Respectively, the rules for it can be more restrictive than this, as in my DNS rule I also restricted svchost to Cloudflare's remote IP addresses (1.1.1.1, 1.0.0.1).
DNS providers (1.1.1.1, 1.0.0.1, whatever) are not direct IP addresses (they are just DNS resolvers). Therefore, at Comodo, any malware can use svchost to connect to any IP, using any DNS resolver. For example, one of your rules is: "C:\Windows\System32\svchost.exe Allow UDP Out Any 1.0.0.1 Any 53 DNS-Cloudflare"... meaning that in your Comodo a malware using svchost can connect to any IP through 1.0.0.1.
At Comodo, the only way to customize svchost is by customizing IPs, not the DNS resolver, but the direct comm between svchost and any specific IP. And that's impossible to do, because your device uses thousands of different IPs daily.
I could have done the same, for example, for Windows Time to remote port 123, and/or remote HTTP (port 80).
Again, limiting the port won't limit any IP.
At Comodo, with any malware using Windows Services, svchost or any file labeled as "safe"/"trusted"... the malware will have comms to any IP.
And again, in this example you also can't customize IPs at Comodo for Windows Time or for any other Windows Service, because Microsoft IPs change weekly.
Btw, even though in Comodo svchost rules cannot be tied to the specific services it hosts, I believe this is not a security issue.
I do respect your opinion! But I disagree. IMHO it is a major flaw! At Comodo, any malware can exploit a "safe"/"trusted" file, having comms to any IP.
Comodo firewall is a placebo.
That's because any svchost rule in Comodo will affect all services it is hosting. Windows Firewall with Advanced Security has the option to tie svchost rules to specific services it hosts, but one can also create rules that affect all services:
Therefore the rule created this way would apply to all running svchost processes in Windows.
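As an added example (not code from any poster in this thread) of the service-scoped Windows Firewall rule described above, here is the same restriction built from PowerShell: an outbound svchost rule tied to the DNS Client service (Dnscache) and limited to the Cloudflare resolvers on port 53. It assumes Windows 10/11 with the built-in NetSecurity module, an elevated session, and a rule name chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: scope an svchost.exe rule to ONE hosted service (Dnscache)
# instead of every service living inside svchost. Rule name is an assumption.
$ruleName = 'svchost DNS Client -> Cloudflare only (example)'

# Remove stale copies so the script can be re-run safely.
Get-NetFirewallRule -DisplayName "$ruleName*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# -Service binds the rule to the service's SID, so only svchost instances that
# host Dnscache match; other svchost-hosted services are NOT covered by it.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "$ruleName ($proto)" `
        -Description 'Allow DNS Client (inside svchost) to Cloudflare resolvers on port 53' `
        -Direction Outbound -Action Allow -Profile Any `
        -Program "$env:SystemRoot\System32\svchost.exe" `
        -Service Dnscache `
        -Protocol $proto -RemotePort 53 `
        -RemoteAddress 1.1.1.1, 1.0.0.1 | Out-Null
}

# Verify what the rule actually matches on: program, service, addresses, port.
$rule = Get-NetFirewallRule -DisplayName "$ruleName (UDP)"
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
$rule | Get-NetFirewallServiceFilter     | Select-Object Service        # Dnscache
$rule | Get-NetFirewallAddressFilter     | Select-Object RemoteAddress  # 1.1.1.1, 1.0.0.1
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, RemotePort

# An Allow rule only restricts traffic if the profile's default outbound action
# is Block; with the Windows default (Allow) the rule changes nothing by itself.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
# Review rules for every other service you need before enabling this:
# Set-NetFirewallProfile -All -DefaultOutboundAction Block
```

The contrast with the screenshot's "all services" rule is just the `-Service` parameter: leave it out (or set it to `Any`) and the rule again applies to every svchost process.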
This is not the right thread, but I assure you that Windows Firewall and several other third-party firewalls not only have a better GUI than Comodo, but also allow the complete customization of any file (including Windows Services, svchost, etc.).
As for malicious processes harnessing svchost or any other Windows process for comms, well it should be contained in the sandbox with the Cruel setup or similar, thereby mitigating or eliminating that threat.
Again, with all due respect, I disagree.
Comodo is built in modules. And you and I are talking specifically about the Firewall. And Comodo Firewall has dangerous breaches. It's unacceptable to justify, minimize or omit any security breach in Comodo Firewall by pointing to another module.
That said, it's always important to remember that the Comodo Containment module itself has several security breaches.
Assuming Melih is in charge, I would like to see him either:
- Spearhead an initiative to investigate and fix all reported bugs and shortcomings and provide a free version, or
- Spearhead an initiative to investigate and fix all reported bugs and charge a fee (freemium) for it, or
- Announce and discontinue the development of the free version and post a disclaimer to "use at your own risk"
Totally agree with you! Excellent comment.
And also it'll be nice to see Comodo incorporating a strong, real antivirus/antimalware, with new modules based on virus/malware detection (not "blocker", "deny-all", "zero-trust" blah blah blah).
However, based on the past 20 years, it's easier to discover that the Earth is flat than to see Comodo fixing bugs or incorporating modern technologies.