Advanced Plus Security ErzCrz Security Config 2024

Last updated
May 19, 2023
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
Sky Router with built-in IPV4/IPv6 Firewall
Real-time security
Microsoft Defender + DefenderUI
CyberLock
Comodo Firewall .8012
Firewall security
Other - Internet Security (3rd-party)
About custom security
DefenderUI - Recommended Settings
Cyberlock - ON - Create In/Out Firewall Rules for Unsafe Items. Require Captcha to exit.
Comodo Firewall - Cruelsister Configuration
Periodic malware scanners
Norton Power Eraser
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Primary: Edge with uBO in Medium Mode - Netcraft/BD:TL
Secondary - Firefox with uBO in Medium Mode - Netcraft/BD:TL
Secure DNS
Provided by ISP Sky Shield though occasionally Cloudflare DNS over HTTP.
Desktop VPN
None. Browsing primarily on home private network.
Password manager
KeepassXC
Maintenance tools
Windows built-in Disk Clean-up and Storage Sense.
File and Photo backup
Seagate - Toolkit - Weekly Backup
Active subscriptions
    • None
System recovery
External Drive - Backup of Documents and folders.
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Downloading software and files from reputable sites
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
ErzCrz Laptop Specs 2024
Notable changes
22.01.2022 - Reverted to Comodo Internet Security setup with Firefox as default browser and Thunberbird email client.
15.05.2022 - Reverted to Hard_Configurator setup following errors after uninstall and PC reset with Edge as default browser for MD integration while also sticking to Thunderbird for email & Updated backup routine.
13.08.2022 - Swapped to built-in backup solution.
12.09.2022 - General update in line with new guidelines.
29.10.2022 - Edge Exploit Tweaks re-implimented
15.11.2022 - Edge Exploit Tweaks removed. Removed OneDrive backups.
18.11.2022 - Firefox now my primary browser & Thunderbird primary email client.
12.12.2022 - updated Dec 2022 changes, backup now manual and onedrive. Experimenting with Comodo Internet Security but not fully committed to it yet.
11.01.2023 - Updated Security Configuration for new laptop and having won Emisoft giveaway.
22.01.2023 - Reverted to MD, ConfigureDefender - High & Enabled CFA, FWHardener, Added NPE to scanner, Edge exploit tweaks.
01.02.2023 - Now using Seagate Toolkit for Backup of Documents and Folders
18.05.2023 - Using H_C Beta and few unticks/ticks of PC use.
24.06.2023 - Back to Emsisoft Anti-Malware Home, Changed Password Manager to KeepassXC
02.09.2023 - Switched from Emsisoft Setup to CF/MD Configuration
20.10.2023 - Switched to Firefox, no longer using VPN for as work now has Azure cloud servers. Temporarily removed custom exploit settings.
01.11.2023 - Back to MD H_C setup
12.12.2023 - Added Anti-Exploit Tweaks and uBO in Hard Mode with noop rules.
20.12.2023 - Removed custom exploit rules as having some Edge freezes. Moved back to Comodo Firewall with Cruelsister Configuration.
21.12.2023 - Firefox now primary browser.
27.12.2023 - Edge changed to Primary Browser
06.01.2024 - Removed WFC, Implemented WFH & CL create firewall rules for not safe items.
08.01.2024 - Re-Added WFC
03.01.2024 - Firefox now primary browser.
21.01.2024 - Changed Primary Browser to Edge
28.01.2024 - Removed WFC and replaced with CF
05.02.2024 - Returned to WFC
28.02.2024 - Adjusted uBO Rules & Added Netcraft & BD:TL extensions
25.03.2024 - Changed to CIS .8012
10.04.2024 - Reverted to MD/DefenderUI/Cyberlock/WFC Config
31.12.2023 - New config for 2024 - MD (DefenderUI), CyberLock,WFC

11.04.2024 - Reverted to MD/DefenderUI/Cyberlock/CF
Disclaimer we use date format DD/MM/YYYY here in the UK
What I'm looking for?

Looking for minimum feedback.

ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
Been trialling Malwarebytes Windows Firewall Control with this setup. Seems to run without any issue. Obviously not the same as CF but effective at blocking inbound and outbound connections for applications. I like the feature checking files via VirusTotal page. Anyway, useful setup though a little more testing to do with it. As usual bouncing back and forth between setups ;)
 
  • Like
Reactions: Nevi, piquiteco, Gandalf_The_Grey and 1 other person
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
I do a bit of trying out configurations and I though I'd just post my Comodo Firewall / Comodo Internet Security Rules when I use it.

Initially @cruelsister 's setup with then some additions to clear firewall log going into the 100s. The main ones I'd say are required is the DCHP which I added specific IPv6 Address for and Edge if you use it. My thing has always been use Edge with Microsoft Defender and Firefox with Comodo but just out of preference and the Comodo web filtering only works with Firefox.

Proactive configuration

Containment - Do Not Virtualize Access to - Unchecked

Auto Containment - Run Virtually - Set Restriction Level - Restricted

---------------------------

I have HIPS enabled for some reason, doesn't cause much issue.

I have IPv6 filtering enabled. I don't need to add ICMP global rules as Proactive Config Stealth Default is "Alert Incoming" but if you want to add rules it's Allow In ICMP - IPv6 ICMP, Packet too big, Time Exceeded, Custom Type 134,0 - 135,0 - 136,0

Regarding Firewall Application rules I have the below set:

explorer.exe - Allow TCP Out - Port 443 (HTTPS)
Allow OUT ICMP IPv6 135,0 (IPv6 Neighbour Solicitation)

searchHost.exe - Allow TCP Out - Port 443 (HTTP)

StartMenuExperienceHost.exe - Allow TCP Out - Port 443 (HTTPS)

AsusSoftwareManager.exe - Allow TCP Out - Port 443 (HTTPS)

svchost.exe - Allow UDP Out - Dest. Port 546 (Router DCHP)

Edge.exe - Web Browser Preset plus
Allow TCP/UDP Out - Port 443 - Amended HTTPS Rule for TCP and UDP
Allow OUT ICMP IPv6 135,0 (IPv6 Neighbour Solicitation)
Allow UDP Out Dest Port 1900 (SSDP)
Allow UDP Out Dest Port 5353 (MDNS)
Click to expand...

Needless to say, worth exporting the config when changing installs etc.
 
Last edited:
  • Like
Reactions: Nevi, Gandalf_The_Grey, harlan4096 and 1 other person
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
Back to Emsisoft Anti-Malware Home. Kinde of fed up with Betas and waiting Comodo release. CIS works okay but had some random Edge freezes.

Changed Password Manager to KeepassXC
 
  • Like
Reactions: Nevi, piquiteco and harlan4096
piquiteco

piquiteco

Level 14
Oct 16, 2022
626
ErzCrz said:
Comodo beta should be out in a couple of months and Hard_Configurator on Beta 3 just now.
Click to expand...
I understood, I asked why CIS failed to detect and block a RedLine Stealer, it only blocked it when the hips were active, but after deactivating the hips, CIS was not able to protect it, nor did it go to the sandbox, but the firewall blocked it. No AV is perfect, plus I never saw CIS fail with me until this day, I guess I did something wrong in my testing it just might be.
 
  • Like
Reactions: Nevi and oldschool
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
piquiteco said:
I understood, I asked why CIS failed to detect and block a RedLine Stealer, it only blocked it when the hips were active, but after deactivating the hips, CIS was not able to protect it, nor did it go to the sandbox, but the firewall blocked it. No AV is perfect, plus I never saw CIS fail with me until this day, I guess I did something wrong in my testing it just might be.
Click to expand...
Which Redline Stealer? It would only not block one if it was whitlisted in the File Ratings or you haven't unchecked the "Do not virtualize the following..." which if left checked, would ignore files in Download or Recycle bin. You should have @cruelsister test it.

I'm not using CIS at the moment as I'm investigating why I had a Edge page freeze and a heat management warning in the windows logs and I'm just trying to find the culprit. May have been Edge itself doing a update or a game glitch.
 
  • Like
Reactions: Nevi and piquiteco
piquiteco

piquiteco

Level 14
Oct 16, 2022
626
ErzCrz said:
Which Redline Stealer? It would only not block one if it was whitlisted in the File Ratings or you haven't unchecked the "Do not virtualize the following..." which if left checked, would ignore files in Download or Recycle bin.
Click to expand...
It was a supposed fake "Game" that is actually stealer malware @Kongo posted here and my credit goes to him too I downloaded sample here. On VT out of 67 AVs only 11 detects follow the url of VirusTotal
So CIS was not able to protect it, MS-Defender did detect it as soon as it extracted the compressed file as Trojan:Win32/Wacatac.B!ml (y)
 
  • Like
Reactions: Nevi and Kongo
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
piquiteco said:
It was a supposed fake "Game" that is actually stealer malware @Kongo posted here and my credit goes to him too I downloaded sample here. On VT out of 67 AVs only 11 detects follow the url of VirusTotal
So CIS was not able to protect it, MS-Defender did detect it as soon as it extracted the compressed file as Trojan:Win32/Wacatac.B!ml (y)
Click to expand...
Do you have a video of Comodo not sandboxing the malware? The VT is just the on-demand scanners of each AV and Comodo's scanner isn't the best. What settings did you use with CIS? The default has it's flaws but @cruelsister 's setup is better as Proactive Configuration is complete protection. Wishing I had a testing machine.

EDIT: Found your related posts Discussion Thread - Harmony Endpoint by Check Point
 
  • Like
Reactions: Nevi and piquiteco
piquiteco

piquiteco

Level 14
Oct 16, 2022
626
ErzCrz said:
Do you have a video of Comodo not sandboxing the malware?Do you have a video of Comodo not sandboxing the malware?
Click to expand...
I don't have video, I just didn't record the video because I did it on the real machine. And then I had to restore a backup image after the test lol, Remembering that I do not test malware is more @Shadowra was a curiosity of mine when @Kongo posted and also because of a giveaway that @BigWrench posted of ZoneAlarm Extreme Security NextGen was that I decided to test if really the ZA would detect and block but no, according to @Trident the ZA was not able to detect this type of threat because it exceeds the file size limit set by the ZA of 20MB and Malware has 63MB.
ErzCrz said:
The VT is just the on-demand scanners of each AV and Comodo's scanner isn't the best.
Click to expand...
Yes, I posted the VT URL to show that most AVs will not detect it, only when executed. Only kaspersky, MD could detect it.
ErzCrz said:
What settings did you use with CIS?
Click to expand...
Proactive configuration activated, even the malware stealer was not contained by CIS.
ErzCrz said:
The default has it's flaws but @cruelsister 's setup is better as Proactive Configuration is complete protection. Wishing I had a testing machine.
Click to expand...
Yes, I know Comodo's default configuration is not good but adjusted it is much better. Yes, it was in the proactive configuration activated, I found strange the malware has microsoft signature, but false and invalid, I think it was for CIS blocked or ending up in containment the stealer malware.
 
  • Like
Reactions: Nevi, Kongo and Trident
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
piquiteco said:
according to @Trident the ZA was not able to detect this type of threat because it exceeds the file size limit set by the ZA of 20MB and Malware has 63MB
Click to expand...
It detected it when I ran the malware and it established a dozen of connections. I provided the forensic reports there on ZA thread. The attack was then remediated. Seems like the C&C has been used in plethora of other malware.
 
  • Like
Reactions: Nevi, Kongo and piquiteco
piquiteco

piquiteco

Level 14
Oct 16, 2022
626
Trident said:
It detected it when I ran the malware and it established a dozen of connections. I provided the forensic reports there on ZA thread. The attack was then remediated. Seems like the C&C has been used in plethora of other malware.
Click to expand...
Let me get this straight, if the hash is the same and this malware is already known why AVs haven't added it to their signatures yet? Yes, it is a specific malware but...
 
  • Like
Reactions: Nevi and Kongo
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
piquiteco said:
Let me get this straight, if the hash is the same and this malware is already known why AVs haven't added it to their signatures yet? Yes, it is a specific malware but...
Click to expand...
It is known to some, including to ZoneAlarm. Problem is it exceeds scan size so before you launch it, this file is not checked at all. Once you run it, many of them will detect by behaviour, including Webroot as you mentioned. There are additional detections for the dropped files. But that’s about it. Some of them still don’t know this stealer exists. I am guessing new versions of it are released at all times. My question is why the hosting provider is not terminating the C&C server? It has been registered almost a year ago. It has just gone under the radar like many others.
 
  • Like
  • Applause
Reactions: Nevi, Kongo and piquiteco
piquiteco

piquiteco

Level 14
Oct 16, 2022
626
Trident said:
Some of them still don’t know this stealer exists. I am guessing new versions of it are released at all times. My question is why the hosting provider is not terminating the C&C server? It has been registered almost a year ago. It has just gone under the radar like many others.
Click to expand...
So you were right, if I had used another AV also would not detect, it would be almost minority that would block, I thought it was only ZA that was failing, good let's stop here, because it is private topic of ErzCrz. I apologize @ErzCrz for having invaded your topic and I am not criticizing CIS or comodo I like this CF/CIS product. I am always open to new possibilities. The good news is that I did not use the @cruelsister configuration I even breathe a sigh of relief, for those who use the @cruelsister configuration you are safe.
 
  • Like
  • Thanks
Reactions: Nevi, Kongo, Trident and 1 other person
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
HarborFront said:
Can give reason(s) why you need BitLocker for home use?
Click to expand...
Quite simply, it was enabled by default on this new laptop I bought in January this year. Plus it being a laptop, encryption is a good idea if it gets stolen ;) No issue with it enabled as far as I can tell so if it's providing extra security I'm all for it.
 
  • Like
  • +Reputation
Reactions: Nevi, piquiteco, Kongo and 1 other person
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
I never seem to stay with one configuration for long. Probably just going to move back to my H_C CD FWH setup for it's simplicity. Will update post when I've done that. Will investigate Comodo again at some point when a stable comes out, just a number of things for them to still get right with it.
 
  • Like
Reactions: Nevi, piquiteco, oldschool and 1 other person
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
Was getting slows and internet stops when Emsisoft updating. Decided to change things up and go back to Comodo Firewall .8012 with Cruelsister config with custom rules for windows applications to allow outgoing only to HTTP ports. Edge had to have some extra rules added to Browser default ruleset but easy enough to do.
Good news is that switching the setup I realized uPNP/SSDP was still enabled on this laptop so resolved that :)
 
  • Like
Reactions: Nevi, Moonhorse, oldschool and 1 other person
ErzCrz

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
Kind of short lived, just checking on some game playing glitch I've experienced with it. It only happened when CF whitelisted some windows apps while the game was playing. Hmm. When in doubt go back to WD H_C with CFA enabled.
 
Last edited:
  • Like
  • HaHa
Reactions: Nevi, Moonhorse, Gandalf_The_Grey and 1 other person

Similar threads

ErzCrz
    • Like
    • Applause
    • +Reputation
Advanced Plus Security ErzCrz config 2021
Replies
54
Views
11,827
CSC Archive
ErzCrz
ErzCrz
SpyNetGirl
    • Like
    • +Reputation
    • Hundred Points
Harden Windows Security | Only with official documented methods | Always up to date
Replies
75
Views
10,418
Other security for Windows, Mac, Linux
Warencom
W
4
    • Like
    • Thanks
    • +Reputation
Reverse Engineering Rogue Kaspersky browser extension
Replies
12
Views
2,911
Malware Analysis
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top