Harden Comodo Firewall

Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Want to harden Comodo Firewall, particularly the Trusted Vendors list and then maybe go to Paranoid. If I go to Paranoid, does the sandbox alert kick in for all not signed by a Trusted Vendor, same as with Proactive? This would be acceptable to me. I'm not getting pop-ups as it is, since I'm not installing a ton of software. However, if I trim the Trusted Vendors list, I would feel better about the sandboxing, and I can still get more prompts that way. I prefer being reminded security is doing its job at least once in a while, so I could be satisfied with 2x or even 3x the number of pop-ups I am seeing (maybe 3 a day), even more for superior coverage. There are so many Trusted Vendors, I am concerned that someone could forge a certificate somehow or steal one or in some way get by the list.

Current basic settings
1. Proactive
2. Firewall-Enabled (I have filter loopback traffic checked. Don't remember if that's default)/Enable Trustconnect alerts (Unsecured Only)/Create rules for safe applications unchecked/all else unchecked
3. HIPS-Enabled (Safe Mode)/Monitoring Settings (Device Driver Installations/Process Execution/Protected Files and Folders/Protected Registry Keys/Computer Monitor/Keyboard (should I have more enabled here?). Added connected drives and Documents folders to "Protected Objects"
4. Sandbox-Do not virtualize access to the specified files and folders (checked/default locations-Shared Spaces and C:\Program Files\Shared Spaces)/Do not virtualize...the specified registry keys and values (unchecked)/Advanced-only Do NOT show privilege elevation alerts unchecked/Virtual Desktop password (unchecked)
5. File Rating-All checked but Do NOT show popup alerts. Trust files installed by trusted installers is good? All else defaults

Any simple way to edit the Trusted Vendors list? Does Paranoid ignore signatures/Trusted? This is my problem with Comodo. I know the list is too large, and most of them are irrelevant to me anyway. I would like a simple, much smaller Trust list, but I want to stick with developers that are well known for their clean practices and devotion to securing their product. I feel like all programs and program files should have protection mechanisms or be protected specifically via a security program. I think HIPS can monitor this.

I sense that I could end up with possibly the most hardened possible setup for Proactive, but I am interested in learning Paranoid. Is using HIPS via Protected Files and Protected Folders (or some other way) capable of monitoring for changes to .dll/.sys? Don't know if this is even practical/necessary/important.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hi there, you are really digging into the settings!
My brain just goes blank when so many hard questions are fired at it all at once. Slow down, focus on one main point at a time, and maybe feeble minds like mine will be able to keep up...
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,142
Want to harden Comodo Firewall, particularly the Trusted Vendors list and then maybe go to Paranoid. If I go to Paranoid, does the sandbox alert kick in for all not signed by a Trusted Vendor, same as with Proactive? This would be acceptable to me. I'm not getting pop-ups as it is, since I'm not installing a ton of software. However, if I trim the Trusted Vendors list, I would feel better about the sandboxing, and I can still get more prompts that way. I prefer being reminded security is doing its job at least once in a while, so I could be satisfied with 2x or even 3x the number of pop-ups I am seeing (maybe 3 a day), even more for superior coverage. There are so many Trusted Vendors, I am concerned that someone could forge a certificate somehow or steal one or in some way get by the list.

Current basic settings
1. Proactive
2. Firewall-Enabled (I have filter loopback traffic checked. Don't remember if that's default)/Enable Trustconnect alerts (Unsecured Only)/Create rules for safe applications unchecked/all else unchecked
3. HIPS-Enabled (Safe Mode)/Monitoring Settings (Device Driver Installations/Process Execution/Protected Files and Folders/Protected Registry Keys/Computer Monitor/Keyboard (should I have more enabled here?). Added connected drives and Documents folders to "Protected Objects"
4. Sandbox-Do not virtualize access to the specified files and folders (checked/default locations-Shared Spaces and C:\Program Files\Shared Spaces)/Do not virtualize...the specified registry keys and values (unchecked)/Advanced-only Do NOT show privilege elevation alerts unchecked/Virtual Desktop password (unchecked)
5. File Rating-All checked but Do NOT show popup alerts. Trust files installed by trusted installers is good? All else defaults

Any simple way to edit the Trusted Vendors list? Does Paranoid ignore signatures/Trusted? This is my problem with Comodo. I know the list is too large, and most of them are irrelevant to me anyway. I would like a simple, much smaller Trust list, but I want to stick with developers that are well known for their clean practices and devotion to securing their product. I feel like all programs and program files should have protection mechanisms or be protected specifically via a security program. I think HIPS can monitor this.

I sense that I could end up with possibly the most hardened possible setup for Proactive, but I am interested in learning Paranoid. Is using HIPS via Protected Files and Protected Folders (or some other way) capable of monitoring for changes to .dll/.sys? Don't know if this is even practical/necessary/important.

Are you using Comodo CIS to set the Proactive Security because if using CFW alone you can only have the Firewall Security?
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Mine too shmu :). Got busy, but I was going to post before that I learned the hard way what happens when the Trusted Vendors list gets deleted. If anyone has ever searched out an answer, CF alerts for everything :eek:. I had exported the settings before deleting the TVL, but the TVL didn't reset when I imported them. Think I tried 3 or 4 times. Tried a repair and then a reinstall of CF; neither brought back the list. Pop-ups didn't have the option to add the vendor, I noticed, so I added about 20 manually.

I don't recommend doing this at this point, but I think I might like it better, not sure. The settings in post #1 are good with only the 6 HIPS detections added in, and I like that the sandbox will be default much more often now that the TVL is trimmed so far back. Don't see a way to easily edit the list, but I'm less intimidated by it now than before. Good idea to leave everything Microsoft at least. :D

Are you using Comodo CIS to set the Proactive Security because if using CFW alone you can only have the Firewall Security only

Thanks HarborFront. Using CFW. It's been auto-sandboxing, and I am getting the HIPS alerts somehow. Am I missing something about the firewall?
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,142
Mine too shmu :). Got busy, but I was going to post before that I learned the hard way what happens when the Trusted Vendors list gets deleted. If anyone has ever searched out an answer, CF alerts for everything :eek:. I had exported the settings before deleting the TVL, but the TVL didn't reset when I imported them. Think I tried 3 or 4 times. Tried a repair and then a reinstall of CF; neither brought back the list. Pop-ups didn't have the option to add the vendor, I noticed, so I added about 20 manually.

I don't recommend doing this at this point, but I think I might like it better, not sure. The settings in post #1 are good with only the 6 HIPS detections added in, and I like that the sandbox will be default much more often now that the TVL is trimmed so far back. Don't see a way to easily edit the list, but I'm less intimidated by it now than before. Good idea to leave everything Microsoft at least. :D



Thanks HarborFront. Using CFW. It's been auto-sandboxing, and I am getting the HIPS alerts somehow. Am I missing something about the firewall?
If you go to --> Advanced View --> Blocked Applications you should be seeing your HIPS, Sandbox and Firewall in action. For me I can see the three blocking something
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
1. CFW allows you to switch to Proactive, although it is not enabled by default.

2. If you want to clean up the TVL, temporarily disable HIPS and autosandbox, select all, delete all.
Then add back the various Microsoft certs by checking the running processes, and you will eventually find all the various names that Microsoft uses. Start up Word, so you can get that name, too.

While you are at it, you use the same method to add back your important drivers, plus Google, Mozilla, or whatever else you need to live. Other stuff can be added on the fly, when you get a prompt.

Now you can re-enable HIPS and autosandbox.

But you must also disable cloud lookup, or else COMODO will allow things that you didn't.
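The manual step above (look at running processes and drivers to recover the vendor names that must go back on a trimmed Trusted Vendors list) and the thread starter's earlier question about watching .dll/.sys files for changes can both be scripted from the signing certificates themselves. The following is an added example, not code from the thread or from Comodo. It assumes Windows PowerShell 5.1 or later in an elevated prompt (so driver files and other users' process images are readable), and it assumes that the CN of the signing certificate's subject is the vendor name you match against the Trusted Vendors list.

```powershell
# Added example (not from the thread or from Comodo): report which code-signing
# vendors are behind every running process image and loaded kernel driver, and
# flag images that are unsigned or whose signature no longer matches the file.
# Assumes Windows PowerShell 5.1+ and an elevated prompt.

function Get-LoadedImagePath {
    # Running process images; processes whose Path is not readable are skipped.
    $procs = Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path
    # Kernel drivers. Win32_SystemDriver.PathName may carry an NT "\??\" prefix
    # or a "\SystemRoot\" prefix; normalise both to a Win32 path.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        }
    @($procs) + @($drivers) | Sort-Object -Unique
}

function Get-SignerCN {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return '(unsigned)' }
    # The CN of the subject DN is the vendor name you compare against the
    # Trusted Vendors list (assumption: Comodo keys the list by this name).
    if ($Cert.Subject -match 'CN=([^,]+)') { return $Matches[1].Trim() }
    return $Cert.Subject
}

function Get-SignerReport {
    param([string[]]$Path = (Get-LoadedImagePath))
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Covers embedded Authenticode and catalog signatures; most Windows OS
        # binaries are catalog-signed (SignatureType = Catalog).
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path          = $p
            Status        = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            SignatureType = $sig.SignatureType
            Vendor        = Get-SignerCN $sig.SignerCertificate
            IsOSBinary    = $sig.IsOSBinary
        }
    }
}

$report = Get-SignerReport

# 1. Vendor names to put back on a trimmed list, with how many images each covers.
$report | Where-Object Status -eq 'Valid' |
    Group-Object Vendor | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. What a trimmed list would not cover: unsigned images, untrusted chains, and
#    files whose bytes no longer match their signature (HashMismatch is the one
#    to investigate first, since it means a .dll/.sys/.exe was altered after signing).
$report | Where-Object Status -ne 'Valid' |
    Sort-Object Status, Path | Format-Table Status, SignatureType, Path -AutoSize
```

Run it once on a clean machine and keep the first table; it is the shortlist of names (several for Microsoft alone, as noted above) that a trimmed TVL needs. Re-running it later and diffing the second table is a cheap way to notice an unsigned or altered driver without relying on a HIPS prompt.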
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
If you go to --> Advanced View --> Blocked Applications you should be seeing your HIPS, Sandbox and Firewall in action. For me I can see the three blocking something

Yes, I see all three there. I forgot that view was even there.

But you must also disable cloud lookup, or else COMODO will allow things that you didn't.

I didn't do this. Should I do it now or too late :confused:?
 

Andytay70

Level 15
Verified
Top Poster
Well-known
Jul 6, 2015
737
Regarding the "Trusted Vendors" list I did a clean install, then installed comodo firewall then deleted all but Microsoft from the "trusted Vendors" list.
I then rebooted and installed all my software.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Yes, I see all three there. I forgot that view was even there.



I didn't do this. Should I do it now or too late :confused:?
Not too late. It doesn't affect your cleanup job; it just prevents COMODO from allowing things that are not on your list by supplementing your list with their cloud list.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,142
1. CFW allows you to switch to Proactive, although it is not enabled by default.

2. If you want to clean up the TVL, temporarily disable HIPS and autosandbox, select all, delete all.
Then add back the various Microsoft certs by checking the running processes, and you will eventually find all the various names that Microsoft uses. Start up Word, so you can get that name, too.

While you are at it, you use the same method to add back your important drivers, plus Google, Mozilla, or whatever else you need to live. Other stuff can be added on the fly, when you get a prompt.

Now you can re-enable HIPS and autosandbox.

But you must also disable cloud lookup, or else COMODO will allow things that you didn't.
I like it, but it's too troublesome... so I just leave it as default; that will do.
 

Terry Ganzi

Level 26
Verified
Top Poster
Well-known
Feb 7, 2014
1,540
If you disable HIPS & sandbox, delete the TVL, then run a scan with Comodo file rating, all trusted apps on your PC will automatically be reinstalled in the TVL. It is that easy; you will not have to go into manual stuff.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Not too late. It doesn't affect your cleanup job; it just prevents COMODO from allowing things that are not on your list by supplementing your list with their cloud list.

OK, but I think I should leave it on and let the list grow. I didn't really care for it to be empty or small (100 or something OK maybe). However, Comodo's input on unknowns seems worth the price of a growing TVL :).

I still don't comprehend the implications of Comodo's choices in its list of executables (File Groups/HIPS Protected Files & Folders). I don't see anything java (.js) or vb or .ps1.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
OK, but I think I should leave it on and let the list grow. I didn't really care for it to be empty or small (100 or something OK maybe). However, Comodo's input on unknowns seems worth the price of a growing TVL :).

I still don't comprehend the implications of Comodo's choices in its list of executables (File Groups/HIPS Protected Files & Folders). I don't see anything java (.js) or vb or .ps1.
The cloud will not make your local list grow. It will just invisibly complement your local list, meaning that if the file is either on your local list or on the cloud list, it will be allowed.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
I like it, but it's too troublesome... so I just leave it as default; that will do.

HarborFront this is such a great comment, and you o_O will soon say "well, you know it's OK and even good enough (such a great program), but what will it hurt to look at the settings again honestly?? Just one more time that is all." Then you will open the settings and you will realize :). In Comodo's settings is all the power in the world :eek:, and you must play, play, play! Must have the P-O-W-E-R! :eek:o_O

Not too late. It doesn't affect your cleanup job; it just prevents COMODO from allowing things that are not on your list by supplementing your list with their cloud list.

Well, if Comodo changes things to trusted a lot, I wouldn't like that much now that I think about it. I was envisioning the Cloud lookup as "here is unknown executable" oh "it's malicious"->alert user now.

I think I did notice that Comodo can augment the list. Nothing big, but I added TVs from PortableApps. It was nice and required only one TV entry from the PortableApps app (Rare Ideas). Then I noticed that for each app, Comodo added to the list the vendor of the actual program...:cool: That's cool.

Guess I'm a little more concerned with what will happen if I turn off Cloud lookup for now than if I just leave it on. All the better if the list doesn't grow I guess.
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Keeping the Comodo configuration at the Firewall security level should only be considered if you will also have the HIPS active. The Proactive mode will increase the baseline protection level (especially by enhanced monitoring of COM interfaces).

As a rule of thumb: Firewall Security Config + HIPS = Proactive Security.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,142
Keeping the Comodo configuration at the Firewall security level should only be considered if you will also have the HIPS active. The Proactive mode will increase the baseline protection level (especially by enhanced monitoring of COM interfaces).

As a rule of thumb: Firewall Security Config + HIPS = Proactive Security.
I already have that in place. Thanks
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
If you disable HIPS & sandbox, delete the TVL, then run a scan with Comodo file rating, all trusted apps on your PC will automatically be reinstalled in the TVL. It is that easy; you will not have to go into manual stuff.

Assume you mean Tasks->General Tasks->Scan computer for viruses and spyware :). Only scan I could find in CFW. Gonna roll with the short list myself for awhile and see how it goes. I kind of like it so far.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Keeping the Comodo configuration at the Firewall security level should only be considered if you will also have the HIPS active. The Proactive mode will increase the baseline protection level (especially by enhanced monitoring of COM interfaces).

As a rule of thumb: Firewall Security Config + HIPS = Proactive Security.
Autosandbox in the COMODO 10 firewall config has a rule that covers any file on your system that is less than 3 days old. So assuming you are starting with a clean machine, what's missing in the protection?
 