Advice Request How is Your Experience with Comodo CIS/FW v10 so far?


How is Your Experience with Comodo CIS/FW v10 so far?

  • Excellent: 34 votes (44.7%)
  • Good but I was hoping for better: 15 votes (19.7%)
  • Average. Program has strengths and weaknesses: 10 votes (13.2%)
  • Poor. Program is buggy or too resource intensive or is poorly designed and hard to use: 9 votes (11.8%)
  • Awful. Nothing good about this program: 2 votes (2.6%)
  • Haven't tried the program in v10 (post comment may contain why): 4 votes (5.3%)
  • Tried the program briefly or tested but gained no impression (post to add any comments): 1 vote (1.3%)
  • Other (please comment): 1 vote (1.3%)
  • Total voters: 76
Status
Not open for further replies.

AtlBo

@AtlBo, you went pretty deep into Comodo HIPS. If you can't find your way out of the woods, you could try posting on the Comodo forum. The guys over there know the product pretty well.
I must admit that you are dealing with certain settings that I don't rightly understand.

Thanks shmu26. Got it all worked out and back to the previous settings :). I used the list in the post to set everything back to previous settings.

@AtlBo, you went pretty deep into Comodo HIPS. If you can't find your way out of the woods, you could try posting on the Comodo forum. The guys over there know the product pretty well.

I may do this if I have some time tonight. With CFW, it seems I am slowly learning to wait longer and longer before inquiring about features or commenting. The actual protection scheme that the settings generate is giving me more and more pause to think, I guess.
 

Deleted member 178

Thanks. Did this:

1. Sandbox set to "ignore" for both cmd.exes
2. Set them both to "Unrecognized" in files list
3. Made sure webshield.exe (Chrome extension) was "Unrecognized" in files list
4. Set all HIPs rules to ask for both cmd.exes
5. Turned off embedded detection for cmd.exe in Advanced->Misc
6. In HIPs set webshield.exe to ask (was allowed) for all HIPs protections

What security Mode ?
What HIPS settings?
 

AtlBo

Glad to hear you are all sorted out.
NVT ERP already gives you cmd.exe protection, so you don't really need this tweak.

True @shmu26. Still somewhat concerned about the fact that tricks can bypass command line protection. @Andy Ful's thread here is the one that started me looking at this:

How-to Guide - How do you secure PowerShell?

Really good information. At some point, I hope it becomes common knowledge how to protect against script elements of malicious programs. I feel like I have to dive into the Marianas trench for settings to get what I feel is good-normal protection from what are otherwise really good security programs. Maybe development will focus on this area in the future. Anyway, NVT ERP with its hashing has this covered fairly well I guess.

What security Mode ?
What HIPS settings?

@Umbra:
1. Proactive
2. Safe Mode. I think everything is default. Enhanced Protection mode is on, whatever that is. Sounds great though :).
 

shmu26

True @shmu26. Still somewhat concerned about the fact that tricks can bypass command line protection. @Andy Ful's thread here is the one that started me looking at this:

How-to Guide - How do you secure PowerShell?
Good point.
Andy tested Comodo protection for powershell, and found it to be good.
He found a hole in Voodooshield, and the dev already patched it.
But NVT ERP could probably use some improvement in that area.
 

Andy Ful

I did not check anything, because I tried updating CF from version 8 to 10 on my dad's computer with Windows XP + SP3. Version 8 worked very well, but after the update the system hung. Thankfully, I could boot in safe mode and run autoruns. I had to uncheck all Comodo entries (services and drivers) to make the system bootable. So, I restored CF 8, and it is OK. :)
 

AtlBo

Andy tested Comodo protection for powershell, and found it to be good.

I saw that. Glad to hear that is the case.

He found a hole in Voodooshield, and the dev already patched it.

Very nice to hear. That's a juicy improvement to have the credit for, I must say :). Dan must be happy about learning of such.
 

shmu26

I did not check anything, because I tried updating CF from version 8 to 10 on my dad's computer with Windows XP + SP3. Version 8 worked very well, but after the update the system hung. Thankfully, I could boot in safe mode and run autoruns. I had to uncheck all Comodo entries (services and drivers) to make the system bootable. So, I restored CF 8, and it is OK. :)
Yeah, a lot of people had trouble updating to the newest Comodo build on Windows XP, and also on Win7. But it went smoothly for most on Win10.

Sorry for misquoting you! I guess I misunderstood your post:
How-to Guide - How do you secure PowerShell?

"Summing up the PowerShell security in Comodo Firewall, we have:
  1. Comodo Sandbox with @cruelsister settings, when keeping powershell.exe and powershell_ise.exe as Unrecognized.
  2. "Heuristic Command Line Analysis" and "Embedded Code Detection", integrated under one interface as "Do Heuristic Command Line Analysis".
The 'Embedded Code Detection' catches fileless scripts, converts them into files in the C:\ProgramData\Comodo\Cis\tempscrpt folder, and finally throws them into the sandbox. This function + heuristics has to be quite efficient in script blocking. People on the Comodo forum complain that their scripts (Visual Studio project assemblies) are autosandboxed when "Do Heuristic Command Line Analysis" is activated. If one wants to run embedded scripts, he can activate the HIPS and give the script-hosting executable the Installer/Updater policy.

So, for home users, CF offers very good PowerShell security."
 

shmu26

Yeah, a lot of people had trouble updating to the newest Comodo build on Windows XP, and also on Windows 7. But it went smoothly for most on Windows 10.

Sorry for misquoting you! I guess I misunderstood your post:
How-to Guide - How do you secure PowerShell?

"Summing up the PowerShell security in Comodo Firewall, we have:
  1. Comodo Sandbox with @cruelsister settings, when keeping powershell.exe and powershell_ise.exe as Unrecognized.
  2. "Heuristic Command Line Analysis" and "Embedded Code Detection", integrated under one interface as "Do Heuristic Command Line Analysis".
The 'Embedded Code Detection' catches fileless scripts, converts them into files in the C:\ProgramData\Comodo\Cis\tempscrpt folder, and finally throws them into the sandbox. This function + heuristics has to be quite efficient in script blocking. People on the Comodo forum complain that their scripts (Visual Studio project assemblies) are autosandboxed when "Do Heuristic Command Line Analysis" is activated. If one wants to run embedded scripts, he can activate the HIPS and give the script-hosting executable the Installer/Updater policy.

So, for home users, CF offers very good PowerShell security."
Okay, after rereading @Andy Ful's interesting post, I realized that he was just giving a general overview of the features, rather than reporting on his own testing.
 

cruelsister

CF will always allow things like Windows Script Host (wscript.exe), PowerShell, mshta.exe and cmd.exe to run, but in the sandbox. And please note that something has to call these things up, and if it is malware they also will be running in the container. So whatever they are acting on (cmd.exe trying to delete a file, or powershell running a script to screw with your files) will also be contained and thus helpless to make any changes in your actual system. There is really no need to mess around disabling things in Windows that may be needed for the installation of legitimate stuff.

Also, although the HIPS module will be of use with the sandbox at default (or, God Forbid, if it is shut off like in Britec's videos), it really has nothing to react to when running malware. And playing around with it may just end in frustration.

The important thing with CF is to realize the best settings are not Rocket Science; trying to make it so will just end in tears.
 

AtlBo

The important thing with CF is to realize the best settings are not Rocket Science; trying to make it so will just end in tears.

I agree almost 100% with you cruelsister, and you are very knowledgeable on CF. A few things I like:

1. Firewall settings "Create rules for safe (wrong word Comodo) applications" checked. I want this, because I want absolute control of the internet in and out on a PC.
2. HIPs Safe Mode. Sorry to say, I trace this issue partly to the fact that I am not comfortable with Comodo's Trusted Vendors List (I can fix this thanks to your vid :) ) and also partly to the fact that I feel that the system for unblocking is clumsy and seems unreliable. Unblocking is all or nothing, and it's not clear how this affects other settings. I hate this element of CF I have to admit. Still, with Comodo, unblocking could potentially be kept as trusting (I guess this must be the case) while only a single protection is unblocked and the dialog hence made meaningful. However, this would require some work I admit. All the facilities exist already to create rules for trusted ("safe" o_O) applications, so Comodo could just make use of those existing facilities with access from the unblock folder, one for each type of protection. Also would need a pop up asking if user would like to enable "Create rules for safe (let's go with "Trusted" here instead) applications" in case that is not already active or at least a notification that "Create rules for safe..." has been activated if this would be a requirement.

General bugginess isn't going to beat me out of CF 10, I don't think, like it did with 8.x. CF is too good and maybe way too good for me to consider changing at this point. However, I don't see anything when I open the connections dialog (no connection info) and also the sandboxed app window shows no processes, even when there are processes in the sandbox. Tried the repair, but it found no errors. I may try to reinstall, which will be a chance to see if saved settings can be reimported successfully. In early 10 TVL changes were not imported for me for some reason.

Your settings are awesome, but digging around does yield some juicy insights with Comodo. Not recommended for those who don't make a spare life for themselves to find time however. For others, go with cruelsister and enjoy the security. BUT remember not to allow those pesky apps in the sandbox out...NO mistakes please...:)
 

russ0408

I like CF, but I don't like having to download Comodo Dragon, and that Geek Buddy. Is there some way to avoid having to download that crap?
 

AtlBo

I like CF, but I don't like having to download Comodo Dragon, and that Geek Buddy. Is there some way to avoid having to download that crap?

Yes. As you go through the installation, first uncheck Yahoo! if you don't want the homepage change, then either the next dialog or the one after that has a tab at the top. Click on the tab to uncheck both and get just the firewall. It's 122 MB by itself. The tab is hard to see and sort of hidden but it's there on one of the install dialogs.
 

shmu26

Also, although the HIPS module will be of use with the sandbox at default
Hi @cruelsister, no question about it, your settings are the quickest way to security nirvana.
But could you please explain in more detail the point quoted above?

Also, please explain how Comodo at your recommended settings would prevent a fileless attack that exploits a vulnerable app, and tries to call powershell, or cmd.exe, in order to do one of these nasty things:
1. download a malicious exe file that will run at startup, before Comodo protection kicks in
2. register a rogue driver or dll
3. disable AV and Comodo after next reboot
4. generally mess with the registry

cruelsister

The more I think about it, the more I hate the term "Fileless Attack" as it is so misleading. When seeing that term one can reasonably infer that something just appears and will make changes to the local system without anything actually being run, and this is far, far from the case! In actuality a fileless attack will be something like going to a compromised webpage, running a Flash app (like through malvertising) which will then run a PowerShell script locally on your system, which will then compromise you in various ways. CF will sandbox this process so no local changes will ever be seen. A file (malware) that tries to exploit something in another process can't actually do very much if that process is not available to it.

About boot time protection: Comodo has none at all! But it does not really matter, as something has to get on the system first in order to mess with things at boot. A few years ago I coded a timing trojan and did a few videos about it. Although it was undetected and got past all AVs tried (some had boot protection, some did not, some added such protection after the video), Comodo never allowed it to autostart, so boot time protection didn't even come into play.

But one thing I can assure you of- if CF could be compromised in ways like this I would never ever use it myself. I can be nasty beyond belief yet I am satisfied with CF.
 

shmu26

The more I think about it, the more I hate the term "Fileless Attack" as it is so misleading. When seeing that term one can reasonably infer that something just appears and will make changes to the local system without anything actually being run, and this is far, far from the case! In actuality a fileless attack will be something like going to a compromised webpage, running a Flash app (like through malvertising) which will then run a PowerShell script locally on your system, which will then compromise you in various ways. CF will sandbox this process so no local changes will ever be seen. A file (malware) that tries to exploit something in another process can't actually do very much if that process is not available to it.

About boot time protection: Comodo has none at all! But it does not really matter, as something has to get on the system first in order to mess with things at boot. A few years ago I coded a timing trojan and did a few videos about it. Although it was undetected and got past all AVs tried (some had boot protection, some did not, some added such protection after the video), Comodo never allowed it to autostart, so boot time protection didn't even come into play.

But one thing I can assure you of- if CF could be compromised in ways like this I would never ever use it myself. I can be nasty beyond belief yet I am satisfied with CF.
Yes indeed, Comodo 10 with its awesome embedded code detection will stop straightforward exploits using powershell that actually execute the file the regular way. But what about attacks that use powershell in memory, and what about attacks that use cmd.exe? (By default, Comodo 10 disables embedded code detection for cmd.exe, because it cripples too many apps.)
 