Advice Request COMODO Firewall Settings + Protected Objects & Ransomware?

[itssaulgoodman]

Hi all,

I know that COMODO Firewall (CF)'s default settings are useless and that CurelSister's settings are rock solid. However, I recently came upon another CF configuration video and the settings the user set seems pretty solid as well:

Are the settings used in the above video as good as CruelSister's or good enough to withstand ransomware in 2020? (I don't keep any files locally, I keep everything synced using cloud storage and I keep that cloud storage solution away from the system since I've seen that ransomware can hit it as well).

Secondly, on 2 of my Windows 10 systems, I have Kaspersky Security Cloud Free (KSCF) + CF (with above video settings). Having KSCF bars me from using Windows's Controlled Folder Acess or CFA (yes, I know it isn't the be all end all solution for ransomware... but on my one of my Win 10 systems I have Emsisoft + CF and I managed to enable CFA by turning off a setting in Emsisoft and like it.) This leads me to the question - if I add folders to CF's "Protected Objects", will it act like Window's CFA or not?

I couldn't find much on these topics and since I'm no security wiz, I thought I'd ask here. Any and all help is greatly appreciated. Thank you.

 

[Vitali Ortzi]

It is as secure as cruel but worse for usability .
Technically it might make you in the long run whitelist so many files that when actual malware hits it would be whitelisted.
As long as you don't blindly whitelist files you are good to go.
The only difference with Cruel is that she uses the container on restricted over block (still very hard to bypass especially with the lower attack surface it has disabling components such as virus scope and using script analysis to further harden itself )

For example let's say I'm a kiddo who downloaded a packed keygen in your settings it won't run .
But in cruel it will run contained in restricted mode without any compromise to the host while still having some usability (can create the key but without compromising the host).

 

[itssaulgoodman]

It is as secure as cruel but worse for usability .
Technically it might make you in the long run whitelist so many files that when actual malware hits it would be whitelisted.
As long as you don't blindly whitelist files you are good to go.

I generally just let COMODO handle it and don't whitelist or unblock files unless it's from something I know (Mircosoft Office Update, Zoom download, etc...) Could the same be said for Cruel's? Or does her method configure it differently so that you gain usability + solid security from CF? (Sorry for my lack of knowledge, I've seen her setup video, but don't know the full "story", if you will, behind it).

 

[itssaulgoodman]

It is as secure as cruel but worse for usability .
Technically it might make you in the long run whitelist so many files that when actual malware hits it would be whitelisted.
As long as you don't blindly whitelist files you are good to go.
The only difference with Cruel is that she uses the container on restricted over block (still very hard to bypass especially with the lower attack surface it has disabling components such as virus scope and using script analysis to further harden itself )

For example let's say I'm a kiddo who downloaded a packed keygen in your settings it won't run .
But in cruel it will run contained in restricted mode without any compromise to the host while still having some usability (can create the key but without compromising the host).

Ah, well that makes more sense. Thanks for clearing it up - I guess I'll switch to Curel's setup, as it's most revered by the security community.

Also, as you seem knowledgeable here, do you know if COMODO's "Protected Objects" act like Window's Controlled Folder Access feature?

 

[Vitali Ortzi]

Ah, well that makes more sense. Thanks for clearing it up - I guess I'll switch to Curel's setup, as it's most revered by the security community.

Also, as you seem knowledgeable here, do you know if COMODO's "Protected Objects" act like Window's Controlled Folder Access feature?

Since I'm not using comodo .
And my knowledge about comodo is very limited in order to not mislead you .
I will let cruel sister answer your questions .
Anyway I would recommend lower the trusted vender list if you're looking for further improvements.

 

[itssaulgoodman]

Since I'm not using comodo .
And my knowledge about comodo is very limited in order to not mislead you .
I will let cruel sister answer your questions .
Anyway I would recommend lower the trusted vender list if you're looking for further improvements.

Makes sense. Thanks for the advice!

I guess I'll tag @cruelsister to this thread and see if she can shine any light on COMODO's Protected Objects.

 

[cruelsister]

Hi Lightmen! Viewing the setup used on the video, from a malware protection standpoint it really can't be faulted, however from a usability standpoint it is a tad aggressive (as Vitali correctly implies). Essentially the Containment settings make CF an anti-exe. Personally if I was to go this route I would go a bit further by wiping out all the Vendors on the Trusted Vendors list, then removing everything that pops up on the Unrecognized Files list.

After a reboot rechecking the Trusted Vendors list will only show a Comodo listing as well as a couple of things from Microsoft - files that are directly signed as well as stuff that was "group" signed via the MS Catalog Store. This last bit (the Catalog Store files) is interesting in that although things like Outlook,exe are singed directly, Right Clicking on something like Regedit.exe or cetutil.exe will not show any digital signature (you would need something that will actually look into the Catalog Store to verify signatures- eg Get-AuthenticodeSignature command used by Sysinternals Sigcheck, or employed directly in Powershell.

Finally, your suggestion to use Protected files and Folders within Comodo as a ransomware defence does indeed seen like a great idea but sadly will not work (not needed anyway with Containment enabled).

Sorry if I went a bit in the Weeds, but hope this helped!

M

 

[itssaulgoodman]

Hi Lightmen! Viewing the setup used on the video, from a malware protection standpoint it really can't be faulted, however from a usability standpoint it is a tad aggressive (as Vitali correctly implies). Essentially the Containment settings make CF an anti-exe. Personally if I was to go this route I would go a bit further by wiping out all the Vendors on the Trusted Vendors list, then removing everything that pops up on the Unrecognized Files list.

After a reboot rechecking the Trusted Vendors list will only show a Comodo listing as well as a couple of things from Microsoft - files that are directly signed as well as stuff that was "group" signed via the MS Catalog Store. This last bit (the Catalog Store files) is interesting in that although things like Outlook,exe are singed directly, Right Clicking on something like Regedit.exe or cetutil.exe will not show any digital signature (you would need something that will actually look into the Catalog Store to verify signatures- eg Get-AuthenticodeSignature command used by Sysinternals Sigcheck, or employed directly in Powershell.

Finally, your suggestion to use Protected files and Folders within Comodo as a ransomware defence does indeed seen like a great idea but sadly will not work (not needed anyway with Containment enabled).

Sorry if I went a bit in the Weeds, but hope this helped!

M

Thanks for your reply! Yeah, for simplicity's sake, I just went with your settings instead. It seems cumbersome for novices such as myself to go in-depth with Trusted Vendors, etc.

I know I asked this on your profile page, but might as well ask here too (since my posts need to be approved by a moderator either way it seems): if you leave HIPS enabled do you ruin the solidity for your configuration or it doesn't matter if you leave HIPS on or off?

Thanks.

 

[WhiteMouse]

@Lightmen77 : Comodo settings in that video will block Office from updating to a newer version.

 

[itssaulgoodman]

@Lightmen77 : Comodo settings in that video will block Office from updating to a newer version.

Already ditched those settings and opted for Curel's (less going in-depth to things I don't know, haha). But yeah, it got annoying having to allow it to go through every time Office wanted to update (although, after a certain point, updates just went through without COMODO intervening but I guess with Cruel's this won't be a problem).