- Sep 22, 2014
- 1,767
Here one interesting video by Britec09.
Block Downloads of a Specific File Type in Windows (with Comodo)
Block Downloads of a Specific File Type in Windows (with Comodo)
How is Your Experience with Comodo CIS/FW v10 so far?
- Thread starter AtlBo
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Status
- Dec 29, 2014
- 1,711
Thanks shmu26. Got it all worked out and back to the previous settings
. I used the list in the post to set everything back to previous settings.I may do this is if I have some time tonight. With CFW, seems I am slowly learning to wait longer and longer before inquiring about features or commenting. The actual protection scheme that the settings generate is giving me more and more pause to think I guess.
- Jul 3, 2015
- 8,153
Glad to hear you are all sorted out.Thanks shmu26. Got it all worked out and back to the previous settings
NVT ERP already gives you cmd.exe protection, so you don't really need this tweak.
- Dec 29, 2014
- 1,711
True @shmu26. Still somewhat concerned about the fact that tricks can bypass command line protection. @Andy Ful 's thread here is the one that started me looking at this:
How-to Guide - How do you secure PowerShell?
Really good information. At some point, I hope it becomes common knowledge how to protect against script elements of malicious programs. I feel like I have to dive into the Marianas trench for settings to get what I feel is good-normal protection from what are otherwise really good security programs. Maybe development will focus on this area in the future. Anyway, NVT ERP with its hashing has this covered fairly well I guess.
@Umbra-
1. Proactive
2. Safe Mode-I think everything is default. Enhanced Protection mode is on whatever that is. Sounds great though
.
- Jul 3, 2015
- 8,153
Good point.
Andy tested Comodo protection for powershell, and found it to be good.
He found a hole in Voodooshield, and the dev already patched it.
But NVT ERP could probably use some improvement in that area.
- Dec 23, 2014
- 8,177
I did not check anything, because I tried updating CF from version 8 to 10, on my dad's computer with Windows XP + SP3. The version 8 worked very well, but after update the system hanged. Thankfully, I could boot in the safe mode, and run autoruns. I had to uncheck all Comodo entries (services and drivers) to make the system bootable. So, I restored the CF 8, and it is OK.
- Dec 29, 2014
- 1,711
I saw that. Glad to hear that is the case.
Very nice to hear. That's a juicy improvement to have the credit for I must say
. Dan must be happy about learning of such.
- Jul 3, 2015
- 8,153
Yeah, a lot of people had trouble updating to the newest Comodo build on Windows XP, and also on Win7. But it went smooth for most, on Win10.I did not check anything, because I tried updating CF from version 8 to 10, on my dad's computer with Windows XP + SP3. The version 8 worked very well, but after update the system hanged. Thankfully, I could boot in the safe mode, and run autoruns. I had to uncheck all Comodo entries (services and drivers) to make the system bootable. So, I restored the CF 8, and it is OK.
Sorry for misquoting you! I guess I misunderstood your post:
How-to Guide - How do you secure PowerShell?
"Summing up the PowerShell security in Comodo Firewall, we have:
- Comodo Sandbox with @cruelsister settings, when keeping powershell.exe and powershell_ise.exe as Unrecognized.
- "Heuristic Command Line Analysis" and "Embedded Code Detection", integrated under one interface as "Do Heurristic Command Line Analysis".
folder, and finally throws into the sandbox. This fucntion + heuristics has to be quite efficient in script blocking. People on Comodo forum complain, that their scripts (Visual Studio project assemblies) are autosandboxed, when "Do Heurristic Command Line Analysis" is activated. If one wants to run embedded scripts, he can activate the HIPS, and give the script hosting executable, the Installer/Updater policy.
So, for home users, CF offers very good PowerShell security."
- Jul 3, 2015
- 8,153
Okay, after rereading @Andy Ful's interesting post, I realized that he was just giving a general overview of the features, rather than reporting on his own testing.
- Apr 13, 2013
- 3,151
Although CF will always allow things like Windows Script Host (wscript.exe), Powershell, mshta.exe, cmd.exe to run but in the sandbox. And please note that something has to call these things up, and if it is malware they also will be running in the container. So whatever they are acting on (cmd.exe trying to delete a file, or powershell running a script to screw with your files) will also be contained and thus helpless to make any changes in your actual system. There is really no need to mess around disabling things in Windows that may be needed for the installation of legitimate stuff.
Also, although the HIPS module will be of use with the sandbox at default (or, God Forbid, if it is shut off like in Britec's videos), it really has nothing to react to when running malware. And playing around with it may just end in frustration.
The important thing with CF is to realize the best settings are not Rocket Science; trying to make it so will just end in tears.
Also, although the HIPS module will be of use with the sandbox at default (or, God Forbid, if it is shut off like in Britec's videos), it really has nothing to react to when running malware. And playing around with it may just end in frustration.
The important thing with CF is to realize the best settings are not Rocket Science; trying to make it so will just end in tears.
- Dec 29, 2014
- 1,711
I agree almost 100% with you cruelsister, and you are very knowledgable on CF. A few things I like:
1. Firewall settings "Create rules for safe (wrong word Comodo) applications" checked. I want this, because I want absolute control of the internet in and out on a PC.
2. HIPs Safe Mode. Sorry to say, I trace this issue partly to the fact that I am not comfortable with Comodo's Trusted Vendors List (I can fix this thanks to your vid
) and also partly to the fact that I feel that the system for unblocking is clumsy and seems unreliable. Unblocking is all or nothing, and it's not clear how this affects other settings. I hate this element of CF I have to admit. Still, with Comodo, unblocking could potentially be kept as trusting (I guess this must be the case) while only a single protection is unblocked and the dialog hence made meaningful. However, this would require some work I admit. All the facilities exist already to create rules for trusted ("safe" ) applications, so Comodo could just make use of those existing facilities with access from the unblock folder, one for each type of protection. Also would need a pop up asking if user would like to enable "Create rules for safe (let's go with "Trusted" here instead) applications" in case that is not already active or at least a notification that "Create rules for safe..." has been activated if this would be a requirement.General bugginess isn't going to beat me out of CF 10 I don't think like it did with 8.x. CF is too good and maybe way to good for me to consider changing at this point. However, I don't see anything when I open the connections dialog (no connection info) and also the sandboxed app window shows no processes, even when there are processes in the sandbox. Tried the repair, but it found no errors. I may try to reinstall, which will be a chance to see if saved settings can be reimported successfully. In early 10 TVL changes were not imported for me for some reason.
Your settings are awesome, but digging around does yield some juicy insights with Comodo. Not recommended for those who don't make a spare life for themselves to find time however. For others, go with cruelsister and enjoy the security. BUT remember not to allow those pesky apps in the sandbox out...NO mistakes please...
- Apr 9, 2017
- 186
- Dec 29, 2014
- 1,711
Yes. As you go through the installation, first uncheck Yahoo! if you don't want the homepage change, then either the next dialog or the one after that has a tab at the top. Click on the tab to uncheck both and get just the firewall. It's 122 MB by itself. The tab is hard to see and sort of hidden but it's there on one of the install dialogs.
- Aug 19, 2016
- 200
I use both CIS & CFW with Cruelsister's setting on different machine. Comodo is super light and it makes me dare to do something crazy like testing malware on my real system and so far my machines are virgin
- Jul 3, 2015
- 8,153
Hi @cruelsister, no question about it, your settings are the quickest way to security nirvana.
But could you please explain in more detail the point quoted above?
Also, please explain how Comodo at your recommended settings would prevent a fileless attack that exploits a vulnerable app, and tries to call powershell, or cmd.exe, in order to do one of these nasty things:
1 download a malicious exe file that will run at startup, before Comodo protection kicks in
2 register a rogue driver or dll
3 disable AV and Comodo after next reboot
4 generally mess with the registry
Last edited:
- Apr 13, 2013
- 3,151
The more I think about it, the more I hate the term "Fileless Attack" as it is so misleading. When seeing that term one can reasonably infer that something just appears and will make changes to the local system without anything actually being run- and this is far, far from the case! In actuality a fileless attack will be something like going to a compromised webpage, running a Flash app (like through maladvertising) which will then run a PowerShell script locally on your system, which will them compromise you in various ways. CF will sandbox this process so no local changes will ever be seen. A file (malware) that tries to exploit something in another process can't actually do bery much if that process is not available to it.
About Boot time protection- Comodo has none at all! But it does not really matter as something has to get on the system first in order to mess with things at boot. A few years ago I coded a Timing trojan and did a few videos about it. Although it was undetected and got past all AV's tried (some had boot protection, some did not, some added such protection after the video), Comodo never allowed it to autostart, so Boot Time protection didn't even come into play.
But one thing I can assure you of- if CF could be compromised in ways like this I would never ever use it myself. I can be nasty beyond belief yet I am satisfied with CF.
About Boot time protection- Comodo has none at all! But it does not really matter as something has to get on the system first in order to mess with things at boot. A few years ago I coded a Timing trojan and did a few videos about it. Although it was undetected and got past all AV's tried (some had boot protection, some did not, some added such protection after the video), Comodo never allowed it to autostart, so Boot Time protection didn't even come into play.
But one thing I can assure you of- if CF could be compromised in ways like this I would never ever use it myself. I can be nasty beyond belief yet I am satisfied with CF.
- Nov 17, 2016
- 1,242
What would you use if it wasn't capable of this? What's in the market?
- Jul 3, 2015
- 8,153
Yes indeed, Comodo 10 with its awesome embedded code detection will stop straightforward exploits using powershell that actually execute the file the regular way. But what about attacks that use powershell in memory, and what about attacks that use cmd.exe? (By default, Comodo 10 disables embedded code detection for cmd.exe, because it cripples too many apps.)
- Status
Similar threads
