Why I Am Abandoning Comodo Firewall

Edited on 12/6/2011 at 21:44 CST for clarification of test procedure.

I’m sorry to report that after several weeks of rigorous
testing, I must abandon Comodo as my firewall solution.

After an initially positive impression, I was sad to later
discover that Comodo Personal Firewall was not “Leakproof”.

That is to say, the firewall does not appear to check
the MD5 or other signature of an application requesting
permission to pass traffic through the firewall prior to
granting network access.

This is really bad news, since any malicious program
can “masquerade” itself as a trusted application, plant
an executable in the target (application’s) directory,
and send whatever traffic it chooses on through to the
network.

I initially discovered this by using Gibson Research’s
“leaktest” utility, available at:

As a test, I used it to “impersonate” Mozilla Firefox.
I renamed leaktest.exe to the main executable,
firefox.exe, placed it in Firefox’s directory,
and attempted to connect to the GRC Leaktest server.
Much to my amazement, the firewall itself never
challenged this attempt, and leaktest was able to
contact the Leaktest server at GRC without any problems
at all. To be fair, I did get an “alert” that leaktest.exe
was a “malicious” program (which it isn’t), but if I
ignored that, network access was granted by the
firewall, just as if it were a trusted application.

This behavior is not unique to leaktest.exe. I have
found that if I rename just about any internet
client’s executable to that of the target executable
and place it in the corresponding target application’s
directory, access to the network is not blocked by the
firewall, nor do I receive any alerts of any kind.

Yikes!!

Unfortunately, this is a key reason why firewalls from
companies like ZoneLabs put CPF to shame. Even in the
very early free versions, ZoneAlarm would raise an alert
to the user warning that the program that’s requesting
network access has changed. In short, ZoneAlarm never
leaked. See this information on the GRC website:

The information on that page is dated, but still very
valid today.

On a totally unrelated note, I have also discovered
that the “Defense+” service that’s supplied with CPF
does not get along well with Ahead Software’s InCD
Version 4. In order to enjoy full record speeds with
InCD, the slider under Defense+ settings must be set
to “Disabled”. This is also bad news. Not only is this
inconvenient, but it’s also easy to forget about the
slider position after a session of recording, leaving one
quite vulnerable.

Complete waste of time pointing to such outdated information at GRC, who needs to be read without the rose coloured specs. Still, we’ve had conversations about hashing before, here’s something to read, should you be so inclined…


I repeated your test and GRC leaktest was blocked although I had renamed it to firefox.exe.

It’s clearly possible that the OP didn’t realise that CIS needs to be configured/answered in a certain way to make this test valid repeatedly and/or that GRC’s leaktest application would be marked as safe (which it is) by CIS from the first instance that he ran it. And that it wouldn’t matter if he subsequently renamed it or not either, CIS would still recognise it as GRC’s leaktest application.

If your other firewall tells you the application has changed, it allowed the application to get changed by something!

If something tries to change an application while you run Comodo, you have the layer which prevents the application from being changed by something else.

If the admin user replaces files on his own, sure, he is allowed to. How annoyed would we be if we had to answer questions even when we do it ourselves :smiley:

The firewall section should be administrated manually. It’s not much work. Less work than doing tests :smiley:

You don’t have to abandon the firewall, if you use it right. It doesn’t leak if the layers work like they should.

It depends on your opinion. Get warned for changes (which is good), or avoid things getting changed (that’s even better). Two different attempts.
But an additional warning method is a good idea too.

The question is acceptable that the firewall is not in perfect order… >:-D

But to say that Comodo does not issue a warning only because he changed the name of the file? And if he had changed the file, Comodo would alert on the leaktest as an unknown application.

Thanks for replying.

Okay, you’ve convinced me, and I’m more than willing to take another
look at this issue and keep using this firewall.

However, if a file’s hash does somehow change, regardless of who’s
responsible for that change, it still seems like a good idea to have the
firewall alert me to that fact. One click on a popup alert would be all
that’s required to deal with the situation, and that single alert, if
unwanted, could be a firewall option.

Kind regards.

Thanks for replying.

Actually, I did more than rename it. The first thing I did was go
into Firefox’s directory and renamed the main executable from
firefox.exe to firefox.bak. I assume that a malware would have
just deleted it. Then I renamed leaktest.exe to firefox.exe and
placed it in the Firefox directory. Then I ran the leak test.

What I’m gathering from this thread is that since leaktest.exe
has become a trusted file, CF will allow it through, and that
the other layers of the firewall will prevent this scenario from
ever happening in the case of malware.

So the question remains… in light of all this, should the firewall
still raise an alert if the hash of leaktest.exe, masquerading as
firefox.exe in Firefox’s directory, is not the hash of the “real”
firefox.exe? (that the hash has changed since the rule was
created)

Kind regards.

I think CIS should alert when the hash changes, but then it will again have a lot of alerts every time an application is updated.

Did you have a look at the link I posted earlier, it does discuss, at some length, whether hashing is used, or not…

Thanks for replying.

I understand about your concern over receiving too many alerts.

Way back when, I used to use ZoneAlarm. The way they implemented
this feature, you would only get an alert when the hash of the main
executable requesting firewall access has changed since the rule was
created or updated. As such, the only time I ever saw such an alert
was when I updated an Internet app to a newer version. I would
only get a single “Changed Program” alert when the updated executable
requested firewall access. I would allow the change, and that would
be the first and only alert I needed to deal with.
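The difference between trusting a rule by path alone (what the OP observed after renaming leaktest.exe to firefox.exe) and re-checking the hash captured when the rule was created (the ZoneAlarm “Changed Program” behaviour described above), modelled as an added Python example; this is not code from the thread or from either product, and the file contents and both firewall classes are constructed stand-ins:

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file's contents; a trust decision should key on this, not the name."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class PathOnlyFirewall:
    """Constructed model: a rule trusts whatever executable sits at the rule's path."""

    def __init__(self):
        self.rules = {}

    def create_rule(self, exe_path):
        self.rules[os.path.abspath(exe_path)] = "allow"

    def decide(self, exe_path):
        return "allow" if os.path.abspath(exe_path) in self.rules else "prompt"


class HashCheckedFirewall:
    """Constructed model of the ZoneAlarm-style rule: path plus the hash seen at rule creation."""

    def __init__(self):
        self.rules = {}

    def create_rule(self, exe_path):
        self.rules[os.path.abspath(exe_path)] = sha256_of(exe_path)

    def decide(self, exe_path):
        key = os.path.abspath(exe_path)
        if key not in self.rules:
            return "prompt"                  # unknown program: ask the user
        if sha256_of(exe_path) != self.rules[key]:
            return "changed-program-alert"   # same path, different binary: one alert
        return "allow"


def run_masquerade_scenario():
    """Replay the thread's test: the trusted firefox.exe is replaced by another binary."""
    with tempfile.TemporaryDirectory() as d:
        firefox = os.path.join(d, "firefox.exe")
        with open(firefox, "wb") as f:
            f.write(b"constructed stand-in for the real browser binary")
        path_fw, hash_fw = PathOnlyFirewall(), HashCheckedFirewall()
        path_fw.create_rule(firefox)
        hash_fw.create_rule(firefox)
        before = (path_fw.decide(firefox), hash_fw.decide(firefox))
        # Simulate the swap: different program contents now sit at the trusted path.
        with open(firefox, "wb") as f:
            f.write(b"constructed stand-in for leaktest.exe renamed to firefox.exe")
        after = (path_fw.decide(firefox), hash_fw.decide(firefox))
        return before, after
```

A legitimate update changes the hash once, so the hash-checked model raises exactly one alert per update, which matches the single “Changed Program” prompt described in the post.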

Hi. Thanks much for your posts.

Yes, I did have a quick look at the link you posted in your original message,
but the first time I did, I wasn’t very familiar with the forums, and only
saw three posts that didn’t go into much detail about how the hashing
was implemented. I now realize that I simply neglected to page forward,
where there were additional posts on this subject. I look forward to
viewing those tomorrow.

Kind regards.

Threats evolve and of course Comodo falls behind a short while, but always manages to catch up and score 100%. Funny how people would actually quit Comodo over such bumps.

Thanks for referring me to that link. It’s a very
interesting read.

In general, what I see in the forums is a group of
users engaging in varying levels of disagreement
over whether CIS uses a hash or path/filename
criterion when determining whether or not to allow
firewall access. This appears to be complicated by
the fact that CIS is much more than just a firewall,
that user configurations may vary, interaction between
the firewall and Defense+ elements, and also the idea
that different versions produce different behaviors.

Although the conclusion may or may not be correct,
I can see how one would be led down the path/filename
school of thought, based on my own experiments.
The first time I ran Gibson’s Leaktest, it was
sitting in a temporary directory on my C: drive.
I can still run it from that location again and again,
and the result is always the same:

  1. I receive a cloud scanner alert informing me that
    Leaktest is a malicious application. (ignored)

  2. I get a firewall alert, asking me if I want to
    allow it to connect on the network.

However, if I rename it and place it in Firefox’s
directory, I only get the cloud scanner alert; the
firewall itself never asks for my permission, and
allows it to connect to the Leaktest server unchallenged.
This too is very repeatable.

So, on one hand, it seems like the path/filename could
play a big role in this scenario. However, though I
have no direct evidence to support this, I guess I could
also understand that CIS might be automatically
assigning a new hash to the changed, but trusted
executable, firefox.exe, based on user action/behavior
or some other unknown criteria.

As far as whether or not another layer of CIS would
prevent this all from happening in the first place
in the case of malware might be a separate discussion.

I suspect that the truth behind all of this will
become evident as I learn more about the inner workings
of CIS, and how the firewall element interacts with
Defense+. This is all a lot for me to take in at once,
so I’m going to have to ask for your patience.

BTW, I’m using the free version, so no anti-virus
is involved here.

This is with CIS Version 5.8.213334.2131, firewall in
custom policy, alerts on high, and Defense+ in safe mode.
I do not have “Create rules for safe applications” checked.

Kind regards.

The free version includes an antivirus if you choose. Just to clarify.

Hi there:

The AV is not showing itself anywhere on my system. Only the firewall
and Defense+. In addition, there was no installation option for this feature.

Do you need a key to unlock this feature?

I installed using the 35 Meg 32-bit installer downloaded from:

http://personalfirewall.comodo.com/.

I believe they’ve replaced this with a 60 Meg universal installer. Perhaps that’s
an issue?

Regards.

Download CIS premium from COMODO Internet Security 5.8.213334.2131 Released! It’s the first of the free products and includes the AV.

Hi ZBTSI,
The installation you have should still have the option.
In add/remove programs go to Comodo Internet Security, click uninstall/change, click next, click change and this gives you the option to tick the AV component to install.

Yes, I see it in there now. I’ll give it a whirl.

Thanks!

Regards.