Just as a precaution the Vulnerable Process List in ERP includes some potential target files that I have already assigned to CFW File List as UNRECOGNIZED.
A little over the top maybe? Perhaps but for me in tandem with Comodo FW it's proven so far an excellent combo in and of itself.
Done the same thing EASTER in the NVT Vulnerables list. I mostly use NVT ERP for those exact alerts and first look at script alerts. I also love the ability to whitelist/blacklist command lines with wildcards. For me, the ERP vulnerable alert stands out, so I feel like I have a small amount of insurance against that type of attack, even though I am getting the Comodo alert too. Comodo will definitely do the job by itself however. cruelsister's settings are extremely well tested and verified. They are unbeatable, considering unrecognized are auto-sandboxed without an alert. Only possible mistake is a false allow from Comodo via Cloud Lookup...very unlikely (1 in 50,000 or something maybe).
One other thing about adding NVT ERP. I have trimmed the Trusted Vendors List of Comodo FW to only vendors of software that is on the system now. This is primarily because I don't install much software at the present time. However, because I have also turned off Cloud Lookup to eliminate the meager possibility of false allows from Comodo, everything I install almost is sandboxed the first time it is run. Not all that many would care to go with this setup probably, but it gets more complicated too. I have set CFW so that I can see the sandbox alert unlike cruelsister. Risky I know, but it means that at the time of first run, I can leave the block or unblock, and I have this choice (auto-sandbox will occur after a short time). The most complicated part of this is that "unblock" (only option on the alert I get) creates a rule for all [enabled] elements of Comodo FW to allow the application and changes the file to Trusted in the files list. For the generated HIPS rules, everything except 'create a process' is set to allow, while 'create a process' is set to ask. No security there, since the file is trusted. That's why I hate the "unblock" logic Comodo is using. I would like to be able to have a second chance at unboxed applications with the HIPS alerts. These are very pointed and say a lot about the app's intentions. Comodo is still good in this scenario in that anything that tries to use a script engine will be blocked or blocked with an alert. Seems like most of the worst wants to do this at some point.
I have always been this way with security. I like to live on the edge and trust myself rather than trust the vendor, and I guess I have made myself the potential weak point in the chain. Not sure why I am this way, but ERP helps immensely for gathering information since its alerts are better than what I get from Comodo from the sandbox. I also have 360 Total Security for signature detection. That uses the Bitdefender and Avira engines, although a little bit behind the one in Bitdefender and [I have read] Emsisoft. Overall, I am very confident in the setup. Generally, if I weren't extremely good at seeing potentially dangerous software situations, I wouldn't do this...not to boast I hope. It's just that I have learned so much about what to look for and most importantly where it typically comes from in the first place.
For you, ERP I would think can add the ability to see when something is, for example, unsigned. The ERP alerts could be better, even without cloud service, but there is good information on them.