Serious Discussion Comodo Internet Security 2024 announced

Status
Not open for further replies.

ForgottenSeer 98186

but Contained files will always be blocked by the Firewall. The firewall acts synergistically with Containment.
@Pico is talking about when using VPN. That really shouldn't matter, but I suppose there is some corner case they are referring to. Inbound and outbound connections for sandboxed processes are permitted by default; users have to enable "block inbound" and "block outbound" for the sandbox.


ForgottenSeer 98186

Free 'as is', and Comodo still created probably the strongest firewall out there. In all the years I used Comodo, it just worked. I never experienced any of the bugs, but I never tried digging deep into the software. I installed it and used it, later adopting Cruelsister's recommendations.
For those so inclined to figure out the sandbox, Comodo is overall the most effective third-party freeware localhost protection.
 

Pico

Level 6
Thread author
Feb 6, 2023
266
Don't mean to intrude, but Contained files will always be blocked by the Firewall. The firewall acts synergistically with Containment.
How is Comodo FW supposed to block traffic when it doesn't see or know about that traffic, as in the case of traffic through npcap or VPN tunnels?

@Pico is talking about when using VPN. That really shouldn't matter, but I suppose there is some corner case they are referring to. Inbound and outbound connections for sandboxed processes are permitted by default; users have to enable "block inbound" and "block outbound" for the sandbox.

No such settings in premium or pro.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
No such settings in premium or pro.
I'm not 100% certain, but running containment set at "Restricted" doesn't allow the contained application to access network adapters, whereas if it was run as Partially Limited (default), you'd see a Firewall prompt.
Partially Limited - The application is allowed to access all operating system files and resources like the clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed. (Default)
Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
 

Pico

Level 6
Thread author
Feb 6, 2023
266
Traffic which is not being monitored or captured by the FW will not produce FW prompts.
So in either "Restricted" or "Partially Limited", that traffic might be there.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Even if isolated apps are allowed to listen and send data, it is unlikely that they will be able to obtain anything. If Comodo can properly secure access to keyboard by preventing global hooks and screen/screenshots (I don’t think there is evidence that it doesn’t, correct me if I am wrong) there will be nothing that can be transmitted over the not-secured traffic. Apart from another piece of malware that will be just as restricted.
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
The simplest option is to set the rule to Block; that way it won't even run in the first place. I wonder if we'll get the same customisation options. The screenshots so far don't seem to indicate much. Anyway, it does some things well and others not.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
The simplest option is to set the rule to Block; that way it won't even run in the first place. I wonder if we'll get the same customisation options. The screenshots so far don't seem to indicate much. Anyway, it does some things well and others not.
But you guys can all try the OpenEDR. It’s for free, maintained and if you have less knowledgeable people you will be able to manage it for them.
 

Pico

Level 6
Thread author
Feb 6, 2023
266
Even if isolated apps are allowed to listen and send data, it is unlikely that they will be able to obtain anything. If Comodo can properly secure access to keyboard by preventing global hooks and screen/screenshots (I don’t think there is evidence that it doesn’t, correct me if I am wrong) there will be nothing that can be transmitted over the not-secured traffic. Apart from another piece of malware that will be just as restricted.
Malware would still be able to sniff around in your system and collect (some or all of) your (sensitive) data stored in the registry and in files on the file system, and phone home with that collected data.
Yes, the best way is to block it completely when trapped, so it has no chance to run, collect your stuff and send it home.

Not setting. Configuration. Research it.
I meant no such checkboxes are available in Pro or Premium, so those protection settings cannot be activated/deactivated in Pro or Premium.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Malware would still be able to sniff around in your system and collect (some or all of) your (sensitive) data stored in the registry and in files on the file system, and phone home with that collected data.
Yes, the best way is to block it completely when trapped, so it has no chance to run, collect your stuff and send it home.
Highly sensitive data is not to be stored in the system registry. The registry is for settings and configuration and whilst *some* user data can be stored there (such as software activation data) attackers are unlikely to be interested - for them the registry is a place to maintain persistence.

Most of the attackers are interested in various browsers, crypto wallets, gaming clients and password manager repositories, most of them being in %UserData%.
This directory is absolutely crucial to be kept safe. I know how it can be achieved with Kaspersky Application Control, but I am not aware how to do it with Comodo.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
In an attempt to add some clarity to the Comodo Containment/Firewall discussion, please consider:

1). An unknown file is run with the ability to gather information (password stealer, keylogger, Coinminer, RAT, etc) as well as transmit the information out. For the majority of these, once plopped into Containment the malware will not have the ability to acquire data, but more importantly the transmission of this data will be detected and blocked. An example of this could be seen in my last Comodo vs RAT video.

2). Another example can be seen with the legitimate SeaMonkey browser. Although distributed by the Mozilla organization, for many years it has not been signed (and thus was always deemed Untrusted by CF). However, recently it did get a valid certificate with an equally valid countersignature; but even so, as this was the initial application with this certificate, before Comodo will trust these new builds of SeaMonkey the application must first be vetted by C. As this has not been done yet, upon running the installer it will be automatically contained. Further, even when launching the installer, directing that the installer be trusted (at the initial popup) and accomplishing the install, upon first run one will still be presented with a Firewall popup.

This last point may seem trivial but it is actually of extreme importance. In the bad old days I was employed by a company that was called in to do a postmortem breach analysis for a major retailer that used an extremely popular Enterprise Security program. It was finally determined that a true zero-day targeted trojan was installed on their systems that was pulse transmitting stolen data packages out (actually discovered by a new employee who, when delving through firewall logs, found it curious that stuff was being sent to Kazakhstan).

As lead in the investigation I was able to acquire the malware and for giggles tried it out on a Comodo protected system. CF alerted at the first peep and this detection would have saved the victimized organization many, many millions in damages (but costing me a substantial bonus, so I guess I'm glad they went with the Enterprise product instead).

3). I hope on reflection that it's intuitively obvious that the use or non use of a VPN won't have a bearing on this sort of malicious mechanism.

his Melihness should buy CruelsSister a set of priceless diamonds
Emeralds would be preferable, as they are a better match for my eyes...
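The anecdote above turns on an analyst noticing periodic outbound connections in firewall logs. The following is an added example, not code from the original post, from Comodo, or from any vendor: a small beacon detector that parses constructed firewall log lines in a hypothetical one-line format (timestamp, action, protocol, src:port -> dst:port) and flags source/destination pairs whose connections recur at a near-constant interval. The log format, the sample lines (using RFC 5737 documentation addresses) and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines. The format is hypothetical (not any vendor's):
#   YYYY-MM-DD HH:MM:SS ACTION PROTO src:sport -> dst:dport
# 203.0.113.7 receives a connection roughly every 300 s (a beacon);
# the 198.51.100.x hosts are ordinary irregular browsing.
SAMPLE_LOG = """\
2023-03-04 09:00:00 ALLOW TCP 10.0.0.5:51000 -> 203.0.113.7:443
2023-03-04 09:00:12 ALLOW TCP 10.0.0.5:51001 -> 198.51.100.20:443
2023-03-04 09:05:01 ALLOW TCP 10.0.0.5:51002 -> 203.0.113.7:443
2023-03-04 09:07:45 ALLOW TCP 10.0.0.5:51003 -> 198.51.100.21:80
2023-03-04 09:10:00 ALLOW TCP 10.0.0.5:51004 -> 203.0.113.7:443
2023-03-04 09:14:30 ALLOW TCP 10.0.0.5:51005 -> 198.51.100.20:443
2023-03-04 09:15:02 ALLOW TCP 10.0.0.5:51006 -> 203.0.113.7:443
2023-03-04 09:20:00 ALLOW TCP 10.0.0.5:51007 -> 203.0.113.7:443
2023-03-04 09:25:01 ALLOW TCP 10.0.0.5:51008 -> 203.0.113.7:443
2023-03-04 09:31:12 ALLOW TCP 10.0.0.5:51009 -> 198.51.100.20:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def find_beacons(events, min_count=5, max_cv=0.1):
    """Flag (src, dst, dport) tuples seen at least min_count times whose
    inter-connection gaps have a coefficient of variation (stdev / mean)
    at or below max_cv, i.e. connections arriving on a near-fixed schedule."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst, dport)].append(ts)

    flagged = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections in the same second: not a schedule
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(stamps), "period_s": round(avg, 1), "jitter": round(cv, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"{hit['count']} connections, period {hit['period_s']} s, jitter {hit['jitter']}")
```

Two practical caveats: a beacon that randomizes its sleep raises the coefficient of variation, so `max_cv` is a trade-off between catching jittered implants and false positives from legitimate schedulers (update checks, telemetry), and the source address must be the real originating host, which a tunnel or proxy in the path can hide.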
 

ForgottenSeer 97327

@Pico is talking about when using VPN. That really shouldn't matter, but I suppose there is some corner case they are referring to. Inbound and outbound connections for sandboxed processes are permitted by default; users have to enable "block inbound" and "block outbound" for the sandbox.

You posted that you never used Comodo and you are able to show us these settings. Do you read user manuals of IT programs as a hobby? :unsure:
 

ForgottenSeer 97327

And, finally, his "Melihness" has a message for all of you:

Optimizing for efficiency has been considered bad practice for a few decades. Optimization is recommended only for performance-critical systems and processes. So I understand this message from the CEO of a security company (security should be seamless for the user experience), but it is not generally applicable (it is considered a waste of time and resources with computing power doubling every two years), although this third step might become relevant again (chip engineering is thought to be maxing out at 2-3 nm with the current state of technology).
 