Serious Discussion Comodo Internet Security 2024 announced

[goodjohnjr]

It is not the upcoming version, but here is the most recent Comodo Internet Security Premium 12.2.4.8032 test that I have seen:

Comodo Internet Security Premium Tested 2.23.23:

 

[gery79]

not bad

 

[cruelsister]

True, but knowing that trapped (contained) malware might be able to phone home doesn't feel good.

Don't mean to intrude, but Contained files will always be blocked by the Firewall. The firewall acts synergistically with Containment.

 

[ForgottenSeer 98186]

but Contained files will always be blocked by the Firewall. The firewall acts synergistically with Containment.

@Pico is talking about when using VPN. That really shouldn't matter, but I suppose there is some corner case they are referring to. Inbound and outbound connections for sandboxed processes are permitted by default; users have to enable "block inbound" and "block outbound" for the sandbox.

 

[ForgottenSeer 98186]

Free 'as is' and Comodo still created probably the strongest firewall out there. In all the years I used Comodo, It just worked. I never experienced any of the bugs, but I never tried digging deep into the software. I installed it and used it, later adopting Cruelsister's recommendations.

For those so inclined to figure out the sandbox, Comodo is overall the most effective 3rd party freeware localhost protection.

 

[Pico]

Don't mean to intrude, but Contained files will always be blocked by the Firewall. The firewall acts synergistically with Containment.

How is Comodo FW suppose to block traffic when it doesn't see or know about traffic like in case traffic through npcap or VPN tunnels?

@Pico is talking about when using VPN. That really shouldn't matter, but I suppose there is some corner case they are referring to. Inbound and outbound connections for sandboxed processes are permitted by default; users have to enable "block inbound" and "block outbound" for the sandbox.

View attachment 273348

No such settings in premium or pro.

 

[ErzCrz]

No such settings in premium or pro.

I'm not 100% certain but running containment set at "Restricted" doesn't allow the contained application to access network adapters whereas if it was run as Partially Limited (default), you'd see a Firewall prompt.

Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)

Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.

 

[ForgottenSeer 98186]

No such settings in premium or pro.

Not setting. Configuration. Research it.

 

[Pico]

Traffic which is not being monitored or captured by FW will not produce FW prompts.
So either in "Restricted" or in 'Partially Limited' traffic might be there.

 

[Trident]

Even if isolated apps are allowed to listen and send data, it is unlikely that they will be able to obtain anything. If Comodo can properly secure access to keyboard by preventing global hooks and screen/screenshots (I don’t think there is evidence that it doesn’t, correct me if I am wrong) there will be nothing that can be transmitted over the not-secured traffic. Apart from another piece of malware that will be just as restricted.

 

[ErzCrz]

The simplest option is to set the rule to Block that way it won't even run in the first place. I wonder if we'll get the same customisation options. The screenshots so far don't seem to indicate much. Anyway, it does some things well and others not.

 

[Trident]

The simplest option is to set the rule to Block that way it won't even run in the first place. I wonder if we'll get the same customisation options. The screenshots so far don't seem to indicate much. Anyway, it does some things well and others not.

But you guys can all try the OpenEDR. It’s for free, maintained and if you have less knowledgeable people you will be able to manage it for them.

What is EDR? Endpoint Detection & Response Explained

OpenEDR: Empower organizations with cutting-edge incident response and threat-hunting. Enabling security teams to investigate and mitigate security threats.

www.openedr.com

 

[Pico]

Even if isolated apps are allowed to listen and send data, it is unlikely that they will be able to obtain anything. If Comodo can properly secure access to keyboard by preventing global hooks and screen/screenshots (I don’t think there is evidence that it doesn’t, correct me if I am wrong) there will be nothing that can be transmitted over the not-secured traffic. Apart from another piece of malware that will be just as restricted.

Malware would still be able to sniff around in your system and collect (some or all of) your (sensitive) data stored in the registry and in files on the file system and phone home that collected data.
Yes, best way is to block it completely when trapped so it has no change to run and collect your stuff and send home.

Not setting. Configuration. Research it.

I meant no such checkboxes are available in pro or premium so those protection settings cannot be activated/deactivated in pro or prmeium.

 

[Trident]

Malware would still be able to sniff around in your system and collect (some or all of) your (sensitive) data stored in the registry and in files on the file system and phone home that collected data.
Yes, best way is to block it completely when trapped so it has no change to run and collect your stuff and send home.

Highly sensitive data is not to be stored in the system registry. The registry is for settings and configuration and whilst *some* user data can be stored there (such as software activation data) attackers are unlikely to be interested - for them the registry is a place to maintain persistence.

Most of the attackers are interested in various browsers, crypto wallets, gaming clients and password manager repositories, most of them being in %UserData%.
This directory is absolutely crucial to be kept safe. I know how it can be achieved with Kaspersky Application Control, but I am not aware how to do it with Comodo.

 

[cruelsister]

In an attempt to add some clarity to the Comodo Containment/Firewall discussion, please consider:

1). An unknown file is run with the ability to gather information (password stealer, keylogger, Coinminer, RAT, etc) as well as transmit the information out. For the majority of these, once plopped into Containment the malware will not have the ability to acquire data, but more importantly the transmission of this data will be detected and blocked. An example of this could be seen in my last Comodo vs RAT video.

2). Another example can be seen with the legitimate SeaMonkey browser. Although distributed by the Mozilla organization, it for many years has not been signed (and thus always deemed Untrusted by CF). However recently it did get a valid certificate with an equally valid Countersignature; but even so as this was the initial application with this certificate before Comodo will trust these new builds of SeaMonkey the application must first be vetted by C. As this has not been done yet upon running the installer it will be automatically contained. Further, even when launching the installer and directing that the installer be trusted (at the initial popup) and accomplishing the install upon first run one will still be presented with a Firewall popup.

This last point may seem trivial but it is actually of extreme importance. In the bad old days I was employed by a company that was called in to do a postmortem breach analysis for a major retailer that used an extremely popular Enterprise Security program. It was finally determined that a true zero-day targeted trojan was installed on their systems that was pulse transmitting stolen data packages out (actually discovered by a new employee who, when delving through firewall logs, found it curious that stuff was being sent to Kazakhstan).

As lead in the investigation I was able to acquire the malware and for giggles tried it out on a Comodo protected system. CF alerted at the first peep and this detection would have saved the victimized organization many, many millions in damages (but costing me a substantial bonus, so I guess I'm glad they went with the Enterprise product instead).

3). I hope on reflection that it's intuitively obvious that the use or non use of a VPN won't have a bearing on this sort of malicious mechanism.

his Melihness should buy CruelsSister a set of priceless diamonds

Emeralds would preferable as they are a better match for my eyes...

 

[Trident]

@cruelsister you are such a character

Was this popular enterprise program Symantec Endpoint Protection in the “bad” old days?

It’s great that signatures are not trusted blindly at Comodo.

 

[Pico]

How can Comodo FW block VPN traffic when it is not even able to block VPN traffic of trusted apps?

 

[ForgottenSeer 97327]

@Pico is talking about when using VPN. That really shouldn't matter, but I suppose there is some corner case they are referring to. Inbound and outbound connections for sandboxed processes are permitted by default; users have to enable "block inbound" and "block outbound" for the sandbox.

View attachment 273348

You posted that you never used Comodo and ypu are able to show us these settings. Do you read user manuals of IT-programs as a hobby?

 

[Trident]

You posted that you never used Comodo and ypu are able to show us these settings. Do you read user manuals of IT-programs as a hobby?

I do it
I love to read manuals. Haven’t read the Comodo one though.

 

[ForgottenSeer 97327]

And, finally, his "Melihness" has a message for all of you:

3 Steps to Software Development | MELIH ABDULHAYOGLU

melih.com

Optimizing for efficiency is considered bad practice since a few decades. Only for performance critical systems and processes optimization is recommended. So I understand this message from a CEO of security companies (security should be seamless for the user experience), but it is not generally applicable (considered a waist of time and resources with computing power doubling every two years. Although this third step might become relevant again (chip engineering is thought to be maxing out to 2-3 nm with current state of technology).