I have discovered a simple design issue in Windows that can circumvent the protection of some security software today.
This security tool / leaktest is called System Shutdown Simulator (self-explanatory). It is available for download here:
This leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown. For example, when installing new software, the installation program often asks the user to restart their computer to complete the installation. When the user allows the computer to be restarted, the installation program could potentially compromise the user’s computer completely undetected by security software, as these have already shut down.
A selection of Security Vendors were notified on the 12/11/07 (list kindly supplied by gkweb of firewallleaktester.com). SySafety was contacted earlier however, on the 10/11/07.
A response has been received from SoftSphere Technologies (DefenseWall HIPS), SySafety (SSM) and Tall Emu (Online Armor).
If you have any issues please contact me at: zeroday_software [ at ] yahoo.com (:HUG)
The latest release is 1.0.20
Looks like Comodo is passing everything here. I even downloaded this and extracted before I installed Comodo 3… Then let Comodo Defense+ create a list for me. When I hit the shutdown button it cleared the sys tray (Comodo & Antivir icons) but I passed the tests. Admin account with full privileges as always here. Unless I didn't do something right. lol
Edit: Meant that the simulator failed to get the outbound ping through.
I ran the test also. The outbound ping was successfully intercepted, but the autostart key creation was not. Can a Comodo dev look into this?
Later EDIT: Well, it seemed the HKCU\MS\Windows\Curr. ver\run was not added to my protected reg keys, or at least I haven’t seen it. I’ve added it manually, I’ve deleted sss.exe from computer security policy and now the test is passed. Now, I don’t know if that registry entry exists by default or not.
.266 had a bug which prevented “\Run” key to be added to the protected key list. Since this was a serious issue, we immediately updated it to .268.
CFP is immune to these types of timing attacks. No need to worry. Just install .268 version so that you will have the registry key added for protection.
No worries here. I just thought it was probably a key that I needed to add myself and hadn’t thoroughly checked all the features. Been awhile since I looked at this version.
Hi, I’m updated to .268 and *\Software\Microsoft\Windows\CurrentVersion\Run is not in the protected list. There’s however a …\Load in the list that as far as I know doesn’t really exist. See attached image:
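The posts above turn on whether the HKCU/HKLM …\CurrentVersion\Run keys are protected, and on persistence that gets written while the security software is already down. As an added example that is not part of this thread or of any vendor's product, the script below takes a snapshot of both Run keys and, on the next run (for example after the reboot the leaktest triggers), reports every value that was added, changed or removed. The baseline file location under $env:LOCALAPPDATA is an assumption of this example, not a Windows default.

```powershell
# Added example: detect autostart values written to the Run keys between two runs
# (e.g. before a shutdown and after the next logon). Not part of the original thread.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: baseline file location chosen for this example, not a Windows default.
$baselinePath = Join-Path $env:LOCALAPPDATA 'run-key-baseline.json'
# Properties that Get-ItemProperty adds itself; these are not registry values.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeySnapshot {
    $snap = @{}
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerMeta -contains $prop.Name) { continue }
            $snap["$key\$($prop.Name)"] = [string]$prop.Value
        }
    }
    return $snap
}

function Compare-RunKeySnapshot($old, $new) {
    $changes = @()
    foreach ($name in $new.Keys) {
        if (-not $old.ContainsKey($name)) {
            $changes += "ADDED   $name = $($new[$name])"
        } elseif ($old[$name] -ne $new[$name]) {
            $changes += "CHANGED $name : '$($old[$name])' -> '$($new[$name])'"
        }
    }
    foreach ($name in $old.Keys) {
        if (-not $new.ContainsKey($name)) { $changes += "REMOVED $name" }
    }
    return ,$changes   # leading comma keeps an empty/single result as an array
}

$current = Get-RunKeySnapshot
if (Test-Path $baselinePath) {
    # Rebuild the saved hashtable from JSON (ConvertFrom-Json yields a PSCustomObject).
    $saved = Get-Content $baselinePath -Raw | ConvertFrom-Json
    $old = @{}
    foreach ($p in $saved.PSObject.Properties) { $old[$p.Name] = [string]$p.Value }
    $diff = Compare-RunKeySnapshot $old $current
    if ($diff.Count -eq 0) { 'No Run key changes since baseline.' } else { $diff }
}
# Save the current state as the new baseline for the next run.
$current | ConvertTo-Json | Set-Content $baselinePath
```

Run it once to record the baseline, then again after the reboot; any ADDED line for a value you did not create yourself is the kind of entry the leaktest is trying to plant while the security tools are not running.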
Just wondering if anyone else has tried this test against Comodo Pro 3.0 recently? Someone in Wilders Security Forum has claimed that Comodo failed the test and after reboot although the icon appears in the Task Bar, Comodo is not running. They also claim uninstalling and then installing Comodo again doesn’t fix it.
In response to your post I have tried it and fully passed it. Avira blocked the eicar file creation although the tray icon was closed and CFP v3 alerted me about the autorun registry key creation and about the outbound ping request as well. I can say that CFP is not vulnerable to this leak test as Egemen has already stated it.