Advice Request Using COMODO Firewall as a default-deny security software

Please provide comments and solutions that are helpful to the author of this topic.

Do you like this COMODO concept?

  • Yes

  • No

Results are only viewable after voting.
Status
Not open for further replies.
TheMalwareMaster said:
I'm doing some testing on my VM. Why to delete trusted vendors also? Probably because they pay for being added, and some unwanted programs may be allowed to run this way?
Click to expand...

Clean up the trusted vendors list, only auto-allow vendors you have running on your PC (including Microsoft third party and supported hardware)
 
  • Like
Reactions: Andytay70, simmerskool, TheMalwareMaster and 3 others
TheMalwareMaster said:
-Cloud lookup disabled: some scripts are blocked and, in the end, I have no PUPs installed
Click to expand...

General question scripts brings to mind. Curious if you have enabled all the heuristic command-line detection protections (and embedded)? There is basically no cost to this. I recommend it, although it might mean a rare alert. Just something that you might like for strengthening the setup. For me, it's a fallback should containment fail somehow or should I run malware uncontained by mistake For you, not sure if it helps with default deny but I don't see how it could hurt.

TheMalwareMaster said:
-Cloud lookup disabled: some scripts are blocked and, in the end, I have no PUPs installed
Click to expand...

Sounds like Comodo needs to work on their whitelisting more than I realized. If @Maxwell Sien is right about the whitelisting, Comodo is almost pushing users to turn off Cloud Lookup by whitelisting that kind of program. :(

Windows_Security said:
Clean up the trusted vendors list, only auto-allow vendors you have running on your PC (including Microsoft third party and supported hardware)
Click to expand...

Well, this is what I did, but would this work well for @TheMalwareMaster since he is creating a template for new users?
 
  • Like
Reactions: Maxwell Sien and TheMalwareMaster
Right now i installed (in Comodo virtual desktop) ByteFence. It's rebranded version of Reason core. It scanned and found nothing. bytefence is Pua, but, thanks God, not fake antivirus. It didn't detect eicar viruses. I dowloaded bitconminer Anketa for Iphone.doc.exe (virustotal 47/63). I was unnabled to launch on virtual desktop it because comodo autocontaiment blocked it in real system (i had 96 intrusions and 7 blocked apps and 2 unrecognized files) - by the way, no alerts from real system (i was in full screen mode) So, bytefence at least is very bad, weak antimalware. I removed Bytefence and reason from trusted vendors list and from file ratings.
 
Last edited:
  • Like
Reactions: TheMalwareMaster and AtlBo
AtlBo said:
Curious if you have enabled all the heuristic command-line detection protections (and embedded)?
Click to expand...
How can I check that? Are they enabled bu default? I spent a lot of time in the settings and I think they were enabled by default
 
  • Like
Reactions: AtlBo
Windows_Security said:
Clean up the trusted vendors list, only auto-allow vendors you have running on your PC (including Microsoft third party and supported hardware)
Click to expand...
Yeah, I was looking for a solution to recommend to the guys who ask me for Windows XP. VoodooShield doesn't work anymore on XP, so there we are: comodo! I can't remove the trusted vendors considering each user has different programs
 
  • Like
Reactions: AtlBo
TheMalwareMaster said:
How can I check that? Are they enabled bu default? I spent a lot of time in the settings and I think they were enabled by default
Click to expand...

Advanced Protection->Miscellaneous->"Do heuristic command-line analysis for..." Click on "Certain Applications". You can enable them all no problems. Some of them were disabled for me with the previous two updates from Comodo. I reenabled them.
 
  • Like
Reactions: TheMalwareMaster
Utorrent installation
No security: Bytefece and Avast installed
default.PNG

Comodo with cloud lookup and trusted vendors list: an EXE is blocked. Only Bytefence installed
default1.PNG default2.PNG

Comodo with cloud lookup disabled and default trusted vendors list: two scripts blocked and no bundled programs installed. Utorrent opens with an error
default3.PNG default4.PNG default5.PNG default6.PNG
 
  • Like
Reactions: kylprq, brambedkar59, AtlBo and 1 other person
AtlBo said:
Advanced Protection->Miscellaneous->"Do heuristic command-line analysis for..." Click on "Certain Applications". You can enable them all no problems. Some of them were disabled for me with the previous two updates from Comodo. I reenabled them.
Click to expand...
Yeah, some of them were disabled. Guess why COMODO did that
 
  • Like
Reactions: AtlBo
AtlBo, question: if HIPS is disabled, what sens to go to ,,Advanced Protection->Miscellaneous->"Do heuristic command-line analysis for..." Click on "Certain Applications". ? Because it is called,, Hips to perform analyz TheMalwareMaster, did you enabled HIPS or disabled it?
 
  • Like
Reactions: TheMalwareMaster and AtlBo
That did it @AtlBo
Cloud lookup and trusted vendors on, with all option selected in command line analysis: A lot of command lines were bloked (I don't show all in the photos) and, in the end, no bundled programs. Why the bundled programs were blocked, this time?
HIPS were Always off
blocked.PNG blocked1.PNG blocked2.PNG blocked3.PNG blocked4.PNGblocked5.PNG
 
  • Like
  • Wow
Reactions: kylprq and ZeroDay
Bombus said:
Virus total 1 out of 63 (detected by malwarebtes). Maybe its like enigma software?
Click to expand...

AtlBo said:
General question scripts brings to mind. Curious if you have enabled all the heuristic command-line detection protections (and embedded)? There is basically no cost to this. I recommend it, although it might mean a rare alert. Just something that you might like for strengthening the setup. For me, it's a fallback should containment fail somehow or should I run malware uncontained by mistake For you, not sure if it helps with default deny but I don't see how it could hurt.



Sounds like Comodo needs to work on their whitelisting more than I realized. If @Maxwell Sien is right about the whitelisting, Comodo is almost pushing users to turn off Cloud Lookup by whitelisting that kind of program. :(



Well, this is what I did, but would this work well for @TheMalwareMaster since he is creating a template for new users?
Click to expand...

But there many legit programs that are bundled with other legit (free) programs. Similar to UC Browser, Baidu AntiVirus, Chromium, some User Install it on Purpose, some user get it with bundled.

AntiMalware (like MBAM and Zemana) are more aggresive than AntiVirus in blacklist a PUP, maybe because AntiVirus focus on Prevent and AntiMalware focus on cleaning.

In case of PUP, we can't trust AntiVirus 100%. Only User can know what program is installed on purpose and what program is install with Bundled. AntiVirus just can detect a possibility. That's why we need HIPS because it based on user decision.

@TheMalwareMaster, can you send Utorrent installer file to us that contain ByteFence? I just downloded it from official but not bundled with ByteFence. I want to test how HIPS React with this situation.
 
Last edited:
  • Like
Reactions: AtlBo, TheMalwareMaster and Bombus
TheMalwareMaster, if you have some time, you can play a game with Comodo: creat a file test.doc.exe . Upload it to some filesharing service. Open comodo, enable Hips. Go to hips setting-to blocked objects. browse to any file and rename it *.doc.exe .Save changes. After that try to download your text file. It shoud be blocked by..... Comodo hips without alerts. Or you can go to rghost search for Анкета доставки iPhone.doc.exe In this way you can add all kind of staff *.pdf.exe, *.jpg.exe. *.doc.vbs etc. I had a list of about 20 possibe variants. I disabled HIPS, so this list won't help to me.
 
  • Like
Reactions: AtlBo, ZeroDay and TheMalwareMaster
TheMalwareMaster said:
That did it @AtlBo
Cloud lookup and trusted vendors on, with all option selected in command line analysis: A lot of command lines were bloked (I don't show all in the photos) and, in the end, no bundled programs. Why the bundled programs were blocked, this time?
HIPS were Always off
View attachment 159042 View attachment 159043 View attachment 159044 View attachment 159045 View attachment 159046View attachment 159047
Click to expand...
Maybe you can see all blocking activities here: Manage Blocked Items, Blocked Applications, Comodo Internet Security | COMODO
 
  • Like
Reactions: AtlBo and TheMalwareMaster
What are these? Last lines of firewall settings. Is it Worth enabling them? firewalls.PNG
 
TheMalwareMaster said:
HIPS blocked the bundled programs without alert, even if they were set to alert. Here is the utorrent file @Maxwell Sien
uTorrent.exe
Click to expand...

Thank you

TheMalwareMaster said:
What are these? Last lines of firewall settings. Is it Worth enabling them? View attachment 159050
Click to expand...

You can find it here: General Firewall Settings, PC Firewall, Firewall Protection | Internet Security

As far I know, Enable anti-ARP spoofing is for prevent Net Cut Attack in Wireless Connection..
 
  • Like
Reactions: AtlBo and TheMalwareMaster
Last config for maximum security. Tell me if it can still be improved, test it in a virtual machine please. Cloud lookup is off but trusted vendors are on because it's not for a particular system, but for all COMODO - Maximum Security.cfgx
 
  • Like
Reactions: AtlBo
Status
Not open for further replies.

You may also like...