Просмотр полной версии : Matousec's Firewall leak Tests of Individual Firewalls & Internet Suites

Ultima Weapon
24.11.2007, 03:00
Comodo Leak Test http://www.personalfirewall.comodo.com/images/cpf_logo.gifhttp://img517.imageshack.us/img517/3656/comodologoyu2.gif http://img413.imageshack.us/img413/3279/comodohackerproofmn8.gif
Online Firewall Leak Test (http://www.personalfirewall.comodo.com/onlinetest.html?currency=USD&region=Asia%20%26%20)

Try also with different Modes - 'Default' up to 'Paranoid or Maximum Settings'

What is Firewall Leak Testing?

Everyday, Internet users are being exposed to a lot of ubiquitous malware programs without their knowledge. Firewalls form the first line of the defense to answer to these threats. Network filtering and outbound application connection filtering are the two essential components that a robust and secure personal firewall must have, that most of the personal firewalls currently in the market claim to provide in some form. Unfortunately, malware programs are evolving rapidly. Many of such programs employ very advanced techniques to conceal their malicious activities so that they easily bypass the standard protection mechanism provided by the most personal firewalls. These techniques are commonly known as "leaks".

Comodo Firewall Pro has been tested against the full range of available leak testing software and has a 100% detection rate. Read the results for yourself by downloading 'Comodo Firewall Pro vs Leak Tests (pdf)'
Explanation of the different of "Leak" techniques or vulnerabilities fraudsters can use to compromise you PC.

There are many techniques that leak tests employ to break personal firewalls' standard protection mechanisms. The following list explains the different types of threats used by leak testing software.

This technique tries to present itself as a trusted application by renaming itself to a commonly known, safe application such as iexplore.exe. As a result, firewalls that do not verify application signatures fail to detect such attempts.
Related Trojans

W32.Welchia.Worm, The Beast
Related Leak Tests

LeakTest 1.2
Launching (Parent Substitution)

With this technique, a program launches a trusted program by modifying its startup parameters such as command line parameters, to access the Internet. This type of penetration bypasses the firewalls that do not apply parent process checking before granting the internet access.
Related Trojans

Related Leak Tests

Tooleaky, FireHole, WallBreaker, Ghost, Surfer,Jumper
DLL Injection

Being one of the most commonly used techniques by Trojans, this method tries to load a DLL file into the process space of a trusted application. When a DLL is loaded into a trusted process, it acts as the part of that process and consequently gains the same access rights from the firewall as the trusted process itself. Firewalls that do not have an application component monitoring feature fail to detect such attacks.
Related Trojans

The Beast, Proxy-Thunker, W32/Bobax.worm.a
Related Leak Tests

PCAudit, FireHole, PCAudit v2
Process Injection

This technique is the most advanced and difficult to detect penetration case that the most of the personal firewalls still fail to detect although it is used by Trojans in the wild. The attacker program injects its code into process space of a trusted application and becomes a part of it. No DLL or similar component is loaded that almost every personal firewall fails to detect this completely.

Related Trojans

Flux trojan
Related Leak Tests

Thermite, CopyCat
Default Rules

When a personal firewall is installed, by default, it tries to allow some vital specific traffic such as DHCP, DNS, netbios etc. not to interrupt the useful network activity. Doing so blindly may cause malicious programs to exploit these rules to access the Internet.
Related Trojans

Related Leak Tests

Race Conditions

While filtering the Internet access requests per application, personal firewalls need the process identifier (pid) of a process to perform its internal calculations. Attacker programs may try to exploit this fact by changing their process identifiers before personal firewalls detect them. A robust personal firewall should detect such attempts and behave accordingly.
Related Trojans

Related Leak Tests

Own Protocol Driver

All network traffic in Windows operating systems are generated by TCP/IP protocol driver and its services. But some Trojans can make use of their own protocol drivers to bypass the packet filtering mechanism provided by personal firewalls.
Related Trojans

Related Leak Tests

Outbound, Yalta (test avancй), MBtest
Recursive Requests

Some system services provide interfaces to applications for common networking operations such as DNS, Netbios etc. Since using these interfaces is a legitimate behavior, a Trojan can exploit such opportunities to connect to the Internet.
Related Trojans

Related Leak Tests

Windows Messages

Windows operating system provides inter process communication mechanism through window handles. By specially creating a window message, a Trojan can manipulate an application's behavior to connect to the Internet.
Related Trojans

Related Leak Tests


It is very important to test any personal firewall with its "out of the box" settings. A personal firewall may claim to provide the protection against leaking attempts while it fails to catch some of them with its default settings. Due to the fact that very few of the personal firewall users are able to know the correct configuration settings suitable for their system; and/or the required configuration settings are too noisy i.e. generating too many needlessly alarming alerts, users actually do not / can not have enough protection. Comodo Firewall Pro comes already preconfigured to enable this high level of protection without having to do anything, (of course, manual configuration is an option).


Various commandline test tools from Matousec to test dll injection etc

MATOUSEC (http://www.matousec.com/downloads/windows-personal-firewall-analysis/)

Host-based Intrusion Prevention Software (HIPS) Leaktests

a)Simple process termination leaktest. =Simple process termination leaktest. More than 16 methods to terminate a process.

b)Simple keylogger leaktest.

HOMEPAGE (http://www.syssafety.com/leaktests.html)


What is 'Firewall Leak Tester' ?

This website, on one hand, enables you to test your software personal firewall thanks to different test programs ('leaktests'), and on the other hand, shows a global vulnerabilities view of the most common personal firewalls in a summary page.
Firewall Leak Tester provides also documentation and advices to improve your security dramatically.

What Firewall Leak Tester is testing ?

Nowadays, threats from the Internet are growing, both from the inside and the outside.
To answer to a security need from Internet users (us), security software firms have created "personal firewalls", softwares acting like real hardware firewalls, but on user's computers.
These personal firewalls have network level filtering, that we will name "network filtering", and an outbound application filtering that we will name "software filtering".

Due to the fact that most of these personal firewalls offer reasonable protection against inbound attacks coming from the Internet, we will only study here their software filtering, outbound filtering that can be stressed by Trojans which try to initiate themselves by connecting to the outside to transmit data out.

To test this software filtering feature, many leaktests (""leak"" test) exist, they are programs created by different authors, each trying to bypass the personal firewalls with his own trick.

What is the purpose of Firewall Leak Tester ?

The purpose of this website is to inform users, to explain, and then to help improving your security.

1 - In a first part, if you are interested by the results themselves, you can check the scoreboard, use yourself the leaktests available on the left menu, and read the explanations available on the document page.

2 - In a second part, you can improve your security by reading the advices page and also the software page, to protect you againt every leaktest. Do not miss the reward page showing excellent sandbox softwares.

3 - Finally, you can check my personal software area on the left menu 'TOOLS', providing softwares I am doing on my spare time to improve Windows security.



The Internet's quickest, most popular, reliable and trusted, free Internet security checkup and information service. And now in its Port Authority Edition, it's also the most powerful and complete. Check your system here, and begin learning about using the Internet safely.


PC Security Hacker & More Testhttp://img413.imageshack.us/img413/7035/pcsecuritytestyf0.jpg


PC Security Test is a free program for Windows that checks computer security against viruses, spyware and hackers. With a few mouse clicks, users can easily control the efficiency of their protection software (anti-virus programs, spyware scanners and firewalls).
PC Security Test simulates virus, spyware and hacking attacks and monitors the responses of your protection software. Don't worry, no real viruses are involved ! After the tests are complete, PC Securtiy computes a security index and provides tips on improving PC security.
Download & Install
PC Security Hacker & More Test (http://www.pc-st.com/us/download.htm)


If you would like to simply generate some event traffic on your computer to test the event notification dialog and see some events in the log choose the simple probe.

If you would like the server to check a list of common ports on your computer to determine if it is able to obtain a connection to them use the port scan.
Simple Probe
Port Scan

Additional Scans
A number of other sites offer probing and scanning of your system.
Please note that these sites are not affiliated with Hackerwatch.org
Scan page at DSL Reports
Advanced Port Scanner at PCFlank.com


System Shutdown Simulator

This leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown. For example, when installing new software, the installation program often asks the user to restart their computer to complete the installation. When the user allows the computer to be restarted, the installation program could potentially compromise the user's computer completely undetected by security software as these have already shutdown.

This security tool / leaktest is called System Shutdown Simulator (self-explanatory). It is available for download here:
System Shutdown Simulator(HomePage) (http://www.geocities.com/zeroday_software/)

XP user
24.11.2007, 08:38
PC Security Test
Comodo does NOT pass this test, even at 'Paranoid Mode'. Its registry protection doesn't seem to monitor the following:

HKLM\Software\Microsoft\Internet Explorer\Extensions
the test adds this:

which is not flagged by Comodo. It is an empty key, but anyway...

it adds virus1.exe, which is not flagged by Comodo. I was disappointed with this.

I you add those keys MANUALLY to 'Defense' - 'My Protected Registry Keys', Comodo passes 100% for all three sections of the test. I'm just wondering how many other surprises this product has to offer...


Ultima Weapon
24.11.2007, 10:28
Thank you very much for the expert advice.;) Il do it by the way.

27.11.2007, 09:31

You are not very font of Comodo I read?

XP user
27.11.2007, 10:08

You are not very font of Comodo I read?
This applies to version 3 only, which is not ready yet. ;)


27.11.2007, 10:37
aha thanx
version 2 is safer?

XP user
27.11.2007, 10:49
aha thanx
version 2 is safer?
Yes. It works as advertised, which is ALWAYS safer. ;)


27.11.2007, 14:18
Thanx. Curious to see what how v3 can improve than

Ultima Weapon
28.11.2007, 22:40
Matousec's Firewall leak Tests of Individual Firewalls & Internet Suites
Matousec Transparent Security
From the website:
What are leak tests? How does Firewalls perform against them?

Firewalls provides protection against both incoming and outgoing attacks. 'Outgoing' attacks occur when a virus, trojan or spyware attempts to make a connection to an outside server without the user's knowledge. To combat such threats, many personal firewalls employ a technique loosely called 'Outbound Application Filtering' which attempts to detect whenever any application or process tries to make an illegal outgoing connection. 'Leak Tests' are small programs explicitly designed to test the strength a personal firewall's 'Outbound Application Filtering'. Each test will attempt to bypass the firewall and make a connection to an outside server.

About Matousec
matousec.com was founded by David Matoušek in March 2006 by a small group of young people, mostly university students, who are interested in the Internet, security and other computer related topics. We focus on specific projects rather than offering general services. Our team consists of skilled people with a professional approach. Our experts excel in reverse engineering and low level and security programming for Microsoft Windows systems thus they are also great software testers.
Our main goal is to improve end-user security with our own security related projects and research. We want to participate in the global security research, to support bigger companies in their activities, to criticize security products and also to offer our own solutions and products. We want to establish the respected and reliable company with a positive influence on the global computer security. We also want to help young perspective people to make themselves visible in the endless world of the Internet.
Activities and offered services of people behind matousec.com include: computer related security consulting and research, testing and analysis of security products, analysis of computer viruses, worms, spyware and other malware, analysis of Internet and computer threats and vulnerabilities in security software, programming of security products especially analytical and penetration testing tools, web programming and design.
Our very first and flagship project is called Windows Personal Firewalls analysis. We hope this project will raise the quality of these security products that are used still by more and more users.
The name of our group matousec.com is a combination of a last name of David Matoušek and the English word security.
The picture in our logo is Japanese Kanji sign and it can be translated as look after, protect, defend, keep or preservation. Together with the sign for proof it means security. The pronunciation of matousec.com can be complicated for native English speakers. We pronounce the first syllable matousec.com as in math, the second syllable matousec.com as toe and the third comes together with the pronunciation from security. The top level domain extension matousec.com is read simply dot com as usual.

28.11.2007, 23:04
did you try the test yourself?

XP user
29.11.2007, 00:35
I don't like sites that promote leak-tests, or rank firewalls by the way they pass or don't pass leak tests. Leak tests have little or nothing to do with computer security. Besides, the culture in itself gives the false impression that as soon as malware is on your system, it can be controlled, contained, or whatever. Well, I have news for you: this is just not true in most cases. I wish the Security Industry stopped throwing dust in people's eyes...


Ultima Weapon
30.11.2007, 11:14
Firewall killer software to bypass firewalls, proxy servers and hide ip address (anonymous proxy)


GRC Leaktest
"Leaktest" from http://www.grc.com/lt/leaktest.htm. This is a free firewall leakage tester.