Some LeakTests bypass the Firewall with maximum protection active [M1449]

A. Some LeakTests bypass the Firewall configuration with the maximum protection active.

Can you reproduce the problem & if so how reliably?:

Yes. I have the following rule in my rule sets for the sandbox:
Action: Run virtually (Fully Virtualized)
Target: All applications
Reputation: Unrecognized
Location: any ; Origin: any
Options: I have enabled all firewall options to maximum with custom ruleset active (any application that tries to access the internet has to request access).

I have tested all matousec leak tests with the latest version of CIS and 4 of its executables break out of the CIS security. 3 of them pass the firewall and send information using my default browser, and the other can shut down my PC even though it was executed fully virtualized (executable name SSS3.exe).

I have attached a zip file with captures of my CIS configuration and the result of the leak test for the executables: inject1.exe, Newclass.exe and dnstester.exe.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:

Explained above.

One or two sentences explaining what actually happened:

Some leak test programs from the matousec Proactive Security Challenge project can pass the firewall rules even with all options at the maximum security and fully virtualized, as you can see in the attached pictures.

One or two sentences explaining what you expected to happen:

I expected that the CIS Firewall would ask me about these programs trying to access the internet.

If a software compatibility problem have you tried the advice to make programs work with CIS?:

NA

Any software except CIS/OS involved? If so - name, & exact version:

No

Any other information, eg your guess at the cause, how you tried to fix it etc:

NA

B. MY SETUP

Exact CIS version & configuration:

CIS 8.1.0.4426 up to date.

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:

Antivirus - stateful, Autosandbox - enabled (fully virtualized), Firewall - enabled (custom ruleset), HIPS - enabled (safe mode)

Have you made any other changes to the default config? (egs here.):

Yes. I have raised the level of the firewall. (attached is my firewall configuration)

Have you updated (without uninstall) from CIS 5, 6 or 7?:

Yes, I have updated from version 7 to version 8 (latest version) without problems.
If so, have you tried a clean reinstall - if not please do?:
NA

Have you imported a config from a previous version of CIS:

NO
if so, have you tried a standard config - if not please do:
NA

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:

Windows 7 Ultimate, SP1 (Windows Update up to date), 64 bit, UAC disabled, Administrator, real machine used for the test.

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:

a=none b=none

[attachment deleted by admin]

If possible, could you please attach mentioned tests and a link to the testing methodology?

Thank you.

You can find it at matousec.com:
Downloads
Testing levels
Summary report for CIS7 (CIS8.0-8.1 not tested yet)

Can you please attach the diagnostics file (instructions on how to do this provided here) and the KillSwitch Process List (instructions on how to do that provided here) and put the resulting file in a zip file. Both should then be attached to your post.

Once you attach these files I can forward this report.

Thanks

Hello wasgij6
It's done!

I have repeated each test for newclass, dnstester and inject1, and I have created a diagnostics file and KillSwitch Process List for each of them, and I have reset the sandbox for each test.
Again, they can pass the firewall and access the internet without asking me. I even think that one of them was able to create a process outside the sandbox (I am not 100% sure about this last one).
By the way, newclass and dnstester cannot pass the firewall with version 7.

Regards.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Hi Nilhar

If possible, could you please attach the testing tools? I tried some leak test tools, but can't reproduce.

thanks

For some strange reason which I forgot to mention – I cannot seem to access the mentioned links. The stars are not aligning in my favor.
Hopefully, someone will attach mentioned test applications.

Thank you.

I have checked the links and they are working right now.

@Flykite if the links aren't working well for you, tell me and I will send you the files in a private email, because these files shouldn't be attached in a message here.

Regards…
Nilhar

Just to be safe send Flykite the files via email

@Nilhar, PM sent.

Thanks.

Tested again with the version 8.2.0.4508.

Bugs still present. :embarassed:

I think that I have found what is happening with this bug. :slight_smile:

After re-testing all these leak tests many times, I have found one interesting thing: the problem is with the sandbox option.
I mean, when the sandbox option is disabled, CIS behaviour is normal, so the firewall/HIPS asks me that a program is trying to get access to my internet (the CIS firewall asks me about the program trying to get
access to the DNS client service), but when the sandbox option is active, the program runs in the sandbox (good thing) but then the program can get access to the DNS client service without asking me anything.

My conclusion:
How is it possible that, with the sandbox option enabled, the unrecognized application can get access to the internet?
Maybe it is possible that when the Sandbox option is enabled, some resources from the HIPS option are internally disabled or limited?
I think that the CIS firewall and its HIPS component behaviour have to be the same in any case, no matter if the application is running in the sandbox or not.
Please moderator, could you transmit this information about this issue to the Comodo developer team?
Thank you.

The default setting for auto sandboxed files (unrecognized) is partially limited.
You can edit this rule, to make it Limited, or greater.
I set mine to Limited.

The default setting is Fully Virtualized with no restrictions though, I think it has been that since version 7… or was it version 8? I can’t remember, terrible memory.

Yes, I know it, but I tried with all options from the sandbox:
Default, Partially limited, Limited, Restricted and Untrusted (I think that is the most limited option).
And I have tried all these previous options with this other option: with "enable file source tracking" active and without.

And the result is always the same: the program ran in the sandbox but it can get access to the internet.

It seems that when you enable the sandbox, the HIPS options are automatically disabled, partially or totally, exactly I don't know. But I think that a sandboxed program should follow the rules from the Firewall/HIPS options as any other trusted/not sandboxed program does.

That is my conclusion…

@Sanya
care to try again?

[attachment deleted by admin]

Would love to, we’re talking defaults no?

Freshly installed, Internet Security Config 100% default

[attachment deleted by admin]

Two variants. Turn on alerts or choose to block requests. Screenshots.

[attachment deleted by admin]

The problem is not with the firewall options. I have the firewall on custom and the "turn on" option enabled. The issue here is that any sandboxed program can in some cases ignore the firewall rules and get access to the internet (in this case, it is ignoring the HIPS rules) without asking me anything...
At this point, you can ask yourself: can a sandboxed program have more privileges than a trusted program that can be limited by your own firewall rules?
I don't think so! Clearly, there is an issue between the sandbox options and the firewall/HIPS options.