Help Passing Comodo Leak Test

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Put the setup to the test just now, but the score wasn't very good: 260/340. What do I do to fix all these issues?

Fails were:
4. RootkitInstallation: ChangeDrvPath
6. Invasion: RawDisk
8. Invasion: FileDrop (System32 folder)
10. Injection: SetWinEventHook
11. Injection: SetWindowsHookEx
15. Injection: KnownDlls
28. Hijacking: Userinit
31. Hijacking: StartupPrograms

I thought I had much/most of this covered. Running Comodo Firewall/360 TS/EMET/NoVirusThanks. All elements got into the blocks, just missed a bunch. Not much overlap, so that was good. Upload test explains the fail categories.

I have this test if anyone would like to download it. Don't think it's up on Comodo servers anymore. Thanks for any help.
 

Attachments

  • CLT Results.txt
    2.7 KB · Views: 455

Hector1

Level 4
Verified
Well-known
Aug 4, 2015
152
Comodo Leak Test isn't designed for latest version of Comodo Firewall.
 
  • Like
Reactions: AtlBo

509322

Put the setup to the test just now, but the score wasn't very good: 260/340. What do I do to fix all these issues?

Fails were:
4. RootkitInstallation: ChangeDrvPath
6. Invasion: RawDisk
8. Invasion: FileDrop (System32 folder)
10. Injection: SetWinEventHook
11. Injection: SetWindowsHookEx
15. Injection: KnownDlls
28. Hijacking: Userinit
31. Hijacking: StartupPrograms

I thought I had much/most of this covered. Running Comodo Firewall/360 TS/EMET/NoVirusThanks. All elements got into the blocks, just missed a bunch. Not much overlap, so that was good. Upload test explains the fail categories.

I have this test if anyone would like to download it. Don't think it's up on Comodo servers anymore. Thanks for any help.

Explain the steps you did in performing the CLT.

HIPS module must be enabled. It is a HIPS-only test.

CLT must be added to the File List and rated as Unrecognized.

In the execution alert, Allow, but afterwards if any additional HIPS alerts appear, select Block.

Here it was covered at MT: Question - Comodo leak test, failed own test?
 
Last edited by a moderator:

aliali

Level 2
Verified
Sep 7, 2016
76
Put the setup to the test just now, but the score wasn't very good: 260/340. What do I do to fix all these issues?

Fails were:
4. RootkitInstallation: ChangeDrvPath
6. Invasion: RawDisk
8. Invasion: FileDrop (System32 folder)
10. Injection: SetWinEventHook
11. Injection: SetWindowsHookEx
15. Injection: KnownDlls
28. Hijacking: Userinit
31. Hijacking: StartupPrograms

I thought I had much/most of this covered. Running Comodo Firewall/360 TS/EMET/NoVirusThanks. All elements got into the blocks, just missed a bunch. Not much overlap, so that was good. Upload test explains the fail categories.

I have this test if anyone would like to download it. Don't think it's up on Comodo servers anymore. Thanks for any help.

disable auto sandbox

comodo.png


 
Last edited:
  • Like
Reactions: Andytay70 and AtlBo

Wave

Hi,

If I were you I really wouldn't worry about the first one especially, almost all software which utilizes device drivers these days will register and start it via usage of a Windows Service the normal way; this would be done via using the service manager - more advanced rootkits may attempt to perform a registry modification and then call NtLoadDriver, or just use NtSetSystemInformation, however it'd be rare to see this these days since advanced rootkits which really utilize those methods aren't in the wild as much as they used to be about 5 years ago. I've never even found a sample which does this sort of stuff, I've only learnt about it from personal tests with my own code.

Regarding the #8 for the System32 file drop, this is a protected directory by default and this means that any programs which are not running with administrative privileges will simply fail the operation of dropping to this folder - therefore, as long as you continue to apply basic and safe security practices (e.g. keeping User Account Control enabled and using it as it's intended to be used) then you'll be fine. As an example, make sure you only allow programs to run with administrative privileges if you are certain that they are safe and trusted; do the research prior to downloading it in the first place, actually.

The SetWinEventHook and SetWindowsHookEx ones are a bit tricky because you'd need to hook those functions to block them dynamically, or modify the win32k.sys device driver (critical to the Windows OS - contains the GDI functions such as those ones) to patch up the exported functions to block it from affecting specific programs. A function like SetWindowsHookExA/W can definitely be abused (e.g. for injection attacks); however, it's used for logging the typed keystrokes on the system, more often than not. You'll need a HIPS product which supports blocking the usage of these 2 functions properly, or at least monitors its usage; however, you should know that normal Win32 programs will call this function, because for features like the auto-minimize on the window drag (e.g. by default, depending on configuration of the Windows OS, if you start moving the window of a program around quickly, all the others will be minimized) it uses this function to operate this functionality.

15. Injection: KnownDlls
28. Hijacking: Userinit
These are both two valid ones to consider but still rarely abused... SetWindowsHookEx has more chance of being abused than either of these two functions - not many people use them anymore. In fact, the most commonly seen injection method would be via getting the address of LoadLibraryA, allocating memory into a target process (via VirtualAllocEx), writing to the process' memory (via WriteProcessMemory) and then creating a thread into the target process remotely, causing it to call LoadLibraryA while passing in the parameter to the path of the DLL to inject (via CreateRemoteThread).

31. Hijacking: StartupPrograms
I would have assumed this would have already been covered?

-----------------
Are you sure that the Comodo HIPS is enabled? I do not use Comodo myself and thus do not know what the HIPS module supports; however, I am guessing that their HIPS will cover a lot, if not all, of the things on the Comodo Leak Test application...

Comodo Leak Test is old anyway, and a majority of the things on it are not really used anymore since malware is always evolving and adapting in the wild.

Hope this helped?

Stay safe,
Wave. ;)
 
  • Like
Reactions: AtlBo and aliali
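Wave's post lists the registry locations the Userinit, KnownDlls and StartupPrograms tests go after. A defender's way to check those spots without running a leak test is to export the three keys and compare them against a baseline. The script below is an added example and is not code from this thread, from Comodo or from the CLT: it parses the textual .reg export format (what `reg export` writes) so it can run offline against a constructed sample. The `KNOWNDLLS_BASELINE` set is a deliberately partial allow-list, the `TRUSTED_PREFIXES` directories are an assumption about where startup programs normally live, and the `clt_*` file names in the sample are hypothetical placeholders for the kind of change the test makes.

```python
"""Audit a .reg export for the persistence spots the CLT exercises.

Added example, not part of the original thread. Parses the textual .reg
export format so it runs offline against the constructed SAMPLE_REG; on a
live machine feed it the output of `reg export` for the three keys below.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KNOWNDLLS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Stock Userinit value (the trailing comma in the registry is normal).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Partial allow-list of KnownDLLs file names (constructed); a real baseline
# should be exported from a known-good machine of the same Windows build.
KNOWNDLLS_BASELINE = {
    "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll",
    "ole32.dll", "shell32.dll", "comdlg32.dll",
}

# Assumption: startup entries under these directories are expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample export; the clt_* names are hypothetical stand-ins.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\clt_hijack.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"kernel32"="kernel32.dll"
"user32"="user32.dll"
"clt"="cltdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\""
"Updater"="C:\\Users\\Public\\clt_startup.exe /silent"
'''

# "name"="data" lines; backslash and double quote are escaped with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:  # dword:/hex: values simply do not match
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_userinit(keys):
    """Executables appended to Userinit beyond the stock userinit.exe."""
    value = keys.get(WINLOGON, {}).get("Userinit", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def check_knowndlls(keys):
    """KnownDLLs entries outside the baseline or carrying a path component."""
    findings = []
    for name, dll in keys.get(KNOWNDLLS, {}).items():
        if name == "DllDirectory":
            continue  # the one non-DLL value in this key
        if "\\" in dll or "/" in dll or dll.lower() not in KNOWNDLLS_BASELINE:
            findings.append((name, dll))
    return findings


def check_run(keys):
    """Run entries whose executable lives outside the trusted directories."""
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        m = _EXE_RE.match(cmd.strip())
        exe = (m.group(1) if m else cmd).lower()
        if not exe.startswith(TRUSTED_PREFIXES):
            findings.append((name, cmd))
    return findings


def audit(text):
    keys = parse_reg(text)
    return {"userinit": check_userinit(keys),
            "knowndlls": check_knowndlls(keys),
            "run": check_run(keys)}


if __name__ == "__main__":
    for area, items in audit(SAMPLE_REG).items():
        print(f"{area}: {items or 'clean'}")
```

On the sample it flags the second Userinit entry, the `clt` KnownDLLs value and the `Updater` startup entry while passing the stock ones; swap `SAMPLE_REG` for a real export taken before and after running the CLT to see which of the HIPS blocks actually held.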

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
In the execution alert, Allow, but afterwards if any additional HIPS alerts appear, select Block.

Did as you explained with the initial allow.

I had HIPS set in a limited way. CLT is unknown, so I guess I got responses correct. Only using it for some things right now. Good knowledge. I'll try again.

disable auto sandbox

Does auto-sandbox throw the test off for some of the tests?

I collected screen captures of the 360 events. There are four each time I run the test, and I choose block for each of them. These 4 blocks I guess are different from the missed tests. Uploaded the pic of them side by side in the order they appeared.

(e.g. keeping User Account Control enabled and using it as it's intended to be used) then you'll be fine. As an example, make sure you only allow programs to run with administrative privileges if you are certain that they are safe and trusted; do the research prior to downloading it in the first place, actually.

I see about this. I did have to enter the password to run the test program. I guess all the test scripts have admin access after that. Thanks a lot for that.

Going to run the test again shortly.


360 Alerts.png
 

509322

CFW has HIPS.

360TS has HIPS.

One can affect\interfere with the other.

Anyhow, most times the CFW CLT test results are low because there is a particular way that it should be run - and testers do not run it correctly.

It is outlined in the link in my post.
 
  • Like
Reactions: AtlBo

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Got the score up to 320/340 by marking the file as unrecognized, even with auto-sandboxing enabled. Enabled all the HIPS rules to get from 310 to 320. All but one of the 360 blocks were eliminated and replaced with the CFW HIPS. Causes me to wonder if 360 catches things later, as in might be a problem blocking some things. Missed Drive Paths and KnownDlls. Gotta work on those.

Not that this test is any great measure. You guys out there know better than I, but I at least feel better that I could see some holes in CFW that I could partly patch. HIPS rules activating only for unrecognized, so I guess I can live with all those alerts. Not like I add programs constantly or anything.

Appreciate all you guys' help with this. Thanks Jeff_T :). The linked thread did have the answers.
 
  • Like
Reactions: Wave

509322

Got the score up to 320/340 by marking the file as unrecognized, even with auto-sandboxing enabled. Enabled all the HIPS rules to get from 310 to 320. All but one of the 360 blocks were eliminated and replaced with the CFW HIPS. Causes me to wonder if 360 catches things later, as in might be a problem blocking some things. Missed Drive Paths and KnownDlls. Gotta work on those.

Not that this test is any great measure. You guys out there know better than I, but I at least feel better that I could see some holes in CFW that I could partly patch. HIPS rules activating only for unrecognized, so I guess I can live with all those alerts. Not like I add programs constantly or anything.

Appreciate all you guys' help with this. Thanks Jeff_T :). The linked thread did have the answers.

Passing this Leak Test is a fairly accurate indicator of the HIPS. Then again, getting a 100% score on a leak test is just one measure - and there's a whole bunch of variables not tested. With leak tests you can get false positives\negatives.
 
  • Like
Reactions: AtlBo and Wave
