Which Elements of Comodo do You Use?

[AtlBo]

Posting this to see how most Comodo users use the program. If you would like you can rate the importance of the features in a post.

Feature Security Value and 1-10 rating of the element in Comodo
1. Auto-contain (element 1-10 rating 8.5)
2. Heuristic Command-line (element 1-10 rating 9.0)
3. Firewall (element 1-10 rating 7)
4. HIPS (element 1-10 rating 6.5)
5. Cloud Lookup (element 1-10 rating 6)

The rest are optional for user

One question: If you could improve any one thing about Comodo (any of them) what would the improvement be?

For me this would be improving the interactibility of the user to the "Unblock Applications" dialog. Make it so that users have more control when unblocking.

EDIT: In poll Killstart should be Killswitch

 

[shmu26]

Obviously, the desktop widget is by far the most important feature of Comodo! I am sure that all users will agree!

 

[nikos200]

none

 

[frogboy]

None.

 

[shmu26]

Most important thing to fix: command line analysis/embedded code detection.
If you have autocontainer enabled, and you have a bat file or embedded code with a random name, it doesn't work well together.

 

[AtlBo]

Obviously, the desktop widget is by far the most important feature of Comodo! I am sure that all users will agree!

Of course . Just trying to see how many make use of the widget with that one.

Most important thing to fix: command line analysis/embedded code detection.
If you have autocontainer enabled, and you have a bat file or embedded code with a random name, it doesn't work.

Thanks for this. Wasn't aware. What is a random name if I may ask? Wondering if Comodo knows about this. Haven't had any time to test the feature, although I have been hoping to put it through some tests at some point.

 

[Evjl's Rain]

1/ Firewall: it's a must for me. Windows Firewall is not easy to use at least for me. I can't create a rule which "Allows A and blocks everything else". Very easy to monitor all the connection and block if necessary + outbound connection notification
2/ Auto-contain: I now use it as an on-demand sandbox, not automatically blocks my programs. Also I made some rules to block dangerous extensions (.js, .jar, .ps1,... for example) and block vulnerable processes (powershell). I disable auto-containment of unrecognized apps
3/ cloud lookup and virusscope, PUP: reduce false positive rate with basic malware signatures, although they are useless most of the time
4/ Heuristic Command-line Monitoring: never does anything for me, but I keep it enable

what is broken: update module. After 2 tries and reboots, I still haven't get the latest version for some reasons although I downloaded the installer straight from comodo website today

 

[AtlBo]

Firewall: it's a must for me. Windows Firewall is not easy to use at least for me. I can't create a rule which "Allows A and blocks everything else". Very easy to monitor all the connection and block if necessary + outbound connection notification

I lean heavily on the Firewall too @Evjl's Rain. I have a fairly large number of processes set to "ask" so I can see when they contact the internet. I am also monitoring ipV6 traffic which has been interesting. You get all those hits about hardware detection from apps, but I once in a while something will try to reach across the net via that protocol.

 

[shmu26]

Thanks for this. Wasn't aware. What is a random name if I may ask? Wondering if Comodo knows about this. Haven't had any time to test the feature, although I have been hoping to put it through some tests at some point.

Yeah, they know about it. It mainly affects cmd.exe. A random name is something like 45000100bcf12.bat
My intel integrated graphics spawns a bat file like that at system startup, and every time it is a different name. That's that rub. It will always be autocontained, and the system tray icon for graphics won't work. Currently, that icon is the only way to access graphics settings.

 

[SHvFl]

When i use Comodo nowadays i only use the firewall but i consider the auto containment, Heuristic Command-line Monitoring and Shortened (Edited) Trusted Vendors List useful. No longer do the same for hips because it's broken, viruscope is useless, cloud is run by monkeys, pup is no worry for me, widget is too big and i use process explorer so i don't need killswitch.

 

[AtlBo]

That's that rub. It will always be autocontained, and the system tray icon for graphics won't work. Currently, that icon is the only way to access graphics settings.

Yes that nasty bug. OK. I hadn't thought of it in terms of a boot scenario. That is a nasty issue. Of course, there are other scenarios with the auto-sandbox occurring before heuristic command-line can be detected issue too. I wonder if Comodo could ever get to the point with the heuristic command line monitoring where they would trust the monitoring over the sandbox and then allow the sandbox to run command lines if HCL option is on. This way there could be separate and logically compatible alerts, even if the process were contained.

This still wouldn't solve your issue or mine with the Qihoo browser extension, since there isn't anyway to wildcard the dropped .tmp for it to be ignored. However, part of me really still feels that devs shouldn't be making use of command line on boot or on program start up. This practice does put security writers in a tough spot coming up with hands off security for c-l monitoring. That's kind of amateurish it seems to me when there are surely security friendly ways to accomplish the same thing.

 

[bribon77]

I have used Comodo in many ways. But lately I use it with @Cs configuration. I think it's excellent.

 

[Captain Awesome]

When i use Comodo I install only FW and setup Auto-Contain.

 

[shmu26]

Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?

 

[SHvFl]

Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?

Similar to this. Read the first reply. Basically CS settings it's just a "brand name" which is now used as "quality assurance".

Hoover vs. vacuum - Grammarist

 

[bribon77]

Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?

You said it. Simple but effective. It doesn't bother me with alerts.

 

[Evjl's Rain]

Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?

because it sandboxes everything which is "Unrecognized" according to the TVL or the cloud. During the sandbox, we can see how the app is doing to decide if it is safe or not to allow or block
in the default settings, there are a few other rules which allow more apps to run without being sandboxed (a file must come from the internet, from specific locations or the file age is less than 3 days,... if I recall it correctly -> CS's settings bypass these rules and sandbox everything Unrecognized regardless of the file's location, age,...)

compare to other solutions
- anti-exe: block or allow, you don't know if the file is safe or not, just base on the ratings. If we allow a malware to run, we are screwed
- SRP: I don't have experience with it

CS's settings: sandbox first -> OK, this app looks safe/malicious (visually) -> allow/block

 

[Sephiroth Source]

1/ Firewall: it's a must for me. Windows Firewall is not easy to use at least for me. I can't create a rule which "Allows A and blocks everything else". Very easy to monitor all the connection and block if necessary + outbound connection notification
2/ Auto-contain: I now use it as an on-demand sandbox, not automatically blocks my programs. Also I made some rules to block dangerous extensions (.js, .jar, .ps1,... for example) and block vulnerable processes (powershell). I disable auto-containment of unrecognized apps
3/ cloud lookup and virusscope, PUP: reduce false positive rate with basic malware signatures, although they are useless most of the time
4/ Heuristic Command-line Monitoring: never does anything for me, but I keep it enable

what is broken: update module. After 2 tries and reboots, I still haven't get the latest version for some reasons although I downloaded the installer straight from comodo website today

I updated the Comodo Firewall today and also had problems. After restarting the machine, Windows warned that there was no active firewall in the system. I did the entire installation process and the second time it worked.

 

[Evjl's Rain]

moreover, CS's settings are almost bug-less and are used by many users without any major issue
if we try to use more modules such as HIPS and tweak everything intensively, we may encounter bugs. CS's config just simply works without many complicated tweaks. The net result could be exactly the same before or after tweaking between CS's and paranoid setup

my real experience after many months, I have never ever had the bug of rule disappearance using simple configurations. I think most issues come from the HIPS module after a period in training mode

 

[dvdke]

only the firewall.