Testing firewall with leak tests

Hi Comodo team!

This version seems to work too much well, so I have decided to do my 2 main test against the firewall component only.
I’m again, What a disappointing surprise, the firewall fails both test!!! :cry:

  • Testing system:
    OS: Windows 10 Home 1903 (but it fail in any Windows version)
    CIS: v12.2.2.7036 RC but only Firewall component is Enable as Custom Ruleset and COMODO - Proactive Security. All others components (antivirus, HIPS, etc… are disabled).

  • Firewall configuration: Maximum custom protection (manual firewalls rules), not even Windows update or telemetry services or any other service from Microsoft can connect to Internet (only Cortana can, because like her :wink: ) or any application that is not authorized manually can connect to Internet.

  • The LeakTests:

    1º CLT Firewall Test by Comodo. Run last option BITS Hijack and ends with the message (your system is Vulnerable)… Arrrrchhhhh!!!

    2º DnsTest by Jarkko. Ran it and ends with the message: your computer has made successful recursive Dns to Microsoft. Arrrrchhhhh!!!

What happen, Comodo Team?, Each new version of Comodo fails the same tests again and again…

Please, before release the final version for this series fix these 2 holes, please…

Anyway, thank you for your hard work, guys but fix it!

How to fix a DNS leak:

The solution is to ensure that once connected to the anonymity network, you are using ONLY the DNS server/s provided by the anonymity service. As this problem affects predominantly windows clients, only solutions for Windows appear here.

e.g. OpenVPN or TOR


VPN users are extremely cautious about the privacy and security of their online activity and are more concerned about DNS leaks. Hence, users are advised to verify the traffic originating from their computer is routed through a secure VPN network so that no monitoring entity can track down the user’s real IP address. Experts also recommend VPN users to change the computer network settings to use a static IP address to ensure that the new DNS settings are given high priority and not modified without intimation.

The Comodo Leaktest will crash when running it on Windows 10 1809 (17763.1158). This test was never updated to make sure it will run on more recent versions of Windows

I don’t know how DNSTest by Jarkko works but is no longer to be found for download.

speaking of leaks in comodo firewall, I have CFW set to block traffic to all of my applications whenever my VPN disconnects. My VPN’s client has a killswitch on the most aggressive setting, but the killswitch doesn’t work when the VPN’s client isn’t running. CFW has never failed to block traffic when my VPN’s client isn’t running.

Thank you @prodex, but I not talking about the dns-leak from your IPS.

I’m talking about that CIS don’t block a PUA o similar to connect to the DNS service and connect to internet. It’s a leak in the firewall!

I tried running CLT on Win 10 1909 (18363.778), which has the same engine as 1903, and disabled AV, HIPS, Containment and VirusScope and it also crashes so I cannot test.

Ok, you are right Comodo Leaktest has a weird behavior, for me some times works others no works, so I cannot be sure that it is working well anymore.

But DNSTester it is working well, because when I have change the firewall to ‘Block All’, then DNSTest tell me that cannot connect to internet (what is the correct behavior!!).

Already I had reported the same issue for CIS version 8 and it was fixed by Comodo team (below you can find it) in the next CIS version or in the next release (I don’t remember now which version). The executable dnstester.exe mentioned in the below formal defect is the DNSTest by Jarkko :


@Nilhar. I could not find a download link of DNSTest by Jarkko with a quick search.

I know, but I was assuming, you want an anonymous internet connection.

Sounds like Your entire system is vulnerable. Of course a system shouldn’t be vulnerable at all. But I didn’t have any problems as long as I used Comodo.

The attachment shows the weak point of my system with one of my firewall custom rules, attechment ‘clt2.jpg’ is tested with another custom ruleset of firewall. I have rather a lot of rulesets ( :slight_smile: ), depending on what I’m up to.

I have split all posts regarding leak testing from the RC beta topic into this separate topic. The reason it ‘fails’ is because you disabled HIPS which is what you need to have enabled to prevent applications from accessing the DNS/RPC client service to perform DNS requests. By default svchost is allowed all outgoing network connections, so setting the firewall to custom ruleset will not stop DNS requests made by svchost. HIPS is also needed for many of the tests performed by CLT, so just testing the firewall with all other components disabled, will cause multiple failures as the firewall alone will not stop such techniques of the tests.


Maybe I sent it by private message to someone of Comodo team… If you want it send me a private message…

I have ran the CTL only with the Firewall and HIPS components and all the leaks were stopped by the HIPS components, so with this version seems that we have a full protection.

WoW, You are totally right! Using the HIPS component enabled I can see the call to DNS/RPC Client and stop it. I did not remember that the Jarko’s technique only can be stopped having the HIPS enable… I’m no going to forget…

Understand that the key is that by default svchost is allowed all outgoing network and is not possible use a custom firewall rule to avoid this behavior, right?

All this happen because the way that CIS was designed or because the way that Windows works (curiosity) :)?

Thank you @futuretech for your complete explanation…

I mean you can remove the default firewall application rules, but you will eventually get alerts for svchost wanting to make outgoing connections, which you going to need to allow anyways.

Does CLT not fit to, OS=Windows 10, 1909 (BUILD 18363.752) or has CTL problems with this OS?

I have set CLT to compatibility mode. No chance to improve it or I don’t have the knowledge.

Compare with:

Are you testing it with Containment enabled? Because HIPS does not monitor apps running inside Containment which will cause CLT to fail. It will only show a complete score under Containment if you select the Run Restricted setting for all Unknowns at Untrusted Level.

The same results. Should I restart the PC after disabling the Containment?
After a restart Autocontainment will be enabled, I think.

Either disable it permanently or set to Run Restricted - Untrusted, also make sure you are under Proactive Security profile, CLT.exe is rated as Unknown by File Rating, and CLT should not be running under compatibility mode, run it normally.

I tried it just with permanent enabled. Later on I will try it with your proposel. Thank you for helping.

If you use Run Restricted - Untrusted setting you will need to disable UAC so it will not interfere with the restriction level (not sure if it’s possible to completely disable UAC under Windows 10). Also try to remove all instances from CLT.exe from Comodo File List (check if it was rated as Trusted, sometimes the Cloud Lookup will rate it as Trusted).