Cloussau
« on: October 21, 2005, 07:02:37 AM »

OK, here are a few screenshots of the GUI for your interest. The first one (slide 2) is the basic front page, which has tabs for all the fine-detail info; the slider on the middle left is set at Custom, which means user-defined rules are in force. Oops, I hope you guys don't mind downloading the pics. As you can tell, this is not my field. Slide 5 is the front page with 4 changes made to 4 tabs, as indicated by arrows.

« Last Edit: October 21, 2005, 07:08:27 AM by Cloussau »

sys- p4 3.0D , 1024mb ddram ;arsenal :Avast! Firefox / adblock /noscript : win xp/pro/sp3

Cloussau
« Reply #1 on: October 21, 2005, 07:11:23 AM »

The next 3 pics are of the GUI with two of the three tabs down the left side depressed, and finally a pic of the alert popups.

« Last Edit: October 21, 2005, 07:14:43 AM by Cloussau »

Cloussau
« Reply #2 on: October 21, 2005, 07:20:55 AM »

Last pic, thank god. Eddy will be freaking out.

Cloussau
« Reply #3 on: October 21, 2005, 07:50:59 AM »

Here's the "Shields Up" opinion in case anyone is interested:

> Your Internet port 139 does not appear to exist! One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
>
> Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

I must say in addition that I have a 4-port router in between, helping out.
For those wanting to know the resource usage, see pic.

« Last Edit: October 21, 2005, 08:08:44 AM by Cloussau »
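The Shields Up text quoted above rests on a three-way distinction: a probed port can accept the connection, actively refuse it, or say nothing at all ("stealth"). The following is an added example, not code from the original post or from GRC: a small Python checker that makes the same three-way classification for TCP ports 139 and 445 and then asks whether every probed port was silent. Port 139 is the one the post quotes; including 445 (direct-hosted SMB) is my assumption, as are all the function names. The loopback demo is constructed so the block runs offline.

```python
import socket

# Ports the NetBIOS test is concerned with. 139 is the one the post quotes;
# 445 (direct-hosted SMB) is an assumption added here because it exposes
# the same Windows networking surface.
NETBIOS_PORTS = (139, 445)


def classify_port(host, port, timeout=3.0):
    """Attempt one TCP connection and report what the far end did.

    'open'    - the handshake completed, something is listening
    'closed'  - the host actively refused (the 'refusal response' the quote expects)
    'stealth' - nothing came back before the timeout (packet silently dropped)
    'error'   - some other network failure, e.g. no route to host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "error"
    finally:
        sock.close()


def check_netbios_exposure(host, ports=NETBIOS_PORTS, timeout=3.0):
    """Classify each port in `ports` on `host`; returns {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def is_stealthed(results):
    """True only if every probed port gave no answer at all, which is what the
    quoted report calls FULL STEALTH MODE. A 'closed' port still sends a reply
    that confirms a host exists, so it does not count."""
    return bool(results) and all(state == "stealth" for state in results.values())


def _unused_loopback_port(avoid):
    """Pick a port on 127.0.0.1 that nothing is listening on right now."""
    while True:
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        probe.bind(("127.0.0.1", 0))
        port = probe.getsockname()[1]
        probe.close()
        if port != avoid:
            return port


def demo_local():
    """Constructed offline demonstration on loopback: one port with a listener
    (expected 'open') and one with none (expected 'closed'). A 'stealth' result
    cannot be produced locally; it needs a packet-dropping firewall or router
    in the path."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    closed_port = _unused_loopback_port(avoid=open_port)
    try:
        return {
            "open": classify_port("127.0.0.1", open_port, timeout=1.0),
            "closed": classify_port("127.0.0.1", closed_port, timeout=1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print("loopback demo:", demo_local())
    # TARGET is a placeholder: substitute your own public address and run this
    # from a machine outside the router, as the Shields Up service does.
    TARGET = "127.0.0.1"
    results = check_netbios_exposure(TARGET)
    print("NetBIOS/SMB ports on", TARGET, "->", results)
    print("fully stealthed:", is_stealthed(results))
```

A "stealth" reading taken from outside says only that no reply came back; it does not tell you whether the software firewall or the router in between dropped the packet, which is the point of Cloussau's remark about the 4-port router.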

DavidR
« Reply #4 on: October 21, 2005, 08:07:36 AM »

It certainly looks colourful, and I like the identification of the parent application in the Outbound Connection alert. It would be interesting to see how it copes with the leak tests and the zabypass.exe and breakout.exe tests that have been used as proofs of concept of bypassing the firewall.
Core2Duo E8300/ 2GB Ram/ WinXP ProSP3/ avast! free 5.0.396/ Outpost Firewall Pro 2009/ Firefox 3.6, NoScript, RequestPolicy/ MailWasher Pro 6.5.4/ SuperAntiSpyware Pro/ MalwareBytes AntiMalware/ WinPatrol Plus/ Drive Image 7.1 /OE6 /SnagIt 9.1 Image Capture

sZc
« Reply #5 on: October 21, 2005, 11:39:12 AM »

> It certainly looks colourful and I like the identification of the parent application in the Outbound Connection alert. It would be interesting as to how it copes with the leak tests and the zabypass.exe and breakout.exe tests that have been used as Proof of Concepts of bypassing the firewall.

That's exactly why I posted this question in Cloussau's original thread dealing with Comodo firewall: http://forum.avast.com/index.php?topic=17001.msg144630#msg144630

Quote by me:
> Now, let's get back to the topic... is there any chance you can post those screenshots any time soon? Also, please provide some more info on how Comodo is behaving when tested with ShieldsUp! and also with TooLeaky http://tooleaky.zensoft.com/
> Thanks in advance, Cloussau

Also, Cloussau, please enable VM Size (Virtual Memory Size) in your Task Manager, so we can see the real memory usage that CPF.exe uses... Thanks!

Cloussau
« Reply #6 on: October 21, 2005, 12:51:36 PM »

|
OK, I've done the TooLeaky test, and because I happened to have A-squared installed alongside, the intrusion test was stopped not only by A2 but also by CPF, but I think it was outbound. See pic, and also the other Task Manager screenshot.

Cloussau
« Reply #7 on: October 21, 2005, 12:59:05 PM »

|
No, I was wrong: the TooLeaky alert was for incoming, and when I turned A2 off I got 2 alerts from CPF, which were both outgoing and incoming. Seems to have everything covered.

DavidR
« Reply #8 on: October 21, 2005, 01:18:21 PM »

|
Want to try the zabypass.exe and breakout.exe tests that have been used as proofs of concept of bypassing the firewall? It would also be interesting to see if A2 picks them up too.
ZAbypass - Hackingspirits.com Proof-of-Concept

« Last Edit: October 21, 2005, 02:12:09 PM by DavidR »

sZc
« Reply #9 on: October 21, 2005, 01:25:55 PM »

|
> No i was wrong the too leaky alert was for incoming and when i turned A2 off I got 2 alerts from cpf which were both outgoing and incoming. seems to have everything covered

That's good to hear, really good. It looks like it deals with those things exactly as Kerio with the Application Behaviour Blocking feature enabled, and ZoneAlarm Pro. ZoneAlarm Freeware will not pass that test... That's really good to hear, Cloussau!

Btw, in your Task Manager, choose the Processes tab. Now go to View (dropdown menu up there) and choose Select Columns... Now put a checkmark in the Virtual Memory Size box. Click OK and now you are able to see the VM Size column. Resize your Task Manager window if needed to see everything... Cheers!

Cloussau
« Reply #10 on: October 21, 2005, 01:29:59 PM »

|
I tried the ZAbypass exe, but I'm a little confused because I'm not sure I got the full gist of what vulnerability it was supposed to prove. On executing, I was transferred to a web page which didn't confirm or deny what had occurred? Getting late down here, 11.30 pm, and I've got a 5am rise, so I'm gonna call it quits for tonight and look at breakout exe (which I couldn't find) tomorrow. Hope this has been of some use.

sZc
« Reply #11 on: October 21, 2005, 01:42:40 PM »

|
Yes, of course it is useful, Cloussau!
Thank you for your effort!
I see that Comodo uses a little bit more resources than Kerio... KPF.exe (Kerio) is at 9 MB VM Size... but sure, it looks like a wonderful firewall... and best of all, all those features for free. ZA free doesn't protect you on all fields, as we all know...

DavidR
« Reply #12 on: October 21, 2005, 02:10:27 PM »

|
> I tried the ZAbypass exe but im a little confused because im not sure got the full gist of what it was supposed to prove a vulnerability. on executing i was transferred to a web page which didnt confirm or deny what had occurred.? hope this has been of some use

Yes, it has been very helpful; it confirms that CPF is vulnerable to this DDE exploit also. I started a thread at the Outpost forums as it too is vulnerable; there is a lot of feedback there.
Bypassing Personal Firewall - Proof-of-Concept

If you arrived at the website without your firewall or A2 intervening, then your firewall has been bypassed (what browser did you use?). You will have noticed that when you ran zabypass.exe there was a string of text (which you can change); that string is replicated at the PofC test page you were sent to.

This is a demo page and has been hosted to demonstrate how a personal firewall can be bypassed and a malicious program can communicate with its master by injecting the data via other trusted programs (here it is IE) in the system. No information is logged during the demo other than the hit count.

Obviously this could be more than a harmless string of meaningless text. If you don't have your browser started, then it is likely that it will detect this PofC; however, if it is already started, which is very likely in real life (and it is a multi-tab browser), then it is very likely to get past.

Re: breakout.exe
So breakout doesn't seem to be as flexible as zabypass, which uses your default browser; breakout.exe is browser specific. Since a very large majority still use IE as their default browser, it would work (bypass the firewall) for most people.

sZc
« Reply #13 on: October 21, 2005, 02:28:10 PM »

|
> ... ... Yes it has been very helpful, it confirms that CPF is vulnerable to this DDE exploit also. I started a thread at the Outpost forums as it too is vulnerable, there is a lot of feedback there. Bypassing Personal Firewall - Proof-of-Concept. If you arrived at the website without your firewall or A 2 intervening, then your firewall has been bypassed (what browser did you use). You will have noticed that when you ran zabypass.exe there was a string of text (which you can change), that string is replicated at the PofC test page you were sent to. ... ...

Exactly, and even worse, Kerio fails at that test too. So it tells us something new... Comodo Firewall didn't pass that test, but it cannot be classified as worse than any other better-known firewall out there. For sure it passes those tests better than ZA free.

DavidR
« Reply #14 on: October 21, 2005, 03:12:19 PM »

|
No one is saying it is any worse than or better than any other firewall; this is an exploit that is hitting virtually all firewalls, with the exclusion of ZA Pro, which picks it up. Not having ZA Pro or a second system, I can't fully check it with a range of browsers as I have done with Outpost Pro.
Many firewalls are able to detect it if you don't have your browser open; once open, if using a tabbed browser, the likelihood is it will open in a new tab without intervention from the firewall.
If IE isn't set up to open in a new window (reuse existing window), then it can get past that, as a new occurrence of the browser isn't activated and as such won't be tested by the firewall's Hidden Process checks.