Advice Request Using COMODO Firewall as a default-deny security software


Do you like this COMODO concept?

  • Yes

  • No
TheMalwareMaster
Good morning. I'm trying Comodo Firewall with cruelsister's settings, and made a few changes... What do you think of setting Comodo to Block instead of Run Virtually for unrecognised applications? I don't like the sandbox concept, and I always have the fear that something may go out and infect the system, even with the sandbox set to Restricted. Do you like this concept of default-deny? What are the advantages of using the sandbox Restricted setting instead? Also, I'm looking for some setting to prevent malware files that were whitelisted by mistake from running unlimited (remember AV Gurus' video?)

Video Review - Malware bypass Comodo Firewall @ CS settings

Evjl's Rain
Disabling cloud lookup will solve the problem of malware being whitelisted by mistake.

However, disabling cloud lookup + sandbox = Block can be very risky for the stability of your PC. In rare cases the system can be unbootable, who knows. Otherwise, it's very, very safe.

This is default-deny if you want a completely locked-down system and you don't install new software every day, but you may have to do much more homework to manually unblock all the programs that are blocked by Comodo (really, a lot more).

In this case, I feel that VoodooShield and other anti-exes can do better because they let you whitelist/allow something when you need it with one or a few clicks.
 

TheMalwareMaster
> Disabling cloud lookup will solve the problem of malware being whitelisted by mistake.
>
> However, disabling cloud lookup + sandbox = Block can be very risky for the stability of your PC. In rare cases the system can be unbootable, who knows. Otherwise, it's very, very safe.
>
> This is default-deny if you want a completely locked-down system and you don't install new software every day, but you may have to do much more homework to manually unblock all the programs that are blocked by Comodo (really, a lot more).

I'm doing some testing on my VM. Why delete trusted vendors too? Probably because they pay to be added, and some unwanted programs may be allowed to run this way?
 

TheMalwareMaster
Yeah, I've just tried to run the COMODO Internet Security Essentials thing bundled with the firewall (it's used to block man-in-the-middle attacks while online banking/shopping), and it got blocked.
 

Evjl's Rain
> I'm doing some testing on my VM. Why delete trusted vendors too? Probably because they pay to be added, and some unwanted programs may be allowed to run this way?

Yes, but rarely.
The more you delete, the less stable your PC is, and the more risk of blocking safe apps.

I think this is quite paranoid. Even CS herself doesn't change that much.

If it suits your needs, you can use it, but don't forget to make a full backup before applying it to your main PC.
 

TheMalwareMaster
Haha, I've removed Cloud Lookup and all trusted vendors and rebooted. I also deleted all Known File Verdicts (this is what causes the issue), and I got a black screen on boot. Sometimes there is a prompt saying that some applications are being isolated and blocked (legitimate Windows files). I will try again without deleting Known File Verdicts.
 

Evjl's Rain
> Haha, I've removed Cloud Lookup and all trusted vendors and rebooted. I also deleted all Known File Verdicts (this is what causes the issue), and I got a black screen on boot. Sometimes there is a prompt saying that some applications are being isolated and blocked (legitimate Windows files). I will try again without deleting Known File Verdicts.

Because you removed Microsoft => it blocked all Microsoft files => unbootable.
You should remove only unfamiliar vendors or some Chinese vendors.
 

TheMalwareMaster
VoodooShield is much cleverer on the "trusted malware" part. In VS, the developer has no control over his application: he cannot whitelist certain files; instead, the verdict is based on VirusTotal, which is automated and based on the union of 60+ antivirus vendors.
 

Maxwell Sien
Me too, I set the Auto-Containment settings to Disabled. So, if any unrecognized file wants to run, I get the HIPS alert directly.

The purpose of Auto-Sandbox/Auto-Containment is to prevent the user from taking a wrong decision on a HIPS alert. The user can mistakenly treat a bad file as an Allowed Application, or even as an Installer or Updater.

If you can analyse unrecognized files by yourself and determine whether they are safe or not, you can skip the Auto-Containment feature (disable it).
 

TheMalwareMaster
> Me too, I set the Auto-Containment settings to Disabled. So, if any unrecognized file wants to run, I get the HIPS alert directly.
>
> The purpose of Auto-Sandbox/Auto-Containment is to prevent the user from taking a wrong decision on a HIPS alert. The user can mistakenly treat a bad file as an Allowed Application, or even as an Installer or Updater.
>
> If you can analyse unrecognized files by yourself and determine whether they are safe or not, you can skip the Auto-Containment feature (disable it).

I set auto-containment on and to block all unrecognised apps (instead of running restricted), with HIPS on Safe Mode. Is it OK? I really like it.
 

jamescv7
Well, there's a reason why the sandbox mechanism exists: to avoid the possible problems when HIPS and other predefined rules manage to block the wrong software.

Comodo is a very comprehensive tool, so a silly mistake in configuration may lead to major impact on a system.

Yes, a strong concept of default-deny, but with precaution.
 

AtlBo
@TheMalwareMaster, I've been down this same road you are travelling. The conclusion for me was to use NVT ERP with Comodo, with the Comodo sandbox set to run "Unrecognized" as Restricted. This has me thinking about actually lessening the restriction level of sandboxed apps (keeping it auto) to be able to see first-hand what an app does. Restricted is so strict that many times you can only get a look at the GUI. That kind of defeats the purpose of the container. @cruelsister's earlier videos from last year showed how to see the malware run in the container. She has implicit confidence in that protection and has run many tests to show that it works, so...

Maybe I will experiment some today, but I can't test malware for now. Anyway, I don't know the difference between "Restricted", "Limited" and "Partially Limited". If Limited is like running in a standard limited-rights user account, well, I am already doing that on this PC.

Also, if you really want to trim the TVL, this is what I did following @cruelsister's video guide (can't locate the vid):

1. Open the TVL
2. Click the top box to select them all
3. Click the magnifying glass in the Vendors header and type Microsoft
4. Uncheck the Microsoft boxes (at least the major ones)
5. Repeat for Google, security programs and any other vendors you want in the list (your program vendors)
6. Click Remove
7. All but the ones you unchecked will be removed

This will remove all but what you choose. However, as @Evjl's Rain says, there isn't really a security reason to do this anyway. I did it because I want to learn the mechanics of Comodo and see how it responds. Almost everything I bring onto the system is unrecognized since I have only about 30 vendors.

You can add vendors by finding the exe too, if you want.

Cloud Lookup will add to the Trusted Vendors list if you edit it. It does add a sliver of risk of whitelisted malware, but what kind of mistake does it take to actually whitelist malware? I don't think this happens often, and I have only seen two mentions of it ever.
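Before trimming a vendor list the way the steps above describe, it helps to know which code-signing publishers the running system actually depends on (the thread's black-screen-on-boot case came from removing Microsoft). The PowerShell script below is an added example, not code from this thread or from Comodo: it inventories the Authenticode signers of currently running executables and flags those whose signer is not in a keep list. Matching the certificate subject by substring is an assumption that only approximates how a product's vendor list identifies a publisher; it assumes Windows PowerShell 5.1 or later, run elevated.

```powershell
# Added example (not Comodo's own code): inventory the Authenticode signers of
# running executables so you can see which vendors must stay in a trust list
# (such as Comodo's Trusted Vendor List) before trimming it.
# Assumptions: Windows PowerShell 5.1 or later; run elevated so that
# Get-Process can return the path of every process, not only your own.

param([string[]]$KeepVendors = @('Microsoft'))   # vendors you intend to keep

# Unique executable paths of running processes, with their signature details.
$signers = Get-Process |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_
        # Unsigned files have no SignerCertificate; label them explicitly.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Path   = $_
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer = $subject
        }
    }

# How many running binaries each signer accounts for.
$signers | Group-Object Signer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Binaries whose signer matches none of the keep list. Under a policy of
# "block unrecognized" with every other vendor removed, these are the ones
# that would be blocked; substring matching on the certificate subject is an
# assumption that approximates how a vendor list identifies a publisher.
$wouldBlock = $signers | Where-Object {
    $subject = $_.Signer
    -not ($KeepVendors | Where-Object { $subject -like "*$_*" })
}
"Running executables not covered by the keep list: $(@($wouldBlock).Count)"
$wouldBlock | Sort-Object Signer | Format-Table Status, Signer, Path -AutoSize
```

Run it with `-KeepVendors 'Microsoft','Google'` (or your own vendors) to see what a given trimmed list would leave unrecognized; a non-empty result containing Windows system binaries is exactly the situation that produced the unbootable VM earlier in the thread.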
 

AtlBo
BTW... my impression of default-deny for Comodo:

1. Make sure all heuristic command-line monitors are set to on, along with the embedded detections
2. HIPS on Safe Mode means an app from a "Trusted Vendor" will not prompt HIPS; "Unrecognized" will do so. That's OK for default-deny, but make sure not to make any applications an "Allowed" application. That way, Comodo will automatically create exemptions for HIPS rules when you select "Allow" -> "Remember". E.g., if there were a rule for Explorer.exe as "Unrecognized", every app you open from the Start menu or a folder would generate a prompt for the "Run an Executable" HIPS rule. If you choose to remember, this would be included in the exemptions. It's more powerful that way. I am still learning about this, but I see it happening and have started changing rules over to "Custom" from "Allowed" to get this security performance.
 

Maxwell Sien
> I set auto-containment on and to block all unrecognised apps (instead of running restricted), with HIPS on Safe Mode. Is it OK? I really like it.

I think that is OK. Setting it to block all unrecognised apps (instead of running restricted) does not reduce your security level. But what if Auto-Containment blocks all of your unrecognized apps when a file should be safe to run? There's no option to exclude it quickly; you must make extra effort to set it as an Allowed Application or in Trusted Files.
 

DJ Panda
They need to fix their performance impact first... Adding another "layer of security" is just going to make the computer even more unbootable.
 

TheMalwareMaster
Thank you all, guys... Yeah, I'm still learning how to better use Comodo Firewall; that's why I'm on a VM. But I like the default-deny concept more than the sandbox one. The only disadvantage is: "Average Joe makes a piece of software. It's unrecognised by Comodo. Another average user runs it on his system, using Comodo with 'Run Virtually' by default. He will see that software, understand that it's safe, and run it out of the sandbox. Case B: a user is running Comodo with default-deny settings. He will see that Comodo blocks that software, so he won't trust running it any more." The only issue with the default-deny config is that beginners may think that a safe unrecognised piece of software is malware.
 

509322
> Thank you all, guys... Yeah, I'm still learning how to better use Comodo Firewall; that's why I'm on a VM. But I like the default-deny concept more than the sandbox one. The only disadvantage is: "Average Joe makes a piece of software. It's unrecognised by Comodo. Another average user runs it on his system, using Comodo with 'Run Virtually' by default. He will see that software, understand that it's safe, and run it out of the sandbox. Case B: a user is running Comodo with default-deny settings. He will see that Comodo blocks that software, so he won't trust running it any more." The only issue with the default-deny config is that beginners may think that a safe unrecognised piece of software is malware.

The whole point of default-deny is to lock a system down and not install new things on a regular basis = once locked down, everything not allowed is blocked from executing.

Sandboxing is not really default-deny even though it is called that. Sandboxing is containment, which isn't strictly default-deny.

There's often confusion regarding the terminology, as it is applied loosely.

But you're right: a sandbox and file ratings have inefficiencies that can result in troubles for some users. It's a long-standing problem, and the only real solution is user awareness.
 