Advice Request Using COMODO Firewall as a default-deny security software

Please provide comments and solutions that are helpful to the author of this topic.

Do you like this COMODO concept?

  • Yes

  • No


Results are only viewable after voting.
Status
Not open for further replies.

Maxwell Sien

Level 2
Verified
Nov 15, 2016
97
The only issue of the default-deny config is that beginners may think that a safe unrecognised software is malware.

Yes, and to Counter/prevent it, you must analyse yourself whether a Recognized Files is safe or Bad. To do this, you can Run Manually to SandBox (Right Click and choose Run in Comodo Containment). Comodo Containment let you to check/track behaviour (What File/Folder/Registry that had been changed) after you Run it Virtually. So, you can decide it is safe or not. If Safe, just run it Directly, no need to wait Comodo Update.

Are HIPS really needed for this setup? I don't think so

Which set up did u mean?
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Is there a way to remove geekbuddy prompts when COMODO cloud blocks malware? I don't have geekbuddy installed, but still get these prompts
 
  • Like
Reactions: AtlBo

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Yes, and to Counter/prevent it, you must analyse yourself whether a Recognized Files is safe or Bad. To do this, you can Run Manually to SandBox (Right Click and choose Run in Comodo Containment). Comodo Containment let you to check/track behaviour (What File/Folder/Registry that had been changed) after you Run it Virtually. So, you can decide it is safe or not. If Safe, just run it Directly, no need to wait Comodo Update.



Which set up did u mean?
I mean my default-deny setup. I remember Cruelsister some time ago made a video when the containment on restricted wasn't enough to stop a particular malware. In my setup, the whole execution is stopped, so there is no risk at all
 
  • Like
Reactions: kylprq and AtlBo

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
This is my final COMODO Firewall setup for today. If anyonw wants to take a look at it in a virtual machine, I would be pleased. COMODO is set to work automatically: defult-deny mode, HIPS are off, Cloud lookup and Virusscope are set to automatically remove malware. I can't upload the config file here on the forums (I don't know why, I can't select that file), so I will upload it on Zippyshare. I still need to find a solution to that "whitelisted malware", even if it's not that frequent to find it
EDIT: little mistake there. I set COMODO to not show any kind of prompt, not even when it blocks malware. Now it's set correctly. Here is the config:
COMODO - TMM Security.cfgx
 
Last edited:
  • Like
Reactions: Parsh and AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
The only issue of the default-deny config is that beginners may think that a safe unrecognised software is malware.

Yes this is true. Also, on W7 systems here I see a way on Containment alerts to unblock app. That means next time someone runs it it will run unrestricted. I like your way honestly better than run restricted. For any regular user that is a really good way to use the program, and I think I may start to recommend it to newer users too.

I don't use the nornal TVL (much smaller) so I can study what happens when Comodo detects "Unrecognized" (because I can't test malware). I am studying the mechanics of the program. So this is not even a secure setup for Comodo Firewall that I have, but I have NVT ERP, Qihoo 360, Zemana real-time, EMET and AppCheck. Mostly I block connections with CFW and then I don't travel the internet heavily or download programs from unusual places anyway.

Thanks for the tip. Really great idea.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
I still need to find a solution to that "whitelisted malware", even if it's not that frequent to find it

Isn't this a 1 in a billion chance? I don't think that someone will find a malware very often that Comodo "trusted" enough to spread trust for it into all their products. Surely that requires Melih himself to say so or something. I know it has happened but I wouldn't worry.

Thinking about your setup, you have default-deny with Comodo's expertise with Vendors and then Cloud Lookup. It's great now, but Viruscope will eventually get done and Valkyrie too. Anyone who uses this setup is safe imo. If you plan to add an a-v? Wow. CF is way better than VoodooShield or NVT ERP to pair with that. Avast + CF->crazy good and Avast will install only the a-v component if Custom installation is chosen...
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Isn't this a 1 in a billion chance? I don't think that someone will find a malware very often that Comodo "trusted" enough to spread trust for it into all their products. Surely that requires Melih himself to say so or something. I know it has happened but I wouldn't worry.

Thinking about your setup, you have default-deny with Comodo's expertise with Vendors and then Cloud Lookup. It's great now, but Viruscope will eventually get done and Valkyrie too. Anyone who uses this setup is safe imo. If you plan to add an a-v? Wow. CF is way better than VoodooShield or NVT ERP to pair with that. Avast + CF->crazy good and Avast will install only the a-v component if Custom installation is chosen...
Yeah, it's really rare but VS would handle it better. VS is completely automated: it connects to VirusTotal, so Dan is not able to whitelist files. But VS will be bypassed if VirusTotal and VoodooAI both say that an executable is safe
 
  • Like
Reactions: AtlBo

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Yeah, it's really rare but VS would handle it better. VS is completely automated: it connects to VirusTotal, so Dan is not able to whitelist files. But VS will be bypassed if VirusTotal and VoodooAI both say that an executable is safe
This only applies to AutoPilot mode... if VS is in Smart ON or Always ON, the file is blocked either way if it is not on the whitelist, even if all of the file insight is clean.

Also, I have already implemented the global whitelist, but I have not found a whitelist service / feed that is cautious as it needs to be.

And self protection is coming. There is only one very specific script that is an issue for VS... other than that, VS protects itself nicely.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I use it as Default-Deny and F-Secure DeepGuard for cloud lookup scans unknown files automatically. More often than not, it's a harmless file so I end up whitelisting in Comodo.

Default-Deny is NOT a good solution for systems with games I learned especially if you play old indie games that nobody knows about. :confused: So I decided to whitelist all the game folders (Steam, GOG, Origin and Uplay) and just cross my fingers that anything suspicious that ends up hiding there will be detected by DeepGuard.
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
What are these in the firewall settings? Is it Worth enabling any of these? firewall.PNG
 
  • Like
Reactions: DeepWeb

Bombus

Level 2
Verified
Jun 12, 2016
50
to TheMalwareMaster: Disable Hips, Automatic containment set as Block (without virtualisation) and you will get automatic deny protection. And Problems. When comodo doesn't know that application o version of that product, it will block without alerts and you are going to wonder why updated mozilla won't install. you can disable cloud but in this case you can have problems as: you installed some application. Few weeks later there is update. You download it. Comodo will block it because the version/product of that application is unknow to comodo.
 
  • Like
Reactions: TheMalwareMaster

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Should I use HIPS in safe mode in this setup? Or it's not needed?
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
to TheMalwareMaster: Disable Hips, Automatic containment set as Block (without virtualisation) and you will get automatic deny protection. And Problems. When comodo doesn't know that application o version of that product, it will block without alerts and you are going to wonder why updated mozilla won't install. you can disable cloud but in this case you can have problems as: you installed some application. Few weeks later there is update. You download it. Comodo will block it because the version/product of that application is unknow to comodo.
It gives you an alert when something is blocked
comodo.PNG
 

Bombus

Level 2
Verified
Jun 12, 2016
50
HIPS in safe mode means: you will get alert when installing an application without digital signature or very recent update of something (maybe 5 years ago I had Avira Free. I heard about updated version of Avira. Waite for a week. Removed Avira and wanted install the new version. Comodo alerted: ,,Avira is signed by Avira Operations GMBH, but product unknow. If you trust this app, push ,,Allow" and put a mark on ,,Send to Comodo". " I had to wait about 10 minutes until Comodo allowed to install Avira.
 

Bombus

Level 2
Verified
Jun 12, 2016
50
TheMalwareMaster, thanks for replay. In my 8 version of comodo it blocked without allert. Now i have 10 version (I haven't try setting i suggested.) As you can see now you are protected by ,,default-deny".
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
HIPS in safe mode means: you will get alert when installing an application without digital signature or very recent update of something (maybe 5 years ago I had Avira Free. I heard about updated version of Avira. Waite for a week. Removed Avira and wanted install the new version. Comodo alerted: ,,Avira is signed by Avira Operations GMBH, but product unknow. If you trust this app, push ,,Allow" and put a mark on ,,Send to Comodo". " I had to wait about 10 minutes until Comodo allowed to install Avira.
10 minutes it's not a lot of time.
I decided to shut off the HIPS for some reasons.
1 HIPS with popup (allow, deny, treat as): it causes a notification mess if a sample is also detected by the cloud. I run a Jscript file, detected by COMODO cloud and I had the HIPS notification on top and the cloud one hidden under it. You couldn't click on the HIPS notification if you didn't close the cloud one
2 HIPS on deny request without showing popup alerts: I noticed a fact: if you run an executable, the containment will be faster to catch it and block it. If it's a Jscript file, the HIPS will be faster to catch it, and it will be blocked without alerts. So I prefer to receive the containment alert and shut off the HIPS (remember that this is an automated COMODO config I made for some beginners)
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top