Advice Request How is Your Experience with Comodo CIS/FW v10 so far?

[darko999]

I tried to run Comodo FW alongside Windows Defender and failed to do so. Even when both where excluded in their respective settings, Windows Defender will fail to work properly.

 

[shmu26]

OK thanks again. Here is a quote from Comodo on the restriction levels. This had me believing that Virtual was more restrictive than Restricted, since virtual is mentioned last after restricted:



Down further, this shows that obviously either of the settings is adequate for protection:



Anyway I don't think it is going to matter much. I am fine with the setting either way. Here is a link to the Comodo help for anyone who would like to look at the options:

Auto-Containment Rules, Containment Security Software | Internet Security | COMODO

Yeah, the thing is you have to understand what running virtually means. It is not as absolutely isolated as they make it sound. But there are people on this forum who can give you a better explanation than that.

 

[AtlBo]

Scouring around the Comodo forum, I read some information that led me to look at the "Options" for the All Applications->Untrusted->Run Virtual rule. Turns out the rule in the "Options" (Next to "Criteria") tab is set to a restriction level of "Restricted" for this rule anyway. Don't know if all Run Virtually rules do this by default. Looking on another PC, I see it is set up the same way. There is this option though, if anyone would prefer the virtual setting (based on Comodo's description) but would like to add a little bit of strength to the rule to be on the safe side. I suppose it ends up being the same thing as simply running restricted in the first place.

Never knew memory consumption can be managed in the sandbox with CFW. That's a new one. I would create a rule for Chrome, but it won't run in the virtual environment.

 

[EASTER]

I always been a big proponent when it came to HIPS from that awesome era of the 32 bit types.

Since it's still important that we layer our defense apps where compatible, this user recently added CFW 10 into the respective security schema.

I assume there are enough folks just as pleasantly surprised with the video test results too.

The last version of Comodo FW that I tried last and liked is probably relic by now but I can in all honesty say this newest v.10 has me hook, line, and sinker.

Really am almost awestruck to it's pretty well rounded capabilities in spite of certain issues that require a trace to correct with trial n error workarounds here or there too.

In silent observer status for a few weeks now as I soak in all the best possible settings.

Special thanks to everyone who is picking it apart as well as testing it's metal.

 

[Handsome Recluse]

Btw, "we are hard when it comes to people we appreciate" , but i like to sometimes give cookies

But you only follow Lockdown. That suggests you're only hard on Lockdown.

 

[Tony Cole]

Terrible. I install Comodo 10 IS and it was useless, reputation and scans took hours, and it detected windows files as unknown and kept crashing the system.

 

[AtlBo]

In silent observer status for a few weeks now as I soak in all the best possible settings. Special thanks to everyone who is picking it apart as well as testing it's metal.

You might want to take a look at the settings changes in the latest version of v10. They aren't well documented around the net yet. The biggest ones are in the Advanced Protections->Miscellaneous header. Previously, heuristic command-line analysis settings were in the HIPs section. Some executables (and malware) may depend on embedded scripts, and Comodo turned off most of the protections for embedded scripts by default. This is because some users were seeing a new pop up for the same activity every time they performed the action. Happens when a randomly named temp file is created by a process in order to run a script.

I turned all of the protections on and only have one recurring script. I am used to dealing with the issue, so it's not a problem for me. Others may want to test with the settings on to see if they have a problem. If you do get the repeating pop up, you will also get a new file in the file list and then a file will be created in the path C:\ProgramData\Comodo\Cis\tempscrpt. If you allow the behavior (if you know what caused it and it is safe) but uncheck the remember setting option, you will only have those two issues. Otherwise, if you remember it, you could end up with other references to the file in the "Unrecognized files" area/folder accessed from the widget and maybe in HIPs.

I just "forget" the choice each time and empty the tempscrpt folder once in awhile and then whenever I think about it purge the file list of files that have been removed from the system. That gets rid of them there.

Absolutely take a look at cruelsister's settings. She relies exclusively on the sandbox, and it is bullet-proof:

Video Review - Comodo Firewall 10 Setup

If you want that protection but also prefer to know more about what is happening on the system, the HIPs are awesome for that and also the script blocking functions.

I am liking CFW more and more too but it can still be improved. 10 is a big significant improvement over 8 even seems more or less universally accepted. Best thing for me is the ability to control the internet. Block and remember...that's what I do with apps and the net...

 

[Tony Cole]

I've never liked the whole the software has to be downloaded on the system, then executed before Comodo does anything.

 

[AtlBo]

it detected windows files as unknown

Many Windows files are unsigned. I don't get why. This is why they are unrecognized.

I've never liked the whole the software has to be downloaded on the system, then executed before Comodo does anything.

True, not much in the way of signature-based protection with CIS I don't think. Definitely it doesn't monitor downloads like some of the a-vs and other security suites. It's primarily mechanically based I guess I would say is my impression of CIS. With the sandbox and the much reduced bugginess of v10, I feel, though, that Comodo users can finally say that it's their fault if they get infected.

I saw a video here at MTs recently that showed Comodo a-v detected a huge number of samples in a group of malware. I was actually fairly impressed, but not enough to drop 360 Total Security and Comodo Firewall for CIS or Comodo a-v. There are subtle differences between CFW and the others in the sandbox protection schemes, and I haven't ever had time to sort them all out...

 

[EASTER]

You might want to take a look at the settings changes in the latest version of v10. They aren't well documented around the net yet. The biggest ones are in the Advanced Protections->Miscellaneous header. Previously, heuristic command-line analysis settings were in the HIPs section. Some executables (and malware) may depend on embedded scripts, and Comodo turned off most of the protections for embedded scripts by default. This is because some users were seeing a new pop up for the same activity every time they performed the action. Happens when a randomly named temp file is created by a process in order to run a script.

I turned all of the protections on and only have one recurring script. I am used to dealing with the issue, so it's not a problem for me. Others may want to test with the settings on to see if they have a problem. If you do get the repeating pop up, you will also get a new file in the file list and then a file will be created in the path C:\ProgramData\Comodo\Cis\tempscrpt. If you allow the behavior (if you know what caused it and it is safe) but uncheck the remember setting option, you will only have those two issues. Otherwise, if you remember it, you could end up with other references to the file in the "Unrecognized files" area/folder accessed from the widget and maybe in HIPs.

I just "forget" the choice each time and empty the tempscrpt folder once in awhile and then whenever I think about it purge the file list of files that have been removed from the system. That gets rid of them there.

Thanks. Just had a look in there and adjusted the settings accordingly.

The need to try to cover as much found left undone from a previous version is a good choice of course. Test for complications (if any) etc.

Absolutely take a look at cruelsister's settings. She relies exclusively on the sandbox, and it is bullet-proof:

Video Review - Comodo Firewall 10 Setup

If you want that protection but also prefer to know more about what is happening on the system, the HIPs are awesome for that and also the script blocking functions.

I am liking CFW more and more too but it can still be improved. 10 is a big significant improvement over 8 even seems more or less universally accepted. Best thing for me is the ability to control the internet. Block and remember...that's what I do with apps and the net...

Those special settings and confirmed testing's by her are very convincing enough for me too I agree wholeheartedly.

Putting CFW 10 through a few of my own preliminary metal tests (per cruelsister's rules) has not disappointed in the least. In fact solid.

Not at all familiar with version 8 so have no idea how comparisons stack up between them but it's simple enough to read through other's results and see how and/or where they differ.

The added idea behind HIPS which was a welcome development when in their first infancy was it's featured ability for users so inclined to learn some of the intricate behaviors and interactions the program encountered as signals were launched then instantly interrupted, where the user could trace origin/destination location paths/types of files/extensions etc. (the list goes on as evident in CFW) and basically get a better feel so to speak of their own machines.

For me it was a honeypot of the highest order.
Collecting those bugs after rendered inert, copy them, and safely set them apart for further study.

The security aspect of strengthening the CFW sandbox/auto-containment feature is to a HIPS devotee like me, a best dream come true.

For the time being until I get a bit farther along with it's many other good points for security the sandbox alone is proving quite a force field.

I can recall some time ago with 32 bit HIPS where that very thing was being tested but not sure if it was ever fully implemented before 64 bit knocked them out of contention for the most part to what we have today.

 

[AtlBo]

The added idea behind HIPS which was a welcome development when in their first infancy was it's featured ability for users so inclined to learn some of the intricate behaviors and interactions the program encountered as signals were launched then instantly interrupted, where the user could trace origin/destination location paths/types of files/extensions etc. (the list goes on as evident in CFW) and basically get a better feel so to speak of their own machines.

Yes. I didn't get started until Comodo Firewall 3.xxx. It didn't last long though. The program was very buggy.

I think in the future HIPs may be attached somehow to a new type of alert/warning, based on activities/risks associated with standard HIPs behaviors. I think of this concept as "super HIPs". With the sandbox behind the whole operation it might be an interesting concept I suppose. I think some of this exists already in the form of behavior blocking. At least it's similar. At any rate, I think as a user I would like to be aware of HIPs activities, even if the option to block from standard HIPs triggers were not considered practical anymore. As it is, Comodo has a good thing going with the HIPs to sandbox approach. I feel a high degree of confidence running with CFW.

I worked with Excubits Bouncer for a couple of months, studying the logs and activites of a normal working PC. I learned alot that way.

 

[EASTER]

Yes. I didn't get started until Comodo Firewall 3.xxx. It didn't last long though. The program was very buggy.

I think in the future HIPs may be attached somehow to a new type of alert/warning, based on activities/risks associated with standard HIPs behaviors. I think of this concept as "super HIPs". With the sandbox behind the whole operation it might be an interesting concept I suppose. I think some of this exists already in the form of behavior blocking. At least it's similar. At any rate, I think as a user I would like to be aware of HIPs activities, even if the option to block were not considered practical anymore. As it is, Comodo has a good thing going with the HIPs to sandbox approach. I feel a high degree of confidence running with CFW.

I worked with Excubits Bouncer for a couple of months, studying the logs and activites of a normal working PC. I learned alot that way.

That would be something of interest on this end too should that sort of development approach surface.

It's hard to say but since the HIPS field is narrow enough anyway there's always room for that section to improve too I guess.

So far there is been no real disappointment in these few weeks running CFW 10 on this end only learning the settings more.

Tickled today with the closing of cruelsister's video. What confidence! Also the added comedy with Felix was priceless stuff. Liked that.

From some of the reviews i watched so far isn't she using what I suppose is the strongest part of CFW in the the sandbox?

Boy does she ever apply it to absolute maximum effect w/returning positive results, and against some pretty crafty malware at that.

 

[shmu26]

I would create a rule for Chrome, but it won't run in the virtual environment.

I don't have Comodo installed right now, but Chrome should run just fine in virtual environment, if you leave sandbox at its default settings. In fact, in the sandbox tasks tab, as well as on the desktop widget, you have a ready-made link for running virtual chrome, firefox or IE, with an option for putting a shortcut on your desktop.

 

[AtlBo]

From some of the reviews i watched so far isn't she using what I suppose is the strongest part of CFW in the the sandbox?

Boy does she ever apply it to absolute maximum effect w/returning positive results, and against some pretty crafty malware at that.

I would say so. If you run her settings with no choice alert for application->unrecognized, every single unsigned application and any parents/children of its go straight into the sandbox. She has dozens of videos against all kinds of the nastiest malware, and none of it has beaten CFW. It stands to reason, since the sandbox simply does not allow malware to have access to what it requires to do harm when unrecognized are set to run restricted as cruelsister does.

Tickled today with the closing of cruelsister's video. What confidence! Also the added comedy with Felix was priceless stuff. Liked that.

Her videos are quite entertaining and informative. It's great to have such a great source of info on the internet.

I don't have Comodo installed right now, but Chrome should run just fine in virtual environment, if you leave sandbox at its default settings. In fact, in the sandbox tasks tab, as well as on the desktop widget, you have a ready-made link for running virtual chrome, firefox or IE, with an option for putting a shortcut on your desktop.

I tried earlier but just for a few seconds. PC was kind of stressed, and I was working fast. Seems I recall last time I used the sandbox for the browser I ended up liking the 360 TS option better (seemed smoother). That was with Firefox though. I'll try Chrome again with CFW and see if it's better now.

 

[shmu26]

I'll try Chrome again with CFW and see if it's better now.

Give a try with those ready-made links that Comodo provides.

Her videos are quite entertaining and informative. It's great to have such a great source of info on the internet.

Comodo and all that surrounds it is by far the best form of entertainment in the world of security apps.

 

[Av Gurus]

I run Chrome everyday in Comodo sandbox with no problem, through the Comodo widget.

 

[AtlBo]

No luck. The process starts but then no window and the process eventually stops after about 20-30 seconds. Some truths:

1. Running in standard account
2. IE 11 runs in the CFW sandbox from the widget
3. Changed existing containment rule for chrome.exe from Ignore to Run Virtually->Partially limited but same result on widget
4. With the setting changed attempted to start from pinned shortcut on taskbar but would not start there either
5. Reverted the setting and Chrome is working normally again from the taskbar

I'll try in the Admin account and see what happens. Av Gurus, you tried the memory limiting feature of the sandbox on Chrome?

 

[shmu26]

No luck. The process starts but then no window and the process eventually stops after about 20-30 seconds. Some truths:

1. Running in standard account
2. IE 11 runs in the CFW sandbox from the widget
3. Changed existing containment rule for chrome.exe from Ignore to Run Virtually->Partially limited but same result on widget
4. With the setting changed attempted to start from pinned shortcut on taskbar but would not start there either
5. Reverted the setting and Chrome is working normally again from the taskbar

I'll try in the Admin account and see what happens. Av Gurus, you tried the memory limiting feature of the sandbox on Chrome?

The gods of Comodo are full of wrath for those who tamper with their heavenly ordained settings.

 

[Av Gurus]

Av Gurus, you tried the memory limiting feature of the sandbox on Chrome?

SOrry, don't understand what are you asking?
What should I check or view?

 

[AtlBo]

Av Gurus, you tried the memory limiting feature of the sandbox on Chrome?

Well, if you use the widget to open Chrome, you don't have the feature available. However, if you find the sandbox rule for Chrome in the Comodo settings and double click on it, there is a setting there to limit the memory usage of processes running in the sandbox. There is a "Criteria" tab and next to it is an "Options" tab. The memory limiting is there. Anyway, you answered my question lol. I think to get it to work you would have to open Chrome from a shortcut. However, the sandbox rule can't be an ignore rule, it has to be changed to Run Restricted I believe, for the memory option to be available. You can then adjust the restriction to partial, limited rights, or full. It's all there in the Options tab.

The gods of Comodo are full of wrath for those who tamper with their heavenly ordained settings.

Yes. In this case, I wonder if it's the embedded script interaction with the sandbox. I turned on all the embedded script protections as you know, and now Comodo prompts to block the webshield.exe script from Qihu when I open Chrome normally. Maybe this causes a conflict. Chrome starts as a single process in the sandbox from the widget, then goes to two for just an instant after about 20 seconds and then closes. This makes me wonder if that's when the extensions are loading. I don't have time to hunt this one down unfortunately.

No dice in the admin account. Same thing. Thought maybe having installed in the standard account (can't remember which I used to install Chrome) could have been a problem somehow. I don't think that would be a problem ever honestly. I seem to remember this same issue back before I reinstalled Windows about 4-5 months ago. Dragon (Chrome based) would run in the Comodo sandbox (no webshield.exe now that I think about it...not available for Dragon) but not Chrome. I seem to recall that not even the 360 sandbox would work with Chrome.exe. Firefox worked fine. Can't test in a standard account because 360 sandbox isn't available under limited rights. Kind of a poison pill of 360 right now that so little is available in l/r accounts.

Anyway, no harm. I don't feel like I need the sandbox. Thought I would test the memory limiting feature of the s/b to see how it works.