Not sure if this is a weakness or not, or if it can be protected, but if you remove the start-up entry for CPF from the registry then it will not be loaded, and on reboot anything can connect out. There is no obvious warning that it is not running.
CMDagent is still running but it does not stop a program connecting.
Isn’t it true that with your option you can stop every piece of software working? And who, in a sane mind, wants to delete the startup of their security software?
Have you actually attempted to do this? As CPF protects all its registry keys and files from modification or deletion. Also, CPF should display a message.
CPF does not protect startup entry, nevertheless, CPF service will be running.
I guess that the developers forgot to add registry protection for the HKLM startup key.
You can connect to the net according to rules, but apps without rules cannot.
You can try some online test, like Shields Up, and you will see that CPF is still working.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent]
"Start"=dword:00000004
When you create a reg file like this, registry protection will not allow it to be added to the registry.
I disabled startup and I was still stealthed and leak test also did not pass (screen).
When I properly exit the firewall, I get ports closed, so I am not behind a router (screen).
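As an added example (not code from this thread or from Comodo), here is a small Python audit that parses a .reg file in the format quoted above and flags entries that would disable the CmdAgent service (Start=4), delete a key belonging to the firewall, or remove its Run entry before such a file is imported. The sample file is constructed; the CmdAgent service path is the one quoted above, while the other key paths and the WATCH name fragments are assumptions.

```python
import re
# Constructed sample: disables CmdAgent (Start=4), deletes a made-up rules key, removes a made-up Run entry
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent]
"Start"=dword:00000004

[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\CPF\Rules]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Comodo Firewall"=-
"Notepad"="C:\\notepad.exe"
"""
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
WATCH = ("cmdagent", "comodo", "cpf")  # assumed name fragments of the product to protect

def parse_reg(text):
    """Parse .reg text into [{'key','deleted','values'}]; a None value means "Name"=- (delete)."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):  # [-key] deletes the whole key
            key = line[1:-1]
            cur = {"key": key.lstrip("-"), "deleted": key.startswith("-"), "values": {}}
            entries.append(cur)
        elif cur is not None and (m := re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = m.group(1).strip('"').replace('\\"', '"')
            cur["values"][name] = None if m.group(2) == "-" else m.group(2)
    return entries

def watched(s):
    return any(w in s.lower() for w in WATCH)

def audit_reg(text):
    """List changes that would disable or strip the watched product if this file were imported."""
    findings = []
    for e in parse_reg(text):
        key = e["key"]
        if e["deleted"] and watched(key):
            findings.append(f"deletes key {key}")
        if key.lower().startswith(SERVICES):
            svc = key[len(SERVICES):].split("\\")[0]
            start = e["values"].get("Start") or ""
            # Start=4 is SERVICE_DISABLED: the service is simply never loaded on the next boot
            if watched(svc) and start.lower().startswith("dword:") and int(start[6:], 16) == 4:
                findings.append(f"disables service {svc} (Start=4)")
        for name, data in e["values"].items():
            if data is None and (watched(key) or watched(name)):
                findings.append(f"removes value '{name}' from {key}")
    return findings
```

Running `audit_reg(SAMPLE_REG)` reports all three tampering entries, while the same Start=4 line for an unwatched service produces no finding.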
Yes quite easy to do using a reg cleaner program. CPF did not notice.
Been playing around with the registry today. Whilst I could not delete a key, I was able to import one into the app set. Don’t know enough to do it properly, but from the bit I did there was no protest from CPF.
The other point that occurs to me is that you are able to import a complete rule set from another version. Cannot see that there is any check to see that it is authentic. And in a similar vein, I use a registry backup program to go back to an earlier version. Again there is nothing from CPF, so presumably there is a point where it fails to monitor the registry. Probably applies to the roll-back programs as well.
Just feel that storing all the rules in the registry is exposing a vulnerability.
It does not monitor startup items (if "Block all outgoing connections while booting" is enabled, this won't pose any threat), but you should not be able to import or delete anything if protection is enabled. If you can, please let us know how to reproduce it so that we can look for special circumstances in 2K.
Because most of the users using reg cleaners complain that CPF does not allow them.
Storing in a file is not different from storing in registry. It is even easier to protect registry. Rules are not the only problem. You have to use registry for installing the services, drivers etc. No rootkit would try to add a rule while it can disable all the services if it is going to use the registry modification to bypass the firewall.
So by using a file for rules, you cannot protect your system from real-world rootkit writers.
I tried it again today using RegCleaner. I did a search in it for Comodo and it found 70 entries. All these were deleted without protest from CPF. Doing a second search found that 37 had been retained. On a reboot CPF was not running, although CMDAgent was, but there was no protection apparent. I was able to run a browser and connect that has never had permission and that Comodo has no knowledge of. IE, which is blocked, was allowed to connect.
When the "Block all outgoing connections while booting" option is enabled, this should not be the case (I mean deleting the CPF startup entry). For the RegCleaner case, let us try and see what's going on.