Settings Discussion Comodo Firewall v 10

Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
You guys using CCAV or CIS can post here too, since the programs are all similar with regards to the sandbox. Please just take a look and comment on anything that looks interesting or that you have a question about. No need to try to tackle all of this. It's only for a discussion. If anything jumps at you with easy scanning, great, but that's all.

OK, experimenting with the settings, I think I hit a nirvana sweet spot with Comodo 10. Here are the basics:

1. Proactive
2. Firewall-Custom->see at least once every app's attempt to connect and I think local separately from outside connections
3. HIPs-On->Safe Mode->all defaults
4. Sandbox-Default
5. Auto-Sandbox-Enabled (see this rule)->Target->All Applications->Reputation->Unrecognized->Action->Run Restricted (Not virtualized)

Best I can understand, if the All Apps sandbox rule is set to full restriction (I think so), the app just won't run if it's unrecognized and tries anything malware would need to try to make changes to the system or files. If there is any chance it could do damage, I will be virtualizing for this setting, so I appreciate any input here.

Compared to CruelSister's settings, some things I didn't do the same, that I would deploy 100% in an office environment:

1. Enable "Show desktop widget" (CruelSister setting is off but I like the widget)
2. Enable "Play sound when an alert is shown" (same as above)
3. Firewall settings->Disable "Do NOT show popups" (CS is checked and auto-block). I do not disable pop-ups for internet connections (I want to see what is trying to contact out (not 100% sure CruelSister does this differently, just don't know, but she does it differently in her 1.28.17 CFW video))
4. I use HIPs->Enabled
5. HIPs->Protected Objects->Set HIPs to protect file locations and secondary drives via "Protected Data Folders"
6. Sandbox settings->Enable "Do not virtualize access to [the specified folders]" (CS disables this rule, I think to protect downloads from ransomware, but this one I am not sure about for myself yet)
7. Sandbox settings->Enable "Detect programs which require elevated privileges" but disable "Do NOT show privilege elevation alerts" (CS enables both, using the Block option for the second rule)
8. Sandbox settings->Aforementioned All Applications->Run Restricted rule change. CruelSister runs all Unrecognized Virtually and then goes further by choosing the Block option from the Options for the rule. This is not available for "Run Restricted", only for "Run Virtually".

Questions:
1. By recognizing MAC to MAC connections, it seems Comodo 10 firewall alerts by default separately for MAC to MAC and for other connections. This means an easy allow always for MAC to MAC and then anything over the internet will receive a separate alert. IP is on the alert so MAC to MAC is easy to spot. Can anyone verify this? I like to see which apps want to contact the outside world and when. I am basing this on the understanding that MAC to MAC will always be local on a Home network.
2. In Sandbox settings, what does "Do not virtualize access to [the specified folders]" do? I think this means downloads are placed in the actual downloads folder if the browser is sandboxed. That's good, but CS says there is a way to protect the folder from ransomware. I couldn't see how she was doing this, and maybe this is the way. I think I understand. She did uncheck the "Do not virtualize..." setting, where I still have it checked for now, even though I don't virtualize anyway and instead for now use restricted.
3. In Auto-Sandbox is setting a rule to run "Restricted" the same as forcing unrecognized to run fully restricted, or is it run partially restricted? Can malware do damage potentially outside virtually?
4. Sandbox settings->Enable "Detect programs which require elevated privileges" but disable "Do NOT show privilege elevation alerts" (CS enables both, using the Block option for the second rule). OK, this is a tricky question, so maybe no one knows, but it's deep, and I think it is important. If I allow unrecognized to run fully unrestricted from an alert that comes from this second rule being disabled, would Comodo still auto-sandbox this unrecognized app by the Auto-Sandbox rule? I have seen the answer a time or two for this, but I can't remember. I think it's no, it won't.
5. Any good aspects to Virtual Desktop? I hear it's not very good compared to CIS Secure Desktop.

I may well end up virtualizing like CruelSister for the sandbox settings. This will be the case if ransomware can possibly bypass the simple change to All Apps->Unrecognized rule from Virtually to Restricted.

I would 100% do it CS' way in an enterprise environment, but not exactly this way at home, because I want to know what's happening. The restriction pop ups are an example. They are dangerous, but they are also a good indicator of a problem software and also the alert is red, which gets my attention. I believe after 5 years of PF pop ups, I am prepared for anything Comodo can dish out. I wasn't using a trust list in PF, so it's easy to imagine what I did for 5 years. 75+ pop ups to install Blue Stacks, I can say I experienced that LOL.

Again, please don't believe I expect a response to all of this or even to read all of it. If anything is interesting or you like some setting (maybe a different one you use), maybe you feel it would be appropriate to say so. I don't expect all the answers here honestly. Maybe some concepts could help some out there or some of us with a question.

What I like about this:

-Allowing the Restriction request alerts places a new understanding of the purpose of the "Unblock Applications" option on the widget. This alert really pins a user down to make a choice. I like this better than having to wait for the sandbox or worry about what might be in there if I empty it.
-Auto-Sandbox rule->Run All Apps->Unrecognized->Restricted (instead of virtual). Same as above unless I am wrong about the restriction. If it allows full access to the local account, no good, and I will use virtualize and send all the data to the sandbox.
-Firewall->Disable "Do not show Pop ups". This is a control thing. If you want to know what's doing what on the net, try this.
-The sequence of pop ups. It's very good with this.
-The frequency of pop ups. Not bad, honestly, unless you really hate HIPs alerts during installations, etc. I like them again because I like to know what's happening and what I am installing, especially considering only unrecognized bring the alerts.
 

sudo -i

Level 4
Verified
Jan 17, 2017
154
General:
Play sound - Disabled
Show the 'Upgrade' button - Disabled
Configuration - Proactive

Firewall Settings:
Do NOT show popup alerts - Enabled - Block Requests

HIPS Settings:
Enable HIPS - Disabled

Sandbox Settings:
Do not virtualize access - Disabled
Auto-Sandbox:
All Applications - Run Virtually - Set Restriction Level: Restricted

File Rating:
Trusted Vendors - Remove all

Edit: You are building your own whitelist with these settings. It takes a lot of time and you need to unblock/remove auto-sandboxing from each individual blocked process. This edit is to indicate that I'm still unblocking items as I go, 3 hours later.
 

BugCode

Level 10
Verified
Well-known
Jan 9, 2017
468
Hehehehehe!
Yeah, I think AtlBo put in a pretty long ride of work, and it takes a lot of time when those settings get worked out around the sandbox/HIPS/whitelisting/etc. remix. I prefer to "keep things simple", like sudo -i says.

Well, after all, everyone does it his own way. Good luck to everyone who is testing/tuning/setting up this software.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
@pablozi I believe that is what prompted this thread. ;)

Yes, this is true. CruelSister is good at explaining her settings, but there are elements she doesn't care for in Comodo (all versions CCAV/CFW/CIS). I started loosely with her settings and experimented. Generally I am impressed with Comodo 10, I have to say. Still have some questions, albeit I have narrowed them to a handful now, so that is good.

Anyone have a comment on All Apps->Unrecognized->Run Restricted vs. All Apps->Unrecognized->Run Virtualized?
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Yes, this is true. CruelSister is good at explaining her settings, but there are elements she doesn't care for in Comodo (all of them). I started loosely with her settings and experimented. Generally I am impressed with Comodo 10, I have to say. Still have some questions, albeit I have narrowed them to a handful now, so that is good.

Anyone have a comment on All Apps->Unrecognized->Run Restricted vs. All Apps->Unrecognized->Run Virtualized?
I guess Run Restricted means the app can run normally but under some restricted rules. It should be exactly the same as Kaspersky's Application Control. The app doesn't run inside a sandbox.
Run Virtually means the app will be put into a sandbox and isolated from other running apps and the system.

EDIT: I found this
  • Run Virtually - The application will be run in a virtual environment completely isolated from your operating system and files on the rest of your computer.
  • Run Restricted - The application is allowed to access very few operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights. Some applications, like computer games, may not work properly under this setting.
  • Block - The application is not allowed to run at all.
  • Ignore - The application will not be sandboxed and allowed to run with all privileges.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Thanks Evjl's. I guess I should probably switch to Run Virtually until I am sure about whether Run Restricted does the job to block all malware. Anyway, I can Run Restricted in the sandbox and I guess get the same exact response machine-wise.

I like an edgy setup, and I would like if I didn't have to use the sandbox, because cleaning it out can set back beneficial programs. This means something else to think about I guess. I can see the benefit, though, since changes that do occur can be easily wiped out with the sandbox, where Run Restricted leaves user to clean up the mess in user space if there is a malware episode. Maybe that's the main reason to run Virtually.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
I guess Run Restricted means the app can run normally but under some restricted rules. It should be exactly the same as Kaspersky's Application Control. The app doesn't run inside a sandbox.

I had this thought too. Kas has the system/file guard system that seems largely superior to the comparable module in Comodo 10 (Viruscope); other than this, Comodo is reminding me of Kas. So I will go back and look for a video testing only Kas Application Control on Restricted. That should show what I need to know about this. If malware can't do damage, I think I will go with Restricted on one machine to test long range.
 

Deleted member 2913

CCAV ---

As per Comodo staff "umesh" --- CCAV ---
"Trusted Installers
If A.exe drops B.exe and if B.exe is unknown by itself, B.exe will be treated as safe if A.exe was safe and of installer type.
Unknown Installers
If A.exe drops B.exe and B.exe is unknown by itself, B.exe will be treated as safe if A.exe was allowed by the user, i.e. "Don't isolate again" was selected, and is of installer type."

My little test confirmed the above, and I hope CCAV really works the above-mentioned way (don't know if it applies to CIS too or not?), as "usability" would be good, and so you can set the sandbox option to "Run only safe programs"... known programs allowed & unknown blocked... no need for rules/firewall, etc. customization like CIS.

CFW ---
I have mostly used CFW with no AV, no 3rd party AV, no additional realtime security, etc...
My setup was mostly -
Customize the GUI/appearance stuff like Comodo messages, upgrade tab, sound notifications, etc...
Protection-wise, always used defaults with little customization.
I have always used the "Internet Security" config --- it's the default config with the CIS suite install --- balanced protection & usability.
But with a CFW-only install too, I use the "Internet Security" config.
Few customizations only ---
FW settings - "Don't show popup messages" --- Unchecked, or Checked and set to "Block".
"Do not virtualize access to the specified files/folders" --- Unchecked
"Enable automatic startup for services installed in the Sandbox" --- Unchecked
Sometimes I have used the default autosandbox rule (Internet), and sometimes customized it to (Any), i.e. removed Internet, Intranet & Removable Media from the autosandbox rule.
 