Battle Firewall + HIPS choices

Coool

Level 1
Thread author
May 13, 2017
5
Hello everyone,

I have been a long-time lurker, always finding these forums and the members extremely informative and helpful, and finally joined trying to find some advice on this subject.

I am setting up from scratch a Windows 7 Pro 64-bit system on an HP workstation (Xeon E3-1240, 16 GB RAM) and I am hesitant regarding the real-time security software setup.
I am going from my old desktop (same OS) set up with real-time security software being CIS - Firewall and HIPS only - and ESET NOD32 (AV only).

I will keep NOD32 as AV but keeping HIPS down (I did try it but did not really get good impressions).
On the other hand, I am a bit tired of Comodo as I have found it quite heavy on resources lately and somehow sometimes forgetful (a couple of Firewall exclusions and HIPS popups always popping up and rules not remembered).

As an advanced user, I want to keep visible control at these two levels, network access and execution granularity (not overly paranoid), and so have been looking at alternative setups.
I was considering Private Firewall as it also has a HIPS (tried it once some time ago) but have been reading over here on security concerns for it not being updated any more.

I prefer free software but would consider paid alternatives if proved more capable in terms of efficacy and resource usage (that was the case with ESET NOD32).

Thanks in advance!
 

darko999

Level 17
Verified
Well-known
Oct 2, 2014
805
I use Comodo Firewall with auto-containment ON with @cruelsister settings. Except that I still leave HIPS on with "create rules for safe applications" disabled. This way, for example, if an application bypasses Auto-Containment because the application was considered TRUSTED, then HIPS will give you a second chance to block it. On this preset I have improved system performance "since there is no real-time protection" and it is still rock solid. HIPS is pretty quiet with this setup.
I have to add that I use the Firewall with Custom Ruleset and "create rules for safe applications" disabled, but also "set alert frequency level to very low" like in the screen below.

[screenshot: Ans3Qmi.png]
 

Coool

Level 1
Thread author
May 13, 2017
5
You can look at ZoneAlarm PRO Firewall - Professional Firewall Protection

A free version is also available, but may be limited when it comes to HIPS control.
ZoneAlarm Free Firewall - Personal Computer Firewall Software

I used ZoneAlarm a long way back (some 12-13 years ago?) and I gave it up mostly for some forgetful (like Comodo) and rule-messing tendencies.
Also I think I used it alongside with KAV and later had some problems when I tried with KIS (even with KIS firewall disabled).

Maybe I should try the latest version.

I use Comodo Firewall with auto-containment ON with @cruelsister settings. Except that I still leave HIPS on with "create rules for safe applications" disabled. This way, for example, if an application bypasses Auto-Containment because the application was considered TRUSTED, then HIPS will give you a second chance to block it. On this preset I have improved system performance "since there is no real-time protection" and it is still rock solid. HIPS is pretty quiet with this setup.
I have to add that I use the Firewall with Custom Ruleset and "create rules for safe applications" disabled, but also "set alert frequency level to very low" like in the screen below.

I also use some auto-containment: I am still on version 8, which has only Auto-Sandbox.
I have Firewall and HIPS in Safe mode (not really a fan of Safe mode, but only trying to make it a bit lighter) and alert frequency set to Low.
But its forgetfulness still bothers me.
Do you think these aspects might have improved in the latest version (10, I believe)?
 

darko999

Level 17
Verified
Well-known
Oct 2, 2014
805
I used ZoneAlarm a long way back (some 12-13 years ago?) and I gave it up mostly for some forgetful (like Comodo) and rule-messing tendencies.
Also I think I used it alongside with KAV and later had some problems when I tried with KIS (even with KIS firewall disabled).

Maybe I should try the latest version.



I also use some auto-containment: I am still on version 8, which has only Auto-Sandbox.
I have Firewall and HIPS in Safe mode (not really a fan of Safe mode, but only trying to make it a bit lighter) and alert frequency set to Low.
But its forgetfulness still bothers me.
Do you think these aspects might have improved in the latest version (10, I believe)?

I can tell you it is much quieter than in the past when I used early version 7, I think it was. I run a few games, the Steam client, and a few other applications. The only thing I had to do was to exclude the Steam subfolder which contained all Steam games from the Auto-Sandbox feature. The HIPS popped up like 2 times in total after a few days of use.
For example these are cruelsister containment and auto-containment settings in Comodo 10 :
[screenshot: iXFIR8i.png]

[screenshot: CXSnJFf.png]


I have read some comments about V10 being buggy, and it probably is, but it won't affect all users equally. So far I haven't had any issues; as soon as I find one I'll share it.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I am not a fan of Comodo but I think you will find Comodo 10 to be very good at remembering your rules, and very light on the system. Don't install CIS. Install CFW (no AV component). During installation, pay attention to the tab where you choose components that will be installed, and untick Geekbuddy and Chromodo browser.
If you liked what Comodo HIPS was doing, you will find it hard to replace it with something else.

Just make a system image before you install, because some people have had serious installation problems on Windows 7.
 

Deleted member 178

I am going from my old desktop (same OS) set up with real-time security software being CIS - Firewall and HIPS only - and ESET NOD32 (AV only).
I will keep NOD32 as AV but keeping HIPS down (I did try it but did not really get good impressions).
Not a good idea: despite being disabled, the drivers are still there and may conflict.

On the other hand, I am a bit tired of Comodo as I have found quite heavy on resources lately and somehow sometimes forgetful (a couple of Firewall exclusions and HIPS popups always popping up and rules not remembered).
That is the reason why I and other experienced Comodo users here ditched it.

As an advanced user, I want to keep visible control at these two levels, network access and execution granularity (not overly too paranoid), and so have been looking at alternative setups.
I was considering Private Firewall as it also has a HIPS (tried it once some time ago) but have been reading over here on security concerns for it not being updated any more.
There are only 2 real HIPS FWs left, SpyShelter and Comodo.

I prefer free software but would consider paid alternatives if proved more capable in terms of efficacy and resource usage (that was the case with ESET NOD32).
To me SRP or anti-exe are the best solutions to ensure security without hassle and resource waste.
After all, why care about continually monitoring the system for unknown applications/processes when they can't even run in the first place?
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
CF is fine, but you may want something like SecureAPlus or VoodooShield for execution and a Windows Firewall GUI like Windows Firewall Control or TinyWall for outbound connections instead. Alternatives do exist.
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
You can use auto-sandbox by using cruelsister's settings like enabling Proactive mode and disabling HIPS, or if you want more control but fewer popups, make HIPS monitor only execution of programs, although auto-sandbox should be better. But you can still use the anti-executables from above.
 

Coool

Level 1
Thread author
May 13, 2017
5
Not a good idea, despite being disabled , the drivers are still there and may conflicts.

So, do you mean that as I will keep NOD32 (even with HIPS disabled) I cannot have another HIPS?

There is only 2 real HIPS FW left, Spyshelter and Comodo.

Do you think ZoneAlarm is not worth trying, unlike Spawn suggested?


To me SRP or anti-exe are the best solutions to ensure security without hassle and resource waste.
After all, why care about continually monitoring the system for unknown applications/processes when they can't even run in the first place?

I had a look at the How to make a disallowed-by-default Software Restriction Policy guide for setting up SRP, but I don't think I have the time now to go through the serious setup, and I imagine the Parental Control might not be enough: execution control only, not checking, I imagine (maybe I am wrong), for instance, the hash of allowed executables to prevent malware from using known exec locations or code injection...


You can use auto-sandbox by using cruelsister's settings like enabling Proactive mode and disabling HIPS, or if you want more control but fewer popups, make HIPS monitor only execution of programs, although auto-sandbox should be better. But you can still use the anti-executables from above.

My problem with CFW, besides it getting heavy on resources, is not too many popups but showing the same popups after I told it to remember; that makes me suspicious of its efficacy in other situations (if it is failing to find the previous rules, maybe it will also fail to apply some others?).
 

Deleted member 178

So, do you mean that as I will keep NOD32 (even with HIPS disabled) I cannot have another HIPS?
You can, but it is not recommended, unless you totally uninstall the HIPS (which can be done with ESET if my memory is good).

Do you think ZoneAlarm is not worth trying, unlike Spawn suggested?
I don't like ZoneAlarm personally.

I had a look at the How to make a disallowed-by-default Software Restriction Policy guide for setting up SRP, but I don't think I have the time now to go through the serious setup, and I imagine the Parental Control might not be enough: execution control only, not checking, I imagine (maybe I am wrong), for instance, the hash of allowed executables to prevent malware from using known exec locations or code injection...
SRP must be used if you are comfortable with it or have the time to learn it; it is the more secure method, but it requires a lot of time and understanding.

My problem with CFW, besides it getting heavy on resources, is not too many popups but showing the same popups after I told it to remember; that makes me suspicious of its efficacy in other situations (if it is failing to find the previous rules, maybe it will also fail to apply some others?).
Comodo has many bugs; that is why I can't rely on it 100% like I do with the one I'm using. In the past I used it for years and I had a very strong setup, but wasting 3-4 hours to set it up almost perfectly only to find out that the rules disappeared out of the blue was very irritating, so I ditched it for a simpler and more secure solution.
 
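Coool asked above whether SRP can pin individual allowed programs by hash rather than just by location, and Umbra's answer is that it is the stronger method but takes setup time. As an added example (not code from the thread, from the linked guide, or from any product named here), this script builds a disallowed-by-default Software Restriction Policy by writing the same registry values the Local Security Policy snap-in (secpol.msc) writes: a Disallowed default, path allow rules for the OS and Program Files trees, Disallowed carve-outs for the user-writable folders inside them, script extensions added to the executable-type list, and one SHA-256 hash rule for a program living outside the allowed trees. The log file path and C:\Tools\putty.exe are assumptions chosen for the example; the value names, levels and rule layout are the documented SRP registry format.

```powershell
# Added example: default-deny SRP written straight to the policy registry keys.
# Run from an elevated PowerShell on Windows 7 or later. Without -Enforce the
# default level stays Unrestricted and only the decision log is produced, so the
# allow rules can be checked before anything is actually blocked.
param([switch]$Enforce)

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x00000   # SRP security levels; the per-level subkeys are named
$Unrestricted = 0x40000   # by the decimal value (0 and 262144)

function New-SaferRuleKey {
    param([int]$Level, [ValidateSet('Paths','Hashes')][string]$Kind)
    $key = Join-Path $Safer ('{0}\{1}\{{{2}}}' -f $Level, $Kind, [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $key
}

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    $key = New-SaferRuleKey -Level $Level -Kind Paths
    New-ItemProperty -Path $key -Name ItemData    -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -PropertyType String -Value $Description -Force | Out-Null
}

function Add-SaferHashRule {
    param([int]$Level, [string]$File, [string]$Description)
    # SHA-256 over the file contents. HashAlg 0x800C is CALG_SHA_256, the algorithm the
    # Vista-and-later snap-in records (the XP-era format was a 16-byte MD5, HashAlg 0x8003).
    $bytes = [IO.File]::ReadAllBytes($File)
    $hash  = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    $key   = New-SaferRuleKey -Level $Level -Kind Hashes
    New-ItemProperty -Path $key -Name ItemData     -PropertyType Binary -Value $hash -Force | Out-Null
    New-ItemProperty -Path $key -Name HashAlg      -PropertyType DWord  -Value 0x800C -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemSize     -PropertyType QWord  -Value $bytes.Length -Force | Out-Null
    New-ItemProperty -Path $key -Name FriendlyName -PropertyType String -Value (Split-Path $File -Leaf) -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description -Force | Out-Null
}

# 1. Global settings. PolicyScope 0 applies the policy to local administrators as well
#    (1 exempts them, which is where many SRP setups quietly lose their value).
#    TransparentEnabled 1 checks executables but not DLLs; 2 checks DLLs too and is the
#    stricter, heavier choice. LogFileName enables the per-decision log (path assumed).
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel -Type DWord -Value $(if ($Enforce) { $Disallowed } else { $Unrestricted })
Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord  -Value 0
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord  -Value 1
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord  -Value 0
Set-ItemProperty -Path $Safer -Name LogFileName         -Type String -Value 'C:\ProgramData\srp.log'

# 2. File types treated as executable. The stock list the snap-in writes omits the
#    script hosts, so without these a "default-deny" policy still runs .ps1/.js/.vbs.
$stock = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
         'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
         'URL','VB','WSC'
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString `
    -Value ($stock + 'PS1','PS1XML','PSM1','JS','JSE','VBS','VBE','WSF','WSH' | Sort-Object -Unique)

# 3. Allow rules for the OS and both Program Files trees, in the registry-path form the
#    snap-in's own default rules use, so a relocated ProgramFilesDir is still honoured.
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'         'Windows'
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'       'Program Files'
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' 'Program Files (x86)'

# 4. Carve-outs: user-writable folders inside the allowed Windows tree. The more specific
#    path rule wins, so these stay Disallowed even though their parent is Unrestricted.
Add-SaferPathRule $Disallowed '%SystemRoot%\Temp'  'user-writable, keep Disallowed'
Add-SaferPathRule $Disallowed '%SystemRoot%\Tasks' 'user-writable, keep Disallowed'

# 5. A program kept outside the allowed trees, pinned by hash rather than by path, so a
#    file dropped next to it or a replaced binary does not inherit the exemption.
#    C:\Tools\putty.exe is a hypothetical path for the example.
Add-SaferHashRule $Unrestricted 'C:\Tools\putty.exe' 'hypothetical tool outside Program Files'
```

Run it once without -Enforce, use the machine normally for a while, then read C:\ProgramData\srp.log: every launch is recorded with the rule that matched, and anything attributed to the default rule is what would be blocked once enforced. When the allow list is right, switch on enforcement with `Set-ItemProperty -Path $Safer -Name DefaultLevel -Type DWord -Value 0` rather than rerunning the whole script, because each run creates rule keys under fresh GUIDs and would duplicate the rules. The policy is read at process start, so log off (or reboot) to be sure every session sees the new level, and keep a system image before enforcing, since a typo in the SystemRoot allow rule locks out everything including the tools needed to undo it.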

EASTER

Level 4
Verified
Well-known
May 9, 2017
145
Comodo has many bugs; that is why I can't rely on it 100% like I do with the one I'm using. In the past I used it for years and I had a very strong setup, but wasting 3-4 hours to set it up almost perfectly only to find out that the rules disappeared out of the blue was very irritating, so I ditched it for a simpler and more secure solution.

Hi Umbra. Please elaborate on that, because it is, like you say, a wasted effort if the rules which I spent countless sessions setting in place decide to vanish as you suggested.

When saving the PROACTIVE configuration to a file, doesn't IMPORTING return those at all?

Also, is there any way at all possible to also EXPORT the FILE LIST itself and later return it again completely as you saved it? If there even is such a thing?

I haven't found it yet. Or does the CONFIGURATION FILE when exported contain ALL SETTINGS including the FILE LIST?

Thanks for your answers and results in advance.
 

Deleted member 178

Hi umbra. Please elaborate on that because it is like you say a wasted effort if the rules which spent countless sessions setting in place decide to vanish as you suggested.
It is what has happened to users for more than 10 years... ask @Lockdown, he suffered the same...

When Saving The PROACTIVE to a saved file doesn't IMPORTING return those at all?
It does, of course, but the point is how can you know they have disappeared...


Also is there anyway at all possible to also EXPORT the FILE LIST itself and later return it again completely as you saved it? If there even is such a thing?
Just export/import the settings, but as I said above, the problem is that there is no notice that the rules created have disappeared... I could figure it out because my Comodo's behavior wasn't normal: it let run something I specifically blocked, or blocked something I allowed to run unrestricted.

I haven't found it yet. Or does the CONFIGURATION FILE when exported contain ALL SETTINGS including the FILE LIST?
All is exported normally.

You can test it: export, delete the file list yourself and import it.
 

509322

There were multiple open bug reports pertaining to "disappearing rules" on the COMODO forum. I don't know if they are all still there or not. I do know that about a year ago one of the forum moderators changed it from open to closed and then back to open again. In other words, the bug was not fixed at that time. I do not know the status of that particular bug report at this point in time.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Regardless of this particular bug, I agree with @Umbra's earlier comment: "To me SRP or anti-exe are the best solutions to ensure security without hassle and resource waste.
After all, why care about continually monitoring the system for unknown applications/processes when they can't even run in the first place?"
 

509322

Regardless of this particular bug, I agree with @Umbra's earlier comment: "To me SRP or anti-exe are the best solutions to ensure security without hassle and resource waste.
After all, why care about continually monitoring the system for unknown applications/processes when they can't even run in the first place?"

@Umbra is talking about AppGuard and ReHIPS. The same can be achieved in COMODO; just set the HIPS and/or sandbox to "Block" Unrecognized files. If it blocks something that is safe/needed, just un-block it. Simple concept that applies to almost any SRP and anti-executable.
 
