Type (8) and Code (0)?? [Solved]

OK . . . lemme see if I can 'splain this in an organized fashion so that you can understand what I did, and then I’ll attach that config report . . . ACTUALLY I’VE ATTACHED TWO, and I’ll explain why I did that in a minute.

Step 1: In Comodo in Network Security Policy, I removed “E:\Downloads\Downloads Completed\Leak Test.exe” and “E:\Downloads\Downloads Completed\explorer.exe”. Both of these entries were from previous tests I had done where I had gotten the alert and told it to block and remember (the explorer.exe was what I renamed Leak Test.exe in a second test). I removed them because I wanted to get the alert, just to see if it would do it. And I thought that if the blocking remained then it would block but I wouldn’t get an alert, which I confirmed with another test later.

Step 2: I ran the GRC Leak Test, got the Firewall alert, and told it to block and remember, and Leak Test announced that Comodo had passed.

Step 3: I renamed Leak Test.exe to explorer.exe and ran the GRC leak test again. And again I got the alert, and again I responded with block and remember, and Leak Test announced that Comodo had passed.

Step 4: Just to verify that I wasn’t getting a “false positive” on the passing, I ran the Leak Tests again only this time I checked “allow” and Leak Test announced that my firewall had been “penetrated”, i.e. failed.

END OF TESTS

I can duplicate these circumstances and tests and post screenshots if that would help, but I think the config reports will show you what I did.

The reason I’ve attached two config reports is to show you how it was BEFORE I removed the Leak Test entries from Network Security Policy (CFP_Report before removing leak tests.txt) and AFTER (CFP_Report AFTER removing leak tests.txt), as stated in Step 1. As you can see, there are 26 Network Security Policies before, and 24 after removal of the two leak tests (the second being the renamed . . . explorer.exe . . . one).

Thanks for all your help (nice script by the way . . . my compliments), and my suspicion is that I have this all wrong. Am reading through the manual (RTFM), but it’s for version 2 and as I understand it hasn’t been updated for version 3. I have noticed that the screenshots in the manual are VERY different from version 3. Version 3 must have been a considerable overhaul of the GUI.

Nevertheless, I’m assuming the principles discussed in the manual are the same for version 3.

THANKS again!!!

Oh . . . and one more thing. I DIDN’T change any other settings in this exercise.

[attachment deleted by admin]

Sorry I got confused before and I assumed you were testing ICMP echo requests using GRC | ShieldsUP! — Internet Vulnerability Profiling

The leaktest you ran was meant to test if an outbound connection triggers an alert.

Step 3 is actually valid only for CFP 2.4

In fact CFP V2 didn’t have a full-featured HIPS and thus it was not possible to monitor file integrity in real time.
For this reason, when a firewall rule was created, that rule was bound to a file hash signature.

When that app attempted a connection, CFP V2 checked whether the file had changed in the meantime by comparing the hash signature of the launched app with the one previously stored.

If those signatures did not match then CFP V2 triggered an alert.

V3 is different since D+ alerts every time a protected file (e.g. all executables) is written (or moved).
The alerts you get the moment those files are created/moved supersede the old V2 hash checks.

Since explorer.exe is a Trusted application and CFP V3 protects you from any indirect tampering of explorer.exe, you’ll not get those protected file alerts.

So for example, if you have firefox.exe and you previously created a policy to allow it to connect to the internet,
if you rename leaktest.exe to firefox.exe and replace the real firefox.exe with it, you won’t get any alert and the renamed leaktest.exe will be allowed to connect to the internet.

This will happen because you used explorer.exe that is a Trusted application.
If any other untrusted app attempts to move/copy/create a file you’ll get an alert.
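The V2 hash-bound rule and the V3 path-bound rule described above, as an added model (not Comodo's code; paths and file contents are constructed stand-ins):

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-ins for executable contents (not real binaries).
FIREFOX_BYTES = b"constructed: real firefox.exe contents"
LEAKTEST_BYTES = b"constructed: leaktest.exe contents"

FIREFOX_PATH = r"C:\Program Files\Mozilla Firefox\firefox.exe"   # assumed path
RENAMED_PATH = r"E:\Downloads\explorer.exe"                      # assumed path

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Rule:
    action: str                     # "allow" or "block", as the user answered the alert
    bound_hash: Optional[str]       # CFP V2 stored the file's hash with the rule; V3 does not

@dataclass
class FirewallModel:
    version: int                    # 2 or 3
    rules: Dict[str, Rule] = field(default_factory=dict)   # keyed by full path

    def remember(self, path: str, data: bytes, action: str) -> None:
        """Store the user's 'remember my answer' decision for the app at `path`."""
        bound = file_hash(data) if self.version == 2 else None
        self.rules[path] = Rule(action, bound)

    def connect(self, path: str, data: bytes) -> str:
        """Outcome when the file now at `path` (with content `data`) tries to connect out."""
        rule = self.rules.get(path)
        if rule is None:
            return "alert"          # both versions: no policy for this path, ask the user
        if self.version == 2 and rule.bound_hash != file_hash(data):
            return "alert"          # V2 only: the file changed since the rule was stored
        return rule.action          # the stored policy applies silently

def scenario(version: int) -> Dict[str, str]:
    fw = FirewallModel(version)
    fw.remember(FIREFOX_PATH, FIREFOX_BYTES, "allow")
    return {
        # Step 3 of the thread: leaktest renamed to explorer.exe in a download folder
        "renamed_in_other_path": fw.connect(RENAMED_PATH, LEAKTEST_BYTES),
        # the firefox.exe example: leaktest copied over the allowed firefox.exe
        "replaced_allowed_app": fw.connect(FIREFOX_PATH, LEAKTEST_BYTES),
    }
```

In V3 the second case is silently allowed by the firewall; the thread's point is that D+ is meant to raise the alert earlier, when the file is written, unless a Trusted application did the writing.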

Wait a minute . . . wait a minute . . .

In Step #3 that I did, I DID get a firewall alert, blocked and remembered, and passed the test.

If it was only valid for v2, then why did I get a firewall alert??

Plus, even though explorer.exe is a trusted app, isn’t that according to the path %windir%\explorer.exe?? And when I renamed Leak Test.exe, then the path was E:\Downloads\Downloads to Do\explorer.exe . . . which is an entirely different path. So unless V3 sees explorer.exe as a trusted app independent of the path, then it SHOULD alert to it, shouldn’t it? And if it does see explorer.exe as trusted independent of the path, then again WHY did I get a firewall alert??

And as far as stealth ports goes (Shields Up), all my ports showed up stealth when I tested it (which didn’t involve any pinging anyway, as I’m sure you know).

Anyway, my two questions on the step #3 issue are:

  1. Why did I get a firewall alert??

  2. Is the trusted app mechanism dependent on the path or not??

The policy mechanism is dependent on the path, so in your specific case you had an alert for that reason (there was no rule for an explorer.exe in that path).
If there had been an allow firewall policy matching that path, no firewall alert would have been triggered.

BTW GRC ShieldsUP! “All Service Ports” does a ping test too.

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

and

For the GRC Shields Up test, I should have said " . . . which didn’t involve any pinging BY ME . . . " to be more accurate. The stealth test relies on inbound pings . . . correct??

OK . . . I think I have this all straight. Thanks again for 'splainin it, to both you and Soyabeaner. Back to RTFM.

BTW, did you ever have a chance to look at the config reports?? Any comments/tips??

[2] Allow            IP      Out    From  IP Any  To  IP Any  Where Protocol Is Any

This rule should prevent you from surfing the internet. :o I guess Avira Web Shield bypasses that, but it is not something I would expect. ???
You should purge your D+ and firewall ruleset and let CFP remove policies for deleted apps.

I have absolutely no idea what you’re talking about here.

But I did do the purge.

You have a global firewall rule that blocks all outbound connections.

If this is what you’re talking about:

Global Rules
=========================================================================================
INFORMATION: There are 6 Global Rules reported In CFP Configuration Tree

[0] Allow            IP      Out    From  IP Any  To  Zone [Loopback Zone]  Where Protocol Is Any
[1] Allow            IP      In     From  Zone [Loopback Zone]  To  IP Any  Where Protocol Is Any
[2] Allow            IP      Out    From  IP Any  To  IP Any  Where Protocol Is Any
[3] Allow           ICMP     In     From  IP Any  To  IP Any  Where ICMP Message Is FRAGMENTATION NEEDED {3.4}
[4] Allow           ICMP     In     From  IP Any  To  IP Any  Where ICMP Message Is TIME EXCEEDED {11.0}
[5] Block & Log      IP      In     From  IP Any  To  IP Any  Where Protocol Is Any

then it looks like [2] is ALLOW OUT and not BLOCK. The BLOCK, [5], seems like it’s blocking all INBOUND connections. So it looks like I’m ALLOWING outbound connections, not BLOCKING them. Or am I reading this wrong or misunderstanding you??

:-[

Yep what’s more I even pasted it and read it the wrong way :o
Guess pulling an all-nighter won’t do me any good :-X
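The six Global Rules pasted above, walked top to bottom as an added example (my own model, not Comodo's code; it assumes first match wins, that [Loopback Zone] is 127.0.0.0/8, and uses constructed documentation-range addresses):

```python
import ipaddress
from typing import Optional, Tuple

LOOPBACK_ZONE = ipaddress.ip_network("127.0.0.0/8")   # assumed definition of [Loopback Zone]

def any_ip(ip: str) -> bool:
    return True

def in_loopback_zone(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOOPBACK_ZONE

# Transcribed from the Global Rules listing in the thread, in order.
# (action, protocol, direction, From matcher, To matcher, ICMP (type, code) or None)
GLOBAL_RULES = [
    ("Allow",       "IP",   "Out", any_ip,           in_loopback_zone, None),
    ("Allow",       "IP",   "In",  in_loopback_zone, any_ip,           None),
    ("Allow",       "IP",   "Out", any_ip,           any_ip,           None),
    ("Allow",       "ICMP", "In",  any_ip,           any_ip,           (3, 4)),   # FRAGMENTATION NEEDED
    ("Allow",       "ICMP", "In",  any_ip,           any_ip,           (11, 0)),  # TIME EXCEEDED
    ("Block & Log", "IP",   "In",  any_ip,           any_ip,           None),
]

def evaluate(direction: str, proto: str, src: str, dst: str,
             icmp: Optional[Tuple[int, int]] = None) -> Tuple[Optional[int], str]:
    """First-match evaluation (assumed): returns (rule index, action) for one packet."""
    for idx, (action, rproto, rdir, from_ok, to_ok, ricmp) in enumerate(GLOBAL_RULES):
        if rdir != direction:
            continue
        if rproto == "ICMP" and (proto != "ICMP" or icmp != ricmp):
            continue                      # ICMP rules need the exact message type/code
        if from_ok(src) and to_ok(dst):   # "IP" rules match any protocol
            return idx, action
    return None, "no match"

def ping_is_answered(src: str, dst: str) -> bool:
    """ShieldsUP's ping is ICMP Type 8, Code 0 (the thread title); stealth means it is not answered."""
    return evaluate("In", "ICMP", src, dst, (8, 0))[1] == "Allow"
```

Rule [2] is the outbound allow that was misread as a block, and rule [5] is what drops the inbound echo request and produces the "TruStealth" result.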

Phewwww . . . I thought for a minute there I had it backwards.

Now I’ve got to see if I can digest the two pages of this thread . . . I think I have it, but apparently we both need some sleep.

It’s been a crooked journey, but thanks for all the responses and the lessons . . . and the patience.

You’re welcome.
I’ll lock this topic and mark it as [Solved]