My system failed all 5 tests

Hi,
I went to the Green Border site today and ran their little security test, only to learn I failed all 5 tests. I am installing the program now but am interested to know if future versions of Comodo will incorporate Green Border technology, or if it is something outside the realm of firewall tools.
Thanks!
Sue

well these are hips like tests… rather than firewall tests.

however with v3 of our firewall, because it will have full hips, it will pass all these plus more :slight_smile:

Melih

If you deny their program, their test will fail…
I think it’s only bogus…
Any leaktest will succeed if you allow it to run…
This is a quote from them.

Important Note: Hackers and criminals on the Internet have many different ways of silently injecting code into your PC - without your permission.

Without your permission… BS…
Of course they can do those things if you allow their program to run, and allow it to use your browser and so on…
CFP warned about everything, and when denied, they couldn’t do anything…

If you allow the program, but deny the browser hijack, you won’t even get the results…

Makes sense. However, i think i’ve setup something wrong in that case :-[ - i didn’t get any popups or any anything, and so i also failed all 5 tests. I’m using the default settings with a few extra network rules for my network and a few games that panic kindly provided the rules for me to test. And i’ve just updated to v2.4.16.174 about an hour ago.

If you try and uncheck "do not show alerts for apps certified by Comodo" and raise the alert frequency to high, and then test again. Do you fail now?

:BNC

Yay, thanks AOwl! Now i get a popup, which i denied, and voila the tests don’t even start. Thanks for that.

Is your Component Monitor set to Learn? You should (at the very least) get several popups for changes to the library of MSHTA.exe (which is apparently how they export their test; you do the hard part for them by downloading the app, and it uses MSHTA to get out). However, if it is on Learn, it will automatically approve.

The test failed on mine; it errored out (a runtime error for iexplorer.exe) and could not complete, nor was it able to open the browser. Perhaps because I don’t use Internet Explorer, which is how the MSHTA vulnerability is exploited.

But you don’t use IE, do you, Rucia? Don’t you use Firefox, or something?

LM

Hi LM,

Yes the component monitor is in learn mode, but i’ve now switched that to ‘on’.

Yes i do use FireFox and sometimes SlimBrowser. SlimBrowser is simply a shell for IE, it uses the same Trident rendering engine and library files with a heck load of more functions than IE will ever have. My brother had been using this machine at the weekend, and he set SlimBrowser as the default browser >:( so i assume that had an effect as well.

Remember to delete the mshta.exe in system32 folder…

Unless your version of Win XP is using it; some do require it, depending on the specifics of the system. Deleting it without knowing may cause some instability. Better to use a stop program, where it can be restarted if it causes problems.

LM

going, going, GONE.

I’m using XP Pro SP2, but i copied it to my backup HDD just in case

Thank you AOwl, that saves me $30!

What are your thoughts concerning Byte Crusher’s Window Zones? http://www.bytecrusher.com/

Sue

All

Do not delete MSHTA.EXE it is a required system component. You need it to run the Add/Remove Programs applet for one. If you have deleted it, then unless you had previously disabled the System File Checker, then SFC probably put it back a few seconds after you deleted it. If not, please post.

I didn’t delete MSHTA.exe from my system. I went into Comodo looking for it there to delete it and it isn’t appearing even though I authorized it (without checking the remember box) yesterday.
Sue

No worries, it’s back there now. I don’t know how to disable SFC, besides i can’t think of any reasons why i’d want to.

I haven’t deleted it completely yet.
It’s in recycle bin… ;D
I have used the add/remove programs without it…
I removed it from three places.
windows\system32
windows\ie7
windows\system32\dllcache
I thought they were infected by the greenborder thing…
I will put them back and see if they continue to try to get out on internet as they did yesterday.
Here is a quote from auditmypc.

"mshta.exe (Microsoft HTML Applications) - Details

The process called mshta.exe, is used within Windows to allow the running of HTML Applications (.HTA Files). Mshta.exe is not required for Windows to work correctly. If you find that it is causing problems from your system, you should terminate it.

mshta.exe is flagged as a system process and does not appear to be a security risk. However, removing Microsoft HTML Applications may adversely impact your system."

How do we alert the team at Comodo that mshta.exe is not showing even though we authorized it?

Ideally, if the audit log showed the tree of what it called when it ran, that would be great. A wonderful little utility called “What’s Running” does that for programs and services that are running, but we need that kind of audit trail to clean up Comodo, especially after the Green Border incident.
Thanks!
Sue

Kail, I think that the file only affects add/remove program if you are on Win 2000.

As it seems, I’m not the only one concerned about mshta.exe
What do you think guys?
Anyone from Comodo that has something to say about this?
Read this, and you might understand my suggestion about deleting/renaming that file…
There is even a program to toggle it on/off
Is it yet another way for hackers to steal our underwear… :o

Mike Healan
http://www.spywareinfo.com/articles/htasploit/

Members of the SWI support forums have uncovered a very nasty flaw, already being exploited by malicious hackers, that allows trojans and other malicious software to be introduced onto a machine via Internet Explorer despite security settings.

A file is dropped onto the infected system using ActiveX drive by, the file is run, and then immediately loads the Windows application MSHTA.EXE from the Windows folder. MSHTA.EXE is put into “hot standby”, ready to accept HTA scripting within a web page and then EXECUTE what is embedded IN the page as if it were a program. In other words, this flaw makes it possible for a malicious website to embed trojans, worms and/or viruses directly into a web page and infect visitors using Internet Explorer.

Kevin McLeavy, developer of the BOClean anti-trojan program, has long regarded MSHTA as a serious security threat. "While Microsoft has, since our ‘big stink’ back in 2001, disconnected MSHTA from being INVOKED by Internet Explorer, it will STILL run what is presented to it when started on a local machine in the ‘local machine’ or ‘my computer zone’ since this is done on some corporate networks for the convenience of the glass room geeks.

“In other words, this completely bypasses the security zone structures and patches of Internet Explorer BECAUSE MSHTA is ALREADY RUNNING in the ‘local’ zone … therefore, when presented with [an HTA] script, it will parse it and run it, despite firewall, and IE restrictions…”

This is a severe security risk, and it is recommended that MSHTA be disabled entirely unless you specifically need it to run. Privacy Software Corporation has developed HTAStop, a small program that allows you to quickly disable or enable Windows’ ability to run HTA scripts directly and even renames mshta.exe. HTAStop is located at http://www.nsclean.com/htastop.html.

It does appear that Windows XP makes use of HTA scripting for various parts of the help system and control panel. If you have problems while using Windows XP after using HTAStop, use it to toggle scripting back on.

The flaw cannot be exploited until after the original trojan has been installed, whether by ActiveX driveby or other methods. It is recommended that you verify that your security settings for the “Internet Zone” are set to prompt or disable for ActiveX that is signed and marked as safe. ActiveX that is unsigned or not marked as safe for scripting should be blocked entirely. If the author cannot be bothered to certify their software, you should not trust it to run on your hardware.

My personal advice is to stop using that Microsoft browser that is bundled into every version of Windows. It doesn’t work as well as other browsers, it lacks many basic features available in every competing browser, and it is inherently unsafe and targeted by all known browser hijackers. Lock it away behind the firewall and use a real browser.

That Green Border company should warn people instead of using this security issue.
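Added example, not part of the thread and not code from Comodo, SpywareInfo or HTAStop: a small triage routine over process-creation records that surfaces the mshta.exe launches the quoted article is worried about (started by a browser, started by a program running from a temp or download folder, or pointed at a web URL). The record layout, the browser list, the folder fragments and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Constructed process-creation records (parent image, image, command line),
# in the shape a host agent or audit log might export. Not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\mshta.exe",
     r'mshta.exe "C:\WINDOWS\system32\example-applet.hta"'),
    (r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\WINDOWS\system32\mshta.exe",
     r'mshta.exe "C:\Temp\page.hta"'),
    (r"C:\Documents and Settings\user\Local Settings\Temp\dropped.exe",
     r"C:\WINDOWS\system32\mshta.exe", "mshta.exe http://site.example/page.hta"),
    (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\notepad.exe", "notepad.exe"),
]

# Assumed lists for this example; tune them to the browsers and paths in use.
BROWSERS = {"iexplore.exe", "firefox.exe", "slimbrowser.exe"}
USER_WRITABLE = ("\\temp\\", "\\temporary internet files\\", "\\downloads\\")

def mshta_findings(parent, image, cmdline):
    """Return the reasons an mshta.exe launch deserves review (empty list if none)."""
    if ntpath.basename(image).lower() != "mshta.exe":
        return []
    reasons = []
    parent_l = parent.lower()
    if ntpath.basename(parent_l) in BROWSERS:
        reasons.append("started by a browser")
    if any(part in parent_l for part in USER_WRITABLE):
        reasons.append("parent runs from a user-writable directory")
    if "http://" in cmdline.lower() or "https://" in cmdline.lower():
        reasons.append("HTA content referenced by URL")
    return reasons

def triage(events):
    """Map event index -> reasons, for events with at least one finding."""
    out = {}
    for i, (parent, image, cmdline) in enumerate(events):
        reasons = mshta_findings(parent, image, cmdline)
        if reasons:
            out[i] = reasons
    return out

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][2], "->", "; ".join(reasons))
```

The first sample event (Explorer opening a local .hta) produces no finding, which is the legitimate use the later posts about Add/Remove Programs describe.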

It was used in exactly the same way on W2k Pro, as it is on my XP Pro system now. Although, it does look aesthetically more appealing in XP, I’ll give you that. But, it’s the same thing on W2k as it is on XP.

According to the web site of the folks who make the mshta disabling tool, Microsoft has built Win XP to use it for its menus, including the control panel. So without it, you can’t use Windows properly. They recommend disabling it except for when you need to use it in such cases. That can make using basic functions in Windows very cumbersome.
Sue