Advice Request Comodo Firewall Proactive Security Config?


Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160
Can anyone elaborate to me all the benefits I will get after changing the Internet Security config to the Proactive Security config in Comodo Firewall, in terms of the firewall's capability?
I will be waiting for all your replies.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
I'd suggest using these exact settings for Comodo Firewall (you'll be able to see in the video why the Firewall/Internet Security configuration is a bad idea):


Firewall Security:
  • Image Execution Control checks only applications that are not started manually by the user.
  • Computer Monitor/Disk/Keyboard is NOT monitored.
  • Only commonly infected files/folders are protected against infection.
  • Only commonly exploited COM interfaces are protected.
  • Defense+ is tuned to prevent infection of the system and detect Internet access request leaks even if it is infected.
Internet Security:
  • Image Execution Control is disabled.
  • Computer Monitor/Disk/Keyboard/DNS Client access/Window Messages are NOT monitored.
  • Only commonly infected files/folders are protected against infection.
  • Only commonly exploited COM interfaces are protected.
  • Defense+ is tuned to prevent infection of the system.
Proactive Security - This configuration turns CIS into the ultimate protection machine. All possible protections are activated and all critical COM interfaces and files are protected.

In a nutshell, Firewall Security and Internet Security leave too many open doors that allow malware to infect the system. Proactive configuration closes those doors.
 

hirudora56

Level 1
Verified
May 16, 2017
25
Great tutorial. Proactive mode is good for those who only plan to use software by verified publishers. During the time I used CIS, it couldn't recognize a lot of software. And there things get complicated. Comodo's signature base is pathetic.
 

hirudora56

Level 1
Verified
May 16, 2017
25
@Saikat Kundu my knowledge in IT is very limited, so I would like to know about the antivirus which allows software from unverified publishers to run

Different AV engines use different approaches. Comodo goes for a whitelist approach. Comodo has a large database of verified publishers. Any executable outside of that, or without a verified digital signature, is either blocked or prompts for action depending on settings. One can try to install a legitimate program without a signature, but Comodo will flag it as unknown. Now it is up to the user to decide whether it is safe or not. I personally don't like this approach. Yes, it can be very secure with the Proactive setting. But I like ESET's or KIS's approach better. On access, ESET will scan the whole executable package and detect any malicious or adware component within it. Even the free version of CCleaner has a Google toolbar in it, which ESET flags.
 
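As an added illustration (not code from the thread or from Comodo), this PowerShell snippet emulates the publisher-whitelist decision described above: a file is "Trusted" only if its Authenticode signature validates and the signer is on an allow-list; everything else is "Unrecognized" and would be asked about or contained. The allow-list and the folder path are constructed placeholders.

```powershell
# Constructed allow-list of publisher certificate subjects (placeholder; matching on
# thumbprint instead of subject is stricter, since subjects can be spoofed by another CA).
$TrustedPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function Get-PublisherVerdict {
    param([Parameter(Mandatory)][string]$Path)

    # Validates the file's Authenticode signature against the machine's trusted roots.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError (untrusted chain) all fall in the same bucket:
        # this is the case where a whitelist engine prompts or auto-contains.
        return [pscustomobject]@{
            File = $Path; Signer = $null
            Verdict = 'Unrecognized (ask/contain)'; Reason = [string]$sig.Status
        }
    }

    $signer = $sig.SignerCertificate.Subject
    if ($TrustedPublishers -contains $signer) {
        return [pscustomobject]@{
            File = $Path; Signer = $signer
            Verdict = 'Trusted (allow)'; Reason = 'Publisher in allow-list'
        }
    }

    # A valid signature alone is not enough: the publisher must also be known.
    return [pscustomobject]@{
        File = $Path; Signer = $signer
        Verdict = 'Unrecognized (ask/contain)'; Reason = 'Valid signature, publisher not in allow-list'
    }
}

# Placeholder folder; run this over the directory you want to audit.
Get-ChildItem -Path 'C:\Path\To\Apps' -Filter *.exe -Recurse -File |
    ForEach-Object { Get-PublisherVerdict -Path $_.FullName } |
    Format-Table -AutoSize
```

Running it over a software folder shows how many legitimate tools would land in the "Unrecognized" bucket, which is exactly the friction the posts above describe.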

ravi prakash saini

Level 13
Verified
Top Poster
Well-known
Apr 22, 2015
637
But I am under the impression that even newer versions of Windows do not allow software from unverified publishers to install. However, it lets itself be overridden by the user.
 

hirudora56

Level 1
Verified
May 16, 2017
25
Windows will prompt UAC for any executable, whether it is from a verified or non-verified publisher. And if you click yes, it will install it. Windows SmartScreen sometimes filters malicious and unverified software. But I have a lot of work-related software which doesn't have a verified signature and runs with no problem.
 

ravi prakash saini

Level 13
Verified
Top Poster
Well-known
Apr 22, 2015
637
I would not use any security software which allows software from unverified publishers to run.
I love those security programs which block unverified software and let me whitelist it. Comodo with any security config allowed it.
In a nutshell, my points are:
If I know what I am doing, I can whitelist any software in any security suite.
If I do not know what I am doing, then my security software must be on the maximum protection setting.
 

ravi prakash saini

Level 13
Verified
Top Poster
Well-known
Apr 22, 2015
637
@Prayag now you are on MT, so I expect you to do some small homework.
Just activate all three configurations one by one and note down the changes in all the settings. I hope once you are finished you will have a clear picture.
 

hirudora56

Level 1
Verified
May 16, 2017
25
You are right to an extent. A normal home user can go by this rule. But people who need obscure software for some specific tasks will have problems. I use some software and scripts on a daily basis which are not verified, but I need to make sure they have no rogue component. And one cannot be too educated about all the files they execute. And basically all the mainstream AVs will let an unverified exe run if it doesn't have any malicious code in it.
 


Prayag

Level 4
Thread author
Verified
Well-known
Mar 27, 2017
160
@Prayag now you are on MT, so I expect you to do some small homework.
Just activate all three configurations one by one and note down the changes in all the settings. I hope once you are finished you will have a clear picture.
Yeah, the same idea came to me earlier today, but as I do not have any spare time today, I will do this tomorrow.
And thanks for the suggestion.
It looks like we have read each other's minds (quite an awesome thing, right?).
 

ravi prakash saini

Level 13
Verified
Top Poster
Well-known
Apr 22, 2015
637
@Prayag when I think my intention is clear to you, I can say what I wanted to say. I want every member of MT to be capable enough that he gives answers only and asks no questions, and then we discuss everything through answers with technical facts.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Great tutorial. Proactive mode is good for those who only plan to use software by verified publishers. During the time I used CIS, it couldn't recognize a lot of software. And there things get complicated. Comodo's signature base is pathetic.

+1 x 100. This is really true. Hopefully, future versions of CF/CIS will do a better job of recognizing non-dangerous unsigned programs. If it's unsigned or not from a Trusted Publisher, usually it will be sandboxed. Cloud Lookup may whitelist an app in this situation, but it's rare, and Comodo has on occasion whitelisted malware too. :( However, personally I wouldn't recommend using CIS/CF other than in Proactive in spite of the difficulties.

Lately, I have been trying to inform others the complications of using Proactive mode and then using the "Unblock Applications" element on the widget. Proactive will auto-contain (sandbox) unrecognized (unsigned app or app signed by a non-trusted vendor) software. Cloud Lookup will stop this sometimes, but usually it will be sandboxed. Once sandboxed, if a user uses the "Unblock Applications" element on the widget to unblock, then all CIS/CF rules including Firewall, HIPs, and Containment will be set to allow for the process. Also, it will be granted "Trusted" privilege in the files list. Many times you want to run the app outside containment but then still have HIPs warnings. "Unblock Applications" on the widget turns off everything for any app unblocked using the dialog, including again Firewall, HIPs, and containment/sandbox (no matter what all of them set to allow).

Options here are first, to unblock the application using the widget and then change the allow rules that are created to match your desire. So if you unblock (from the widget) because you want the Containment block to be removed but you still want HIPs monitoring, you must change the HIPs allow rule created when you chose the widget unblock to ask. You can also edit the Firewall rule to ask or block if you like. Then go to the Files list and click on the small magnifying glass in the file names column and type the file name. Find the file and change its status back to unrecognized. Finally, go to the sandbox rule and change it from Application->Trusted->Ignore to Application->Unrecognized->Ignore, or create one if you can't find the rule. Now the app will run outside the container but with HIPs/Firewall on or as you have set them. The other way is to do all the above when you see the sandbox alert and just ignore the widget "Unblock Applications". The only difference is you won't have to change the file status from "Trusted" to "Unrecognized" in the files list because it will still be listed unrecognized.

This only happens occasionally, so it's not that big of a deal. Proactive is, from the security perspective, much much better.

kamla5abi

Level 4
Verified
May 15, 2017
178
+1 x 100. This is really true. Hopefully, future versions of CF/CIS will do a better job of recognizing non-dangerous unsigned programs. If it's unsigned or not from a Trusted Publisher, usually it will be sandboxed. Cloud Lookup may whitelist an app in this situation, but it's rare, and Comodo has on occasion whitelisted malware too. :( However, personally I wouldn't recommend using CIS/CF other than in Proactive in spite of the difficulties.

Lately, I have been trying to inform others of the complications of using Proactive mode and then using the "Unblock Applications" element on the widget. Proactive will auto-contain (sandbox) unrecognized (unsigned app or app signed by a non-trusted vendor) software. Cloud Lookup will stop this sometimes, but usually it will be sandboxed. Once sandboxed, if a user uses the "Unblock Applications" element on the widget to unblock, then all CIS/CF rules including Firewall, HIPs, and Containment will be set to allow for the process. Also, it will be granted "Trusted" privilege in the files list. Many times you want to run the app outside containment but then still have HIPs warnings. "Unblock Applications" on the widget turns off everything for any app unblocked using the dialog, including again Firewall, HIPs, and containment/sandbox (no matter what, all of them set to allow).

Options here are first, to unblock the application using the widget and then change the allow rules that are created to match your desire. So if you unblock (from the widget) because you want the Containment block to be removed but you still want HIPs monitoring, you must change the HIPs allow rule created when you chose the widget unblock to ask. You can also edit the Firewall rule to ask or block if you like. Then go to the Files list and click on the small magnifying glass in the file names column and type the file name. Find the file and change its status back to unrecognized. Finally, go to the sandbox rule and change it from Application->Trusted->Ignore to Application->Unrecognized->Ignore, or create one if you can't find the rule. Now the app will run outside the container but with HIPs/Firewall on or as you have set them. The other way is to do all the above when you see the sandbox alert and just ignore the widget "Unblock Applications". The only difference is you won't have to change the file status from "Trusted" to "Unrecognized" because it will still be unrecognized.

This only happens occasionally, so it's not that big of a deal. Proactive is, from the security perspective, much much better.
Wow, that is a very good overview of what CFW does if you click "Unblock Applications" after the sandbox alert kicks in, and what that means you must do if you only want it to run outside the sandbox but still have other protections enabled for the file (just to make sure it's really safe), or any other combination of protections enabled.

It seems to me that Comodo should change the sandbox alert to make it more user-friendly, instead of having to go through all those steps to accomplish things. If they were to include a checklist-type option, that would make it easier, I think. In it you could choose which protection to turn off and which to leave on. So you could uncheck/turn off the auto-sandbox protection but leave the other protections enabled for that instance of the program. Then if you run it and see there's no malware inside, you can choose to uncheck the other protections on subsequent runs of the file.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
It seems to me that Comodo should change the sandbox alert to make it more user-friendly, instead of having to go through all those steps to accomplish things.

Yes, I agree, or maybe the sandbox block could have the option to leave HIPs/Firewall on, and then instructions on the same alert to use "Unblock Applications" to allow the app to run out of the sandbox. I can see why they want it to be something extra for someone to allow an app/file outside the sandbox.

Keep an eye on videos. @cruelsister posted recently that she will be putting together a video on Comodo HIPs. She might have some tips. There is the "Paranoid" setting for HIPs, which means they are on for all processes, but I think that means that even trusted applications generate HIPs prompts. However, once those applications have rules in place, things quiet down from what I have heard. @Umbra says he would only run Comodo with HIPs in "Paranoid"...
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Lately, I have been trying to inform others the complications of using Proactive mode and then using the "Unblock Applications" element on the widget. Proactive will auto-contain (sandbox) unrecognized (unsigned app or app signed by a non-trusted vendor) software. Cloud Lookup will stop this sometimes, but usually it will be sandboxed. Once sandboxed, if a user uses the "Unblock Applications" element on the widget to unblock, then all CIS/CF rules including Firewall, HIPs, and Containment will be set to allow for the process. Also, it will be granted "Trusted" privilege in the files list. Many times you want to run the app outside containment but then still have HIPs warnings. "Unblock Applications" on the widget turns off everything for any app unblocked using the dialog, including again Firewall, HIPs, and containment/sandbox (no matter what all of them set to allow).
Yes, today I really noticed this, when I "unblocked" a couple of basic Windows processes that got snagged for some reason. You can end up with too many permissions.
 