Rebsat (Level 5, Verified, joined Apr 13, 2014, 238 messages, OS: Windows 7, AV: Avast)
Comodo Firewall also has flaws; I've tested with other malware, and it has allowed them to run and infect. For example, the malware embedded in CCleaner ran freely even with @cruelsister's great settings :eek:

A user on YouTube shared his concerns about the following problems with Comodo Firewall and already asked @cruelsister about it.
Link to the video over here


Meph Andr2 said:
Thanks for your response and the video. Comodo Firewall also has flaws; I've tested with other malware, and it has allowed them to run and infect. For example, the malware embedded in CCleaner ran freely even with your great settings. Since Piriform was trusted it was allowed to run; the threat was only blocked when the signature was submitted to Comodo by their own users. More malware is behaving this way, so their behavioral engine needs more work, especially since malware that abuses resources such as memory and CPU is allowed to run in containment to the point of crashing the device. It is confirmed that Comodo heavily depends on signatures to block and remove malware; lots of the signatures in Comodo are submitted by their own users, just look at the forums and you'll see. I haven't found an excellent antimalware that doesn't depend on signatures and has a solid behavioral engine; have you found one?
 

shmu26 (Level 71, Content Creator, Verified, joined Jul 3, 2015, 6,023 messages, OS: Windows 10)
Umbra said:
It is why when I install Comodo, I always delete the TVL and rebuild it myself and run Comodo at paranoid. The CCleaner issue wouldn't bypass my setting.
Umbra, if you run it at paranoid, why do you also set it to make rules for trusted applications?
 

Umbra (Level 85, Content Creator, Verified, joined May 16, 2011, 18,708 messages, OS: Windows 10)
shmu26 said:
Umbra, if you run it at paranoid, why do you also set it to make rules for trusted applications?
Hehehe, maybe you forgot/missed the discussion about malware added by accident to the cloud lookup, right?

In the HIPS settings, "Create rules for trusted application" is influenced by:

HIPS trusts the applications if:
1- The application/file is rated as 'Trusted' in the File List
2- The application is from a vendor included in the Trusted Software Vendors list
3- The application is included in the extensive and constantly updated Comodo safelist.

1- I decide what is trusted.
2- I wiped the TVL, so only my few trusted vendors are in it.
3- Paranoid Mode ignores the Comodo Safe List and the cloud lookup as well.

So basically I have fewer popups from any software from my TVL.
 

shmu26 (Level 71, Content Creator, Verified, joined Jul 3, 2015, 6,023 messages, OS: Windows 10)
Umbra said:
Hehehe, maybe you forgot/missed the discussion about malware added by accident to the cloud lookup, right?

In the HIPS settings, "Create rules for trusted application" is influenced by:

1- I decide what is trusted.
2- I wiped the TVL, so only my few trusted vendors are in it.
3- Paranoid Mode ignores the Comodo Safe List and the cloud lookup as well.

So basically I have fewer popups from any software from my TVL.
Hi, I didn't forget the discussion about Comodo false negatives, but I am still struggling to understand how your method works. Maybe it is the solution to a problem I was having.
Let's go step by step:
I do not enable "Create rules for trusted application".
And I have Microsoft Windows on my TVL.
If I am in paranoid mode, I will still get a prompt when a Windows process runs, and surely I will get a prompt when an unknown process runs.
Now I go and enable "Create rules for trusted application". How does this change things?
 

Umbra (Level 85, Content Creator, Verified, joined May 16, 2011, 18,708 messages, OS: Windows 10)
Point 3 takes precedence. I still get prompts from Windows processes if they aren't yet in the HIPS rules, so my setting will bombard you with prompts for the first few hours/days (but I assume fewer than with the box unticked); then, once all is set, you will only have occasional prompts if you run some Windows tools or some processes are executed.

Comodo's Myths & Facts
 

shmu26 (Level 71, Content Creator, Verified, joined Jul 3, 2015, 6,023 messages, OS: Windows 10)
Umbra said:
Point 3 takes precedence. I still get prompts from Windows processes if they aren't yet in the HIPS rules, so my setting will bombard you with prompts for the first few hours/days (but I assume fewer than with the box unticked); then, once all is set, you will only have occasional prompts if you run some Windows tools or some processes are executed.

Comodo's Myths & Facts
Thanks, Umbra!
 

Umbra (Level 85, Content Creator, Verified, joined May 16, 2011, 18,708 messages, OS: Windows 10)
What is important with Comodo HIPS are the rulesets; you have to make your own ones and apply them respectively to specific applications.
 

cruelsister (Level 36, Content Creator, Verified, joined Apr 13, 2013, 2,575 messages)
Allow me to butt in here to discuss the CCleaner malware:

1). This thing was both SIGNED (legitimately) and available for download from the company's own servers.
2). CCleaner in itself was not (kinda-sorta) the actual malware! What it did was connect to a non-Piriform server to download the payload(s), which were targeted to specific organizations (specialized secondary payloads). Infection would have only occurred after the payload was downloaded and run, and for a number of arcane reasons this (these) payload(s) are not available for testing. However, I did not catch a hint that the payload(s) themselves were signed, and if they were not they would have been treated like any other malware and contained.

Anyway, the actual payloads would only infect the targeted machines to the extent of creating a backdoor for espionage related data acquisition. But as this backdoor was not part of the initial CCleaner installation cascade there is no reason to believe that the Firewall, if set as I suggest, would not have precluded Outbound connections and thus stopped the handshake needed for the data acquisition queries to proceed.

That it was targeted only should actually be intuitively obvious: the acquisition of the private key to sign AND getting the FTP credentials to upload the trojan to a legitimate server is neither easy nor inexpensive. The difficulty (and expense) of doing this makes it pointless for widespread dissemination to Riffraff like us (the more disseminated publicly, the higher the odds for early detection). High quality stuff like this has a purpose, and that purpose is never going to be shaking down Mooks for a couple of bucks.

Finally, for those paranoid I did post a couple of videos a few years ago (God! have I really been doing this for that long? Someone needs a Life...) about a Nightmare Scenario where an exceptionally Highly Signed malware can penetrate even a Restricted TVL.
But as Umbra properly states, the Comodo TVL can be modified to preclude installation by any but a few vendors, for those concerned. And sadly there is another video on how to do this.

But the really important point is that Comodo gives one the ability to include these restrictions. Does anyone else?
 

ZeroDay (Level 26, Verified, joined Aug 17, 2013, 1,551 messages, OS: Linux)
I think you can't understand the difference between bypassing the firewall and the real-time or antivirus protection.

These tests show the Eset AV bypassed (on default settings), not the firewall. What is the job of the firewall? Protecting against hackers and inbound connections, or blocking the samples?? :notworthy:
Also, they are testing Comodo with CS settings (proactive settings) while testing Eset or other AVs on default settings! Even a 5 year old kid can understand it's not fair!
You can simply set the Eset firewall in interactive mode (same as other AVs) and it will ask for every connection; also you can tweak the HIPS to work as an anti-exe (or more). The protection is there :)

Tweak the Eset HIPS and provided settings (like what they did for Comodo) and you will not see any red color anymore ;)
I assure you I can tell the difference lol. When the AV is bypassed, malware can download the payload/s going straight through the firewall, and once the payloads install they also connect out, going straight through Eset's firewall both ways, in and out. Please do some research.
 
(joined Oct 29, 2017, 82 messages)
Please, simple questions:

1) With CS' settings in CF, does ViruScope option need to be enabled? Is it adding anything to CS' settings?

2) If I disable HIPS, will this also disable "Protected Data Folders"?

3) Website Filtering? On? Off? Does this option add anything relevant to CS' settings?

4) Enable or disable Cloud Lookup with CS' settings?

5) I can understand CS' opinion about "CF is enough, doesn't need an AV or AM". However, what about browsers? How to deal with phishing, scams, fake websites, tracking, spying, privacy issues etc.? Don't we need an AV or AM to take care of this browser garbage and other online dangers?

Thank you!
 

Telos (Level 12, Verified, joined Jan 29, 2017, 599 messages)
Please, simple questions:
1. CS shows ViruScope enabled.
2. Firewall and Containment settings should protect your system.
3. CS shows Website Filtering enabled.
4. I use the default settings.
5. Website filtering should handle most of those concerns. AV has no effect on the threats you enumerated.

Ref

That all said a basic AV running alongside CF is fine. CS has mentioned Avast Free, Qihoo 360, and Kaspersky Free IIRC. For me, I just allow Windows Defender to do its thang in the background.
 

AtlBo (Level 26, Verified, joined Dec 29, 2014, 1,542 messages, AV: Qihoo 360)
Answers below. These are just my impressions at the current time:

With CS' settings in CF, does ViruScope option need to be enabled? Is it adding anything to CS' settings?
No, it doesn't do anything at the present time. I leave it on, because Comodo uses the Recognizer in VS to gather information on malware behaviors. It isn't even functional. ViruScope has been on a VERY slow development cycle.

2) If I disable HIPS, will this also disable "Protected Data Folders"?
Yes. You can verify this by going to Settings->HIPS settings->Monitoring settings (just below Enable HIPS). You can see the Protected file/folder setting is there, so it is HIPS that monitors them.

3) Website Filtering? On? Off? Does this option add anything relevant to CS' settings?
Haven't ever seen it do anything. Another Comodo project.

4) Enable or disable Cloud Lookup with CS' settings?
If you use the standard Trusted Vendor List (aren't relying on your own changes to the list), then leave Cloud Lookup on. It's actually fairly powerful, and I think where Comodo will focus improvements.

5) I can understand CS' opinion about "CF is enough, doesn't need an AV or AM". However, what about browsers? How to deal with phishing, scams, fake websites, tracking, spying, privacy issues etc.? Don't we need an AV or AM to take care of this browser garbage and other online dangers?
A-V: I use an a-v with Comodo in case I make a mistake. The Comodo sandbox will tell you that Comodo doesn't like the app or that it isn't signed or is signed improperly. However, if anything gets by that, a good a-v will help. Personally, for free, Avast is probably the best for this because of the internet blocking it does from the program. Don't forget that Avast Free has great features and protection, and the use of the cloud is intense for a free a-v. The companion browser extension is extremely good too. Bitdefender Free is just plain amazing detection. I think the internet protection is even better than Avast (detecting bad sites/bad downloads), but I am not sure about this. Haven't had a chance to use BD Free, and I am going from memory of a video review. Just can't recall if it was Free or BDIS.

Browser: Use a good content/ad blocker like uBlock Origin. If you really want to go all the way, you can run the browser contained by clicking on the Comodo widget to start it. Avast has a very nice content advisor browser extension, also.

As for other malware, Comodo is supposed to have your back with script monitoring. I'm not sure about this, and I am hoping @cruelsister will test Comodo against command-line reliant malware with only the command-line heuristics module enabled. Until the time this occurs, I will be using NVT EXE Radar Pro. However, Avast hardened mode set to the highest will block a lot of malware activity. VoodooShield Free could be a good lightweight replacement for NVT ERP if you are worried about scripts. Comodo + Avast will be very good though...
 
(joined Oct 29, 2017, 82 messages)
Telos said:
5. Website filtering should handle most of those concerns. AV has no effect on the threats you enumerated.
Hi @Telos! Thank you for your answer.

It is true that in the original CS video (you attached), CF's settings are those you pointed out. However, on CS' YouTube channel you can see other videos with different settings in CF, related specifically to my questions. By the way, that is the reason for my questions (taking into account other CS videos with different settings).

Now, with regard to "AV has no effect on the threats you enumerated", most of the AV/AM I tested somehow take care of the threats I enumerated.

But once again @Telos, thank you for your answer.
I repeat my questions, hoping someone else here wants to answer:
1) With CS' settings in CF, does ViruScope option need to be enabled? Is it adding anything to CS' settings?
2) If I disable HIPS, will this also disable "Protected Data Folders"?
3) Website Filtering? On? Off? Does this option add anything relevant to CS' settings?
4) Enable or disable Cloud Lookup with CS' settings?
5) I can understand CS' opinion about "CF is enough, doesn't need an AV or AM". However, what about browsers? How to deal with phishing, scams, fake websites, tracking, spying, privacy issues etc.? Don't we need an AV or AM to take care of this browser garbage and other online dangers?
 

shmu26 (Level 71, Content Creator, Verified, joined Jul 3, 2015, 6,023 messages, OS: Windows 10)
The main thing with Comodo is to make sure it is actually working. Sometimes it doesn't block, and sometimes the blocking is inconsistent. If it works, it is good.
Try executing unusual files, and if they are allowed to run, check in the file list. If they are unrecognized, but Comodo let them run, I think you may have a problem.
 
(joined Oct 29, 2017, 82 messages)
Hi @AtlBo, thank you for your answers:

AtlBo said:
Yes. You can verify this by going to Settings->HIPS settings->Monitoring settings (just below Enable HIPS). You can see the Protected file/folder setting is there, so it is HIPS that monitors them.
Here I am confused.
I disabled HIPS following CS' settings.
However, my "protected folders" are still there.
Again: By disabling HIPS, will this also disable "Protected Data Folders"?

AtlBo said:
The companion browser extension is extremely good too.
I tested both, Avast AV and the AVAST add-on, and in my ignorant opinion both are terrible detecting browser online-dangers.

AtlBo said:
Bitdefender Free is just plain amazing detection. I think the internet protection is even better than Avast (detecting bad sites/bad downloads), but I am not sure about this. Haven't had a chance to use BD Free, and I am going from memory of a video review. Just can't recall if it was Free or BDIS.
I tested the BD add-on over 6 months, comparing it with other security add-ons, and I found the BD add-on the best one; not perfect, but catching more pests without affecting browsing performance.

I just want to understand how CS deals with browsers security, using just CF.

AtlBo said:
Browser: Use a good content/ad blocker like uBlock Origin.
I use uMatrix. But I don't use hosts files. I just block everything with uMatrix.
Of course, I also have other security/privacy add-ons & settings.
 

AtlBo (Level 26, Verified, joined Dec 29, 2014, 1,542 messages, AV: Qihoo 360)
On these:

HIPS->HIPS settings->Monitoring settings (just below "Enable HIPS")
Yes, disabling HIPS will disable protected files and folders protection. You can see the "Protected Files and Folders" setting is there at the settings location above, so it is HIPS that monitors files and folders and provides this protection. If you look at each of the protections in the list, you can see what HIPS actually monitors specifically. Each HIPS alert will be of one of the types with the check boxes. These are the actions that HIPS blocks, (until you allow). In the list, you can see all the check boxes for each protection, and one of them is "Protected Files and Folders". If the Comodo HIPS module is deactivated, however, Comodo will not be monitoring using any of the HIPS block protections listed, even if they are checked and including "Protected Files and Folders". This is true, even if you have configured some files and folders to be monitored. HIPS must be on to have that monitoring.

I tested both, Avast AV and the AVAST add-on, and in my ignorant opinion both are terrible detecting browser online-dangers.
Seems pretty good to me, but haven't ever done any testing. I did see MalwareBlocker's YouTube video where I think it blocked 5/10. Not very good, true, but I haven't ever been abused running avast. I like the extension. It's not much, but I don't want a dramatic extension for website recommendations.

Have you looked at Bitdefender? This video seems impressive with the internet blocks for a free program:


I just want to understand how CS deals with browsers security, using just CF.
I believe she handles that with extensions mostly. She is super confident that Comodo will catch malware when it attempts to run. It's easy to understand this, because even memory-based malware has limited potential to do damage if it can't drop a file somewhere without being detected. Now, if it's running as part of your browser, masquerading as the browser, like a rogue extension, things can become problematic. Since the malware would likely want to drop something, the only defense Comodo would have is "Command-line Heuristics". This is because your browser is automatically whitelisted, so malware running as part of it can basically do anything. This is really the only scenario you need to be aware of as far as the browser and Comodo go. Make sure you are getting safe and reputable extensions, and you can also run the browser in a sandbox like Sandboxie (also MS Office applications). This is the best defense.

BTW, I use Qihoo 360 Total Security on a few PCs. If you block a few Qihoo processes, the ads are non-existent. I can't recommend it because of them, but 360 has a good sandbox. Problem is it doesn't love Chrome. Big problem I know. Anyway if you ever try Q360 make sure to activate the Bitdefender and Avira definitions.
 