Advice Request Comodo Internet Security Setup/configuration thread

[TheMalwareMaster]

Hello all COMODO Firewall users, what do you think of my COMODO Firewall configuration?
It's default-deny and automated, made to work on every system, also for beginners (they just import in COMODO and use the config file).
Cloud lookup is off to prevent whitelisted malware.
I Can't understand a part of the settings: what is "trust files installed by trusted installers"? Which are the "trusted installers"? (can this setting cause troubles with whitelisted malware, like the cloud lookup?)
Is there any way it can still be improved concerning security?
COMODO - Maximum Security.cfgx

 

[Maxwell Sien]

Hello all COMODO Firewall users, what do you think of my COMODO Firewall configuration?
It's default-deny and automated, made to work on every system, also for beginners (they just import in COMODO and use the config file).
Cloud lookup is off to prevent whitelisted malware.
I Can't understand a part of the settings: what is "trust files installed by trusted installers"? Which are the "trusted installers"? (can this setting cause troubles with whitelisted malware, like the cloud lookup?)
Is there any way it can still be improved concerning security?
COMODO - Maximum Security.cfgx

Quote from: File Rating Settings, Virus Protection, Internet Protection | CIS Help | COMODO

• Trust files installed by trusted installers - If enabled, CIS will trust executable and files whose parent applications are listed under the 'Installer or Updater' rule in HIPS Rules. (Default=Enabled)

Everytime you Run an Unrecognized File (in this case, Installer), HIPS will hook and give an Alert. Usually, user will Treat this file as Installer or Updater. If you check Trust applications signed by trusted vendors, All files are created from this Installer will automatically be trusted by Comodo and you will save your time since you wouldn't get another alert again.

can this setting cause troubles with whitelisted malware, like the cloud lookup?

Yes, this can cause trouble if you Run an Installer from Untrusted Website. If you get an fake Installer, all files that are created from this fake Installer will be trusted by Comodo.

No, this can't cause trouble if you Run an Installer from trusted Website like: softonic, softpedia, filehippo, piriform, cnet, or from its official website.

 

[AtlBo]

I Can't understand a part of the settings: what is "trust files installed by trusted installers"? Which are the "trusted installers"? (can this setting cause troubles with whitelisted malware, like the cloud lookup?)

Yes, this can cause trouble if you Run an Installer from Untrusted Website. If you get an fake Installer, all files that are created from this fake Installer will be trusted by Comodo.

@TheMalwareMaster...just as an example, have you ever installed BlueStacks on a computer? It's an android emulator program. When you install BlueStacks, during the installation it downloads and installs 20 or so applications into the emulation environment. This is before the program even runs for the first time. If you had selected to trust the BlueStacks installer, those apps would install freely without HIPS or sandbox monitoring (and run unmonitored on the system too after installation).

Still think Comodo should go out of their way to remove the trust decision from the user everywhere but in the files list and maybe the Trusted Vendor list.

 

[TheMalwareMaster]

Quote from: File Rating Settings, Virus Protection, Internet Protection | CIS Help | COMODO


Everytime you Run an Unrecognized File (in this case, Installer), HIPS will hook and give an Alert. Usually, user will Treat this file as Installer or Updater. If you check Trust applications signed by trusted vendors, All files are created from this Installer will automatically be trusted by Comodo and you will save your time since you wouldn't get another alert again.


Yes, this can cause trouble if you Run an Installer from Untrusted Website. If you get an fake Installer, all files that are created from this fake Installer will be trusted by Comodo.

No, this can't cause trouble if you Run an Installer from trusted Website like: softonic, softpedia, filehippo, piriform, cnet, or from its official website.

But.. If the installer is not clean, it shouldn't be trusted

 

[Maxwell Sien]

But.. If the installer is not clean, it shouldn't be trusted

Feel free to Uncheck/disable it..

 

[TheMalwareMaster]

Feel free to Uncheck/disable it..

I will probably disable that.. What about the trusted vendors list (I didn't edit it). I heard some bad voices but, can you make a single example of a vendor in the default trusted vendors list, which makes adware or PUPs?

 

[SearchLight]

Hello,
I recently, after reading the many posts here, set up CFW according to CS settings video guide. I was going to pair it with WD, and tried to adjust the settings in my Windows 10 GPE according to another post but none of those settings took effect. I am running a W10 pro desktop..

Frustrated, I downloaded CAV and converted CFW to CIS still using CS settings. Now I am having second thoughts as many feel CAV is inferior to the other free AV products. What appealed to me was the use of heuristics.

That being said, I have a lifetime licenses to MB3 and ZAL. I was thinking of removing the AV component and install ZAL and run it alongside CFW because Malwarebytes has not been well received by many on this forum but ZAL has.

Have any suggestions? Thanks.

 

[darko999]

Hello,
I recently, after reading the many posts here, set up CFW according to CS settings video guide. I was going to pair it with WD, and tried to adjust the settings in my Windows 10 GPE according to another post but none of those settings took effect. I am running a W10 pro desktop..

Frustrated, I downloaded CAV and converted CFW to CIS still using CS settings. Now I am having second thoughts as many feel CAV is inferior to the other free AV products. What appealed to me was the use of heuristics.

That being said, I have a lifetime licenses to MB3 and ZAL. I was thinking of removing the AV component and install ZAL and run it alongside CFW because Malwarebytes has not been well received by many on this forum but ZAL has.

Have any suggestions? Thanks.

I would go with CFW alone, ZAL won't give you much if you are running CFW. There is no point to run COMODO with CS settgins and to use COMODO AV at the same time. If you want combo it COMODO FW + WD is cool.

 

[Maxwell Sien]

I will probably disable that.. What about the trusted vendors list (I didn't edit it). I heard some bad voices but, can you make a single example of a vendor in the default trusted vendors list, which makes adware or PUPs?

Untill now, i still don't have any information about this..

 

[SearchLight]

After reading all the suggestions, I decided to complement CFW with CS settings with Avast Free. Seems like the best compromise.

I wanted to use the new Kaspersky Free but upon installation it displays a message that CFW is incompatible.

 

[Maxwell Sien]

Anyone can explain why Cruel Sister Disable the HIPS?

 

[BugCode]

Anyone can explain why Cruel Sister Disable the HIPS?

She doesn't like it... Simple as that. There are more simple and easier way get aroud this. Maybe she trust the power off isolation with proactive method as the settings are.

 

[Maxwell Sien]

She doesn't like it... Simple as that. There are more simple and easier way get aroud this. Maybe she trust the power off isolation with proactive method as the settings are.

Does she use another Tools to Replace HIPS?

 

[Davidov]

Does she use another Tools to Replace HIPS?

Sandbox isolates threats, and the firewall blocks communication so there's no need. After reboot, malware is reset (reset sandbox).

 

[Arequire]

Anyone can explain why Cruel Sister Disable the HIPS?

With cruelsister's setup the only thing HIPS will do is throw up alerts about events happening inside the sandbox, which is somewhat pointless as anything inside the sandbox can't do any damage to the system anyway. The only value HIPS would add is if malware somehow circumvented the sandbox.

 

[cruelsister]

Actually the HIPS will be oblivious to anything running inside the Comodo sandbox (Sandboxie is different in this respect- things running inside SBIE will make requests that a HIPS will be aware of, although all these requests will be denied by SBIE no matter what choice you make in the HIPS. In Comodo Containment all such request will be blocked and any HIPS will be oblivious to them).

So with Comodo Sandbox at the preferred (my) setting the only thing the HIPS will alert to are legit processes which will throw up popups that I personally find a bore.

 

[Arequire]

Actually the HIPS will be oblivious to anything running inside the Comodo sandbox (Sandboxie is different in this respect- things running inside SBIE will make requests that a HIPS will be aware of, although all these requests will be denied by SBIE no matter what choice you make in the HIPS. In Comodo Containment all such request will be blocked and any HIPS will be oblivious to them).

So with Comodo Sandbox at the preferred (my) setting the only thing the HIPS will alert to are legit processes which will throw up popups that I personally find a bore.

Has HIPS ever alerted to events inside the sandbox in any version of Comodo or have I been mistaken this whole time?

 

[cruelsister]

I've never seen it other than the HIPS alerting initially to when an application initially is executed (Explorer.exe is trying to start whatever). A HIPS will only be aware of things that try to mess with the actual system. The Comodo containment (unlike SBIE) will prevent any requests from reaching the system, so no HIPS popups will be seen.

As an example, consider running the miner Adylkuzz.b- with both HIPS and containment active you will just get the initial HIPS alert that Explorer is trying to run Adylkuzz. That's it.

With Containment off and HIPS on, you will get a total of 17 HIPS alerts (that is if you click allow at each one). If you just click "Block" without clicking the "Remember my Answer" you will actually get over 30 alerts (God knows how many it would actually be, but I got bored after 30!). If you clicked on the "Remember my Answer" box you still would have received 12 popups.

Now in all of the above scenarios the malware will be blocked. Personally I have better things to do with my time than answering stupid HIPS alerts which is why I don't suggest the HIPS being active. Trust me- I'm more than just another pretty face...

 

[shmu26]

All so true.
But just in order that people won't think some advanced Comodo users are totally crazy, I would like to mention some things that HIPS can add:
Besides giving you more control over exploitable apps, it can also help to protect you from processes that start up in unconventional ways, and somehow manage to elude containment.
For instance, if you set Powershell to unrecognized, then even if it gets launched in an underhanded way, you should still get prompted for its actions.
Or, if a signed PUP downloads an unrecognized file, and schedules it to run immediately at the next reboot, you should start to get HIPS prompts for its actions, when Comodo protection kicks in.

I am sure other users can tell of more nifty HIPS tricks, despite all the trouble and aggravation that HIPS does entail.

 

[shmu26]

Is this right, for CS settings?