now that Outpost offers a great free firewall for Vista 64 bit I’m disappointed that Comodo’s 64 bit version is still flawed.
Did you wonder why it scores well at almost every leaktest but not so at SSTS ( http://www.matousec.com/downloads/ssts.zip )?
It’s because the x64 Comodo version is cheating, many hooks aren’t ring 0. Read about it here:
CIS fails the following SSTS leaktests that Outpost passes:
cpilsuite2 & 3, firehole, ddetest, keylog1 & 2 & 5 & 7
That means that several process modifications and also keylogger detection are fake.
Now the proof that Outpost passes the above mentioned leaktests, that its protection is not fake:
Try to achieve this with Outpost or Online Armor. Also, what settings are you using for both programs? This test was done with Comodo firewall in Safe Mode and D+ in Clean PC Mode. Online Armor Free offers no different modes so it was all stock. Outpost Free was tested using the firewall in Block Most and the HIPS was in Advanced Mode.
You didn’t get my point and so not the issue (read again).
Comodo doesn’t offer ring 0 hooking for all system calls that it claims to intercept, so if Matousec were to test CLT with non-ring 0 unhooking, it would score worse than Outpost.
You got it now? The leaktest protection is not REAL!
Edit: And I’m talking about the x64 version. You just didn’t read my post.
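The claim in the posts above is that some of the interception is done with user-mode (ring 3) inline hooks rather than in the kernel. A defender who wants to check where a product's interception actually lives can look at the first bytes of the exported functions it claims to guard: a detour planted from user mode shows up as a jump stub at the start of the export, while a kernel-side interception leaves the user-mode stub untouched. The following is an added example and not code from this thread, from Comodo, Outpost, or Matousec. It classifies a prologue by the common detour patterns on x86/x64; the byte strings in it are constructed samples (the syscall number in the clean stub is a placeholder), and on Windows the optional `main()` reads the live prologues of a few ntdll exports with `GetProcAddress`. It only reports, it does not change any bytes.

```c
/*
 * Added example (not from the thread): tell whether an exported API's
 * prologue has been replaced by a user-mode (ring 3) detour stub.
 *
 * classify_prologue() matches the usual hook trampolines. Anything it does
 * not match is reported as "no obvious hook", which is NOT proof of a clean
 * function (assumption of this example: these five patterns are the common
 * ones; compare against the on-disk image for a definitive answer).
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,      /* E9 rel32                      */
    HOOK_CALL_REL32,     /* E8 rel32                      */
    HOOK_JMP_INDIRECT,   /* FF 25 disp32  (jmp [mem])     */
    HOOK_MOV_RAX_JMP,    /* 48 B8 imm64 ; FF E0 (x64)     */
    HOOK_PUSH_RET        /* 68 imm32 ; C3                 */
} hook_kind;

/* Classify up to `len` bytes of a function prologue. */
hook_kind classify_prologue(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (len >= 5 && p[0] == 0xE8) return HOOK_CALL_REL32;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
        p[10] == 0xFF && p[11] == 0xE0) return HOOK_MOV_RAX_JMP;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    return HOOK_NONE;
}

const char *hook_kind_name(hook_kind k)
{
    switch (k) {
    case HOOK_JMP_REL32:    return "jmp rel32 (E9)";
    case HOOK_CALL_REL32:   return "call rel32 (E8)";
    case HOOK_JMP_INDIRECT: return "jmp [mem] (FF 25)";
    case HOOK_MOV_RAX_JMP:  return "mov rax,imm64 ; jmp rax";
    case HOOK_PUSH_RET:     return "push imm32 ; ret";
    default:                return "no obvious hook";
    }
}

/* Constructed samples (not captured from any real product). */
static const uint8_t sample_x64_syscall_stub[] = {   /* mov r10,rcx ; mov eax,N ; syscall ; ret */
    0x4C, 0x8B, 0xD1, 0xB8, 0x26, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
static const uint8_t sample_jmp_rel32[]    = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x90, 0x90, 0x90 };
static const uint8_t sample_jmp_indirect[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0x90, 0x90 };
static const uint8_t sample_mov_rax_jmp[]  = { 0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xE0 };
static const uint8_t sample_push_ret[]     = { 0x68, 0x78, 0x56, 0x34, 0x12, 0xC3 };

#ifdef _WIN32
#include <windows.h>
/* Read the live prologue of an export and classify it.
   Sets *found to 0 and returns HOOK_NONE if the export is missing. */
hook_kind check_export(const char *module, const char *name, int *found)
{
    HMODULE m = GetModuleHandleA(module);
    FARPROC f = m ? GetProcAddress(m, name) : NULL;
    if (!f) { *found = 0; return HOOK_NONE; }
    *found = 1;
    return classify_prologue((const uint8_t *)f, 16);
}
#endif

int main(void)
{
#ifdef _WIN32
    /* A few exports that leaktests commonly exercise; extend as needed. */
    const char *names[] = { "NtOpenProcess", "NtWriteVirtualMemory",
                            "NtCreateThreadEx", "NtSetWindowsHookEx" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int found;
        hook_kind k = check_export("ntdll.dll", names[i], &found);
        printf("%-22s %s\n", names[i], found ? hook_kind_name(k) : "export not found");
    }
#else
    /* Off Windows, run the classifier over the constructed samples. */
    printf("clean stub : %s\n", hook_kind_name(classify_prologue(sample_x64_syscall_stub, sizeof sample_x64_syscall_stub)));
    printf("jmp rel32  : %s\n", hook_kind_name(classify_prologue(sample_jmp_rel32, sizeof sample_jmp_rel32)));
    printf("jmp [mem]  : %s\n", hook_kind_name(classify_prologue(sample_jmp_indirect, sizeof sample_jmp_indirect)));
    printf("mov/jmp rax: %s\n", hook_kind_name(classify_prologue(sample_mov_rax_jmp, sizeof sample_mov_rax_jmp)));
    printf("push/ret   : %s\n", hook_kind_name(classify_prologue(sample_push_ret, sizeof sample_push_ret)));
#endif
    return 0;
}
```

A hit only says that something patched the user-mode stub in this process; it does not say who (a security product, a compatibility shim, or a hot-patch) or whether a kernel-side check also exists. Some functions legitimately begin with a jump, so a finding should be confirmed by diffing the in-memory bytes against the on-disk module before concluding that a product's protection is ring 3 only.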
Differently from 32bit versions, X64 versions of Windows include a Kernel Patch Protection that should be cheated in order to provide ring0 protections. Apparently this is not an easy feat to achieve in a reliable way without compromising system stability (Although they do not impact much the final score, Matousec provides some tests about these aspects too and they are mandatory to pass level 9, reaching level 10, and to pass level 10, reaching level 10+.)
Matousec unhooking techniques are often updated during each new review session and made thereafter available to the general public in ssts.zip latest releases in order to prove that even new implementations of non-kernel (ring 0) protections can be defeated, thus superseding old leaktest versions that may be unable to prove the point for some products.
[code=Main.c from FTR.ZIP]
02/08/2007 - Version 3 was implemented to fight the protection of user mode hooks in Online Armor Personal Firewall 126.96.36.199.
24/01/2007 - Version 2 was implemented to reveal a bad approach of Outpost Firewall PRO 4.0 (1005.590.123)
to leak-tests. Many anti-leak features in prior versions of Outpost Firewall PRO 4.0 were implemented
improperly via ring3 hooks. FPR proved this. As a result, the vendor of Outpost implemented
new ring3 hook to intercept FPR, instead of solving the problem. FPR 2 shows that the solution
implemented in Outpost Firewall PRO 4.0 (1005.590.123) have been implemented only to pass FPR test,
not to solve the real problem in Outpost, which is improper usage of ring3 hooks. It is possible
that the next reaction of the vendor of Outpost will be another interception of this new FPR
using another ring3 hooks. In such case, it will be possible to modify FPR such that it will
be able to bypass the interception again.
[/code]
ssts.zip from Matousec is more up to date than FTR.zip hosted on firewallleaktester.com so those who are willing to test the above claims separately on XP 64 and Vista 64 (which could eventually provide different results) should not take FTR.ZIP into account other than reading the comments in the source files, at most.
[url=https://forums.comodo.com/beta_corner_cis/comodo_internet_security_3861948459_beta_released_closed-t33533.0.html;msg246331#msg246331]Despite some regular members may think otherwise, in absence of a way to provide full kernel mode hooking in x64, adding more detection against matousec SSTS leaktests on Vista x64 would [b]really[/b] be considered cheating[/url] by matousec which AFAIK never tested 64 bit versions, thus apparently focusing the challenge and test improvements on 32bit versions whenever its available tests are actually compiled for 32bit (i386) hosts.
No Ewen. No security vendor is allowed to hook kernel in x64 operating systems. It is not that we don't know how to do it. But it is marked as a malicious behavior by Microsoft (i.e. it will be considered as malware) and the next Windows update will ruin your product if you do so.
We are limited to the interfaces Microsoft provides. Please be certain that COMODO was in the technical discussions of kernel patch protection enhancements provided in Vista SP1 with Microsoft and all the other security vendors. We hook in the kernel as much as possible in Vista SP1 x64 and later.
I do not think the firewall mentioned in this thread hooks in the kernel either. The OP thinks it is because they are probably avoiding unhooking used in matousec tests, which is actually trivial to evade.