App Review A Comodo Firewall Beta 2 Quick Dance

Content created by
cruelsister

ForgottenSeer 103564

5). Finally, a person just making an initial foray into the Wonderful World of Malware should never (never, ever) be dissuaded by telling them it is much too dangerous to attempt, as this only inhibits the quest for knowledge.
MalwareTips...

1st tip should be, don't play with live malware.

You have been here long enough to remember the moderator littlebits. Do you remember when he was curious about a ransomware and ran it in a VM and it escaped onto the host and encrypted half of his personal work files. I do, and littlebits was not an average user or new to these things.

Encouraging users that have no business messing with these dangerous things is irresponsible at best.

Had a lab person in another thread stating that encouraging children as young as 4 years old to play with malware so they can learn was ok. I told him he should just hand that 4-year-old the car keys while he was at it; it's the same concept, handing them dangerous items.

How some users can consider themselves professional while stating it's ok to play with live malware at home, on your personal network, on a public ISP is beyond my ability to comprehend.
 

Xeno1234

Level 13
Jun 12, 2023
628
I don’t think there is anything wrong with encouraging people to learn about malware if that’s their interest. Many people in Cybersecurity do malware analysis on a VM.

The problem with encouraging is that sometimes, there isn’t enough knowledge given to that person about running malware in a VM to ensure full protection. That’s why, for me, I always ask what I should do to ensure malware doesn’t escape and compromise me
 

ForgottenSeer 103564

I don’t think there is anything wrong with encouraging people to learn about malware if that’s their interest. Many people in Cybersecurity do malware analysis on a VM.

The problem with encouraging is that sometimes, there isn’t enough knowledge given to that person about running malware in a VM to ensure full protection. That’s why, for me, I always ask what I should do to ensure malware doesn’t escape and compromise me
That is because there is no such thing as full protection when it comes to this. VMs all have their share of bugs and vulnerabilities. A user can not control what happens with a sample if connected to the Internet. So the only safe "for everyone else" method of testing is to create an isolated lab, as I spoke of in the other thread, which I also pointed out is pointless because much malware needs to connect to a C&C server and/or is virtual machine aware.
 

ForgottenSeer 103564

@Ultimate Vision so who were you in 2014? littlebits has been gone since 2014-ish.
How many accounts do you have?
And why did you change user names?
I was here in 2014 and can recall littlebits' ransomware,
I only have one account and the staff is aware of me. I used to be the malware hub moderator years ago by the user name illumination. I have been gone from the forum a few years. I have been a member here on and off since 2012 though.
 

ForgottenSeer 100397

3). As to the ability of any viewers of either MalwareTips (or the pathetic few for my videos) to follow such discussions, one must understand that they are in no way below average in Security knowledge, as even the Newest of the Newbie is elevated above the Masses by their quest for understanding.
5). Finally, a person just making an initial foray into the Wonderful World of Malware should never (never, ever) be dissuaded by telling them it is much too dangerous to attempt, as this only inhibits the quest for knowledge.
I appreciate all your hard work. Thank you!

3. I have to disagree. Many users install software without understanding it, solely based on recommendations or popularity. While a default-deny setup may work in certain situations, one should not recommend it to most users or those who do not know of it. It's better to offer recommendations that include the setup's pros and cons, along with basic steps and security tips for effective use.
5. I strongly disagree. It can be dangerous, and users who are interested in gaining knowledge may put themselves and others at risk. Any recommendations on this topic should include detailed steps and cautions. I believe MT should moderate discussions or recommendations related to this.

Someone's love for @cruelsister knows no bounds. I sometimes share a playful joke pertaining to a post or thread. When I share a joke in her thread, it inevitably gets reported. I'm cool with the situation, but I really hope he/she doesn't target or put a contract on me... Unidentified and unverified live in containment here, without access to streaming services, mornings and evenings dedicated to devoutly praying to rhythmCF :)
 

ErzCrz

Level 19
Verified
Top Poster
Well-known
Aug 19, 2019
947
@cruelsister I have a quick CF Configuration question.
So I set up CF as yours though I enable IPv6 filtering. I end up getting hundreds of blocks for Edge for ports 443,53,5353,1900,1900, ICMP etc and then loads for svchost with similar ports and then some explorer, searchost etc connecting out to 443, 80 etc and I end up with thousands of blocks in a day.

Is it simplest and safe to just unblock for selected components (which is an allow-all rule) or have them treated as web browser or outgoing only?
I've gone down the route of creating allow rules for each port and protocol, but it's a lengthy process just to clear log spam and I'm not sure if it's necessary.

Also, am I right in thinking, regarding svchost (which I get an alert for DHCP 546 when connecting to my router), that even if I have it as an allowed application, it would be blocked via the firewall if the parent process is untrusted/malware?

In between installs at the moment but will share an example if needed.

Thanks.

EXAMPLE:
[screenshot: 1701081349719.png]
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,127
Hi E! Although the absolute benefit of enabling IPv6 for various reasons (especially with a router) may not really increase protection with CF installed, you shouldn't need to play whack-a-mole with Edge (also, the fewer rules created for CF the better).

However, I currently have 2 production systems (one with the current released 8012 build and the other with Beta2) running and both have IPv6 enabled without such issues. But as this is not the case with you, I wonder if this happened: every so often MS will release updated versions of their stuff which must first be vetted by Comodo, and running these things prior to Comodo finding them safe will plop them into the Untrusted category (seen most often with SmartScreen).

That being said, I'd like you to try this:
1). Open up the Classic interface and clear anything listed as Blocked or Untrusted.
2). Back up your current configuration in case you want to revert.
3). Go into Firewall settings and check the Filter IPv6 box (which you already have done, actually).
4). Check the Create Rules for Safe Application box.
5). Reboot.
6). On reboot, open Edge, confirm you don't get an Untrusted alert and see if you are still getting the Firewall blocks.

I really, really hope that this helps...

m
 

ErzCrz

Level 19
Verified
Top Poster
Well-known
Aug 19, 2019
947
Hi E! Although the absolute benefit of enabling IPv6 for various reasons (especially with a router) may not really increase protection with CF installed, you shouldn't need to play whack-a-mole with Edge (also, the fewer rules created for CF the better).

However, I currently have 2 production systems (one with the current released 8012 build and the other with Beta2) running and both have IPv6 enabled without such issues. But as this is not the case with you, I wonder if this happened: every so often MS will release updated versions of their stuff which must first be vetted by Comodo, and running these things prior to Comodo finding them safe will plop them into the Untrusted category (seen most often with SmartScreen).

That being said, I'd like you to try this:
1). Open up the Classic interface and clear anything listed as Blocked or Untrusted.
2). Back up your current configuration in case you want to revert.
3). Go into Firewall settings and check the Filter IPv6 box (which you already have done, actually).
4). Check the Create Rules for Safe Application box.
5). Reboot.
6). On reboot, open Edge, confirm you don't get an Untrusted alert and see if you are still getting the Firewall blocks.

I really, really hope that this helps...

m
Nice one, thanks! I'll give this a go later :D I think it's the case that I didn't have the Create rules for safe applications ticked.

Also regarding my question about svchost, that a safe rule would be ignored if the parent process was malware, correct?

Thanks so much, you're epic :D
 

ErzCrz

Level 19
Verified
Top Poster
Well-known
Aug 19, 2019
947
Hi E! Although the absolute benefit of enabling IPv6 for various reasons (especially with a router) may not really increase protection with CF installed, you shouldn't need to play whack-a-mole with Edge (also, the fewer rules created for CF the better).

4). Check the Create Rules for Safe Application box.
5). Reboot.
6). On reboot, open Edge, confirm you don't get an Untrusted alert and see if you are still getting the Firewall blocks.
Thanks again, this fixed the issue :D Running well protecting me in the background for anything unknown ;) You rock!
 

ErzCrz

Level 19
Verified
Top Poster
Well-known
Aug 19, 2019
947
@ErzCrz, Including "Create rules for safe applications" will overcrowd the rules section and potentially strain system resources.
I don't chop and change programs that much. What I might just try is to Unblock Edge, explorer, svchost etc. for the components shown in the Blocked By column, which would also work and not create rules for every program I run. Will give it a shot ;)
 

ForgottenSeer 100397

I don't chop and change programs that much. What I might just try is to Unblock Edge, explorer, svchost etc. for the components shown in the Blocked By column, which would also work and not create rules for every program I run. Will give it a shot ;)
Sometimes, the "Blocked Applications" feature on the main interface lists trusted applications as unrecognized because of a bug.
 

ErzCrz

Level 19
Verified
Top Poster
Well-known
Aug 19, 2019
947
Sometimes, the "Blocked Applications" feature on the main interface lists trusted applications as unrecognized because of a bug.

Example of what is blocked if I leave Create Rules for Safe unchecked.

[screenshot: 1701137052260.png]

[screenshot: 1701137105141.png]

Creating rules for safe applications creates a rule (Allow Outgoing):
[screenshot: 1701137551463.png]

Unblocking manually creates a rule (Allow Incoming & Outgoing):
[screenshot: 1701137347376.png]

So the solution is to auto-create rules or just amend them to outgoing. I wonder how much it'll really affect system resources.
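An added illustration of the difference between those two rule shapes, written for this thread and not taken from ErzCrz's screenshots or from Comodo's own code. It assumes a made-up CSV log layout (app,direction,proto,port,action) and a first-match rule model with a default block; the sample events are constructed to mirror the Edge/svchost blocks described above.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of firewall log events in a simple CSV layout that this
# example assumes (app,direction,proto,port,action); it is NOT Comodo's log format.
# Mirrors the thread: Edge and svchost blocked outbound on 443/53/5353/1900/546.
SAMPLE_LOG = """\
msedge.exe,out,TCP,443,blocked
msedge.exe,out,UDP,53,blocked
msedge.exe,out,UDP,5353,blocked
msedge.exe,out,UDP,1900,blocked
msedge.exe,out,TCP,443,blocked
svchost.exe,out,UDP,53,blocked
svchost.exe,out,UDP,546,blocked
explorer.exe,out,TCP,80,blocked
explorer.exe,out,TCP,443,allowed
"""

@dataclass(frozen=True)
class Rule:
    app: str
    direction: str  # "out", "in" or "any"
    action: str     # "allow" or "block"

def count_blocks(log_text):
    """Tally blocked events per (app, proto, port) so the log-spam sources stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        app, direction, proto, port, action = line.strip().split(",")
        if action == "blocked":
            counts[(app, proto, int(port))] += 1
    return counts

def outgoing_only_rules(counts):
    """One Allow Outgoing rule per blocked app: the shape CF creates for safe apps."""
    return [Rule(app, "out", "allow") for app in sorted({a for a, _, _ in counts})]

def manual_unblock_rules(counts):
    """What a manual Unblock produces: Allow Incoming & Outgoing, i.e. direction any."""
    return [Rule(app, "any", "allow") for app in sorted({a for a, _, _ in counts})]

def is_allowed(rules, app, direction):
    """First matching rule wins; anything unmatched falls through to the default block."""
    for r in rules:
        if r.app == app and r.direction in ("any", direction):
            return r.action == "allow"
    return False

def unsolicited_inbound_exposed(rules, apps):
    """Apps whose rule would also accept unsolicited inbound connections."""
    return [a for a in apps if is_allowed(rules, a, "in")]
```

Every blocked event in the sample is outbound, so the outgoing-only rules clear the log spam without opening any inbound path, while the manual-unblock rules accept inbound for all three apps.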
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,151
Hi @Ultimate Vision

Please, allow me to share with you my point of view regarding Comodo:

1. Comodo always was a mediocre product, so its market share always was negligible.

2. One day, an "anonymous character" played with containment and some settings, and presented it as the "ultimate security solution", "no additional software needed", "unbeatable"... blah blah blah.
By the way, that anonymous character presented him/herself as an "expert", he/she made videos with nice music, he/she always was very polite and a tolerant person... and basically that's it: everyone liked that anonymous person, and without understanding technical information or independent tests, everybody simply "trusted" that anonymous character.
That's the word: TRUST.
I never saw anyone here at MalwareTips questioning whether the anonymous character was a fake expert, or a Comodo-paid influencer, or if his/her videos were fake, or if Comodo's settings were wrong, or if etc., etc., etc.
Participants at MalwareTips simply TRUSTED that anonymous character and his/her videos + posts.
And thus... a myth was born!
And as you know, trust + myths = fanatics.

3. The "Myth Of Comodo" and its "Magical Containment Settings" grew and grew.
However, the average user remained uninterested in Comodo, so Comodo's market share always remained negligible... in real life the Magical Containment Settings never saved Comodo from its mediocrity.
In this context, Comodo's Magical Containment Settings were used only by a small group of fanatics.

4. About 3 years ago, problems started. Comodo became abandonware, full of old bugs, not even compatible with Windows 11.

5. The current so-called new Beta is simply the old Comodo, same old bugs, but with a "lifted face", purely cosmetic.

6. These days the myth of Comodo's Magical Containment Settings is maintained by the same anonymous character as always, and by a very small group of fanatics.
Their mantra is: "I never experienced bugs, it always worked for me." But like every religion, Comodo's fanatics have their "holy Jihad", therefore they have the compulsion to impose their fanatical beliefs on us (the "infidels"). That's why Comodo's fanatics have a second mantra: "If it works for me, then it works for everyone."

For many years I was a Comodo user and I liked it (despite being aware of its problems). Therefore, I personally have nothing against Comodo.
I also don't care about fanatics in general; I don't fight them, I just run away from fanatics. I want to stay away from any kind of fanaticism.
But I was always worried that average users would read incorrect things from Comodo fanatics. So I decided to participate in Comodo posts, alerting average users about the danger of fanatical Comodo mantras.
However, over time it became clear to me that almost no one is interested in Comodo, or in its Magical Containment Settings, nor is anyone interested in what Comodo's fanatics say.
Comodo and its fanatics are dinosaurs on the way to extinction.

I decided to participate in this post because of you. I saw myself reflected in your comments, I identified myself with your messages, I know that you are a participant with useful content to share, and I'm sure that you have many good things to share with many other participants here at MalwareTips. So, yeah, please forget about Comodo, forget about the fanatics, don't waste your time on them, but please continue to share with us your interesting thoughts and information related to any other security topic other than Comodo.
It's one of the most performance-friendly default isolation techs and the most convenient.
Yes, you would be more secure running an actual hypervisor over isolation of parts of the OS like Comodo, but since most malware isn't targeting Comodo specifically, it's good enough to stop all known malware with the right settings.

If you gave an actual pentester the job of breaking down how it works and fuzzing its weaknesses, he obviously would be able to, exactly as they escape much more restricted sandboxes.
So it's only skiddie-proof, not proof against an attacker who has the skill and time to specifically attack it.
For those, a different security approach is probably better; they would know the less attack surface the better, so they wouldn't install any security software but rather secure by reduction of surface area.

Obviously Comodo has plenty of cons,
mostly because of low market share, and it's true there are obvious reasons why the market share of Comodo reached this point.

But I'm still using it to protect against attacks on my family PC.
Best security software per amount of time needed to check false alarms on their end, as it allows known trusted programs and disallows even some signed stuff that could have stolen certs which isn't recognized by Comodo.

No free product has the ability to block stolen-cert malware while having a somewhat minimal amount of false positives for an office user.
 

ForgottenSeer 100397

Example of what is blocked if I leave Create Rules for Safe unchecked.

[screenshot: 1701137052260.png]
If I'm not mistaken... Comodo automatically allows connections from trusted applications, so the four blocked connections won't affect them. You can confirm that Comodo trusts those four applications by checking the "File List" in settings.
 

ForgottenSeer 103564

No free product has the ability to block stolen-cert malware while having a somewhat minimal amount of false positives for an office user.

Going to show my age and how long I have been around the company on and off. Things one remembers, certainly reminded by your statement.

 

ErzCrz

Level 19
Verified
Top Poster
Well-known
Aug 19, 2019
947
If I'm not mistaken... Comodo automatically allows connections from trusted applications, so the four blocked connections won't affect them. You can confirm that Comodo trusts those four applications by checking the "File List" in settings.
Connections seem to be fine, just hundreds in the logs within minutes if I don't create a rule.
Decided I'll just leave the automatically created Allow Outgoing rules for those that popped up in Blocked Applications, delete the others generated (with the exception of default rules) and turn back off the Create rules for safe applications. I can then just copy the rule for any others that subsequently show up being blocked. That way a rule isn't created for every application, as this is only the case with half a dozen applications ;)
 

ErzCrz

Level 19
Verified
Top Poster
Well-known
Aug 19, 2019
947
I won't wade into the discussion, but I use CF/CIS because Containment/sandboxing works. You can do the same with the likes of other paid-for products. CF sits there on my machine mainly to Contain any undetected malware from doing any damage to my system or stealing my data. I like the default deny approach and I do bounce between products. I can do the block-at-first-sight with the likes of Microsoft Defender as easily as I can with CF, hence my current configuration has me using the Hard_Configurator CD FWH CFA Enabled approach, but I always end up going back to CF to give it another try when I hear about yet another data breach or virus infection.

There are a number of different approaches and many other sandboxing options out there, such as Cyberlock, Avast Premium which has a sandboxing feature, and Windows' own sandbox if you have Pro. You can even go down the block-on-first-sight route for Microsoft Defender enabled via ConfigureDefender / DefenderUI, but at the end of the day you go with what works for you, and a proper backup / encryption is an integral part of PC Security layers.

------

Anyway, the changes I made have resolved my query about the firewall blocks in CF, thanks again @rhythm @cruelsister :D
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,151
Going to show my age and how long I have been around the company on and off. Things one remembers, certainly reminded by your statement.

There were other, even worse, issues with Comodo,
so although this specific one is over 10 years ago, and I'm unsure if it's only certs for sites or to sign actual executables,
I still wouldn't recommend Comodo to someone who would be a target.
It's a script-kiddie-proof product, not actually adversary-proof.
There were white papers by both Google Zero and another group showing issues with their sandbox approach (still would have to specifically target it with a crafted exploit, aka skid-proof).
 
