- Jan 6, 2017
- 835
Hello. I was wandering what is better if you donwload CIS 10. Leave it with default setting or enable the proactive defence?
CIS 10 Config: Default or Proactive?
- Thread starter Rengar
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Status
- Dec 29, 2014
- 1,716
Using the Comodo Firewall (similar), it is effective to set on Proactive and then go into sandbox settings and set the "All Processes/unrecognized" rule to "Restricted". Then make sure Auto-sanboxing is enabled. The Trusted Vendors list is long but it's a good list. You won't get too many alerts.
- Jul 3, 2015
- 8,153
it really depends on the level of security you are looking for.
If you want the highest level, do like @AtlBo says.
But the firewall config is good, too, especially if you enable autosandbox. It might give you less troubles that way. This is because the autosandbox will not interfere with system files and trusted programs.
If you want the highest level, do like @AtlBo says.
But the firewall config is good, too, especially if you enable autosandbox. It might give you less troubles that way. This is because the autosandbox will not interfere with system files and trusted programs.
- Jan 6, 2017
- 835
Thanks for your reply but im talking about Comodo Internet Security and not for the standalone firewall
- Jul 3, 2015
- 8,153
doesn't matter, because CIS is the same as standalone firewall, except that it also has the AV component
The AV component is virtually worthless as protection, it is really only there to make ignorant consumers happy. You don't want a configuration that relies on such a weak AV for protection, so go with firewall config or proactive config.
The AV component is virtually worthless as protection, it is really only there to make ignorant consumers happy. You don't want a configuration that relies on such a weak AV for protection, so go with firewall config or proactive config.
- Apr 13, 2013
- 3,224
Totally agree with shmu- The Comodo AV may catch stuff on occasion, but even a blind squirrel will find a nut sometimes. And remember that even CF has a Cloud AV and Valkrie, so the only thing you will miss is the Local AV scanner. The really important thing to do is enable the sandbox at either the Restricted or Untrusted (if you are an old hand) level. If you really want to have an AV, go with something like Qihoo or Avast for local scans.
About the configuration- By all means change to Proactive. This will increase the baseline protection significantly with stuff like shutting off the pathway to screwing with Com interfaces, a common attack pathway.
About the configuration- By all means change to Proactive. This will increase the baseline protection significantly with stuff like shutting off the pathway to screwing with Com interfaces, a common attack pathway.
- Jul 3, 2015
- 8,153
thanks for this peek under the hood
is this security advantage of proactive config relevant only if unknowns are virtualized, or also if they are Restricted or Untrusted ?
- Dec 8, 2014
- 206
CFW has File Lookup Services (FLS), not Valkyrie.
COM interfaces protection is not limited to Auto-Sandbox (but average user finds such alerts confusing when Auto-Sandbox is not used). You also get better coverage with Proactive Security configuration. It's a good addition if you consider: more applications you install = wider attack surface.
COM interfaces protection is not limited to Auto-Sandbox (but average user finds such alerts confusing when Auto-Sandbox is not used). You also get better coverage with Proactive Security configuration. It's a good addition if you consider: more applications you install = wider attack surface.
- Jul 3, 2015
- 8,153
great explanations.
So let's say I am on firewall config, and I enable autosandbox.
I set autosandbox to restricted for unknown files.
And not only that, but whenever I get a prompt from HIPS, I block at the first prompt, i.e., the initial execution of the file.
Will I still have better protection if I switch to proactive config, and if so, why?
- Dec 8, 2014
- 206
Yes. You get a more secure posture if you are using Proactive Security configuration. It depends on which application is used. It's very very possible that you will get an alert for something that's not a process execution and a trusted application will be used (task scheduler, task kill and so on) in such a chain of events. There is a common misconception that you get new processes and similar stuff but you can avoid these by utilizing COM. It's not something to be ignored.
Last edited:
- Jul 3, 2015
- 8,153
so the extra COM protection of proactive config is useful in preventing exploits?
- Dec 8, 2014
- 206
I wouldn't call it that way but yes, kind of.
- Dec 29, 2014
- 1,716
Is "COM protection" referring directly to the choice of the HIPS setting for COM alerts? I haven't studied the "Firewall" config to be able to follow how Proactive is better, although I can understand it is.
Maybe it's too much, but I am curious if it would be helpful to rank the danger level of CF/CIS HIPS alerts? I'd love to see a really great breakdown of this and the contexts and risks of choices with CF. Like I'd love to be able to know when I have an option beyond what I am seeing now, such as Auto-sandbox is about to kick in.
Been thinking some about this, and the sky is the limit with Comodo for really outstanding alerts system. I hope there is work in this area, because I do like CF in its current state too.
Maybe it's too much, but I am curious if it would be helpful to rank the danger level of CF/CIS HIPS alerts? I'd love to see a really great breakdown of this and the contexts and risks of choices with CF. Like I'd love to be able to know when I have an option beyond what I am seeing now, such as Auto-sandbox is about to kick in.
Been thinking some about this, and the sky is the limit with Comodo for really outstanding alerts system. I hope there is work in this area, because I do like CF in its current state too.
- Jul 3, 2015
- 8,153
just trying to understand how this works.
The general rule of thumb with COMODO HIPS is that a trusted process will not produce alerts.
So how does task scheduler (as an example) produce COM-related alerts, when it is a trusted process?
- Dec 8, 2014
- 206
COM protection is not exclusive to COM interfaces. You could get alert for a protected registry key and not a COM alert depending on the case. You could say that strength is directly influenced by (number of) protected objects.
The reasoning behind is that, by auto-sandboxing, you are silently guided to a good approach because alert is silently auto-answered.
** where text with italics means a simplified explanation for better understanding
In my previous post, I considered your scenario and explained why it's better to switch to Proactive Security configuration if action (intended word : action, not executable to avoid possible misconception) jumps out of Sandbox. Thus, you will not get alert because it's trusted and COM protection is a good addition. Also, more protected objects = lower probability to use such action to jump out of Sandbox.
- Dec 29, 2014
- 1,716
So then HIPS approvals actually weaken Auto-sandbox (Restricted) protection, and A/S is not a complete override? I was thinking of A/S as a virtualization fallback add-on where only the sandbox rules apply. Fortunately, I haven't been creating many HIPS rules, since I really wasn't sure how to view this interaction.
Well I am using CFFW 8 and F-Secure Ultra-light. I am using C.S settings. Thanks C.S.
I disabled Hips and Viruscope since I am running F-Secure Ultra-light.
I am only using F-Secure AV Cloud Support, as I figured the 235MB download offline AV would slow things down.
I disabled Hips and Viruscope since I am running F-Secure Ultra-light.
I am only using F-Secure AV Cloud Support, as I figured the 235MB download offline AV would slow things down.
- Dec 8, 2014
- 206
If you'd get alerts for every action of sandboxed applications then yes, it would weaken. It's human error mostly because you cannot interpret every HIPS alert.So then HIPS approvals actually weaken Auto-sandbox (Restricted) protection, and A/S is not a complete override? I was thinking of A/S as a virtualization fallback add-on where only the sandbox rules apply. Fortunately, I haven't been creating many HIPS rules, since I really wasn't sure how to view this interaction.
Luckily, it doesn't work like that although some users (wrongly) suggest/want it. Instead, you do not get HIPS alerts for sandboxed applications. Even if you create bad rules, these are ignored by Sandbox.
Last edited:
- Dec 29, 2014
- 1,716
Thanks vivid. The HIPS rules are only in effect for non-sandboxed. Think I understand now, and I was hoping this was the case.
- Jan 6, 2017
- 835
How do you know all this staff??
- Status
