Advice Request: Using COMODO Firewall as a default-deny security software


Do you like this COMODO concept?

  • Yes

  • No



Maxwell Sien

Level 2
Verified
Nov 15, 2016
97
The only issue with the default-deny config is that beginners may think that safe unrecognised software is malware.

Yes, and to counter/prevent it, you must analyse yourself whether a recognised file is safe or bad. To do this, you can run it manually in the sandbox (right-click and choose Run in Comodo Containment). Comodo Containment lets you check/track behaviour (what file/folder/registry has been changed) after you run it virtually. So you can decide whether it is safe or not. If safe, just run it directly; no need to wait for a Comodo update.

Are HIPS really needed for this setup? I don't think so.

Which setup did you mean?
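The "check what file/folder/registry has been changed" idea from the post above can be reproduced outside of Comodo as a plain before/after snapshot of a directory tree. The script below is an added example written for this page, not Comodo's own feature or code: it hashes every regular file under a root before and after a run, then reports what was added, removed or modified. It covers the file system only (registry tracking would need Windows-specific code and is left out), and the "program run" in `demo()` is a constructed simulation that edits, deletes and drops files in a temporary directory so the example runs offline on any platform.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Snapshot of a directory tree: relative path -> (size in bytes, SHA-256 hex digest)
Snapshot = Dict[str, Tuple[int, str]]


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Snapshot:
    """Record every regular file under root (symlinks skipped) with its size and hash."""
    snap: Snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            snap[rel] = (p.stat().st_size, sha256_of(p))
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify differences between two snapshots as added, removed or modified paths."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        # a path counts as modified when its size or content hash changed
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample run: snapshot, simulate a program's side effects, snapshot again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("theme=dark\n")
        (root / "app" / "readme.txt").write_text("hello\n")
        before = snapshot(root)

        # Simulated side effects of the program under test (constructed, not a real sample):
        # it edits a config file, deletes a file and drops a new binary-looking file.
        (root / "app" / "config.ini").write_text("theme=dark\nautorun=1\n")
        (root / "app" / "readme.txt").unlink()
        (root / "app" / "helper.dll").write_bytes(b"MZ\x00\x00")

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real machine you would call `snapshot()` on the folders you care about (the program's install directory, the user profile, startup folders) before launching the contained program, run it, call `snapshot()` again and pass both to `diff_snapshots()`; a new file in a startup location or a changed binary where none was expected is the kind of result that should make you keep the file blocked rather than allow it.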
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Is there a way to remove GeekBuddy prompts when COMODO cloud blocks malware? I don't have GeekBuddy installed, but I still get these prompts.

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Yes, and to counter/prevent it, you must analyse yourself whether a recognised file is safe or bad. To do this, you can run it manually in the sandbox (right-click and choose Run in Comodo Containment). Comodo Containment lets you check/track behaviour (what file/folder/registry has been changed) after you run it virtually. So you can decide whether it is safe or not. If safe, just run it directly; no need to wait for a Comodo update.

Which setup did you mean?

I mean my default-deny setup. I remember Cruelsister some time ago made a video where containment set to Restricted wasn't enough to stop a particular malware. In my setup, the whole execution is stopped, so there is no risk at all.

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
This is my final COMODO Firewall setup for today. If anyone wants to take a look at it in a virtual machine, I would be pleased. COMODO is set to work automatically: default-deny mode, HIPS off, Cloud Lookup and VirusScope set to automatically remove malware. I can't upload the config file here on the forums (I don't know why; I can't select that file), so I will upload it on Zippyshare. I still need to find a solution to that "whitelisted malware", even if it's not that frequent to find it.
EDIT: little mistake there. I set COMODO to not show any kind of prompt, not even when it blocks malware. Now it's set correctly. Here is the config:
COMODO - TMM Security.cfgx

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
The only issue with the default-deny config is that beginners may think that safe unrecognised software is malware.

Yes, this is true. Also, on W7 systems here I see a way on Containment alerts to unblock an app. That means the next time someone runs it, it will run unrestricted. Honestly, I like your way better than Run Restricted. For any regular user that is a really good way to use the program, and I think I may start to recommend it to newer users too.

I don't use the normal TVL (mine is much smaller) so I can study what happens when Comodo detects "Unrecognized" (because I can't test malware). I am studying the mechanics of the program. So this is not even a secure setup for Comodo Firewall that I have, but I have NVT ERP, Qihoo 360, Zemana real-time, EMET and AppCheck. Mostly I block connections with CFW, and then I don't travel the internet heavily or download programs from unusual places anyway.

Thanks for the tip. Really great idea.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
I still need to find a solution to that "whitelisted malware", even if it's not that frequent to find it.

Isn't this a one-in-a-billion chance? I don't think that someone will very often find malware that Comodo "trusted" enough to spread trust for it into all their products. Surely that requires Melih himself to say so or something. I know it has happened, but I wouldn't worry.

Thinking about your setup, you have default-deny with Comodo's expertise with vendors and then Cloud Lookup. It's great now, but Viruscope will eventually get done and Valkyrie too. Anyone who uses this setup is safe imo. If you plan to add an a-v? Wow. CF is way better than VoodooShield or NVT ERP to pair with that. Avast + CF -> crazy good, and Avast will install only the a-v component if Custom installation is chosen...
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Isn't this a one-in-a-billion chance? I don't think that someone will very often find malware that Comodo "trusted" enough to spread trust for it into all their products. Surely that requires Melih himself to say so or something. I know it has happened, but I wouldn't worry.

Thinking about your setup, you have default-deny with Comodo's expertise with vendors and then Cloud Lookup. It's great now, but Viruscope will eventually get done and Valkyrie too. Anyone who uses this setup is safe imo. If you plan to add an a-v? Wow. CF is way better than VoodooShield or NVT ERP to pair with that. Avast + CF -> crazy good, and Avast will install only the a-v component if Custom installation is chosen...

Yeah, it's really rare, but VS would handle it better. VS is completely automated: it connects to VirusTotal, so Dan is not able to whitelist files. But VS will be bypassed if VirusTotal and VoodooAI both say that an executable is safe.

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,720
Yeah, it's really rare, but VS would handle it better. VS is completely automated: it connects to VirusTotal, so Dan is not able to whitelist files. But VS will be bypassed if VirusTotal and VoodooAI both say that an executable is safe.

This only applies to AutoPilot mode... if VS is in Smart ON or Always ON, the file is blocked either way if it is not on the whitelist, even if all of the file insight is clean.

Also, I have already implemented the global whitelist, but I have not found a whitelist service/feed that is as cautious as it needs to be.

And self protection is coming. There is only one very specific script that is an issue for VS... other than that, VS protects itself nicely.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I use it as default-deny, and F-Secure DeepGuard for cloud lookup scans unknown files automatically. More often than not, it's a harmless file, so I end up whitelisting it in Comodo.

Default-deny is NOT a good solution for systems with games, I learned, especially if you play old indie games that nobody knows about. :confused: So I decided to whitelist all the game folders (Steam, GOG, Origin and Uplay) and just cross my fingers that anything suspicious that ends up hiding there will be detected by DeepGuard.
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
What are these in the firewall settings? Is it worth enabling any of these?
[attachment: firewall.PNG]

Bombus

Level 2
Verified
Jun 12, 2016
50
To TheMalwareMaster: disable HIPS, set Automatic Containment to Block (without virtualisation) and you will get automatic deny protection. And problems. When Comodo doesn't know that application or that version of the product, it will block without alerts and you are going to wonder why the updated Mozilla won't install. You can disable cloud, but in this case you can have problems such as: you installed some application. A few weeks later there is an update. You download it. Comodo will block it because the version/product of that application is unknown to Comodo.

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Should I use HIPS in Safe Mode in this setup? Or is it not needed?
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
To TheMalwareMaster: disable HIPS, set Automatic Containment to Block (without virtualisation) and you will get automatic deny protection. And problems. When Comodo doesn't know that application or that version of the product, it will block without alerts and you are going to wonder why the updated Mozilla won't install. You can disable cloud, but in this case you can have problems such as: you installed some application. A few weeks later there is an update. You download it. Comodo will block it because the version/product of that application is unknown to Comodo.

It gives you an alert when something is blocked.
[attachment: comodo.PNG]
 

Bombus

Level 2
Verified
Jun 12, 2016
50
HIPS in Safe Mode means you will get an alert when installing an application without a digital signature or a very recent update of something. (Maybe 5 years ago I had Avira Free. I heard about an updated version of Avira. Waited for a week. Removed Avira and wanted to install the new version. Comodo alerted: "Avira is signed by Avira Operations GmbH, but product unknown. If you trust this app, push 'Allow' and put a mark on 'Send to Comodo'." I had to wait about 10 minutes until Comodo allowed me to install Avira.)
 

Bombus

Level 2
Verified
Jun 12, 2016
50
TheMalwareMaster, thanks for the reply. In my version 8 of Comodo it blocked without an alert. Now I have version 10 (I haven't tried the setting I suggested). As you can see, now you are protected by "default-deny".
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
HIPS in Safe Mode means you will get an alert when installing an application without a digital signature or a very recent update of something. (Maybe 5 years ago I had Avira Free. I heard about an updated version of Avira. Waited for a week. Removed Avira and wanted to install the new version. Comodo alerted: "Avira is signed by Avira Operations GmbH, but product unknown. If you trust this app, push 'Allow' and put a mark on 'Send to Comodo'." I had to wait about 10 minutes until Comodo allowed me to install Avira.)

10 minutes is not a lot of time.
I decided to shut off the HIPS for some reasons:
1. HIPS with popup (allow, deny, treat as): it causes a notification mess if a sample is also detected by the cloud. I ran a JScript file, detected by COMODO cloud, and I had the HIPS notification on top and the cloud one hidden under it. You couldn't click on the HIPS notification if you didn't close the cloud one.
2. HIPS set to deny requests without showing popup alerts: I noticed a fact: if you run an executable, the containment will be faster to catch it and block it. If it's a JScript file, the HIPS will be faster to catch it, and it will be blocked without alerts. So I prefer to receive the containment alert and shut off the HIPS (remember that this is an automated COMODO config I made for some beginners).
 