VMware as leak test?


I searched around but so far did not find any reference to VMware. I am not sure whether the following should be caught by Comodo or is an example where someone with administrative rights allows a piece of software to install on a level too deep (ring0?) for a PFW to catch it.

In short, I have installed VMware Player 2.0.0-45731 in bridged mode on Windows XP SP2 running a full-blown Linux VoIP PBX. I can connect to it from the outside through ssh, http, make calls through it, etc., and Comodo does not give me a single hint that this is happening. No popups of Comodo (related to the connections), nothing in the logs, no sign of presence in the connections, etc.

Of course, VMware Player is a complex piece of software which exhibits its presence through various other mechanisms. E.g. it installs at least two additional virtual network adapters, vmnet1 and vmnet8, for host-only and NAT network access to the virtual appliance. Comodo is catching this traffic. But it's not hard to imagine a malicious piece of software which omits this.

My main concern here is the driver which gets installed in your existing network adapter’s stack. It is called ‘VMware Bridge Protocol’ and can be found in the properties of your regular network adapter.
I guess it is responsible for the fact that within the virtual appliance I can set up whichever IP address I like and send traffic in and out without Comodo giving me a hint.

Yes I know all this is happening somewhere deep in the operating system. But shouldn’t Comodo at least show such connections?
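One way to check for the situation described in this post is to enumerate what is actually bound to the physical adapter's stack, rather than relying on the firewall's own logs. The script below is an added example and not from the thread or from VMware; it assumes a Windows 8 / Server 2012 or later host with the NetAdapter module (the cmdlets do not exist on the Windows XP SP2 host described above), and it matches on the word "Bridge" because the poster names the component 'VMware Bridge Protocol'.

```powershell
# Added example (not from the forum thread). Requires Windows 8 / Server 2012 or later
# with the NetAdapter module (Get-NetAdapter, Get-NetAdapterBinding); run elevated.
# Lists every protocol/filter binding on each physical adapter and flags enabled
# bindings whose display name suggests a bridging driver, e.g. "VMware Bridge Protocol".

$bridgePattern = 'Bridge'   # assumption: matches the "VMware Bridge Protocol" name quoted in the thread

$report = foreach ($nic in Get-NetAdapter -Physical) {
    foreach ($b in Get-NetAdapterBinding -Name $nic.Name) {
        [pscustomobject]@{
            Adapter     = $nic.Name
            Description = $nic.InterfaceDescription
            Binding     = $b.DisplayName
            ComponentID = $b.ComponentID
            Enabled     = $b.Enabled
            Suspect     = [bool]($b.Enabled -and $b.DisplayName -match $bridgePattern)
        }
    }
}

# Full picture of the stack: every component sitting on the physical NIC, enabled or not
$report | Sort-Object Adapter, Binding | Format-Table -AutoSize

$suspects = $report | Where-Object Suspect
if ($suspects) {
    Write-Warning "Bridging component(s) bound to a physical adapter:"
    $suspects | ForEach-Object { Write-Warning ("  {0} ({1}) on {2}" -f $_.Binding, $_.ComponentID, $_.Adapter) }
} else {
    Write-Output "No enabled bridging component found bound to a physical adapter."
}
```

Because `-Physical` is used, the host-only and NAT adapters (vmnet1, vmnet8) are not listed; the point is to see which components share the real adapter with the firewall's own filter, since traffic handled by a bridging component below that filter never shows up in the PFW's connection view.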


I think (but don't hold me to it) that this may be because it's bridged; that this in effect bypasses the local firewall through the virtual environment.


Comments: deleted. I got bad info after reviewing my documentation last night.

Hi Opus Dei, Little Mac

Opus Dei, where did you quote the first two paragraphs from? They were not written by me and I strongly disagree with many statements there. Never mind!

However, I just found that I did not do my homework. This topic has already been dealt with, although in the 'Help' forum, where people might miss it:

You can find much better explanations there including screen shots and people who agree.

Of course I am not really concerned by VMware. I do not think that VMware Inc. wants to shoot itself in the foot.
But I can easily imagine some malware using the same technique as VMware to totally bypass Comodo (and probably many other PFWs).

Yes, you are right. But forget about the virtualisation for a moment! Is it so hard for some blackhats to write a bridging driver?
But maybe this is simply a matter of definition: Is something like that in scope or out of focus of a PFW?


I'm sure the blackhats could write a bridging driver if they wanted. But you'd have to look at the order of operation; if it needed to connect prior to creating the bridge, then it would be caught. In general, I think it's probably outside the scope of a common PFW; you're looking at the need for an even more complex, extraordinary PFW. Probably one including a HIPS to catch the activity when the process(es) try to grab CPU time.

I did post one suggestion in the other thread; I don’t know whether it will be of any assistance or not, but it’s worth a shot…