Online Armor bugged by Buffer Overflows and it's SLOW response time ...

Well, they had a problem

and it took them almost a year to fix it 88)

Date Reported 2008-10-04 Release Date 2009-06-04


What they say is if you ■■■■■■ oamon.sys driver with a rabbish parameters it is possible to invoke a BSOD. But OA doesn’t allow to contact its drivers under normal conditions. To be able to connect oamon.sys you need first to unload OA. This is why this “bug” was never considered as a real bug. But when timetable allowed it was tuned.

To say the truth, those guys at ntinternals seem to have nothing to do :slight_smile:

I remember 3 years ago OA didn’t have a firewall. Also I remember something 5 years ago, 10 years ago. Actually, this is very easy to compare. Out of the box OA passes 99% of matousec and 100% of any other credible tests you can find out. Comodo cannot perform that well out of the box and as for me it is much harder to setup properly. But tastes differ. I understand that the main argument for some people is “free”.

As for testmysecurity. Gosh, their results didn’t update for AGES.

comodo will not pass 100% of matousec tests because they said some of the things that are tested are not important.


Hi Guys,

We have reviewed the results. Dont worry. There are 3 issues to be highlighted here.

1 - There is a single bug in CIS/CFP which affects the previsous versions too.
This bug allows CFP/CIS to fail to detect a special type of handle duplication operation. And thats why it cause CFP/CIS to fails the following tests:

Kill1.exe kill2.exe: kill9.exe kill12.exe crash1.exe crash2.exe crash3.exe crash4.exe crash5.exe crash6.exe

Do not worry. We have fixed the bug and you will be receiving the update on Tuesday(2/12/2008).

2 - There are errors in the test report:

CFP/CIS does not fail the following tests: kill3b.exe kill3f.exe kill3e.exe kill5.exe SSS2.exe SSS3.exe

It is unclear why CFP is reported as failed in these tests. You might try yourself and see. Attachment contains ssts.conf file with which you can test CFP/CIS.

CFP/CIS intercepts system shutdown privilege elevation requests and hence effective blocks sss2.exe and sss3.exe tests.

CFP/CIS can not be terminated by any of those kill tests.
3 - There are some insignificant tests that do not pose any real threat and hence we will not do anything about them.

CFP/CIS is marked as failed in the following tests: SSS.exe i.e. System Shutdown Simulation tests.

It has been scored 50% because CFP/CIS does not intercept system shutdown requests. This is the testing methodology of the tester.

System shutdown poses no real threat. The malware waits for system shutdown to perform its harmful actions. So whether you intercept or not, it can attack the user when the user manually logs out. Original System Shutdown Simulation tests do care about this fact.
So we do not plan to add this redundant protection to pass any tests.

socksnif.exe: This test is designed to test if a malware can snif your network connection or not.

If “\Device\Afd\EndPoint” is added to the Defense+ My Protected Files list, this can be easily intercepted. Adding this entry to the protected files means, making Defense+ to alert you for each and every application which tries to access Windows Sockets.

However, we do not plan to add this to our default protected files. Because

  • It poses no real threat. Malware can not sniff your everyday bank transactions because everything is already SSL encrypted,
  • This is basically no different than sniffing your network traffic from another computer,
  • It will increase the number of popups unnecessarily,

crash7.exe: This test tries to allocate all the memory of the computer to crash applications including the security software

It might be possible for an application to crash if there is no more computer memory available. This is usually a random case. We do not plan to make any changes to pass this test because

  • The crash can be random, intermittent and ubiquitous
  • Assuming CFP/CIS processes also crashed, there is no real threat to the system because by terminating CFP/CIS, malware will not gain any advantage for byapssing Defense+.

So in summary: by terminating CFP/CIS, Defense+ will not be able to be bypassed.


The point is: We build security products, our philosophy is to build a top notch security product to "secure our users against threats". Our priorities are to protect against malware and NOT to pass some tests for marketing gains! Our instructions to our developers is not "come on guys lets figure out how we can pass these tests" but "to protect our users from threats". Egemen would not talk to me if this was our strategy! Smiley Our belief is that if we build our security products to offer the best security possible, everything else will follow. We do NOT and never have had any strategy to go out of our way to pass this test or that test so that we can use it as a marketing gimmick!
EDIT: in this latest test, CIS "failed" kill3f.exe, crash7.exe, SSS.exe, and socksnif.exe According to egemen above, CIS failing crash7.exe, SSS.exe, and socksnif.exe are okay.

Now, kill3f.exe (from last test):

Quote from: egemen on November 29, 2008, 12:22:29 PM
2 - There are errors in the test report:

CFP/CIS does not fail the following tests: kill3b.exe kill3f.exe kill3e.exe kill5.exe SSS2.exe SSS3.exe

It is unclear why CFP is reported as failed in these tests. You might try yourself and see. Attachment contains ssts.conf file with which you can test CFP/CIS.

So, CIS really did score 100% I guess…

Perhaps you need to understand that what is meant by “layered security architecture” and how in the layered security architecture the security works together to achieve protection (In CIS, in this case: Firewall, AV and Defense+, Being Prevention, Detection and Cure :)) - OA does NOT have a layered approach , I don’t think they even have 64bit version! :slight_smile:

CIS has a an AV which allows Comodo to skip some checks in Defense+, AV is a HUGE differentiator. So far, there has been no reports of actual THREATS bypassing CIS in the “default configuration” - Users DON’T need to switch to Proactive Security for example to get the highest security, This just results in MORE pop ups and this setting is aimed for Advanced Users, Hence Proactive can replace ANY AV. Default configuration when installing AV And Firewall is good enough, it is acceptable security and acceptable user experience, and both need to be followed when you are a Security Vendor. The Firewall, Defense+ and AV (Including Buffer overflow protection) all work together in harmony to protect the user. Is it there to prevent permanent damage. CIS has other configurations, You install just Firewall, Then Firewall Security Policy will be applied, hence CIS is still strong. So in default configuration, Yes checkpoints are kept to prevent permanent damage. Keylogger for example isn’t checked, Assume a keylogger is executed and trying to send info over the internet to a hacker, The Firewall will catch it anyway - Permanent damage is prevented and checkpoints are kept to prevent this.

If you know of malware in the wild that does bypass CIS by default please let Comodo know. Anyway instead of testing the detection of AV and testing “Leak Tests” against Firewall and HIPS, I’m really looking forward to AMTSO tests: - To really test protection cause testing just AV detection and leak tests etc is just DEAD…


Here is an email I sent to Matt ( when he was testing CIS in proactive, Thanks for replying Matt btw. :slight_smile:

-----Original Message-----
From: Josh [mailto: xxx[at]xxx]
Sent: Wednesday, May 27, 2009 4:56 AM
To: Matt (
Cc: melih
Subject: Comodo Reviews (From Comodo Forum Global Moderator)


Hi! This is Josh (I am known as /3xist /on Wilders Security Forums, Your
Forums, and I am a Global Moderator on the Comodo Forums whereby I have
been a member for 2 years, and moderating for little over one year. We
have had some communication in the past, we passed a few PM’s, and when
you started the forums I was a moderator (Based on me
asking) but unfortunately, I had to let that position on your forum go
because I just needed time on the Comodo Forums and have just a “one”
focus on there. :slight_smile:

Anyway… I’ll get to the point. First of all, I am NOT a Comodo
Employee in any way. I am simply a volunteer Comodo Forum Moderator who
goes by day to day, learning from Comodo, Helping others, and expanding
my knowledge. I have done this for the past 2 years or so and I consider
my self a Comodo Guru you can say (Ok… Ok… Just experienced!). I
would like to point out the Configuration in Comodo, That you have used
in your past 2 Reviews (Comodo 3.9 Prevention Tests and also how to
clean the patching virus) that would be Proactive Security. I would
just like to further explain this configuration, and why the default
configuration when you install Comodo Firewall & Antivirus is good
enough Internet Security. The reality is, Proactive Security is good
enough for any experienced user. Proactive Security can REPLACE and
Antivirus out there, including Comodo for a Advanced user. They wouldn’t
need the Antivirus in Comodo Internet Security or any other “detection”
based solution, let a lone “prevention” solutions (There is very few
prevention solutions out there, since security vendors/products rely on
detection as first line of defense which needs to change). The only
reason why a experienced user in Proactive Security would need an
Antivirus is to improve USABILITY and reduce pop ups, but hey… We are
talking about a experienced user here, So we can eliminate that
assumption. Now for an Average user to use Proactive Security, it’s a
disadvantage for them compared to an experienced user - They will get
more pop ups
. I’ll talk about this more later.

In Proactive Security, Everything is Enabled in Comodo Internet
Security. For the default configuration, In the Internet Security
Configuration, things are configured a little bit more differently. From
Help File:

* Image Execution Control is disabled.
* Computer Monitor/Disk/Keyboard/DNS Client access/Window Messages
  are NOT monitored.
* Only commonly infected files/folders are protected against infection.
* Only commonly exploited COM interfaces are protected.
* Defense+ is tuned to prevent infection of the system.

As you can see, Internet Security Configuration some things are
disabled. A few more experienced users go “What! why are all these
disabled? To reduce pop ups? To claim false sense security!” Well…
Whatever /they /claim is NOT true and I’ll be doing a Sticky in the
Comodo Forums on why the default configuration in Comodo Internet
Security is good enough. Let’s look at Keyboard, and what if AV does not
detect the program (If a keylogger software is trying to install): All
keyloggers try to install themselves permanently. If they try to do so,
they will be prevented by CIS. Assume the keylogger is executed and by
chance at the same time, there is banking information on a website, the
Firewall will catch it anyway. Here the point is permanent damage needs
to be prevented
and checkpoints are kept to prevent this damage.
Overall, All those checks (Image Execution, Disk, DNS Client, Windows
Messages, Computer Monitors) are disabled because again, permanent
damage needs to be prevented
. When you have an AV installed, it is a
HUGE difference and this allows Comodo to skip some checks in Defense+.
Permanent damage prevented meaning checks like Protected Files, Registry
Keys which MUST be and are protected by default, Point is; all viruses
try to install them selves permanently. No expections, And CIS by
default is there to prevent this damage.

Now, there are 4 default configurations in CIS you might of noticed. All
these configurations (Whether you install just Firewall, Just AV or
both) are configured to suite that configuration chosen, You choose just
Firewall then “Firewall Security” policy will be applied. So in any
case, CIS is still strong. Proactive is for ADVANCED users. I also would
like to point, because Image Execution Control is enabled in Proactive,
Buffer Overflow Protection won’t be the first Alert if a malware or
legit app is doing BO. You will get a Image Execution Alert, If you
allow that, THEN you get a BO Alert… It’s just more pop ups for the
average users, So really! default configuration is fine and WILL prevent
damage (permanent damage). So in future, I would like to see CIS tested
with all defaults please Matt. :slight_smile:

CIS is designed to work in harmony, You get an AV Alert, You will NOT
get a Defense Alert. You get a Buffer Overflow protection Alert via D+,
D+ HIPS wont annoy you either. As always, CIS puts Prevention first and
detection second. :slight_smile: And yep, Defense+ is getting more usable and this will
continue. :slight_smile:

Thank you very much for your Reviews Matt! They have been a pleasure to
watch and proves useful. About the high memory usage and CPU during AV
Updates, Next CIS version will fix this, Where also size of signatures
will be reduced and memory consumption. It is the top priority right
now. Also in next version with this fix is SMART MODE, Smilar to Parent
Control Mode you were playing with, And Family Signatures (More!) to
improve family detection and this will raise AV Detection even higher.

Sorry if I bragged and raffled on, This is a long email and wanted to
take time to explain a few things for you! :slight_smile: Thanks again and I also
copied Melih, Comodo CEO, on this if he would like to add anything if he
wishes too, etc.[/b]


So I downloaded OA, I immediately lost my internet connection while installing… Thanks for NOT warning btw.
I trust everything on this computer. Well yeah, it was protected by Comodo, what do you expect :wink:
Indexing all executables, good thing :-TU, but stumbled across a bug it seeems, it got stuck on c:\program files\empire total war\update.exe
no reaction after some minutes, so I stopped it…
left everything into standard protection…

First remarks :
it started up and waited… and waited… oh yeah, learning mode is finally finished…
it launches 2 icons standartly, I definitely don’t like this
3 services… ok, that’s still possible and it’s not that High amount of recources that it’s using…
When you run a safe application, flagged as trusted by OA, why do you still give a pop-up for this, OMG
Tried to install, failed… retried, worked… What’s this about ?

Putting it to the test :

Self defense:
downloaded icesword, opened it and got a pop-up, allowed it of course without remembering the decision and came upon another bug/…
Please see this pic, it aint so nice (pc froze also, every task I asked it to do went extremely slow)

→ tried to kill OA’s services
No questions asked and I was capable of destroying it’s services, only oasrv.exe survived
well, and my computer pretty much hung for a minute…

downloaded a test from to see if OA still worked, ran pcflank, and it failed…
“Your firewall has failed the test” you can see the results : etc…

So i thought, perhaps this one is to hard for OA ;), so I took a firewall test only : COT
Well, that’s a FAIL for both… So I consider OA’s self defense as broken…


I’m not going to test any further for the moment as I have to go to school :frowning:

So overall, it has some potential, but it still has a lot of bugs. Perhaps you can hire those Ntinternals guys ?


This topic is open for discussion again. please do not poison this one again.


I can hire those guys, of course, but I don’t know what they could do for me, unfortunately.

About the bugs. Generally, even “Hello World” program can have the bugs. Industrial standards allow 1 bug per 10 000 lines of the code and find it acceptable. Unfortunately, MS doesn’t document the techniques most kernel hooking security uses, so it is very difficult task to be in security and to be free of the bugs. For example, in Vista SP2 some functions has different parameters number comparing to Vista SP1, s any security that hooks that function becomes buggy with SP2 release (this is just an example of what happened recently). I try to avoid “bugs” topic because you can visit any support forum of any software and find a LOT of the bugs. Not to say Comodo is not an exception. But if you like I can post a collection of some very interesting bugs in Comodo (despite of thinking this is sensless task). So, do you still wish me to prepare a collection and post it here or we just give this topic away ?

The Nice thing about CIS is that if you kill Cmdagent, this is hard to do, the firewall and D+ (not sure about AV) will keep working, and giving you popups as long as cfp.exe is running, if that termanated also then Default Block kicks in!


Please prepare CIS only bugs.


LOL. I love posts like this. You completely left out your OS and all your other specs. Did you COMPLETELY UNINSTALL CIS. We all know it never uninstalls completely. You say you lost your connection while installing. Well why were you connected while installing? What version of OA were you installing? Was it OA Free or Paid? Obvisously you did not read the the “trust everything” notice clearly. It clearly states “This will take a long time”. It took about 10 minutes for me. Also you do not like 2 icons.aaaaaaaaaaaaaawwwwww poor baby. They are not the same. One is OA and one is the firewall activity which can be easily disabled. I dont like the up and down traffic arrows in CIS. Avast installs 2 icons. You obliviously did not get it properly installed so how can you ever try to run any test. I have installed and used every single firewall and av out there. Never any problems with any of them. I got a 340/340 on the Comodo test with OA Paid and now 20.

CIS bugs…OMG how long do you have. Months. Hell just look at the uninstaller thread. I have never seen a forum more flooded by questions. CIS is good but it is not for a novice or newbie.

Hmm, I love fanboys.

  • Windows XP SP3
  • No other security suites installed
  • CIS uninstalled with revo uninstaller + the batch file from the community
  • I’m free to do with my computer what I do. When I feel like looking at my e-mail when installing a program, I’m free to do so.
  • I didn’t know “this might take a while” is longer then Half and hour. If so, the program is useless.
  • Luckely I have some taste, if I don’t like 2 icons, I don"t like them. I’m not going to change that because a OA fanboy is telling me to
  • You can disable the up and down arrows easier then you can disable the extra icon from OA
  • OA worked, I’ve ran tests to make sure. I’ve got a 100% score on the comodo test suite as well. You won’t get this with half a product.
  • I’ve used the free version btw
  • It’s already from my computer, it’s to chatty for me :slight_smile:


ps : at least Comodo gives changelogs :wink:

I am far from a fan boy. I used CIS for a month. But switching back and fourth from install mode is dumb. That should be automatic. Programs are not listed alphabetically in the firewall and D+. This has been this way ever since Comodo 3.0 came out. When you have over 200 programs installed on a pc how are you suppose to find something. OA,ZAP,Outpost,KIS,NIS and PC Tools all lists things in proper order. Alphabetically. OA chatty…your too much. Install CIS on your Mothers pc or any other family member and they will be calling you everyday. My Girlfriend installed it,stock and could not stand it. “allow” ,Block" Installeder/Updater. How are newbies suppose to know what to do. I used CIS and installed it perfectly find. version 509. It ran very well but the av needs tons of work. Until you can install OA flawlessly then your post is flawed. BTW you never stated what version of OA?

For the record, I do have CIS installed on my mothers pc
Latest OA version fresh from the website.

And again, OA was installed fine.


Did you install CIS on your mothers pc or did she install it? Did you have to customize it for her and eductae her about it? I asked you now 3 TIMES. What version of OA? The latest version is

Just a question.

You say Comodo’s AV is flawed, why aren’t you using OA’s antivirus ? Why are you using Avira free ?


I’ve installed it, and made a certificate for Auslogics. That’s all, I’ve put it into safe mode and it runs fine.


Wow, we have an expert here ! He can read stuff.

Honestly, you can shutdown avira’s realtime if you want. The hips of OA should be enough to protect you, given how smart you are.

And oh yeah : matousec is testing some things that actually don’t exist. They’re doing stuff like ntinternals would do. Strange heh ?