firewall did not catch it?

Strange, if you enable Game Mode it gets to 310, but otherwise it only gets to 300. DDE is no longer vulnerable. Why is this?

I think this is just default CIS IS config behaviour. All connections are allowed outbound. The BB overrides it, I guess.

The way the Kiosk is to be used (for web apps) would mean lots of alerts otherwise.

To change this use Proactive config or change firewall rules.

Please say if anyone knows this doesn't work. Have not yet tried for apps run in the sandbox.

Since the FW is active in the sandbox, it is obviously likely to be easy for Egemen to change this.

Best wishes

Mouse