Serious Discussion Comodo Internet Security 2024 announced


Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
chip engineering is thought to be maxing out to 2-3 nm with current state of technology
This is a bit off-topic as it has nothing to do with Comodo, but even though Moore’s law might be about to run its course, there are still many improvements that can be made, by adding more cores, more processors dedicated to tasks (such as Media Engines, neural engines and others).

Optimising performance of AVs mostly consists of off-loading various tasks to the cloud (such as some complex AI classifiers that would take ages to run locally).

Trident

:ROFLMAO:
How low can he go?
Sorry I'm in a funny mode. :)
Thanks for bringing it to my attention. I am on an iPhone (keyboard can’t be enlarged unlike on Android and my fingers are quite big… 😅)

ForgottenSeer 98186

You posted that you never used Comodo and you are able to show us these settings.
Did you bother to look at what I posted? It is the settings pane of a Comodo product that was end-of-lifed years ago.

Do you read user manuals of IT-programs as a hobby? :unsure:
I do read manuals plus other documents, such as EULAs and Terms of Service.

What is your point? That if I post an image of some settings in a manual that is freely given on the open web, then I must use that product?

Try harder.

ForgottenSeer 98186

Optimizing for efficiency has been considered bad practice for a few decades. Optimization is recommended only for performance-critical systems and processes. So I understand this message from a CEO of security companies (security should be seamless for the user experience), but it is not generally applicable (considered a waste of time and resources with computing power doubling every two years). Although this third step might become relevant again (chip engineering is thought to be maxing out to 2-3 nm with current state of technology).
None of your response makes any sense and it has nothing to do with what "his Melihness" is saying.

ForgottenSeer 98186

How can Comodo FW block VPN traffic when it is not even able to block VPN traffic of trusted apps?
Filtering:

1. File= untrusted
2. Auto-Containment
3. Auto-denied access to network by firewall

A process whose network traffic is encrypted by a VPN does not bypass localhost firewall filtering.

Look here. @cruelsister deliberately performed the RAT tests with the firewall default settings, which is to notify the user with connection alerts. When she says in her post above "but more importantly the transmission of this data will be detected and blocked" she means "detected" (from an untrusted process) and "blocked" by firewall filtering. The response will be either for the user to manually block or auto-blocking by settings\configuration. Containment does not trust ANY processes that are spawned by an untrusted file. If the parent file\process is untrusted, then any child processes inherit restricted resource access. This includes network access; the firewall generates outbound alerts when a spawned process (such as powershell) of an untrusted file (e.g. script or download cradle, such as .hta or .one) attempts to connect outbound to the internet.

Most of this can be learned by simply reading the manual. It is a 1000+ page manual that explains everything in great detail. Carefully dissecting some videos is helpful as well.

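The inheritance rule described in the post above (an untrusted parent makes its children restricted, and outbound connections from that lineage are alerted or blocked) as an added toy model in Python. This is illustrative code written for this page, not Comodo's own implementation; the process names and the event list are constructed samples.

```python
# Toy model of containment inheritance plus firewall filtering (not Comodo's code).
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    file_trusted: bool               # rating of the image/script on disk
    parent: "Process | None" = None
    contained: bool = field(init=False)

    def __post_init__(self):
        # Containment is inherited: a trusted binary (e.g. powershell.exe) spawned by
        # an untrusted parent runs with the same restricted resource access.
        inherited = self.parent.contained if self.parent else False
        self.contained = inherited or not self.file_trusted


def firewall_decision(proc: Process, auto_block_contained: bool = True) -> str:
    """Outcome of an outbound connection attempt by `proc`."""
    if proc.contained:
        # Default firewall settings raise a connection alert for the user;
        # a stricter configuration auto-blocks instead.
        return "blocked" if auto_block_contained else "alert"
    return "allowed"


def evaluate(events, auto_block_contained: bool = True) -> dict:
    """Replay constructed process-creation events (name, parent, trusted, connects)
    in order and return the firewall outcome for every process that tries to connect."""
    procs, outcomes = {}, {}
    for name, parent_name, trusted, connects in events:
        proc = Process(name, trusted, procs.get(parent_name))
        procs[name] = proc
        if connects:
            outcomes[name] = firewall_decision(proc, auto_block_contained)
    return outcomes


# Constructed sample: one shell launched normally, one spawned by an untrusted .hta file.
SAMPLE_EVENTS = [
    ("explorer.exe", None, True, False),
    ("powershell.exe#1", "explorer.exe", True, True),   # trusted lineage
    ("invoice.hta", "explorer.exe", False, False),      # untrusted download, contained
    ("powershell.exe#2", "invoice.hta", True, True),    # inherits containment
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```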

Trident

If an app is being run with many restrictions/prompts, it is unlikely that it will work properly.

Why not just choose the setting to block untrusted apps without any containment whatsoever?

ForgottenSeer 98186

If an app is being run with many restrictions, it is unlikely that it will work properly.
Not really. In enterprise some use VDI with very heavy application restrictions and apps still run fine.

As far as prompts, the only thing I have ever observed is that occasionally a program will need to be restarted after the allow rule is created.

Why not just choose the setting to block untrusted apps without any containment whatsoever?
Oh. Can't do that. "Users want to use stuff" and all that obsolete, outmoded drivel.

In enterprise, after working with literally 1000+ clients, I have never encountered one that allows users to willy-nilly download, execute, and install whatever they want from the internet or BYOD. Now, mind you, these clients are not the small manufacturing, corner cafe shop type clients, or NGO. They are not even major retailers. Most of them are either agencies or heavily regulated private industry. Gee, I wonder why the regulations impose such strict policies? Could it be because users doing what they want is THE primary problem? Just read the regulations. It's obvious.
 

Trident

"Users want to use stuff"
That’s why users buy a device and that’s why they are called users - because they want to use stuff.

Enterprises want to restrict “users” to using only what’s acceptable to be used — this is frequently in the employees’ contract as well and is further enforced by the usage of non-admin accounts, blocking certain websites and other measures that tend to prevent employees from “using stuff” that’s outside of the scope needed for work. It’s up to the company’s IT department to establish this scope and produce the necessary blocks.

The usage of stuff has for years been the major problem (especially stuff from torrents) but you can’t solve the problem just by enrolling a global block. This is why all these countless technologies like signatures, heuristics, fuzzy signatures, unpacking engines, emulation, ML classifiers and others exist - to block the bad “stuff” whilst still allowing the user to do what they wish. If you will block everything but 10 programmes coming from Microsoft, why not just switch off the PC and use pen and paper instead?

If Comodo can fast and accurately analyse what’s safe, then neither at work, nor in a home environment should there be a problem to run only apps that have been pre-approved. Kaspersky, Avast, Norton and Trend Micro, as well as McAfee in their download advisor, all include something of that sort.

The only difference is Comodo and Kaspersky control scripts as well and not the script interpreters, which makes them even better. Others like Norton, Avast and Trend Micro only focus on executables (for home users it may still be OK).
So back to the question, why waste time on containment, ifs and buts when a user can just block everything that is not trusted?
I would certainly activate this setting.

ForgottenSeer 98186

That’s why users buy a device and that’s why they are called users - because they want to use stuff.
Windows was never meant for "users who want to use stuff." It was developed to be managed. The Home version came later. What Microsoft has turned the home version into is a conduit or a funnel for app revenues.

Allowing "users who want to use stuff" to use stuff is dinosaur thinking and policy. Most everybody in the industry knows it. Microsoft certainly knows it. That's why it is trying WDAC-based SAC. It will not be very effective since it will disable itself for all those "users who want to use stuff."

Here is the thing about the big tech companies. They do not care about anybody's privacy or security. Their primary directive is profit. And they will never put into place extremely effective security because "users who want to use stuff" - with all their wrong and bad security habits - are extremely profitable for them.

Enterprises want to restrict “users” to using only what’s acceptable to be used — this is frequently in the employees’ contract as well and is further enforced by the usage of non-admin accounts, blocking certain websites and other measures that tend to prevent employees from “using stuff” that’s outside of the scope needed for work. It’s up to the company’s IT department to establish this scope and produce the necessary blocks.
Some do it to reduce costs. Others do it because of regulations, liability. But almost all nowadays are doing it to qualify for cybersecurity and breach insurance. Some nations are requiring businesses to carry such insurance just to get a business license - a license to operate. Then those providing services to businesses who connect with their systems are also requiring both the insurance and the strict cybersec policies.

Again, unregulated home users is dinosaur thinking and policy.

So back to the question, why waste time on containment, ifs and buts when a user can just block everything that is not trusted?
I would certainly activate this setting.
Those features in Comodo are extremely effective. Just as effective as SRP, WDAC and much easier to manage in the Comodo GUI. The primary problem is if a user creates enough rules in the GUI, then there is the "disappearing Comodo rules" bug that Comodo has said it will never fix.
 

Pico

Level 6
Thread author
Feb 6, 2023
266
A process whose network traffic is encrypted by a VPN does not bypass localhost firewall filtering.
Most VPNs use their own network adapter and those (or most) VPN adapters are not monitored nor captured nor filtered by Comodo FW and some VPN adapter types are not even supported by Comodo so VPN traffic still finds its way out (or in).

The primary problem is if a user creates enough rules in the GUI, then there is the "disappearing Comodo rules" bug that Comodo has said it will never fix.
As said before, the bug just happens at will. The amount of rules doesn't matter.

Trident

Again, unregulated home users is dinosaur thinking and policy.
I don’t really think so, you have to establish benefits vs risk. Restriction to use only signed software with all libraries signed is totally reasonable. Even before Microsoft comes up with that, for years AVs have been much more aggressive towards files with no signature. Restrictions such as not executing from user space at all go too far. Is the potential trouble really worth it?

ForgottenSeer 98186

Most VPNs use their own network adapter and those (or most) VPN adapters are not monitored nor captured nor filtered by Comodo FW and some VPN adapter types are not even supported by Comodo so VPN traffic still finds its way out (or in).
Comodo Firewall filters by application, protocol, port. It doesn't matter which adapter is being used.

As said before, the bug just happens at will. The amount of rules doesn't matter.
Whether rules disappear with 1 rule or 100 rules, it does not matter because Comodo stated it will never be fixed.

I don’t really think so, you have to establish benefits vs risk. Restriction to use only signed software with all libraries signed is totally reasonable. Even before Microsoft comes up with that, for years AVs have been much more aggressive towards files with no signature. Restrictions such as not executing from user space at all go too far. Is the potential trouble really worth it?
Typo. It was supposed to say "unmanaged," and not "unregulated."

Mankind does not do anything to solve a problem that it can solve until catastrophe happens. When cybercrime global costs start to reach $15 or $20 trillion (current total costs are $6 trillion), and companies, organizations and governments are having to spend trillions upon trillions for security, services and insurances just to stay on an even threshold, only then maybe - just maybe - society will be willing to make the really hard decisions and limit user rights as part of a broad solution involving users, service providers, OEMs, software publishers, governments, technology policy makers.

You know, when you start to get into sums of $10, $20 trillion dollars or euros in losses and expenses, it enters global-economy-nation-smashing territory. The entire world economy will be worth about $100 trillion, so 10% or 20% of that value is just huge trouble on many levels.

I bet if Russia hacked and destroyed half the US electrical grid through a user hack, then that might be the kind of thing that might make policy makers re-think what they are allowing people to do with devices. Or maybe hacked into air traffic control system that caused a flight to crash. The thing I know that will bring change is a home user hack that results in a precipitous nuclear meltdown of the US stock exchange and commodities markets that, in turn, caused a global economic meltdown. If that happens, then things will change.

I know that a new trend is companies suing the employees of their subcontractors directly when they cause breaches and other cyber incidents through negligence - like not protecting their company issued laptop and leaving it in plain sight on the back seat of their car or sharing it with family members.

People only want change when it affects them personally. Same with companies, but the thing with companies is that they will just pass on the huge increased expenses caused by the malware and hacking problem to consumers.

Pico

Comodo Firewall filters by application, protocol, port. It doesn't matter which adapter is being used.
Please try this yourself, install CIS, install a VPN, block your browser in CIS FW, start your browser and enjoy surfing on the internet.
 

Trident

@Oerlink you are right about enterprises but I was talking more about home users.

Enterprises have for years not done enough and that’s why most of them have suffered breaches. In many cases (of course not all) malware, “hacks”, exploits and other forms of malicious code haven’t been used at all — phishing and impersonation have been the culprit. Employees would frequently reuse passwords. In other cases various vulnerabilities have been utilised - Windows is jam packed with them.

Microsoft cares about enterprise security just as much as it cares about home users — let nobody be fooled that Microsoft day and night is sweating to deliver a secure environment. Looking at MITRE ATT&CK, at least 5/10 samples employ privilege escalation which requires one out of the few UAC bypasses (they have been around for 10+ years) or almost all scripting attacks require AMSI bypass (over 10 methods of bypassing it have been documented hundreds of times). Microsoft for years has been allowing malware writers with <10 lines of code to unhook AVs’ behavioural features.

For years they have been implementing all sorts of features such as UAC, KMCS, ELAM, AMSI, the patches around Mimikatz, SmartScreen and many others and none of them have managed to even disrupt malware authors — you close a door they open a window.

The issues there are many and very complex. Many of them can’t be solved with any Windows built-in methods as all of them have proven to be far from effective.

We are going a bit off-topic here, these discussions are better for PM…

Ink

Administrator
Verified
Jan 8, 2011
22,490
When I see these suggestions I quickly realise why at Comodo they don’t care about users and forums 😂🤣
Making individual feature requests/suggestions in another location helps reduce the braindead spam of requests from their announcement thread. The devs are not paid to sift through 1000s of comments.
 

Pico

I don't see any update there.
Yeah I agree, not much news but still "Guys are working on it".

They are asking Comodo users to drop requests here: Feature Requests For CIS | Comodo
So many feature requests were collected on the old SMF forum over the past many years. I don't see them on that new link only new and mostly irrelevant ones, where have those old requests gone? In the bin?