WARNING: This firewall does NOT protect anyone - it is EASY to bypass [closed]

WARNING: Any program can easily receive and send data to anyone on the internet and this firewall will not warn you and will not stop it.

All you get with this firewall is a false sense of security.

Want to see a proof?

  1. Download and install Microsoft Virtual PC 2007.

  2. Set your firewall to block all traffic.

  3. Run Virtual PC, install a guest OS in it and boot it (see the Virtual PC help for info on how to do it).

Now, even though your firewall is telling you it is blocking ALL traffic, you can browse any website from the guest OS and send data to anyone on the internet. The firewall will not warn you and will not stop it.

The cause is that this firewall watches only user-space applications, not drivers. BUT, any malevolent program (e.g. a Trojan) can easily launch a driver on your Windows XP anytime!

The bottom line is, with this firewall, all you get is a false sense of security (and a much slower system). The authors of malware are laughing at you right now.

G’day,

I have PM’d egemen to respond. Look forward to his answer.

Cheers,
Ewen :slight_smile:

P.S. I’ve locked your two other identical posts and referred them to here.

Still I don’t see the problem: with Virtual PC you install a PC in your PC, right? Everything is done in it, but not your data. As I have understood Virtual PC, it’s like a safe ‘thing’ to do everything you want in a safe area; the virus/trojan/spyware/etc. can’t do anything with your data 'cause it’s outside the area !!!

Hope I was right
Xan

You’re wrong … the virtual machine can be given access to all your hardware, including your HDDs …

Hi, I cannot verify MS Virtual PC, but CPF will block VMware Player.


I have tested Comodo’s firewall DOZENS of times and I have never seen it fail in any category nor seen it ever show signs of being vulnerable. This is a great and very very secure product.

Hi there,

Virtual machines are conceptually not different from other PCs in your network sharing your internet connection.

So when you install a Virtual Machine, it is as if a different PC in your network sharing the internet connection with you.

In this case, CFP will not, of course, show you alerts for the applications inside the VM, but network monitor rules will be applied.

To make sure CPF does not miss any packets, you must activate the “Monitor other protocols than NDIS” option in attack detection settings, restart your PC and retry. It should work as you expected, or else let us know.

“WARNING: This firewall does NOT protect anyone - it is EASY to bypass”

Well, it is not easy to implement or act as a virtual machine like VMware or Virtual PC :slight_smile: So there is no reason to think CPF can be bypassed EASILY.

Egemen

Here are 2 posts from Wilders on this post:

"Hello,

That post feels incorrect.

I have tried the mentioned thing using VMware Server and Sygate firewall.
When set to block, there was no traffic on the machine. As simple as that.

Maybe the poster forgot to monitor the virtual adapters. That’s an easy omission.

Plus, virtual machines have no access to “all” of the HDD unless allowed to access certain shares."

"No FW gives total protection against leaks, and layered protection is always a better way to keep a computer safe…

There are also many other FW bypasses explained there:

Punching holes into firewalls

or
“Why firewalls shouldn’t be considered a ultimate weapon for network security”
or
“Secure TCP-into-HTTP tunnelling guide”

All leak tests are interesting because they show how much internal protection a FW gives, sometimes as much as a HIPS …

But in real life nobody should put all his eggs in the same basket and rely on only one security program …"

Hope this data helps.

^^ Is that true or not? This assertion hasn’t been responded to yet.

I agree with you. CFW either ignores drivers or it doesn’t.

What’s the answer? Silence is an answer if this stays unanswered.

Driver loading/launching is not a function of a firewall but of HIPS. Firewalls are all about network activity. HIPS (the way that we use the definition) is about a kernel firewall that controls all access to the kernel, either at user or driver level. So the v3 we have does have full driver control, and no rootkit can install without you knowing about it.

Melih

First I would like to add some info from the guide of Virtual PC:

Secure each virtual machine

Complete the following steps to help secure your virtual machines:

Enable a firewall on each virtual machine.

Apply the latest security patches and updates to the operating system and to the applications that are running on each virtual machine.

Use shared networking on each virtual machine until it is fully updated. Shared networking makes it possible for a virtual machine to access TCP/IP–based resources on the host operating system. For more information about shared networking, see Managing shared networking for virtual machines.

Install antivirus software on each virtual machine, as appropriate.

Implement additional security lockdown procedures on each virtual machine, as appropriate.

Second, it is true that if you run Virtual PC:

  1. As Shared Network (NAT): CFP will monitor all traffic in and out of the virtual machine!

  2. As Local only: CFP will monitor all traffic in and out of the virtual machine!

  3. As a separate machine, meaning giving your virtual PC full access to your network card: CFP only does its job and does not monitor the traffic that goes in and out of your virtual PC, since the guest machine has a different IP from your real machine. Any firewall that would block this traffic does not perform stateful packet inspection (SPI). But none of those packets will ever arrive at your real/host PC!

So, the bottom line: CFP does its work. It protects the machine where it is installed!

P.S. This applies only to Microsoft Virtual PC. For VMware things are a little different.

Hope it helps,
Panagiotis

This is a bit too technical for me but as far as I know a “personal” firewall secures one machine. Of course you have to take measures to secure any other machine be it physical or virtual, I guess.

I see many misunderstandings in this thread. This is not about virtual machines or MS Virtual PC at all. This is not about securing virtual network cards manually, securing virtual machines, or things like that. No.

The proof I provided is the following: There currently IS a way for any software to bypass the Comodo firewall with its default settings.

The only thing a Trojan needs to do is to install a driver LIKE the one that Virtual PC uses (the Trojan does NOT need to use Virtual PC or install a guest OS!). That step is easy. Then the Trojan can send any data VIA that Virtual-PC-like driver and Comodo will not detect it, will not warn you and will not stop it. And, of course, the Trojan can read any files on your disks.

A couple of additional notes:

  1. When you configure Virtual PC to verify my proof, in the Networking Settings dialog do not choose the option “Shared networking (NAT)”, nor “Local only”. Select the actual hardware network card you have installed on your computer.

There will be no “Virtual PC” network card to select for protection in Comodo.

  2. In Comodo, there is the following setting: Security → Advanced → Advanced Attack Detection and Prevention → Miscellaneous tab → “Monitor other NDIS protocols than TCP/IP”

If you enable it (note that it is NOT enabled by default) and restart your system, Comodo will be able to block traffic from the Virtual PC, BUT ONLY if you select the Block All level (so you can’t connect to the internet from your computer at all). However, if you select the Custom level (so that you can use internet on your computer again) and wait for a prompt from Comodo, no prompt will be displayed and traffic from Virtual PC will not be blocked! This is totally insufficient and unacceptable. The security issue is still there and I cannot prevent it (I need to connect to the internet sometimes).

  3. Someone wrote “I have tried the mentioned thing using VMware Server and Sygate firewall.
    When set to block, there was no traffic on the machine. As simple as that. Maybe the poster forgot to monitor the virtual adapters. That’s an easy omission.”

To that I reply: VMware is different software. I’m not sure why you didn’t follow my steps and why you didn’t test with the freeware Virtual PC. Moreover, VMware does install virtual adapters that do show in Comodo, but Virtual PC does not. There are no “Virtual PC” virtual adapters to select for protection in Comodo.

In conclusion, Virtual PC is free and you need less than one hour to verify my proof. If you prefer a false sense of security, it is your choice. I felt I was obligated to warn you. To me, sadly, Comodo fully complies with the definition of snake-oil security.
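Added example, not from this thread and not Comodo’s code: a PowerShell audit for a modern Windows host (Windows 8 / Server 2012 or later, where the NetAdapter module exists) that lists every component bound to the physical adapters, including hidden bindings, and flags the ones outside a baseline of stock Microsoft components. It is the host-side check a defender would want for the gap described above: a protocol driver bound directly to the NIC sends frames below anything that only watches TCP/IP, so you want to know what is bound there. The baseline list is an assumption and should be trimmed or extended for the build being audited.

```powershell
# Added example (not Comodo's or the thread author's code). Assumes Windows 8 /
# Server 2012 or later, where Get-NetAdapter / Get-NetAdapterBinding exist.
# Lists the NDIS components bound to each physical adapter and flags anything
# outside a baseline of stock Microsoft components for manual review.

# Baseline of component IDs that ship with Windows. Assumption: adjust it to
# match the build you are auditing (IDs can change between feature updates).
$Baseline = @(
    'ms_tcpip', 'ms_tcpip6',        # IPv4 / IPv6 stack
    'ms_msclient', 'ms_server',     # SMB client / server
    'ms_pacer',                     # QoS packet scheduler
    'ms_lltdio', 'ms_rspndr',       # Link-layer topology discovery
    'ms_lldp',                      # Link Layer Discovery Protocol
    'ms_implat'                     # Network Adapter Multiplexor (NIC teaming)
)

function Get-AdapterBindingReport {
    param([string[]]$KnownComponents = $Baseline)

    $physical = Get-NetAdapter -Physical -ErrorAction Stop
    foreach ($nic in $physical) {
        # -AllBindings also returns hidden bindings that the UI does not show.
        $bindings = Get-NetAdapterBinding -Name $nic.Name -AllBindings
        foreach ($b in $bindings) {
            if (-not $b.Enabled) { continue }   # a disabled binding cannot send
            $status = 'baseline'
            if ($KnownComponents -notcontains $b.ComponentID) { $status = 'REVIEW' }
            [pscustomobject]@{
                Adapter     = $nic.Name
                ComponentID = $b.ComponentID
                DisplayName = $b.DisplayName
                Status      = $status
            }
        }
    }
}

# Print every enabled binding, then call out the ones that need a look.
$report = Get-AdapterBindingReport
$report | Format-Table -AutoSize
$extra = @($report | Where-Object Status -eq 'REVIEW')
if ($extra.Count -gt 0) {
    Write-Warning ("{0} non-baseline component(s) bound to the physical adapters; " +
                   "confirm each one is expected and covered by your firewall." -f $extra.Count)
}
else {
    Write-Host 'Only baseline Microsoft components are bound to the physical adapters.'
}
```

Run it from an elevated prompt so hidden bindings are visible; anything listed as REVIEW is a driver that talks to the NIC beneath the TCP/IP stack and should be accounted for in the firewall’s coverage.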

??? I have some questions.

  1. Which personal firewall blocks any of the service drivers that are in use by network connections? I happen to know none with this ability.
  2. Can you name at least 1 trojan that installs a driver in the network config?

P.S. I understood perfectly the postings above. The problem is that I do not know if any personal firewall has such abilities. And believe me, I have tested a lot of firewalls. :-\

I am preparing to test other firewalls. I will post if I find one that prompts the user when a Virtual-PC-like connection is about to take place. Comodo does many paranoid checks, many of which cause quite a lot of false alarms and OS slowdown, so I thought Comodo would be able to detect any “leaks”. It doesn’t seem to. If no firewall currently can, then hopefully a new version of some will.

It’s not important whether there are any Trojans using Virtual-PC-like drivers. There may be or may be not. The point is there CAN be such Trojans (also, Google the term “zero-day exploit”). Security is a conservative discipline, where hand waving and false sense of security have no place.

Also, a suggestion to Comodo’s CEO: If you want serious security researchers to take your product seriously, you need to make its source code available for peer review. (Note that there is a substantial difference between the true Open-Source and the Source-Disclosed models – but please choose at least one of them, otherwise you can’t expect to gain any real credibility.).

Debunker

First of all, thank you for taking the time doing this test on Comodo firewall and we look forward to seeing the tests for the rest of the firewalls.

Secondly, I do agree with you: there is no room for a false sense of security. However, there is a fine line between what the real threats are today, how to protect against them, and how to protect ourselves in the future. What you have pointed out is something we can protect against, but we have chosen not to do it by default in v2; if you follow Egemen's instructions, then you can protect against this. This might change in v3 depending on how we view the future of threats. After all, there is no 100% security; it's about having a healthy balance between the threats during the lifecycle of the protection product and other threats.

thanks
Melih

hmmm… interesting…

Now, we could argue if the “The world is going to end” kind of way Debunk is expressing his concern might be over the top but he has a point.

Those paranoid persons (like me) usually use a firewall, anti-vir, anti-adware and whatnot to be safe. However, we all know that some might fail with a new kind of threat.
What is the last line of defense? It should be the firewall unless the virus/trojan found a new way to exploit an unknown flaw in the system.
Like using your browser in some new way without alerting your firewall even if it is properly setup.
Everybody should know that he/she can “mis”-configure a firewall to a point where it does not protect anything.
And I do see that CPF could protect against such an exploit and the only question remaining would be: Should it by default. Am I right?

If so, my answer would be: Yes, it should.

I do understand that this might cause problems for people with uhmmm less experience but… CPF isn’t easy for PC-newcomers anyway.
You might now answer: If you aren’t a newcomer, why didn’t you find that option yourself and enable it? Well, because I thought I did not have to.
When I first installed CPF I thought I would be safe for now. I did realize that I had to make some settings for certain stuff to work and that those settings could lead to more risks the more vague they were.
But some software, running on my machine, using my hardware, in specific my network… I would like to be warned about that by default.

Does it matter if I have created a trusted zone before? If so, maybe a warning before doing that?

Nevertheless (L)

"Everybody should know that he/she can “mis”-configure a firewall to a point where it does not protect anything.

But some software, running on my machine, using my hardware, in specific my network… I would like to be warned about that by default."

I think ‘both’ points stated here are valid issues and worth noting!! (:KWL)