shmu26

Level 85
Verified
Trusted
Content Creator
It is a pretty nice setup. Its efficiency will depend on how good it is at blocking executables:
"3 Unrecognized and created by Web Browsers, Email Clients, File Downloaders, File Archivers, or Management and Productivity Apps.
4 Found in suspicious locations."

I think that it would be good to test on Malware Hub the above Comodo features and efficiency of blocking malicious scripts.(y)
Great idea. Who among our testers might be willing to take it out for a spin?
 

shmu26

Hi! Please just a simple question: For the past 2 years I've been using CruelComodoFirewall (CCF)... everything is almost perfect... never big issues... no infections... and no incompatibilities with Windows or other software. However, when eventually CCF finds an unrecognized file and activates auto-containment, sometimes (not always), CCF deletes the unrecognized file, not just blocking, but also deleting it. Sometimes the deleted file is malware (that I am testing), and my guess is that CCF deletes it because my "File Rating" is enabled (and the file is flagged as malware). But sometimes the deleted file is not malware; it is just an unrecognized file to CCF. Does anybody have an explanation? Maybe it is a CF bug? Is there a way to avoid any CCF file deletion?
Go to Settings/File Rating/File List. Make sure it is set to show files of all types, and in the second box, Quarantined and not quarantined. Now can you find your file in the list, perhaps by means of the search box? If you are sure it is safe, "trust" it and Comodo will leave it alone in the future. You should also be able to see how Comodo classified it, whether it was considered malware, or PUP, or whatever.

I will be going offline soon, will be back in 24 hours or so...
 

simmerskool

Level 9
Verified
Malware Tester
I included the enhanced script protection only in the "lockdown mode" section because it might cause user problems, depending on your software. The most likely to cause problems is cmd.exe. In many cases, all you will have to do is whitelist the specific script(s) that are blocked. But there are also cases where the software generates bat files with a random file name or path. In that case, it will get blocked every time, and whitelisting it will not help.
thanks

Hi! Please just a simple question: For the past 2 years I've been using CruelComodoFirewall (CCF)... everything is almost perfect... never big issues... no infections... and no incompatibilities with Windows or other software. However, when eventually CCF finds an unrecognized file and activates auto-containment, sometimes (not always), CCF deletes the unrecognized file, not just blocking, but also deleting it. Sometimes the deleted file is malware (that I am testing), and my guess is that CCF deletes it because my "File Rating" is enabled (and the file is flagged as malware). But sometimes the deleted file is not malware; it is just an unrecognized file to CCF. Does anybody have an explanation? Maybe it is a CF bug? Is there a way to avoid any CCF file deletion?
fwiw, I've been running cruelcomodo too for at least a year if not 2, and cf does contain unrecognized files, which I then check with virustotal and other means before deeming them "trusted" and I've never noticed cf deleting unrecognized files on my win7. maybe you missed a cruelsister tweak and should double check, or I've just been lucky with cf here, nary an issue :emoji_fingers_crossed:
 

shmu26

Why would you turn off ViruScope? It only works in sandbox anyway and it's a behavior analysis module.
I just like to minimize bloat, that's all. I don't believe very much in VirusScope's abilities, so I prefer to disable it.

@Decopi I don't understand how Comodo Firewall could delete files. AFAIK it doesn't have that function.
Perhaps you installed the antivirus mode as well, in which case you are actually running what is known as Comodo Internet Security?

The thing that worries me about Comodo is the inherent vulnerability to signed malware, since it maintains a massive list of trusted vendors. So I would not totally trust it without an AV, unless the Trusted Vendors list is cut down very drastically.
 

imuade

Level 11
Verified
I just like to minimize bloat, that's all. I don't believe very much in VirusScope's abilities, so I prefer to disable it.

@Decopi I don't understand how Comodo Firewall could delete files. AFAIK it doesn't have that function.
Perhaps you installed the antivirus mode as well, in which case you are actually running what is known as Comodo Internet Security?

The thing that worries me about Comodo is the inherent vulnerability to signed malware, since it maintains a massive list of trusted vendors. So I would not totally trust it without an AV, unless the Trusted Vendors list is cut down very drastically.
What about the option "Do not show popup alerts"?
Even if, with that option enabled, the file should be quarantined, not deleted.

The only way to delete a file is to set the AV to block the threat without showing a pop-up.
 

Back3

Level 5
thanks



fwiw, I've been running cruelcomodo too for at least a year if not 2, and cf does contain unrecognized files, which I then check with virustotal and other means before deeming them "trusted" and I've never noticed cf deleting unrecognized files on my Windows 7. maybe you missed a cruelsister tweak and should double check, or I've just been lucky with cf here, nary an issue :emoji_fingers_crossed:
The same here on Windows 10. No deleting unrecognized files.
 

Decopi

Level 3
First, I thank you all for the direct and indirect answers to my question.
Second, and repeating to make it totally clear: I have CCF (Cruel Comodo Firewall), and nothing else on my system.
Third, at "File Rating", "Do not show popup alerts" is already unchecked in my settings.

Comodo is known for having bugs (most software has).
In my experience, I saw Comodo bugs appearing on some computers, and not appearing on other devices. That's the nature of all bugs; sometimes they are not universal.
In the past, when I did a fresh reinstall of CCF, bugs disappeared. And it has been more than a year since my last CCF refresh. So perhaps it is time to do it. Considering the answers here, no one seems to have had files deleted by CCF. So I believe that reinstalling CCF will solve my issue.
 

shmu26

First, I thank you all for the direct and indirect answers to my question.
Second, and repeating to make it totally clear: I have CCF (Cruel Comodo Firewall), and nothing else on my system.
Third, at "File Rating", "Do not show popup alerts" is already unchecked in my settings.

Comodo is known for having bugs (most software has).
In my experience, I saw Comodo bugs appearing on some computers, and not appearing on other devices. That's the nature of all bugs; sometimes they are not universal.
In the past, when I did a fresh reinstall of CCF, bugs disappeared. And it has been more than a year since my last CCF refresh. So perhaps it is time to do it. Considering the answers here, no one seems to have had files deleted by CCF. So I believe that reinstalling CCF will solve my issue.
Maybe the files that were blocked were temporary program files? There are certain programs that create temporary files, and they delete those files when you exit the program, or when the program finishes a certain task. If such files were blocked, you might not find them on your system later, since the program itself deleted the file.

If you can reproduce the issue, please post a screenshot. Yes, it might be a Comodo bug, but since no one else seems to have experienced this bug, there might be a different reason for it.

I see that you restated that you have Cruel Comodo Firewall on your system. Unfortunately, that does not tell us whether you have the antivirus component installed, because CruelComodo could include the antivirus component. Maybe you can post a screenshot of the main window of Comodo, advanced view, so we can see which components you have?
 

Decopi

Maybe the files... components you have?
I totally appreciate your willingness to help me.
I also understand that many times there are no bugs, and problems are just caused by users (directly or indirectly). But here, this is not my case.

As I said at the very beginning, I only have CCF on my system. No AA, no AM, no AS, no nothing. Even WD, SmartScreen and UAC are completely disabled on my system. I only care about zero-day attacks or unknown malware, therefore only anti-executables or AI (artificial intelligence) solutions interest me. This is my personal choice, and I don't need/want anything else on my system (killing my system resources or adding a lot of incompatibilities, privacy issues, etc.).
And no, nothing to do with "temporary files", I meant to talk only about normal files (deletions).
I can perfectly reproduce the bug on my computer, but posting screenshots will add nothing to my previous explanations.

After confirming that no one here has my problem, I choose to reinstall my CF.

Thank you to all of you.
 

shmu26

I totally appreciate your willingness to help me.
I also understand that many times there are no bugs, and problems are just caused by users (directly or indirectly). But here, this is not my case.

As I said at the very beginning, I only have CCF on my system. No AA, no AM, no AS, no nothing. Even WD, SmartScreen and UAC are completely disabled on my system. I only care about zero-day attacks or unknown malware, therefore only anti-executables or AI (artificial intelligence) solutions interest me. This is my personal choice, and I don't need/want anything else on my system (killing my system resources or adding a lot of incompatibilities, privacy issues, etc.).
And no, nothing to do with "temporary files", I meant to talk only about normal files (deletions).
I can perfectly reproduce the bug on my computer, but posting screenshots will add nothing to my previous explanations.

After confirming that no one here has my problem, I choose to reinstall my CF.

Thank you to all of you.
Great, let us know if it solved your problem after you reinstall.
 

SearchLight

Level 11
Verified
@shmu26, I set up CFW per your FIX instructions but I have some lingering questions:

1) If CFW is a firewall, why not deactivate Windows Firewall? You mentioned not to turn it off. Shouldn't there be only one Firewall in use?

2) Under Advanced Settings, I turned off Script Analysis; however, CMD.exe is still being blocked by Containment (see attached screenshot). Should I unblock it or is something wrong in my config?

Appreciate the clarification. Btw, I am running your FIX on Windows 10 v1903.

And thanks for your ongoing guidance to those of us less experienced.

Btw, do you think your FIX coupled with WD set at HIGH using Andy Ful's ConfigWD is a good combo that would provide decent protection to say the least?
 


shmu26

1) If CFW is a firewall, why not deactivate Windows Firewall? You mentioned not to turn it off. Shouldn't there be only one Firewall in use?
Windows firewall does not conflict or slow down the system, so it is a safety measure, since in my suggested config, Comodo's firewall component is at less than full strength.
2) Under Advanced Settings, I turned off Script Analysis; however, CMD.exe is still being blocked by Containment (see attached screenshot). Should I unblock it or is something wrong in my config?
Please screenshot your script settings. You probably turned off half of it.
I am running your FIX on Windows 10 v1903.
Thanks for the info, I didn't test it yet on 1903.
thanks for your ongoing guidance to those of us less experienced.
:)
FIX coupled with WD set at HIGH using Andy Ful's ConfigWD
It's a beast!
 

SearchLight

I did not toggle off the individual green script settings, just unchecked the box at top "Perform Script Analysis". Thought this turns off everything related to scripts. (See screenshots below.)

In the meantime, I unblocked CMD.exe for all Security modules. Has not been blocked again but I do not know if this is the proper way, or I need to toggle all the green script protection toggles off?

I will turn Windows Firewall back on per your suggestion but I was thinking, wouldn't this defeat CFW's ability to detect an intrusion or hacking attempt properly if WFW is the initial "filter"? In other words, if WF allows the probe to pass or filters it in such a way that it determines it is "good", could that influence how CFW would react? I know, I am reading into it because I am accustomed to the rule of never running two of the same security software together because that was how I was indoctrinated when I first started using Windows 98 :). To put it another way, is your suggestion one in which one firewall handles inbound, and the other firewall handles outbound connections? If so, which one is doing what? Thanks for your patience here.
 


shmu26

I did not toggle off the individual green script settings, just unchecked the box at top "Perform Script Analysis". Thought this turns off everything related to scripts. (See screenshots below.)

In the meantime, I unblocked CMD.exe for all Security modules. Has not been blocked again but I do not know if this is the proper way, or I need to toggle all the green script protection toggles off?

I will turn Windows Firewall back on per your suggestion but I was thinking, wouldn't this defeat CFW's ability to detect an intrusion or hacking attempt properly if WFW is the initial "filter"? In other words, if WF allows the probe to pass or filters it in such a way that it determines it is "good", could that influence how CFW would react? I know, I am reading into it because I am accustomed to the rule of never running two of the same security software together because that was how I was indoctrinated when I first started using Windows 98 :). To put it another way, is your suggestion one in which one firewall handles inbound, and the other firewall handles outbound connections? If so, which one is doing what? Thanks for your patience here.
1. Is (or was) cmd.exe on the list of unrecognized files? What program or process triggered this block?
2. Running Windows firewall in tandem with Comodo firewall is counter-intuitive, but CruelSister always insisted that it was not a problem, and I never saw a problem. If Windows firewall blocks it, it's blocked. And if Comodo firewall blocks it, it's blocked. They don't interfere with each other in practice.
3. Why did you completely disable script protection?
 

SearchLight

1. Is (or was) cmd.exe on the list of unrecognized files? What program or process triggered this block?
2. Running Windows firewall in tandem with Comodo firewall is counter-intuitive, but CruelSister always insisted that it was not a problem, and I never saw a problem. If Windows firewall blocks it, it's blocked. And if Comodo firewall blocks it, it's blocked. They don't interfere with each other in practice.
3. Why did you completely disable script protection?
1) Did not look in that list. Just saw it blocked in the menu I show in my screenshot, and consequently unblocked for all security modules. What apparently triggered it was Roboform's extension in Chrome. Suddenly, it would not work automatically, and started referring me to the Chrome Store for another Roboform Manager. Once I allowed CMD.exe, the Roboform Extension worked flawlessly like before.

2) If you say so, I believe you :) One learns something new every day.

3) Maybe I misunderstood your instructions but I thought Script Protection was to be left on if one wanted to harden Cfw further as an option. Otherwise to be left off. Sorry I misunderstood.

What should I be toggling on or off in the Advanced Protection section regarding Scripts? In other words, per your FIX guide, if I do not want the optional hardened settings, what should I toggle on or off?

Fyi, I re-enabled Script Protection as a test, and again CMD.exe was Blocked by Containment in the Blocked List. Nothing appears in the Unrecognized File list. This was initiated as soon as I executed Roboform. This time I just toggled CMD.exe off in Script Protection, and Unblocked CMD.exe just for the Containment module. Roboform works like normal again.

Appreciate your attempt to clarify for me.
 

shmu26

Roboform's extension in Chrome.
Right. That makes sense. Just disable the right button for cmd, and leave the left button enabled. This is very normal.
Script Protection was to be left on if one wanted to harden Cfw further
It should always be left on, as per Comodo default settings. Hardening is when you slide all the buttons to the right.
What should I be toggling on or off in the Advanced Protection section regarding Scripts
One of your screenshots shows some buttons on, and others off. That looks like the default settings to me.
If you want hardened, then slide everything to the right, except for cmd.exe, where you will have the left button on, and the right button off. That should do it. Try it out!
 

SearchLight

Right. That makes sense. Just disable the right button for cmd, and leave the left button enabled. This is very normal.

It should always be left on, as per Comodo default settings. Hardening is when you slide all the buttons to the right.

One of your screenshots shows some buttons on, and others off. That looks like the default settings to me.
If you want hardened, then slide everything to the right, except for cmd.exe, where you will have the left button on, and the right button off. That should do it. Try it out!
You're right, I left everything in Default. However, the only way I get Roboform to work, leaving the left script button on, is to Unblock CMD.exe in the Blocked List for the Security Program that blocked it. That in effect creates an Ignore Rule in Containment rules, and Roboform is back to normal. See my further screenshots.
Snap 2019-07-12 at 00.07.58.png
Snap 2019-07-12 at 00.07.26.png
Snap 2019-07-12 at 00.09.26.png
 
