- Apr 13, 2014
- 254
Comodo Firewall 10 Setup
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Apr 13, 2014
- 254
Comodo Firewall also has flaws, I've tested with other malware, and it has allowed them to run and infect. For example, the malware embedded in CCleaner ran freely even with @cruelsister great settings 
A User on Youtube shared his concerns about the following problems with Comodo Firewall and already asked @cruelsister about it.
Link to the video over here
A User on Youtube shared his concerns about the following problems with Comodo Firewall and already asked @cruelsister about it.
Link to the video over here
Meph Andr2 said:
Last edited:
- Jan 29, 2017
- 1,201
Nothing stopped the compromised CCleaner when it was released. Such is life.
It is why when i install Comodo, i always delete the TVL and rebuild it myself and run Comodo at paranoid. The ccleaner issue wouldn't bypass my setting.
Please don't post 4 year old tests. They are obsolete and invalid.
- Jul 3, 2015
- 8,153
Umbra, if you run it at paranoid, why do you also set it to make rules for trusted applications?
hehehe maybe you forgot/missed the discussion about a malware added by accident in the cloud look up, right?
In the HIPS setting, "Create rules for trusted application" is influenced by:
1- i decide what is trusted
2- i wiped the TVL, so only my few trusted vendors are in it.
3- Paranoid Mode ignore the Comodo Safe List and the cloud look up as well.
So basically i have less popups from any softs from my TVL.
- Jul 3, 2015
- 8,153
Hi, I didn't forget the discussion about Comodo false negatives, but I am still struggling to understand how your method works. Maybe it is the solution to a problem I was having.
Let's go step by step:
I do not enable "Create rules for trusted application".
And I have Microsoft Windows on my TVL.
If I am in paranoid mode, I will still get a prompt when a windows process runs, and surely I will get a prompt when an unknown process runs.
Now, I go and enable "Create rules for trusted application" . How does this change things?
Point 3 takes prevalence, i still get prompts from Windows' processes if they aren't yet on the HIPS rules,so my setting will bombard you of prompts the first few hours/days (but i assume less than unticking the box) then once all is set you will only have occasional prompts if you run some windows tools or some processes are executed.
Comodo's Myths & Facts
Comodo's Myths & Facts
- Jul 3, 2015
- 8,153
What is important with Comodo HIPS are the rulesets, you have to make your own ones and applied them respectively to specific applications.
- Apr 13, 2013
- 3,224
Allow me to butt in here to discuss the CCleaner malware:
1). This thing was both SIGNED (legitimately) and available for download from the company's own servers.
2). CCleaner in itself was not (kinda-sorta) the actual malware! What it did was to connect to a non-Piriform server to download the payload(s) which were targeted to specific organizations (specialized secondary payloads). Infection would have only occurred after the payload was downloaded and run, and for a number of arcane reasons this (these) payload(s) are not available for testing. However I did not catch a hint that the payload(s) themselves were signed- and if they were not they would have been treated like any other malware and contained.
Anyway, the actual payloads would only infect the targeted machines to the extent of creating a backdoor for espionage related data acquisition. But as this backdoor was not part of the initial CCleaner installation cascade there is no reason to believe that the Firewall, if set as I suggest, would not have precluded Outbound connections and thus stopped the handshake needed for the data acquisition queries to proceed.
That it was targeted only should actually be intuitively obvious- the acquisition of the Private Key to sign AND getting the FTP credentials to upload the trojan to a legitimate server is neither easy nor inexpensive. The difficulty (and expense) of doing this makes it pointless for widespread dissemination to Riffraff like us (the more disseminated publicly, the higher the odds for early detection). High quality stuff like this has a purpose and that purpose is never going to be shaking down Mooks for a couple of bucks.
Finally, for those paranoid I did post a couple of videos a few years ago (God! have I really been doing this for that long? Someone needs a Life...) about a Nightmare Scenario where an exceptionally Highly Signed malware can penetrate even a Restricted TVL.
But as Umbra properly states the Comodo TVL can be modified to preclude installation by any but a few vendors for those concerned. And sadly there is another video on how to do this.
But the really important point is that Comodo gives one the ability to include these restrictions. Does anyone else?
1). This thing was both SIGNED (legitimately) and available for download from the company's own servers.
2). CCleaner in itself was not (kinda-sorta) the actual malware! What it did was to connect to a non-Piriform server to download the payload(s) which were targeted to specific organizations (specialized secondary payloads). Infection would have only occurred after the payload was downloaded and run, and for a number of arcane reasons this (these) payload(s) are not available for testing. However I did not catch a hint that the payload(s) themselves were signed- and if they were not they would have been treated like any other malware and contained.
Anyway, the actual payloads would only infect the targeted machines to the extent of creating a backdoor for espionage related data acquisition. But as this backdoor was not part of the initial CCleaner installation cascade there is no reason to believe that the Firewall, if set as I suggest, would not have precluded Outbound connections and thus stopped the handshake needed for the data acquisition queries to proceed.
That it was targeted only should actually be intuitively obvious- the acquisition of the Private Key to sign AND getting the FTP credentials to upload the trojan to a legitimate server is neither easy nor inexpensive. The difficulty (and expense) of doing this makes it pointless for widespread dissemination to Riffraff like us (the more disseminated publicly, the higher the odds for early detection). High quality stuff like this has a purpose and that purpose is never going to be shaking down Mooks for a couple of bucks.
Finally, for those paranoid I did post a couple of videos a few years ago (God! have I really been doing this for that long? Someone needs a Life...) about a Nightmare Scenario where an exceptionally Highly Signed malware can penetrate even a Restricted TVL.
But as Umbra properly states the Comodo TVL can be modified to preclude installation by any but a few vendors for those concerned. And sadly there is another video on how to do this.
But the really important point is that Comodo gives one the ability to include these restrictions. Does anyone else?
- Aug 17, 2013
- 1,905
I assure you I can tell the difference lol. When the AV is bypassed malware can download the payload/s going straight through the firewall. and, once the payloads install they also connect out going straight through Eset's firewall both ways in and out. Please do some research.I think you cant understand the different bteween bypassing the firewall and the real-time or antivirus protection.
These tests show the Eset AV bypassed (on default settings)not the firewall what is the job of the firewall? protecting against hackers and inbound connections or blocking the samples??:notworthy:
Also, they are testing the comodo with cs settings(proactive settings)! while testing Eset or other Avs on default settings!even 5 years old kid can understand it's not fair!
You can simply Set Eset firewall in interactive mode(same of other Avs) and it will ask for every conecntion also you can tweak the Hips to wrok as an Anti-Exe(or more)the protection is there
Tweak the Eset HIPS and provided settings(like what they did for comodo)and you will not see any red color anymore
Please, simple questions:
1) With CS' settings in CF, does ViruScope option need to be enabled? Is it adding anything to CS' settings?
2) If I disable HIPS, will this also disable "Protected Data Folders"?
3) Website Filtering? On? Off? Does this option add anything relevant to CS' settings?
4) Enable or disable Cloud Lookup with CS' settings?
5) I can understand CS' opinion about "CF is enough, doesn't need an AV or AM". However, what about browsers? How to deal with phishing, scams, fake websites, tracking, spying, privacy issues etc? Don't we need an AV or AM to take care of this browsers garbage and other online-dangers?
Thank you!
1) With CS' settings in CF, does ViruScope option need to be enabled? Is it adding anything to CS' settings?
2) If I disable HIPS, will this also disable "Protected Data Folders"?
3) Website Filtering? On? Off? Does this option add anything relevant to CS' settings?
4) Enable or disable Cloud Lookup with CS' settings?
5) I can understand CS' opinion about "CF is enough, doesn't need an AV or AM". However, what about browsers? How to deal with phishing, scams, fake websites, tracking, spying, privacy issues etc? Don't we need an AV or AM to take care of this browsers garbage and other online-dangers?
Thank you!
- Jan 29, 2017
- 1,201
1. CS shows ViruScope enabled.
2. Firewall and Containment settings should protect your system.
3. CS shows Website Filtering enabled.
4. I use the default settings.
5. Website filtering should handle most of those concerns. AV has no effect on the threats you enumerated.
Ref
That all said a basic AV running alongside CF is fine. CS has mentioned Avast Free, Qihoo 360, and Kaspersky Free IIRC. For me, I just allow Windows Defender to do its thang in the background.
- Dec 29, 2014
- 1,716
Answers below. These are just my impressions at the current time:
No, it doesn't do anything at the present time. I leave it on, because Comodo use the Recognizer in VS to gather information on malware behaviors. It isn't even functional. Viruscope has been on a VERY slow development cycle.
Yes. You can verify this by going to Settings->HIPS settings->Monitoring settings (just below Enable HIPS). You can see the Protected file/folder setting is there, so it is HIPS that monitors them.
Haven't ever seen it do anything. Another Comodo project.
If you use the standard Trusted Vendor List (aren't relying on your own changes to the list), then leave Cloud Lookup on. It's actually fairly powerful, and I think where Comodo will focus improvements.
A-V-I use an a-v with Comodo in case I make a mistake. The Comodo sandbox will tell you that Comodo doesn't like the app or that it isn't signed or is signed improperly. However, if anything gets by that a good a-v will help. Personally, for free Avast is probably the best for this because of the internet blocking it does from the program. Don't' forget that Avast free is has great features and protection and the use of the cloud is intense for a free a-v. The companion browser extension is extrememly good too. Bitdefender Free is just plain amazing detection. I think the internet protection is even better than Avast (detecting bad sites/bad downloads), but I am not sure about this. Haven't had a chance to use BD Free, and I am going from memory of a video review. Just can't recall if it was Free or BDIS.
Browser-Use a good content/ad blocker like uBlock Origin. If you really want to go all the way, you can run the browser contained by clicking on the Comodo widget to start it. Avast has a very nice content advisor browser extension, also.
As for other malware, Comodo is supposed to have your back with script monitoring. I'm not sure about this, and I am hoping @cruelsister will test Comodo against command line reliant malware with only the command line heuristics module enabled. Until the time this occurs, I will be using NVT EXE Radar Pro. However, Avast hardened mode set to the highest will block alot of malware activity. VoodooShield Free could be a good lightweight replacement for NVT ERP if you are worried about scripts. Comodo + Avast will be very good though...
No, it doesn't do anything at the present time. I leave it on, because Comodo use the Recognizer in VS to gather information on malware behaviors. It isn't even functional. Viruscope has been on a VERY slow development cycle.
Yes. You can verify this by going to Settings->HIPS settings->Monitoring settings (just below Enable HIPS). You can see the Protected file/folder setting is there, so it is HIPS that monitors them.
Haven't ever seen it do anything. Another Comodo project.
If you use the standard Trusted Vendor List (aren't relying on your own changes to the list), then leave Cloud Lookup on. It's actually fairly powerful, and I think where Comodo will focus improvements.
A-V-I use an a-v with Comodo in case I make a mistake. The Comodo sandbox will tell you that Comodo doesn't like the app or that it isn't signed or is signed improperly. However, if anything gets by that a good a-v will help. Personally, for free Avast is probably the best for this because of the internet blocking it does from the program. Don't' forget that Avast free is has great features and protection and the use of the cloud is intense for a free a-v. The companion browser extension is extrememly good too. Bitdefender Free is just plain amazing detection. I think the internet protection is even better than Avast (detecting bad sites/bad downloads), but I am not sure about this. Haven't had a chance to use BD Free, and I am going from memory of a video review. Just can't recall if it was Free or BDIS.
Browser-Use a good content/ad blocker like uBlock Origin. If you really want to go all the way, you can run the browser contained by clicking on the Comodo widget to start it. Avast has a very nice content advisor browser extension, also.
As for other malware, Comodo is supposed to have your back with script monitoring. I'm not sure about this, and I am hoping @cruelsister will test Comodo against command line reliant malware with only the command line heuristics module enabled. Until the time this occurs, I will be using NVT EXE Radar Pro. However, Avast hardened mode set to the highest will block alot of malware activity. VoodooShield Free could be a good lightweight replacement for NVT ERP if you are worried about scripts. Comodo + Avast will be very good though...
Hi @Telos! Thank you for your answer.
It is true that in the original CS' video (you attached), CF' settings are those you pointed. However, at CS' Youtube Channel, you can see other videos with different settings in CF, related specifically to my questions. By the way, that is the reason of my questions (taking into account other CS' videos with different settings).
Now, with regards to "AV has no effect on the threats you enumerated", most of the AV/AM I tested somehow take care on the on threats I enumerated.
But once again @Telos, thank you for your answer.
I repeat my questions, hoping someone else here wants to answer:
1) With CS' settings in CF, does ViruScope option need to be enabled? Is it adding anything to CS' settings?
2) If I disable HIPS, will this also disable "Protected Data Folders"?
3) Website Filtering? On? Off? Does this option add anything relevant to CS' settings?
4) Enable or disable Cloud Lookup with CS' settings?
5) I can understand CS' opinion about "CF is enough, doesn't need an AV or AM". However, what about browsers? How to deal with phishing, scams, fake websites, tracking, spying, privacy issues etc? Don't we need an AV or AM to take care of this browsers garbage and other online-dangers?
- Jul 3, 2015
- 8,153
The main thing with Comodo is to make sure it is actually working. Sometimes it doesn't block, and sometimes the blocking is inconsistent. If it works, it is good.
Try executing unusual files, and if they are allowed to run, check in the file list. If they are unrecognized, but Comodo let them run, I think you may have a problem.
Try executing unusual files, and if they are allowed to run, check in the file list. If they are unrecognized, but Comodo let them run, I think you may have a problem.
Hi @AtlBo, thank you for your answers:
Here I am confuse.
I disabled HIPS following CS' settings.
However, my "protected folders" are still there.
Again: By disabling HIPS, will this also disable "Protected Data Folders"?
I tested both, Avast AV and the AVAST add-on, and in my ignorant opinion both are terrible detecting browser online-dangers.
I tested the BD add-on along 6 months, comparing with other security add-ons. And I found BD add-on the best one, not perfect, but catching more pests, without affecting browsing performance.
I just want to understand how CS deals with browsers security, using just CF.
I use UMatrix. But I don't use hosts files. I just block everything with UMatrix.
Of course, I also have other security/privacy add-ons & settings.
Here I am confuse.
I disabled HIPS following CS' settings.
However, my "protected folders" are still there.
Again: By disabling HIPS, will this also disable "Protected Data Folders"?
I tested both, Avast AV and the AVAST add-on, and in my ignorant opinion both are terrible detecting browser online-dangers.
I tested the BD add-on along 6 months, comparing with other security add-ons. And I found BD add-on the best one, not perfect, but catching more pests, without affecting browsing performance.
I just want to understand how CS deals with browsers security, using just CF.
I use UMatrix. But I don't use hosts files. I just block everything with UMatrix.
Of course, I also have other security/privacy add-ons & settings.
- Dec 29, 2014
- 1,716
On these:
Yes, disabling HIPS will disable protected files and folders protection. You can see the "Protected Files and Folders" setting is there at the settings location above, so it is HIPS that monitors files and folders and provides this protection. If you look at each of the protections in the list, you can see what HIPS actually monitors specifically. Each HIPS alert will be of one of the types with the check boxes. These are the actions that HIPS blocks, (until you allow). In the list, you can see all the check boxes for each protection, and one of them is "Protected Files and Folders". If the Comodo HIPS module is deactivated, however, Comodo will not be monitoring using any of the HIPS block protections listed, even if they are checked and including "Protected Files and Folders". This is true, even if you have configured some files and folders to be monitored. HIPS must be on to have that monitoring.
Seems pretty good to me, but haven't ever done any testing. I did see MalwareBlocker's YouTube video where I think it blocked 5/10. Not very good, true, but I haven't ever been abused running avast. I like the extension. It's not much, but I don't want a dramatic extension for website recommendations.
Have you looked at Bitdefender? This video seems impressive with the internet blocks for a free program:
I believe she handles that with extensions mostly. She is super confident that Comodo will catch malware when it attempts to run. It's easy to understand this, because even memory based malware has limited potential to do damage if it can't drop a file somewhere without being detected. Now if it's running as part of your browser, masquerading as the browser, like a rogue extension, things can become problematic. Since the malware would likely want to drop something, the only defense Comodo would have is "Command-line Heuristics". This is because your browser is automatically whitelisted, so malware running as part of it can basically do anything. This is really the only scenario you need to be aware of as far as the browser and Comodo go. Make sure you are getting safe and reputable extensions and you can also run the browser in a sandbox like sandboxie (also MS Office Applications). This is the best defense.
BTW, I use Qihoo 360 Total Security on a few PCs. If you block a few Qihoo processes, the ads are non-existent. I can't recommend it because of them, but 360 has a good sandbox. Problem is it doesn't love Chrome. Big problem I know. Anyway if you ever try Q360 make sure to activate the Bitdefender and Avira definitions.
Yes, disabling HIPS will disable protected files and folders protection. You can see the "Protected Files and Folders" setting is there at the settings location above, so it is HIPS that monitors files and folders and provides this protection. If you look at each of the protections in the list, you can see what HIPS actually monitors specifically. Each HIPS alert will be of one of the types with the check boxes. These are the actions that HIPS blocks, (until you allow). In the list, you can see all the check boxes for each protection, and one of them is "Protected Files and Folders". If the Comodo HIPS module is deactivated, however, Comodo will not be monitoring using any of the HIPS block protections listed, even if they are checked and including "Protected Files and Folders". This is true, even if you have configured some files and folders to be monitored. HIPS must be on to have that monitoring.
Seems pretty good to me, but haven't ever done any testing. I did see MalwareBlocker's YouTube video where I think it blocked 5/10. Not very good, true, but I haven't ever been abused running avast. I like the extension. It's not much, but I don't want a dramatic extension for website recommendations.
Have you looked at Bitdefender? This video seems impressive with the internet blocks for a free program:
I believe she handles that with extensions mostly. She is super confident that Comodo will catch malware when it attempts to run. It's easy to understand this, because even memory based malware has limited potential to do damage if it can't drop a file somewhere without being detected. Now if it's running as part of your browser, masquerading as the browser, like a rogue extension, things can become problematic. Since the malware would likely want to drop something, the only defense Comodo would have is "Command-line Heuristics". This is because your browser is automatically whitelisted, so malware running as part of it can basically do anything. This is really the only scenario you need to be aware of as far as the browser and Comodo go. Make sure you are getting safe and reputable extensions and you can also run the browser in a sandbox like sandboxie (also MS Office Applications). This is the best defense.
BTW, I use Qihoo 360 Total Security on a few PCs. If you block a few Qihoo processes, the ads are non-existent. I can't recommend it because of them, but 360 has a good sandbox. Problem is it doesn't love Chrome. Big problem I know. Anyway if you ever try Q360 make sure to activate the Bitdefender and Avira definitions.
Last edited:
Similar threads
