Regarding Comodo Firewall's Firewall


cruelsister

Level 33
Verified
Apr 13, 2013
2,252
13,546
#1
A friend that has read my previous drivel about Comodo noted to me that I never really discussed the settings of the Firewall itself. This was indeed a rather big failing on my part that I apologize for, so here is a quick Primer:

(Note that CIS and CF have differing default settings- but as I see no value in CIS the below refers to Comodo Firewall. I further assume that the Sandbox will be Enabled with the "Any" change active)

Although the Firewall module of CF lends itself to much tinkering with regards to Portsets, Network Zones, Traffic Filtering, etc. only the most Networkly adept people need to be concerned with this stuff, and quite frankly I question the real-world value of playing with these settings (it also gives me a headache). This being said, let's discuss the important things:

1). CF default settings- If you already have CF installed, all that I will discuss can be found on the main Firewall setting page (Tasks>Firewall Tasks>Open Advanced Settings).

CF is configured to start in Safe Mode- this basically allows all applications that are whitelisted by Comodo to connect to the Network without any specific rules being made. Note also on that main page there is an unchecked box to "Create Rules for Safe Applications"- if you check this box and run a safe application like an email app or web browser, CF will start to pay attention to how the specific application operates and will automatically make rules specific for it. I personally leave it unchecked.
Note that no firewall popups will present for this default setting.

2). Custom Ruleset- This change can be made at the top, under Enable Traffic Filtering. Custom Ruleset simply will alert you to anything that tries to connect outbound, both safe apps and unknowns. A popup alert will occur asking whether the connection request should be Allowed or Blocked, with an added checkbox to remember the action taken. This setting is very nice for the more advanced user who, aside from wanting all outbound requests by unknowns to result in an alert, also wants to decide what legitimate applications should be allowed out.

3). The "Do Not Show Popup Alerts" setting- This is actually the point of this post. Custom Mode will give popups to everything (at least once, anyway); Safe Mode will not give popups for anything. By checking this box when the firewall is in Safe Mode what happens?

a). All whitelisted applications will still be allowed to connect to the Internet.
b). Any unknowns, which will be active in the Sandbox, that request network access will cause either a popup if the box is unchecked and you choose "Allow Requests", or will be denied any Network access silently by default.

In production systems I strongly recommend unchecking that box and choosing Block Requests. This will tell both Malware and Adware to go screw themselves when requesting Outbound connections without any input by the user. This would be really handy in preventing things like worms connecting to the C&C, and downloaders from downloading (note also that the malware from trojan downloaders will also be sandboxed, so no real issue here). Another benefit would be the silent blocking of script keyloggers. Remember that a keylogger in order to be successful must both log keystrokes AND send this information out to the Blackhats. Stopping even one of these actions would be successful protection.

As an example, seek out this test keylogger, evil.exe which is a Python script (and understand that a true malicious keylogger- not a script- would be prevented from logging anything if sandboxed in Full V):

(hxxps://samsclass.info/124/proj14/evil.htm)

Note that Comodo, although sandboxing the logger, won't actually stop the keylogging as user input is needed for it to work. This is what happens when evil.exe is run:

1). When the interface opens, you hit Enter
2). Open Notepad and type a few letters
3). Hit enter again

You will notice that a text file is created in the same directory as the logger, which will then be transmitted to Pastebin- a browser will then open and you will see the results. So what will happen when any of the above Firewall settings are used?

1). Firewall default settings- the keylogger logs keystrokes and successfully transmits out
2). Custom Mode- you will get an Outbound connection request popup. Blocking the transmission stops the logging effort
3). Safe Mode with "Do Not Show Popups" box unchecked, and action of "Block Requests"- Transmission by keylogger silently blocked, keylogger fails in malicious activity.

So the moral of this extended post- Blocking Outbound requests by sandboxed applications is good, especially if you put CF on Mom or Dad's computer.
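A small Python model of the decision logic described above, added here as an example and not code from the post or from Comodo. It assumes the CF default is popups suppressed with "Allow Requests" (which is why the default setting lets the test logger transmit); the names Firewall, FirewallConfig, Rating and Verdict are this model's own.

```python
from dataclasses import dataclass, field
from enum import Enum

class Rating(Enum):
    TRUSTED = "trusted"   # whitelisted by Comodo, or rated Trusted by the user
    UNKNOWN = "unknown"   # unrecognized file, runs inside the Auto-Sandbox

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    POPUP = "popup"       # the user is asked to Allow or Block

@dataclass
class FirewallConfig:
    custom_ruleset: bool = False        # Enable Traffic Filtering: Safe Mode / Custom Ruleset
    # "Do Not Show Popup Alerts" and its action; defaults model the CF default (assumption)
    suppress_popups: bool = True
    suppressed_action: Verdict = Verdict.ALLOW   # "Allow Requests" or "Block Requests"

@dataclass
class Firewall:
    config: FirewallConfig
    rules: dict = field(default_factory=dict)    # remembered per-application answers

    def outbound(self, app: str, rating: Rating) -> Verdict:
        """Decide what happens when `app` asks for an outbound connection."""
        if app in self.rules:                    # a remembered answer wins
            return self.rules[app]
        if not self.config.custom_ruleset and rating is Rating.TRUSTED:
            return Verdict.ALLOW                 # Safe Mode: whitelisted apps need no rule
        # Custom Ruleset alerts for everything; Safe Mode alerts only for unknowns
        if self.config.suppress_popups:
            return self.config.suppressed_action # silent default, no user input at all
        return Verdict.POPUP

    def answer(self, app: str, verdict: Verdict, remember: bool = False) -> Verdict:
        if remember:                             # the "remember my answer" checkbox
            self.rules[app] = verdict
        return verdict

def keylogger_outcomes() -> dict:
    """The post's three configurations applied to the sandboxed 'evil.exe'."""
    default = Firewall(FirewallConfig())
    custom = Firewall(FirewallConfig(custom_ruleset=True, suppress_popups=False))
    hardened = Firewall(FirewallConfig(suppressed_action=Verdict.BLOCK))
    asked = custom.outbound("evil.exe", Rating.UNKNOWN)  # POPUP: user clicks Block, remembered
    custom.answer("evil.exe", Verdict.BLOCK, remember=True)
    return {
        "default": default.outbound("evil.exe", Rating.UNKNOWN),
        "custom_ruleset": (asked, custom.outbound("evil.exe", Rating.UNKNOWN)),
        "safe_mode_block_requests": hardened.outbound("evil.exe", Rating.UNKNOWN),
    }
```

A whitelisted browser still connects under the hardened configuration, which is the point of the post: only the sandboxed unknowns lose their outbound access.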
 
Apr 30, 2012
689
2,280
#2
~~ I've snipped the first part of my post just to remove the mention of the settings I found not secure. I'm sorry for any possible inconvenience it might cause. ~~

Why not check all "Advanced" boxes starting from "Filter IPv6 traffic" down to "Enable anti-ARP spoofing"?
 

cruelsister

Level 33
Verified
Apr 13, 2013
2,252
13,546
#3
I have to respectfully disagree with you. Not showing popups and allowing everything will as I noted allow sandboxed apps to connect Outbound. This may be an issue depending on the state of malware development. Maximum safety dictates that anything sandboxed should be precluded from Outbound connections.

Regarding Filtering Traffic and spoofing I really didn't want to take the discussion into the weeds, as it were. The anti-ARP spoofing is really just of consequence for something like an Office network and isn't applicable for a single Home computer; filtering IPv6 traffic has little if any real-world relevance especially if NAT is in place.
 
Oct 22, 2012
4,055
8,905
#5
cruelsister,

Under FW settings, I have checked "Do not show popups" & set to "Block requests".

I want to know 2 things-
When Comodo detects a program install as unknown & gives an Unlimited Rights alert & I know the program is safe so I select "Run Unlimited" on the alert, now 2 questions -
1. Is this program treated as trusted?
2. Connection for the program is allowed or blocked?
 

cruelsister

Level 33
Verified
Apr 13, 2013
2,252
13,546
#6
Yes- As soon as you click on Run Unlimited it will be treated as Trusted (one time only unless you also check Trust this Application). It will also allow internet connection.
 
Oct 22, 2012
4,055
8,905
#7
Ok, I tested it with leaktest.exe from grc.com

I disabled cloud in CIS as cloud AV detects it.

Under FW settings, I checked "don't show popups" & set to "block"
I ran leaktest.exe. It was correctly autosandboxed & connection was blocked.

Now I moved leaktest.exe from unrecognized to trusted.
I ran leaktest.exe. It was correctly not autosandboxed but connection was still blocked?
Only after system restart connection was allowed.
Shouldn't the connection have been allowed too, without a system restart, just as leaktest.exe was not autosandboxed, since leaktest.exe was trusted now?


Also I deleted leaktest.exe.
Reset sandbox.
Restarted the system.
Now leaktest.exe was deleted from the system. But I had purposely not deleted the leaktest.exe rule from trusted list.
Now the leaktest.exe rule is in the trusted list but it should be invalid because leaktest.exe has been deleted from the system, right?
I had also restarted the system after deleting leaktest.exe & reset sandbox.
Now I downloaded leaktest.exe again.
I ran leaktest.exe & it was not autosandboxed.
This means previous invalid rule will be applied if & when the program is downloaded & installed again, is this a bug or for usability?
 

cruelsister

Level 33
Verified
Apr 13, 2013
2,252
13,546
#13
Yesnoo- Sorry for the delay in response. There is a difference in the way Comodo handles changing application settings; if Do not Notify is selected a reboot is indeed needed (as the suppression of firewall alerts is really for the novice, making things hard is actually good).

If Firewall alerts are selected to be given, individual application settings can be made on the fly.

Finally, Firewall and File Rating settings can be easily trashed for programs that were deleted.

I made a quick Vid here: http://malwaretips.com/threads/playing-around-with-firewall-application-settings-in-cf-8-1.44136/
 
Oct 22, 2012
4,055
8,905
#14
Yesnoo- Sorry for the delay in response. There is a difference in the way Comodo handles changing application settings; if Do not Notify is selected a reboot is indeed needed (as the suppression of firewall alerts is really for the novice, making things hard is actually good).

If Firewall alerts are selected to be given, individual application settings can be made on the fly.

Finally, Firewall and File Rating settings can be easily trashed for programs that were deleted.

I made a quick Vid here: http://malwaretips.com/threads/playing-around-with-firewall-application-settings-in-cf-8-1.44136/
Don't you think they should have auto purge invalid rules?

And I think there should be an option to notify if block requests is selected in FW settings.

And I really think it would be good to have an option to password protect alerts, what do you say?
This will make usability better & easy on the systems that are shared by novices & experts.
 