Advice Request Using COMODO Firewall as a default-deny security software

Please provide comments and solutions that are helpful to the author of this topic.

Do you like this COMODO concept?

  • Yes

  • No


Results are only viewable after voting.
Status
Not open for further replies.

Bombus

Level 2
Verified
Jun 12, 2016
50
But there many legit programs that are bundled with other legit (free) programs. Similar to UC Browser, Baidu AntiVirus, some User Install it on Purpose, Some user get it with bundled.

AntiMalware (like ) are more aggresive than AntiVirus in blacklist a PUP, maybe because AntiVirus focus on Prevent and AntiMalware focus on cleaning.

In case of PUP, we can't trust AntiVirus 100%. Only User can know what program is installed on purpose and what program is install with Bundled. AntiVirus just can detect a possibility. That's why we need HIPS because it based on user decision.

@TheMalwareMaster, can you send Utorrent installer file to us that contain ByteFence? I just downloded it from official but not bundled with ByteFence. I want to test how HIPS React with this situation.
You are totally right. Skype ships bing, comodo - yahoo, Ccleaner (if i have good memory) suggested Goolge chrome ( as Avast), Foxit PDF reader (several years ago) Ask (Hips in paranoid mode helped me to avoid installation of this toolbar).
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Yeah, some of them were disabled. Guess why COMODO did that

OK I will try to explain. Some programs are legit but make droppers or use a remote script from another app. This can happen easily with browser security extensions that work together with the security program. If the security program creates a randomly named temp file to control the extension, Comodo heuristic c-l will create a new alert each time for the temp file, even though it is the exact same script. These are strored in a folder and they will build up over time.

Ex. Open browser and each time an alert for extension. New file is created by security program to initialize connection to extension (new name but same script)->Allow->Comodo places file which it treats as the script application in ProgramData\Comodo\CIS\tempscrpt folder->they build up over time filling the disk (very slowly but also the alert is a pain). Comodo basically has taken a small portion from the script and now considers that the script itself and then the script a standalone application. These scripts won't run without Comodo's portion.

It's brilliant and all but Comodo was getting complaints about the alerts so they turned off protections :eek:. This was a very bad policy and for home users it's absolutely almost never a problem. I know they will have to fix it which they can if they just add the path of the app of script origination (as a dev note) in the file Comodo creates in tempscrpt folder. Any time Comodo wants to alert for c-l heuristics, the script portion that Comodo would save could be compared to all others already in the tempscrpt folder and then if found verified that it comes from the same app using the dev note path name (dev notes don't affect script function).

The biggest problem with the alerts was for devs who have to run complicated tests. Heuristic c-l was apparently causing them problems when they tested their developing apps, but I imagine it was unsightly the alerts happening in offices/businesses with unsigned company scripts.
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Thank you all guys :) I will disconnect now, take a look at the new comodo config I linked some post ago. Have a good weekend!
 
  • Like
Reactions: AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
This is only the firewall. Do you like mine?

Oh you mean the Comodo help page is for CIS? Firewall information is the same for CIS and CF. The help information is only the CIS help...nothing else from Comodo.

I enabled IPv6 because it's becoming more common. It's useful for looking at the local network, because Windows uses it between PCs. IPv6 connections can be logged if it's checked->good but some confusing alerts about svchost.exe and wmplayer.exe and others->bad. IPv6 still doesn't have much traction across the global internet...

You should be fine as is. Block fragmented and Protocol analysis can help detect DDOS attacks. I have them disabled for now. Doubt I will change them soon if ever.
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Oh you mean the Comodo help page is for CIS? Firewall information is the same for CIS and CF. The help information is only the CIS help...nothing else from Comodo.

I enabled IPv6 because it's becoming more common. It's useful for looking at the local network, because Windows uses it between PCs. IPv6 connections can be logged if it's checked->good but some confusing alerts about svchost.exe and wmplayer.exe and others->bad. IPv6 still doesn't have much traction across the global internet...

You should be fine as is. Block fragmented and Protocol analysis can help detect DDOS attacks. I have them disabled for now. Doubt I will change them soon if ever.
No, I was saying there is nothing about how to set the containment, HIPS and other stuff
 
  • Like
Reactions: AtlBo

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
My bet is that AVAST in hardened agressive mode (with the cloud whitelist) would be an easier to configure alternative.n BTW I like ALL whitelisting concepts, so voted YES
Comodo Firewall with @cruelsister settings is easy to configure (pretty much the same number of settings). Avast with the above settings is easier to use for an average user, but Comodo Firewall has strong protection when malware can be executed in the system. I'm saying this, from my experience with both solutions (a couple of years).
I also like ALL whitelisting concepts, so voted YES.:)

Edit1.
Two years ago, I configured my father's computer using @cruelsister settings, with the autosandbox set to block unrecognized applications. Those settings are safe in the locked system (no Windows updates). I did not dare to test those settings, when the system can make updaes - I was afraid that CF would block some important system files.

Edit2.
One can use CF with the autosandbox set to block, in the system with suspended updates (not possible in Windows 10). When updating, the autosandbox is turned off. After updates, it is necessary to run CF rating scan, and check manually, if the system files are flagged as safe.
 
Last edited:

Itachi Sempai

Level 2
Verified
Sep 20, 2017
93
Also, I'm looking for some setting to prevent whitelisted malware files by mistake to run unlimited (remember Av gurus video?)

so you need two rules

1) block all applications that are unrecognized
2) block all applications that originate from: removable media, internet, intranet...
18fe816fba1d.png


that wey all the recognized software that you already have installed will run without problems but if you obtain something from outside of your PC will be blocked
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top