Outpost 64 bit is partially much better than Comodo [Closed and locked]

Hello guys,
now that Outpost offers a great free firewall for Vista 64 bit I’m disappointed that Comodo’s 64 bit version is still flawed.
Did you wonder why it scores well at almost every leaktest but not so at SSTS ( http://www.matousec.com/downloads/ssts.zip )?

It’s because the x64 Comodo version is cheating, many hooks aren’t ring 0. Read about it here:

CIS fails the following SSTS leaktests that Outpost passes:
cpilsuite2 & 3, firehole, ddetest, keylog1 & 2 & 5 & 7
That means that several process modifications and also keylogger detection are fake.

Now the proof that Outpost passes the above mentioned leaktests, that its protection is not fake:

http://www.ld-host.de/uploads/thumbnails/717f5ae0424ddb6f0595be6639968aac.png
http://www.ld-host.de/uploads/thumbnails/05ea59b00748fac9b8f526c9e8ec814f.png
http://www.ld-host.de/uploads/thumbnails/bdadd3366eb4cc238ed2c25494c7441a.png
http://www.ld-host.de/uploads/thumbnails/334436755fb2ed9820365776fbdd4cb7.png
http://www.ld-host.de/uploads/thumbnails/c88a8dbf074fef45586d7bba910f0b4f.png
http://www.ld-host.de/uploads/thumbnails/0e11632a6f22d30f75bd9af71610b0b3.png
http://www.ld-host.de/uploads/thumbnails/c692b33562bcbb1512deff1ae7333ee2.png
http://www.ld-host.de/uploads/thumbnails/d79566c7cf8312218f2308a42dfd40c0.png

So please vote Yes

Download and run the Comodo test suite and you will see that Outpost free fails and gives a score of 300/340. Comodo firewall which I am using gets a 340/340 and Online Armor gets a 330/340.

Try to achieve this with Outpost or Online Armor. Also, what settings are you using for both programs? This test was done with Comodo firewall in Safe Mode and D+ in Clean PC Mode. Online Armor Free offers no different modes, so it was all stock. Outpost Free was tested using the firewall in Block Most and the HIPS in Advanced Mode.

[attachment deleted by admin]

You didn’t get my point and so not the issue (read again).
Comodo doesn’t offer ring 0 hooking for all system calls that it claims to intercept, so if Matousec tested CLT with non-ring 0 unhooking it would score worse than Outpost.

You got it now? The leaktest protection is not REAL!

Edit: And I’m talking about the x64 version. You just didn’t read my post.

Is it only the 64 that is fake, or is the same with 32?

Only the 64 bit. The 32 bit version is great.

Unlike the 32-bit versions, x64 versions of Windows include a Kernel Patch Protection that would have to be bypassed in order to provide ring 0 protections. Apparently this is not an easy feat to achieve in a reliable way without compromising system stability. (Although they do not impact the final score much, Matousec provides some tests on these aspects too, and they are mandatory to pass level 9, reaching level 10, and to pass level 10, reaching level 10+.)

Matousec's unhooking techniques are often updated during each new review session and are thereafter made available to the general public in the latest stss.zip releases, in order to prove that even new implementations of non-kernel (non-ring 0) protections can be defeated, thus superseding old leaktest versions that may be unable to prove the point for some products.

[code=Main.c from FTR.ZIP]
02/08/2007 - Version 3 was implemented to fight the protection of user mode hooks in Online Armor Personal Firewall 2.0.1.204.

24/01/2007 - Version 2 was implemented to reveal a bad approach of Outpost Firewall PRO 4.0 (1005.590.123)
to leak-tests. Many anti-leak features in prior versions of Outpost Firewall PRO 4.0 were implemented
improperly via ring3 hooks. FPR proved this. As a result, the vendor of Outpost implemented
new ring3 hook to intercept FPR, instead of solving the problem. FPR 2 shows that the solution
implemented in Outpost Firewall PRO 4.0 (1005.590.123) have been implemented only to pass FPR test,
not to solve the real problem in Outpost, which is improper usage of ring3 hooks. It is possible
that the next reaction of the vendor of Outpost will be another interception of this new FPR
using another ring3 hooks. In such case, it will be possible to modify FPR such that it will
be able to bypass the interception again.
[/code]

stss.zip from Matousec is more up to date than FTR.zip hosted on firewallleaktester.com, so those who are willing to test the above claims separately on XP 64 and Vista 64 (which could eventually provide different results) should not take FTR.ZIP into account, other than reading the comments in the source files at most.

[url=https://forums.comodo.com/beta_corner_cis/comodo_internet_security_3861948459_beta_released_closed-t33533.0.html;msg246331#msg246331]Although some regular members may think otherwise, in the absence of a way to provide full kernel mode hooking in x64, adding more detection against matousec SSTS leaktests on Vista x64 would [b]really[/b] be considered cheating[/url] by matousec, which AFAIK never tested 64 bit versions, thus apparently focusing the challenge and test improvements on 32bit versions, since its available tests are actually compiled for 32bit (i386) hosts.

Ring 0 hooking will be included in CIS x64 in a future release. Exactly when is not yet known, but it will get there.

Ewen :slight_smile:

Thx for the info, panic. I hope it will be soon because of Outpost Free…

Now you got me worried. I tried this test and got lots of vulnerables.
I’m using the latest Comodo in Safe mode and Defense+ in Clean PC mode. Why did I get these results (190/340)?

Run CIS in Proactive mode, Firewall and Defense+ in Safe mode.
Remove any rules created for CLT (both Firewall and Defense+), then rerun the tests.

Thanks for the information. CIS x64 has been giving me headaches. My Vista x64 crashed into a bluescreen from time to time. I’m still using it though, because I have no other choice.

No Ewen. No security vendor is allowed to hook the kernel in x64 operating systems. It is not that we don't know how to do it. But it is marked as malicious behavior by Microsoft (i.e. it will be considered malware) and the next Windows update will ruin your product if you do so.

We are limited to the interfaces Microsoft provides. Please be certain that COMODO was in the technical discussions of kernel patch protection enhancements provided in Vista SP1 with Microsoft and all the other security vendors. We hook in the kernel as much as possible in Vista SP1 x64 and later.

I do not think the firewall mentioned in this thread hooks in the kernel either. The OP thinks it does because they are probably avoiding the unhooking used in matousec tests, which is actually trivial to evade.

Hope this helps,

Egemen

Thanks for the reply.
If it’s true it’s sad :frowning:

I wonder how the future HIPS scenery will look :-X

Well, I’m not an expert but maybe you should try to make unhooking of non ring 0 hooks as hard as possible.

@mods: Please close the poll :slight_smile:

Thread closed as per request

Mea culpa, mea culpa, mea maxima culpa. :-[