Guide for Comodo Internet Security v8 installation & setting

[viktik]

I am assuming that you are installing on a clean computer in which there is no malware.

INSTALLATION

Spoiler: Installation

Click "Customize installation"

• Untick the feature you don't want to install

• When asked to choose the location, select correct one.
• If you are not sure just select “I am at public place“

INTERFACE

• User can turn ON/OFF or change the security level from this Advanced view
• By default Auto-sandbox and Viruscape is turned ON
• By default HIPS is disabled
• By default Firewall is turned ON and is set in "Safe Mode". Remember this.

SETTINGS

How the files will be handled with these settings

• All the files that are rated as "Trusted" will run unobstructed and can access the internet
• All files that are rated as "Malwares" will be quarantined or deleted
• All files that are rated as "Unrecognized" will run completely isolated inside sandbox and will be denied access to the internet. Viruscope will monitor the sandboxed application and if found malicious will delete it.

Do any settings carefully and calmly. Don't be in hurry.
Until you click "OK" at the bottom of the comodo advanced settings window, any change you do in the settings won't be applied. So make sure that after doing all the changes in settings you click "OK"

• User may un-tick “Show messages from COMODO Message center“
• Un-tick “Show welcome screen on startup“
• Un-tick “Show the upgrade button in the main interface“

• On 64 bit system tick “Enable enhanced protection mode“

• When shown this window click “yes“

• Select the auto-sandboxed rule as shown below and click “Edit”

• Set “Any” under tab “Origin” as shown below

• Tick “Do NOT show popup alerts“

• Select “Block requests” next to “Do NOT show popup alerts“

• Un-tick “Do NOT show popup alerts“

RATING SCAN

Spoiler: rating scan

The ‘Rating Scan’ feature runs a cloud-based assessment on files on your computer to assess how trustworthy they are.

Based on the trustworthiness, the files are rated as:

• Trusted – the file is safe

• Unknown – the trustworthiness of the file could not be assessed

• Bad – the file is unsafe and may contain malicious code. You will be presented with disinfection options for such files.

• Select "unrecognized files" next to Show
  
• If you are sure that these files are safe then set Action "Trust"
• Click "Apply selected action"

COMODO FILE LIST

Spoiler: File list

The 'File List' pane displays a list of executable files, programs and applications on your system with their trust rating. CIS rates the files as:

• Trusted

• Unrecognized

• Malicious

Whenever a file is first accessed, CIS will check the file against our master whitelist and blacklists and will award it trusted status if:

• The application is from a vendor included in the Trusted Software Vendors list
• The application is included in the extensive and constantly updated Comodo safelist.

Select a file and click "File Details"

• You can see that this file has two ratings : My rating and Comodo rating
• User can give their own rating to the file under "My rating"

• Whatever rating the user will set will be reflected in the File list.
• Comodo will use the rating given by the user. So be careful while rating an application. Rating a file wrongly can lead to security risk, not able to run an application or can cause system instability

COMODO CLOUD LOOKUP

Spoiler: comodo cloud lookup

• Cloud lookup checks the rating of selected files using online Comodo database
• Select all the files and select “lookup”

• Comodo lookup shows the rating of scanned files

• The "Trusted" file rating received by Comodo lookup will be saved in the File List

• When asked for submitting unknown files click “yes“, to upload those files to Comodo for analysis

• Submitting files may take some time depending on your internet speed

• Don’t worry about failed upload

• You may Clean the list of submitted files

Installing Applications

Spoiler: Installing applications

Installing applications while using auto-sandbox feature

Most of the time the software you want to install is digitally signed and is trusted by Comodo or it is rated as Safe by the Comodo cloud lookup. Installing those trusted applications should not be a problem.

The problem arises when user try to install softwares rated as unrecognized or the software installer has some components that are rated as unrecognized by Comodo.

• If the user is sure that the software he wants to install is safe, then before trying to install it add it to the "File List"
• Open "File List" and click "Add -> files"

• Select the safe file which you want to install and click "Open"

• Select "trusted" and click "OK" to add the installer files as rated "trusted" in file list

• You may submit this installer file to comodo for file analysis.
• Click "OK" to save the settings
  
• Now you may run the installer file to install the software

If you did not added the installer file as "trusted' in file list then while trying to install the safe software which is unrecognized by comodo, comodo sandbox will get active and will show this alert message

• In order to successfully install this software tick "Trust this application" and click "Run Unlimited"

Sometimes installing softwares while giving it "unlimited access", the installer starts other components which is rated unrecognized by comodo which will get sandboxed during the installation. This will cause unsuccessful installation.

So the best way to successfully install safe applications is

1. Disable auto-sandbox
2. If the software requires internet connection for installation then, disable the firewall.
   
3. Install the safe application
4. Enable the auto-sandbox and firewall

While installing some safe application, user may get this alert. This is false positive

• Tick “Do not ask me this question again”
• Click “No. i will try to clean it myself”

• Click “Ignore“

• Click “Ignore and Report as False Alert“

Running unrecognized applications

Spoiler: running unrecognized application

Application rated as unrecognized by comodo can be a good application or it can be malware which can harm the computer.

When unrecognized applications is executed automatically or it is executed by the user, this message will be shown be comodo sandbox because the unrecognized application will be forced to run inside sandbox.

If the user is not sure that it is a safe application or in other word it is a malware, then he must Reset the sandbox. Then reboot the computer.

If the user is sure that it is a safe application, then

• Open File List
• Find application with file rating “unrecognized”. You may click on filter icon as shown below and tick "unrecognized" to show only unrecognized files

• Select the unrecognized files
• Right click and select "Lookup"

• The unrecognized files will be checked by comodo lookup
  
• If the files need to be submitted to comodo then submit it

• If the user is sure that these unrecognized files are safe then select it
• Right click and select "Change file rating to -> Trusted"

• Check the auto-sandbox settings
• The application that you rated as "Trusted" may be in this list with Action set as "Ignore". Since you have already rated these applications as "trusted" in File list, these application won't get sandboxed. So you don't need these applications set as "ignore" in auto-sandbox rules
  
• Find and select those applications
• Click "Remove" to remove those applications from the list
• Save the settings

Now that the safe application is rated as "trusted" by the user in the File List. Close the application if it is running inside sandbox. Try running it again. Since the safe application is rated as trusted it should not get sandboxed. If other components started by this application gets sandboxed, then open file list and rate those applications as trusted. Save the settings. Close the application if it is running inside sandbox. Try running it again.

Realtime Protection optimization

Spoiler: Realtime Protection optimization

• Everytime database is updated, realtime protection need to redo the scan of file being accessed
• So higher the frequency of database update the higher will be the resource usage
  
• So decreasing the frequency of database update will lead to less resource usage. Settings database update every 1 day will help reducing the resource usage
• The choice is yours. Do you want more frequent updates or do you want less resource usage

Resetting sandbox

Regularly do the resetting of sandbox. It deletes all the files stored in sandbox

https://help.comodo.com/topic-72-1-623-7625-Reset-the-Sandbox.html


Extra reading at comodo online help file

1. Installation
2. Understanding Security alerts
3. Rating Scan
4. Scan profiles
5. Unknown Files: The Scanning Processes
6. File List

 

[VladDracul]

Thank you for this tutorial.To bad they remove the "Purge" function,it's a real drawback IMO.

 

[Raul90]

Very good there! With all the images! I like it! I will be printing this in PDF and save as a resource file. Great work viktik!

 

[viktik]

Adding a User-Trusted Vendor to Trusted vendor list

Spoiler: adding user trusted vendor

If you use a digitally signed software which is a safe software, whose certificate is not in Comodo's trusted vendor list, the you can manually add the certificate provided by the vendor of that software to the comodo trusted vendor list.

• click "add" and select "read from a signed executable"

• Select the digitally signed software

• If the software is properly digitally signed then the digital certificate of the software vendor will be added to the comodo trusted vendor list

Scheduled scans

Spoiler: Scheduled scans

Edit "Full scan" profile

• By default "Full scan" is scheduled to run weekly.
• To edit it select the "Full Scan" profile and Edit

• In Schedule tab you can see the Scheduled scan settings
• You may want to disable this by selecting "Do not schedule this scan"

Add a new schedule scan to scan C: drive

• Click "Add"

• Enter a Scan name.
• Add the C: drive by clicking "Add folder"

• In Options tab you may want to tick "Use Cloud while scanning"

• In Schedule tab select frequency "Every month"
• Set start time
• Click on day of the month on which you want scan to occur.
• Tick "Run only when computer is not running in battery"
• Click "OK"

Edit Quick scan

• To edit "Quick scan" profile select it and click "Edit"

• In Schedule tab set frequency to "Every week"
  
• Set start time
• In days of week select the day on which Quick scan will occur. Set it to sunday
• Click "OK"

ENABLING HIPS

Spoiler: Enabling HIPS

If you enable comodo HIPS, then by default it will be working in "Safe mode"

• Monitoring settings shows the activities and objects the HIPS will monitor

HIPS trusts the applications if:

• The application/file is included in the Trusted Files list
• The application is from a vendor included in the Trusted Software Vendors list
• The application is included in the extensive and constantly updated Comodo safelist

Installing or updating applications with HIPS turned ON

If the user is sure that the software he wants to install is safe, then add the installer file to File list and set is as "trusted" file. Save the settings. Once done run the installer to install the software.

• While trying to install or update unrecognized software HIPS will generate this alert.
• If the user is sure that it is a safe application then Click "Treat As"

• Select "Installer or Updater"

When a an application tries to execute another executable file which is rated unrecognized then HIPS shows this alert

• If the user is sure this application is safe then tick "Remember my answer" and click "Allow"
  
• Otherwise click "block"

When an unrecognized application tries to do monitored activities or access monitored objects then comodo HIPS shows this alert

• If the user is sure this application is safe then tick "Remember my answer" and click "Treat as"
• Otherwise click "block"

• Select "Allowed application"

Blocking Unsafe application while using HIPS

Spoiler: block unase app using hips

If HIPS shows alert messages and user is not sure that this application is safe, then block the request.

• Select "block and terminate".
• If the user get this alert repeatedly then "remember my answer" and then block it

• Click "block"

• Select "Block, terminate and reverse"
• If the user get this alert repeatedly then "remember my answer" and then block it

Using Firewall to Custom Mode

Spoiler: Using firewall in custom mode

Advance user can use firewall in custom mode, which gives user complete control on which application gets access to the internet and which ones don't.

A better way to manage applications that will be allowed or blocked access to internet is to create a File group.

• To create a group of files that will be allowed to access the internet, click "Add->New group"

• Give a name to the File group

• Add files & folders to this file group which will be allowed to access the internet
  
• Its better that you add the whole folder where the software is installed

• When a folder is added, all the files in that folder and sub-folder will be become part of that group

• Similarly create a File group which will contain files & folders that will blocked access to internet.

• Now we just need to add these file groups in firewall application rules.
• To add a File group in firewall rules click "Add"

• Select Broswe->File Groups->application allowed internet access

• These applications will be allowed to make outgoing connection to internet.
• There is already a ruleset present by default which allows only outgoing connection and blocks all incoming connection.
• So select "use ruleset" and select "outgoing only"
• Click "Ok" to save.

• Firewall application rule created which allows outgoing connection to the files & folders in File Group named " Application allowed internet access"

• Similarly add the file group "application blocked internet access"
• Select "use ruleset" and select "blocked application"

• Both the file group created my me has been added
• Also notice that there are other application rules which will also be used by firewall to make decision.

• Even with all the present firewall application rules, there will be some more applications which needs internet connection.
• So it is recommended that you set the firewall in "training mode". Do this only when you are sure that your system is free from malware. In this mode firewall will automatically create application rules for the applications that are not defined in application rule. It will allow all the internet access request and and create a rule for it.
• Untick "Do NOT show popup alerts"

• keep firewall in training mode for a week or two.
  
• After one week if you check the firewall application rules, you will see the new rules created by the firewall as shown below
  
• Some of these applications should have been in "allowed application internet access" list and some in "blocked application internet access" list.
• It is not necessary to add all the application to the file group. But it is better that you do so with most of the applications.

• Add those new applications in "allowed application internet access" list and "blocked application internet access" list as per your requirement in the File Group

• Since these applications has already been added to the file group, select them and remove them from the firewall application rules

• After keeping firewall in "training mode" for two weeks, you must set it to "custom mode"
• From now on firewall will show alert for every application that is not in the firewall application list that asks for internet connection.

• If user is sure that application asking for internet connection is safe then tick "remember my answer" and click "Allow"

• Alternatively user can assign a predefined ruleset to the application asking for internet connection
• To do so click "treat As" then select the ruleset which you want to assign to the application.
• For most application "outgoing only" is a good option to select.

• If the user is not sure that application asking for internet connection is safe then select "block and terminate"

 

[Countryboy_MN]

Thanks for info