Advice Request Comodo Internet Security Setup/configuration thread

[Deleted member 178]

Hi guys,

Since many of us use Comodo IS, i decided to create this thread to share our skills of CIS/CFW, indeed some of us don't have the knowledge to tighten CIS by themselves without hampering their system. I hope this thread will help.

 

[Online_Sword]

Trust Application Signed by Trusted vendors: Yes

I guess you have reconstructed the Trusted Vendors List?

 

[LabZero]

Yes, thanks for this @Umbra!

I always say that CIS is a product for advanced users and it must be configured in detail.

 

[CMLew]

Hi @Umbra

Wanted to know if you include the BB also during installation?

 

[Deleted member 178]

I guess you have reconstructed the Trusted Vendors List?

yes, im doing it , i will surely finish next century since the list is huge

Hi @Umbra

Wanted to know if you include the BB also during installation?

Proactive Mode activate the BB (called gain Auto-Sandbox) & HIPS

so far i finally managed to make sandboxie and CIS works together with some browsers; only installed chromium-based browsers (except Chromodo) have issues and couldn't start in Sandboxie. i dont why yet, i surely missed something.

@Jack @hjlbx @cruelsister you are all invited to share your config, i know yours are quite good setup

 

[Online_Sword]

By the way, I hope someone could share his HIPS rules, especially the HIPS rules established manually.
Of course, specific HIPS rules depend on the system and softwares installed. But maybe you can share your strategies and ideas on how to establish the HIPS rules.

In addition, I also hope to learn some firewall rules for network ports.
I have read some firewall rules for network rules, based on CFW or some other software firewall.
Those guides generally contain a series of long lists of ports and rules for the ports, but do not explain the reason.
Without a detailed explanation, we can hardly adjust those firewall rules to adapt them to our own computers.

 

[Deleted member 178]

By the way, I hope someone could share his HIPS rules, especially the HIPS rules established manually.
Of course, specific HIPS rules depend on the system and softwares installed. But maybe you can share your strategies and ideas on how to establish the HIPS rules.

In addition, I also hope to learn some firewall rules for network ports.
I have read some firewall rules for network rules, based on CFW or some other software firewall.
Those guides generally contain a series of long lists of ports and rules for the ports, but do not explain the reason.
Without a detailed explanation, we can hardly adjust those firewall rules to adapt them to our own computers.

Those are mostly dependent of your system , if i put rulesets here they may wont works for others; but i will try and warn about following those rulesets. Give me time , i just get back with CIS , we were "separated couple" since v6 , so i need to rediscover her

edited my config intro: added what type of user may use it without issues in long term.

 

[Deleted member 178]

you are the expert of comodo here , i know their CCE really loves you

 

[cruelsister]

Umbra! I didn't know that you were using Comodo. Most excellent choice. EXCEPT:

Never saw the point in CIS over CF. Both have a Cloud AV, but with CIS one burdens oneself with a locally installed scanner (with definitions). As I really don't know anyone who considers the Comodo AV to be top tier, why bother (actually why bother with any AV- but that is another discussion).

But for those reactionaries who must have a local AV, wouldn't freebies like Avast or BD be a better choice (actually Qihoo is very good and works well with CF- yes, it does have a greater percentage of FP's, but does a better job against Scriptors)?

 

[Deleted member 178]

finished editing my trusted vendors list , easy trick to do it:

1- put HIPS on Training mode, disable auto-sandbox
2- select all vendors except microsoft, realtek, ATI, NVIDIA, etc.. mostly your drivers vendors (in case of ^^) by using search box.
3- delete all the others
4- add vendors by selecting them via running processes
5- put back HIPS & Auto-sandbox on safe mode

 

[Deleted member 178]

Umbra! I didn't know that you were using Comodo. Most excellent choice. EXCEPT:

Never saw the point in CIS over CF. Both have a Cloud AV, but with CIS one burdens oneself with a locally installed scanner (with definitions).

are you sure? i heard different, without the AV you lack something, can't recall what...

 

[CMLew]

Proactive Mode activate the BB (called gain Auto-Sandbox) & HIPS

Thanks! By the way, does your configuration affect the use of portableapps.com program?

I used CIS on my old laptop and I notice when I try to run the portable apps program (for instance: keepass), the CIS will somehow auto-sandbox the opened keepass with notification. It happens too when I open my portable firefox.

 

[Rod McCarthy]

Hey Thanks for this guys. I appreciate the hard work.

 

[Deleted member 178]

Thanks! By the way, does your configuration affect the use of portableapps.com program?

not on my system

I used CIS on my old laptop and I notice when I try to run the portable apps program (for instance: keepass), the CIS will somehow auto-sandbox the opened keepass with notification. It happens too when I open my portable firefox.

i have keepass too, no problem with FF portable

 

[Deleted member 2913]

are you sure? i heard different, without the AV you lack something, can't recall what...

An expert users like you doesn't need Comodo AV.. even if Comodo AV was top notch I would say the same. Sandbox with Cloud AV part is good for experts in my opinion.

If I remember correctly.. with CAV not installed.. there is no AV exclusion. Alert will give the option to add to trusted files but no AV exclusion.
And I think Cloud AV part in CIS is not pure Cloud AV.. just cloud connection for cloud databases. So there is no file execution blocking time to get verdict/detection from the cloud. So if it gets the verdict instant, malware is blocked & if couldn't get the verdict instant malware is run.

Back in the days users mentioned sometimes Cloud AV couldn't kill the detected malware i.e alert mentioned quarantined but malware processes was still running. But its an old news & guess no probs now.

 

[Deleted member 178]

And I think Cloud AV part in CIS is not pure Cloud AV.. just cloud connection for cloud databases. So there is no file execution blocking time to get verdict/detection from the cloud. So if it gets the verdict instant, malware is blocked & if couldn't get the verdict instant malware is run.

Back in the days users mentioned sometimes Cloud AV couldn't kill the detected malware i.e alert mentioned quarantined but malware processes was still running. But its an old news & guess no probs now.

yes that is it , i recall now, thx

 

[hjlbx]

I used CIS on my old laptop and I notice when I try to run the portable apps program (for instance: keepass), the CIS will somehow auto-sandbox the opened keepass with notification. It happens too when I open my portable firefox.

Some KeePass module(s) is\are Unrecognized by Comodo = not on their Safe List.

You can handle an Unrecognized file - and stop Comodo from blocking\auto-sandboxing it - in a number of ways:

1. In HIPS alert, select Allow and tick "Remember my answer" (creates permanent HIPS rule for action covered by that individual alert).
2. In Sandbox alert, select "Trust this application" (creates auto-sandbox Ignore rule); need HIPS alerts enabled.
3. Run Rating Scan and select "Add to Trusted Files."
4. Go into File List and manually change rating individual files\entire folder from Unrecognized to Trusted.
5. Enable Training Mode during install and initial use of application; CIS will auto-create rules.
6. Submit file to Comodo for white-listing = add to Safe List.

The above the are the main ways. There are even more ways, but it serves no purpose other than to confuse to cover every single one here.

WARNING ! In the HIPS alert, rule creation applies to the file performing the action - and not the target file ! Until a user fully understands how HIPS alerts "Treat as..." options work in CIS, the user is strongly advised not to use any of the "Treat as..." options.

A mistake with the "Treat as..." options can potentially compromise the entire system's security !

So if you select one of the "Treat as..." options, then it will apply to the file on the left side of the HIPS alert - not the object on the right !

A -> -> -> B

"Treat as..." will be applied to A - and not B.

 

[hjlbx]

And I think Cloud AV part in CIS is not pure Cloud AV.. just cloud connection for cloud databases. So there is no file execution blocking time to get verdict/detection from the cloud. So if it gets the verdict instant, malware is blocked & if couldn't get the verdict instant malware is run.

Back in the days users mentioned sometimes Cloud AV couldn't kill the detected malware i.e alert mentioned quarantined but malware processes was still running. But its an old news & guess no probs now.

Comodo does not use "pure" antivirus cloud at this time; it is on-going project.

* * * * * *

This is still an issue... and dependent upon user's internet connection speed and CAMAS queue (time it takes for Cloud and verdict to return results to local system).

For example, if HIPS alert appears before Comodo Cloud alert, then HIPS alert will prevail over any subsequent Comodo Cloud alert - and file is not quarantined immediately or blocked and terminated (which action is dependent upon Comodo Cloud settings in File Rating Settings).

It is also dependent upon HIPS timeout setting. Default is 120 sec, mine is set to 999 sec.

I replicated this issue a few times when a HIPS alert appeared and I didn't respond to the alert immediately. After allowing the system to set for about 3 or 4 minutes I noticed a Cloud alert. HIPS prevailed over the Cloud.

Initially I thought it was some kind of deranged bug, but I learned it is just a timing quirk.

WARNING ! If you receive a Comodo Cloud alert during an active HIPS for the same file, select "Block and Terminate" within the HIPS alert ! DO NOT SELECT "Allow" within the HIPS alert !

There are other ways this can be handled, but the above is sufficient basic advice to protect system.

 

[Deleted member 2913]

I have always used CIS defaults. CIS defaults comes with "Internet Security" config. Even with CFW only I use "Internet Security" config. Just some GUI customization & nothing affecting security part.. I only set FW to "ask".

Never faced boot slowdown, system slowdown, infection, probs, etc... Light, good & effective. Overall nothing to complain much about & a happy user.

Just want an option to "ask" instead of autosandbox.

 

[Deleted member 178]

WARNING ! In the HIPS alert, rule creation applies to the file performing the action - and not the target file ! Until a user fully understands how HIPS alerts "Treat as..." options work in CIS, the user is strongly advised not to use any of the "Treat as..." options.

so for educational purposes, say "File A" triggers an alert because it wants access "File B" , and i select "treat as allowed" , File A will be allowed in the future, but not File B ?

A mistake with the "Treat as..." options can potentially compromise the entire system's security !

i guess in the "block" case; because if you "treat as allow" , the file supposed to be safe at the first place.