Advanced Plus Security ErzCrz Security Config 2024

Last updated
May 19, 2023
How is it used?
For home and private use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
Sky Router with built-in IPV4/IPv6 Firewall
Real-time security
Microsoft Defender
CyberLock
Malwarebytes Windows Firewall Control
Firewall security
Other - Internet Security (3rd-party)
About custom security
Microsoft Defender with DefenderUI (Recommended)
CyberLock - ON - Create In/Out Firewall Rules for Unsafe Items.
WFC - Medium Filtering - Display Notifications - Secure Profile
Periodic malware scanners
Emsisoft Emergency Kit / Norton Power Eraser
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Primary: Firefox with uBO in Hard Mode with noop rules
Secondary: Edge with uBO in Hard Mode with noop rules
Secure DNS
Provided by ISP (Sky Shield), though occasionally Cloudflare DNS over HTTPS.
Desktop VPN
None. Browsing primarily on home private network.
Password manager
KeePassXC
Maintenance tools
Windows built-in Disk Clean-up and Storage Sense.
File and Photo backup
Seagate - Toolkit - Weekly Backup
System recovery
External Drive - Backup of Documents and folders.
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Downloading software and files from reputable sites
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Notable changes
22.01.2022 - Reverted to Comodo Internet Security setup with Firefox as default browser and Thunderbird email client.
15.05.2022 - Reverted to Hard_Configurator setup following errors after uninstall and PC reset, with Edge as default browser for MD integration while also sticking to Thunderbird for email. Updated backup routine.
13.08.2022 - Swapped to built-in backup solution.
12.09.2022 - General update in line with new guidelines.
29.10.2022 - Edge Exploit Tweaks re-implemented
15.11.2022 - Edge Exploit Tweaks removed. Removed OneDrive backups.
18.11.2022 - Firefox now my primary browser & Thunderbird primary email client.
12.12.2022 - Updated Dec 2022 changes; backup now manual and OneDrive. Experimenting with Comodo Internet Security but not fully committed to it yet.
11.01.2023 - Updated Security Configuration for new laptop and having won Emsisoft giveaway.
22.01.2023 - Reverted to MD, ConfigureDefender - High & Enabled CFA, FWHardener, Added NPE to scanner, Edge exploit tweaks.
01.02.2023 - Now using Seagate Toolkit for Backup of Documents and Folders
18.05.2023 - Using H_C Beta and few unticks/ticks of PC use.
24.06.2023 - Back to Emsisoft Anti-Malware Home. Changed Password Manager to KeePassXC
02.09.2023 - Switched from Emsisoft Setup to CF/MD Configuration
20.10.2023 - Switched to Firefox; no longer using VPN as work now has Azure cloud servers. Temporarily removed custom exploit settings.
01.11.2023 - Back to MD H_C setup
12.12.2023 - Added Anti-Exploit Tweaks and uBO in Hard Mode with noop rules.
20.12.2023 - Removed custom exploit rules as having some Edge freezes. Moved back to Comodo Firewall with Cruelsister Configuration.
21.12.2023 - Firefox now primary browser.
27.12.2023 - Edge changed to Primary Browser
06.01.2024 - Removed WFC, implemented WFH & CL creating firewall rules for not-safe items.
08.01.2024 - Re-Added WFC
03.01.2024 - Firefox now primary browser.
21.01.2024 - Changed Primary Browser to Edge
28.01.2024 - Removed WFC and replaced with CF
31.12.2023 - New config for 2024 - MD (DefenderUI), CyberLock, WFC
05.02.2024 - Returned to WFC

Disclaimer: we use the date format DD/MM/YYYY here in the UK.
What I'm looking for

Looking for minimum feedback.

ErzCrz

Been trialling Malwarebytes Windows Firewall Control with this setup. Seems to run without any issue. Obviously not the same as CF but effective at blocking inbound and outbound connections for applications. I like the feature of checking files via the VirusTotal page. Anyway, a useful setup, though a little more testing to do with it. As usual, bouncing back and forth between setups ;)
 

ErzCrz

I do a bit of trying out configurations and I thought I'd just post my Comodo Firewall / Comodo Internet Security rules for when I use it.

Initially @cruelsister's setup, then some additions to stop the firewall log going into the 100s. The main ones I'd say are required are the DHCP one, which I added a specific IPv6 address for, and Edge if you use it. My thing has always been to use Edge with Microsoft Defender and Firefox with Comodo, but just out of preference, and the Comodo web filtering only works with Firefox.

Proactive configuration

Containment - Do Not Virtualize Access to - Unchecked

Auto Containment - Run Virtually - Set Restriction Level - Restricted

---------------------------

I have HIPS enabled for some reason, doesn't cause much issue.

I have IPv6 filtering enabled. I don't need to add ICMP global rules as Proactive Config Stealth Default is "Alert Incoming" but if you want to add rules it's Allow In ICMP - IPv6 ICMP, Packet too big, Time Exceeded, Custom Type 134,0 - 135,0 - 136,0

Regarding Firewall Application rules I have the below set:

explorer.exe - Allow TCP Out - Port 443 (HTTPS)
Allow OUT ICMP IPv6 135,0 (IPv6 Neighbour Solicitation)

searchHost.exe - Allow TCP Out - Port 443 (HTTPS)

StartMenuExperienceHost.exe - Allow TCP Out - Port 443 (HTTPS)

AsusSoftwareManager.exe - Allow TCP Out - Port 443 (HTTPS)

svchost.exe - Allow UDP Out - Dest. Port 546 (Router DHCP)

Edge.exe - Web Browser Preset plus
Allow TCP/UDP Out - Port 443 - Amended HTTPS Rule for TCP and UDP
Allow OUT ICMP IPv6 135,0 (IPv6 Neighbour Solicitation)
Allow UDP Out Dest Port 1900 (SSDP)
Allow UDP Out Dest Port 5353 (MDNS)

Needless to say, it's worth exporting the config when changing installs etc.
 
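The per-application outbound allow list in the post above is written for Comodo's firewall, which has no scripting interface. As an added example (not code from the thread, from Comodo or from Windows Firewall Control), the same policy expressed as Windows Defender Firewall rules with the built-in NetSecurity cmdlets; the Edge install path, the rule-name prefix and the `Add-OutboundAllowRule` helper are assumptions for this example, and the SearchHost, StartMenuExperienceHost and ASUS rules are left out because their paths vary by build, so add them with the same helper. Two deliberate differences from the post: the DHCPv6 rule uses the standard client/server ports (local 546 to remote 547, RFC 8415), and the IPv6 Neighbour Solicitation rule is not bound to a program because that traffic is generated by the TCP/IP stack rather than by explorer.exe or Edge.

```powershell
# Added example; not code from the thread, Comodo or WFC. Recreates the per-app
# outbound allow-list from the post as Windows Defender Firewall rules using the
# built-in NetSecurity cmdlets. Program paths and the rule-name prefix are assumptions.
# Run in an elevated session; add -WhatIf to preview every change first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Prefix   = 'ThreadExample',   # assumed prefix, so the rules are easy to list or remove
    [string]$EdgePath = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"  # assumed path
)

function Add-OutboundAllowRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Program,                                   # omitted = any program
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP', 'ICMPv6')][string]$Protocol,
        [string[]]$RemotePort,
        [string]$LocalPort,
        [string]$IcmpType                                   # "Type:Code", ICMPv6 only
    )
    $p = @{
        DisplayName = "$Prefix - $Name"
        Direction   = 'Outbound'
        Action      = 'Allow'
        Profile     = 'Any'
        Protocol    = $Protocol
    }
    if ($Program)    { $p.Program    = $Program }
    if ($RemotePort) { $p.RemotePort = $RemotePort }
    if ($LocalPort)  { $p.LocalPort  = $LocalPort }
    if ($IcmpType)   { $p.IcmpType   = $IcmpType }
    if ($PSCmdlet.ShouldProcess($p.DisplayName, 'New-NetFirewallRule')) {
        New-NetFirewallRule @p | Out-Null
    }
}

$sys = $env:SystemRoot

# Shell: HTTPS only, as in the post.
Add-OutboundAllowRule -Name 'explorer.exe HTTPS' -Program "$sys\explorer.exe" -Protocol TCP -RemotePort 443

# DHCPv6 client traffic runs inside svchost.exe; RFC 8415 uses client port 546 -> server port 547.
Add-OutboundAllowRule -Name 'svchost DHCPv6' -Program "$sys\System32\svchost.exe" -Protocol UDP -LocalPort 546 -RemotePort 547

# Edge: HTTPS over TCP and over UDP (HTTP/3 / QUIC), plus SSDP and mDNS as listed in the post.
Add-OutboundAllowRule -Name 'Edge HTTPS TCP' -Program $EdgePath -Protocol TCP -RemotePort 443
Add-OutboundAllowRule -Name 'Edge HTTPS UDP' -Program $EdgePath -Protocol UDP -RemotePort 443
Add-OutboundAllowRule -Name 'Edge SSDP'      -Program $EdgePath -Protocol UDP -RemotePort 1900
Add-OutboundAllowRule -Name 'Edge mDNS'      -Program $EdgePath -Protocol UDP -RemotePort 5353

# IPv6 Neighbour Solicitation (ICMPv6 type 135, code 0) is generated by the TCP/IP
# stack, not by an application, so this rule is not bound to a program.
Add-OutboundAllowRule -Name 'IPv6 Neighbour Solicitation' -Protocol ICMPv6 -IcmpType '135:0'

# Windows Defender Firewall allows all outbound traffic by default, so the allow
# rules above only have an effect once the default outbound action is Block.
if ($PSCmdlet.ShouldProcess('Domain, Private and Public profiles', 'Set DefaultOutboundAction = Block')) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
}

# Review what was created.
Get-NetFirewallRule -DisplayName "$Prefix - *" | Select-Object DisplayName, Enabled, Profile, Action
```

Switching the default outbound action to Block is what turns the list into a real allow-list, and it has the same side effect the post describes for Comodo: anything not listed (Windows Update inside svchost.exe, Defender signature updates, Store apps) stops talking until it gets a rule, so expect to watch the firewall log for a while. To back everything out, run `Get-NetFirewallRule -DisplayName "ThreadExample - *" | Remove-NetFirewallRule` and set `-DefaultOutboundAction Allow` again.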

ErzCrz

Back to Emsisoft Anti-Malware Home. Kind of fed up with betas and waiting for the Comodo release. CIS works okay but I had some random Edge freezes.

Changed Password Manager to KeePassXC
 

piquiteco

Comodo beta should be out in a couple of months and Hard_Configurator on Beta 3 just now.
I understood, I asked why CIS failed to detect and block a RedLine Stealer, it only blocked it when the hips were active, but after deactivating the hips, CIS was not able to protect it, nor did it go to the sandbox, but the firewall blocked it. No AV is perfect, plus I never saw CIS fail with me until this day, I guess I did something wrong in my testing it just might be.
 

ErzCrz

I understood, I asked why CIS failed to detect and block a RedLine Stealer, it only blocked it when the hips were active, but after deactivating the hips, CIS was not able to protect it, nor did it go to the sandbox, but the firewall blocked it. No AV is perfect, plus I never saw CIS fail with me until this day, I guess I did something wrong in my testing it just might be.
Which Redline Stealer? It would only not block one if it was whitelisted in the File Ratings or you haven't unchecked the "Do not virtualize the following..." which, if left checked, would ignore files in Downloads or the Recycle Bin. You should have @cruelsister test it.

I'm not using CIS at the moment as I'm investigating why I had an Edge page freeze and a heat management warning in the Windows logs, and I'm just trying to find the culprit. May have been Edge itself doing an update or a game glitch.
 

piquiteco

Which Redline Stealer? It would only not block one if it was whitelisted in the File Ratings or you haven't unchecked the "Do not virtualize the following..." which, if left checked, would ignore files in Downloads or the Recycle Bin.
It was a supposed "Game" that is actually stealer malware; @Kongo posted it here and my credit goes to him too. I downloaded the sample here. On VT, out of 67 AVs only 11 detect it; follow the VirusTotal URL.
So CIS was not able to protect against it; MS Defender did detect it as soon as the compressed file was extracted, as Trojan:Win32/Wacatac.B!ml (y)
 

ErzCrz

It was a supposed "Game" that is actually stealer malware; @Kongo posted it here and my credit goes to him too. I downloaded the sample here. On VT, out of 67 AVs only 11 detect it; follow the VirusTotal URL.
So CIS was not able to protect against it; MS Defender did detect it as soon as the compressed file was extracted, as Trojan:Win32/Wacatac.B!ml (y)
Do you have a video of Comodo not sandboxing the malware? The VT result is just the on-demand scanners of each AV, and Comodo's scanner isn't the best. What settings did you use with CIS? The default has its flaws but @cruelsister's setup is better, as Proactive Configuration is complete protection. Wishing I had a testing machine.

EDIT: Found your related posts Discussion Thread - Harmony Endpoint by Check Point
 

piquiteco

Do you have a video of Comodo not sandboxing the malware?
I don't have a video; I just didn't record one because I did it on the real machine, and then I had to restore a backup image after the test lol. Remember that I do not test malware (that is more @Shadowra); it was a curiosity of mine when @Kongo posted, and also because of a giveaway that @BigWrench posted of ZoneAlarm Extreme Security NextGen, so I decided to test whether ZA would really detect and block it, but no: according to @Trident, ZA was not able to detect this type of threat because it exceeds ZA's file size limit of 20MB and the malware is 63MB.
The VT result is just the on-demand scanners of each AV, and Comodo's scanner isn't the best.
Yes, I posted the VT URL to show that most AVs will not detect it, only when executed. Only Kaspersky and MD could detect it.
What settings did you use with CIS?
Proactive configuration activated; even so, the stealer malware was not contained by CIS.
The default has its flaws but @cruelsister's setup is better, as Proactive Configuration is complete protection. Wishing I had a testing machine.
Yes, I know Comodo's default configuration is not good, but adjusted it is much better. Yes, it was with the Proactive configuration activated. I found it strange that the malware has a Microsoft signature, but a false and invalid one; I think that was reason enough for CIS to have blocked the stealer malware or put it in containment.
 

Trident

according to @Trident, ZA was not able to detect this type of threat because it exceeds ZA's file size limit of 20MB and the malware is 63MB
It detected it when I ran the malware and it established a dozen connections. I provided the forensic reports there on the ZA thread. The attack was then remediated. Seems like the C&C has been used in a plethora of other malware.
 

piquiteco

It detected it when I ran the malware and it established a dozen connections. I provided the forensic reports there on the ZA thread. The attack was then remediated. Seems like the C&C has been used in a plethora of other malware.
Let me get this straight: if the hash is the same and this malware is already known, why haven't AVs added it to their signatures yet? Yes, it is a specific malware but...
 

Trident

Let me get this straight, if the hash is the same and this malware is already known why AVs haven't added it to their signatures yet? Yes, it is a specific malware but...
It is known to some, including to ZoneAlarm. Problem is it exceeds scan size so before you launch it, this file is not checked at all. Once you run it, many of them will detect by behaviour, including Webroot as you mentioned. There are additional detections for the dropped files. But that’s about it. Some of them still don’t know this stealer exists. I am guessing new versions of it are released at all times. My question is why the hosting provider is not terminating the C&C server? It has been registered almost a year ago. It has just gone under the radar like many others.
 

piquiteco

Some of them still don’t know this stealer exists. I am guessing new versions of it are released at all times. My question is why the hosting provider is not terminating the C&C server? It has been registered almost a year ago. It has just gone under the radar like many others.
So you were right: if I had used another AV it also would not have detected it; it would be only a minority that would block it. I thought it was only ZA that was failing. Good, let's stop here, because it is ErzCrz's private topic. I apologize @ErzCrz for having invaded your topic, and I am not criticizing CIS or Comodo; I like the CF/CIS product. I am always open to new possibilities. The good news is that I did not use the @cruelsister configuration, so I can breathe a sigh of relief: for those who use the @cruelsister configuration, you are safe.
 

ErzCrz

Can you give reason(s) why you need BitLocker for home use?
Quite simply, it was enabled by default on this new laptop I bought in January this year. Plus, it being a laptop, encryption is a good idea if it gets stolen ;) No issue with it enabled as far as I can tell, so if it's providing extra security I'm all for it.
 

ErzCrz

I never seem to stay with one configuration for long. Probably just going to move back to my H_C CD FWH setup for its simplicity. Will update the post when I've done that. Will investigate Comodo again at some point when a stable comes out; just a number of things for them to still get right with it.
 

ErzCrz

Was getting slowdowns and internet stops when Emsisoft was updating. Decided to change things up and go back to Comodo Firewall .8012 with the Cruelsister config, with custom rules for Windows applications to allow outgoing only to HTTP ports. Edge had to have some extra rules added to the Browser default ruleset but easy enough to do.
Good news is that in switching the setup I realized UPnP/SSDP was still enabled on this laptop, so resolved that :)
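The UPnP/SSDP finding above is the kind of thing that is easy to miss until a firewall change makes it visible. As an added example (not code from the thread), a small audit script for that specific check on the Windows host: it reports the state of the SSDP Discovery and UPnP Device Host services and lists every enabled inbound Windows Defender Firewall rule that opens UDP 1900 (SSDP) or 5353 (mDNS), and with `-Disable` it stops and disables those services and turns those rules off. The `-Disable` switch and the two function names are assumptions for this example; the service names `SSDPSRV` and `upnphost` are the real Windows service names.

```powershell
# Added example, not code from the thread. Audits the two things the post above
# turned off on the laptop: the SSDP Discovery and UPnP Device Host services, and
# any enabled inbound firewall rule that opens UDP 1900 (SSDP) or 5353 (mDNS).
# Plain run = report only; -Disable (elevated) stops/disables the services and
# turns those rules off. Add -WhatIf to see what -Disable would touch.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Disable)

$serviceNames   = 'upnphost', 'SSDPSRV'   # UPnP Device Host depends on SSDP Discovery, so it is stopped first
$discoveryPorts = '1900', '5353'

function Get-DiscoveryExposure {
    # Service state (StartType is available from Windows PowerShell 5.1 onwards)
    $services = Get-Service -Name $serviceNames -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    # Walk every port filter, keep UDP filters whose LocalPort includes 1900 or 5353,
    # then resolve them to their rules and keep only the enabled inbound ones.
    $rules = Get-NetFirewallPortFilter |
        Where-Object {
            $_.Protocol -eq 'UDP' -and
            @($_.LocalPort | Where-Object { $discoveryPorts -contains $_ }).Count -gt 0
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    [pscustomobject]@{ Services = $services; InboundRules = @($rules) }
}

function Disable-DiscoveryExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Exposure)

    foreach ($name in $serviceNames) {
        if ($PSCmdlet.ShouldProcess($name, 'Stop service and set StartupType=Disabled')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
    foreach ($rule in $Exposure.InboundRules) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable inbound firewall rule')) {
            $rule | Disable-NetFirewallRule
        }
    }
}

$report = Get-DiscoveryExposure
"Discovery services:"
$report.Services | Format-Table -AutoSize
"Enabled inbound rules opening UDP 1900/5353: $($report.InboundRules.Count)"
$report.InboundRules | Select-Object DisplayName, Profile | Format-Table -AutoSize

if ($Disable) { Disable-DiscoveryExposure -Exposure $report }
```

Run it without switches first and read the report; the Windows-supplied Network Discovery rules normally show up here on the Private profile when network discovery is on, and disabling them means other devices on the LAN stop finding this machine, which is exactly the trade-off the post is making. The services and rules can be re-enabled with `Set-Service -StartupType Manual` and `Enable-NetFirewallRule` if something like media casting stops working.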
 

ErzCrz

Kind of short-lived; just checking on some game-playing glitch I've experienced with it. It only happened when CF whitelisted some Windows apps while the game was playing. Hmm. When in doubt go back to WD H_C with CFA enabled.
 
