Which Elements of Comodo do You Use?

Elements of Comodo that You Use

  • Firewall: 43 votes (86.0%)
  • HIPS: 16 votes (32.0%)
  • Auto-Contain: 37 votes (74.0%)
  • Heuristic Command-line Monitoring: 24 votes (48.0%)
  • Cloud Lookup: 27 votes (54.0%)
  • Viruscope: 29 votes (58.0%)
  • Shortened (Edited) Trusted Vendors List: 11 votes (22.0%)
  • Detect PUP Software (setting in File Rating Settings): 20 votes (40.0%)
  • Desktop Widget: 10 votes (20.0%)
  • Killstart: 12 votes (24.0%)

  • Total voters: 50
  • Poll closed.
Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Similar to this. Read the first reply. Basically CS settings it's just a "brand name" which is now used as "quality assurance".

Could it be the simple effectiveness? I mean no alert. Unsigned or incorrectly signed or no TVL listing or no Cloud Lookup input->item definitely is boxed. I bet some of those users get something from the firewall too, so maybe that contributes. FW is pretty good...not smart but pretty good with configurations. It's at least partly a second layer beyond default deny since so much malware requires the internet to do harm.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
> Could it be the simple effectiveness? I mean no alert. Unsigned or incorrectly signed or no TVL listing or no Cloud Lookup input->item definitely is boxed. I bet some of those users get something from the firewall too, so maybe that contributes. FW is pretty good...not smart but pretty good with configurations. It's at least partly a second layer beyond default deny since so much malware requires the internet to do harm.

@AtlBo, would you mind posting a screenshot of your command line/embedded code settings? I am curious to see how you have configured the various processes, and I also would like to see exactly what Comodo put on the list (I don't have Comodo installed right now).

If you or others have any comments on the default Comodo list, I would be happy to hear.
Did they miss anything important, or include something useless?
 

monkeylove

Level 12
Verified
Top Poster
Well-known
Mar 9, 2014
599
I installed it to replace another firewall and because of HIPS and auto-contain, but I also enabled Viruscope and website filtering because they're already included.
 

Raka Daku

I use Proactive Security Config

Elements of Comodo that I Use
Firewall - Default Settings
Auto-Contain - Set to "Restricted"
Heuristic Command-line Monitoring - Defaults
Cloud Lookup - Default Settings
VirusScope - Set to "Monitor programs in Containment only"
Trusted Vendors List - Default List
Detect PUP Software - Default
Desktop Widget - No
KillSwitch - Yes

I would like to see an "ask" option in Auto-Containment. It's going to be there in the next release or beta.
 

Deleted member 178

I use Proactive Mode with ALL modules customized toward maximum possible protection (aka paranoid mode.)
For advanced users, Comodo's HIPS is a required feature.
For less advanced users, the sandbox is the preferred feature.
 

AtlBo

> @AtlBo, would you mind posting a screenshot of your command line/embedded code settings? I am curious to see how you have configured the various processes, and I also would like to see exactly what Comodo put on the list (I don't have Comodo installed right now).

@shmu26. Here you are. The second one is gigantic, sorry about the size of the pic.

[Attachments: Comodo H-C-L Defaults + vds.png, Comodo H-C-L Extended List.png]

First list is defaults plus mshta.exe, vds.exe, and vdsldr.exe. 2nd list is the full extended list I put together from some Bouncer list I found here on MTs.

I wonder if it would make sense to add .EXCEL.exe and the other MS Office programs to the list. Might try this later to see if HC-L can generate an alert up from macro code in those files.
 

shmu26

> @shmu26. Here you are. The second one is gigantic, sorry about the size of the pic.
>
> View attachment 172158 View attachment 172159
>
> First list is defaults plus mshta.exe, vds.exe, and vdsldr.exe. 2nd list is the full extended list I put together from some Bouncer list I found here on MTs.
>
> I wonder if it would make sense to add .EXCEL.exe and the other MS Office programs to the list. Might try this later to see if HC-L can generate an alert up from macro code in those files.

What is vds and vdsldr?
 

AtlBo

> What is vds and vdsldr?

Here is the explanation I found:

Virtual Disk Service. vds.exe. C:\WINDOWS\System32\vds.exe. VDS is a set of application programming interfaces (APIs) that provides a single interface for managing disks. VDS provides an end-to-end solution for managing storage hardware and disks, and for creating volumes on those disks.

The genuine vdsldr.exe file is a software component of Microsoft Windows Operating System by Microsoft.
The client side process for Microsoft's Virtual Disk Service, this application runs on client machines to support virtual disk implementation. A host machine running VDS will have a management console that will allow access to all storage that is accessible through the client machines.

Can't recall who recommended adding this. I had been under the impression it is associated specifically with execution of vb script, but I see this is not the case. I guess the larger list has been more or less an experiment for me. I can see how script might be referenced by some of the added elements (like with rundll32.exe), so I have stuck with them for the last 6 months.
 

shmu26

> Here is the explanation I found:
>
> Can't recall who recommended adding this. I had been under the impression it is associated with execution of vb script, but I see this is not the case. I guess the larger list has been more or less an experiment for me. I can see how script might be referenced by some of the added elements (like with rundll32.exe), so I have stuck with them for the last 6 months.

Thanks. I think a lot of ransomware uses vds.
 

shmu26

Here is a use of Comodo Firewall that I haven't seen anyone talk about yet:
HIPS at paranoid, but monitoring only for process execution and DNS/RPC client service.
This gives you an advanced anti-exe, plus protection against network connection snooping.
 

AtlBo

> Here is a use of Comodo Firewall that I haven't seen anyone talk about yet:
> HIPS at paranoid, but monitoring only for process execution and DNS/RPC client service.

Interesting way to think for someone who is not currently using the HIPS element of Comodo. I am using the HIPS module since I don't install many programs these days, but I ran Comodo with only about 5 of the HIPS modules enabled for a while. After that I realized they are all actually fairly pointedly purposeful, so I reenabled them all. Still, I can see why someone would go this direction with the settings, and it seems like a very nice idea to me. :)
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
> For advanced users, Comodo's HIPS is a required feature.

Advanced users don't use HIPS. People use HIPS in order to look like advanced users. Once you are advanced enough to understand HIPS properly, you know how you can get infected, which threats apply to you, what you need to do against it, and finally you realize you don't actually need it anymore or never needed it in the first place.
 

klaken

Level 3
Verified
Well-known
Oct 11, 2014
112
HIPS is important, only with so many tools you can exclude it. If some of these tools did not exist, it would be extremely necessary.

I would improve the AV and Viruscope, although it is understandable that they have not worked so much:
1- The method of protection avoids the need for signatures.
2- I do not think they earn a lot of money with CIS.

Before, I liked the method of protection and comfortable (2009 approx.), but it was impossible to use the alerts. Now I noticed a lot that advanced and comfortable cloud has been a pleasant change.

I hope they improve.
 

shmu26

> Interesting way to think for someone who is not currently using the HIPS element of Comodo.

Reinstalled CFW today, just to try out my idea. :)
@Lockdown kept telling me about how powerful SpyShelter Firewall is, if you run it in "ask user" mode. It took me a while to wrap my mind around it, but when I finally understood what SpyShelter application execution control is doing, I realized that you can achieve the same with Comodo HIPS. Had to try it out. So far, so good.
If I am not mistaken, this is what the new NVT ERP will be accomplishing, through the addition of parent process to the whitelisting.
 

shmu26

> Advanced users don't use HIPS. People use HIPS in order to look like advanced users. Once you are advanced enough to understand HIPS properly, you know how you can get infected, which threats apply to you, what you need to do against it, and finally you realize you don't actually need it anymore or never needed it in the first place.

Just out of curiosity, what does the true "advanced user" need, in terms of security software? Assuming he is a home user with normal computer purposes.
 

klaken

> Just out of curiosity, what does the true "advanced user" need, in terms of security software? Assuming he is a home user with normal computer purposes.

I think it depends on your knowledge.
E.g.: CFW is enough for someone who knows the use of sandbox and sends things to VirusTotal (HIPS is not necessary).
CIS: It is enough for a user who does not install anything signed or very unknown.

A user who wants control would use all CFW.
 

AtlBo

> Advanced users don't use HIPS. People use HIPS in order to look like advanced users. Once you are advanced enough to understand HIPS properly, you know how you can get infected, which threats apply to you, what you need to do against it, and finally you realize you don't actually need it anymore or never needed it in the first place.

I use the HIPS as a stand-in "cover" for some of the weaknesses of Comodo Firewall. The input is helpful with questionable apps when the app or the functionality in the application is something required at the time. Mostly, the alerts give an indication for me of what the specific app would like to be able to access, and knowing I can watch the app if necessary.

Kind of sounds like you are saying that what the advanced user needs is the same as what the noob needs. Don't take this the wrong way, because it would be great if it were true at this time. For me, security software has a little ways to go before I'll count out old-fashioned HIPS. I think more clever presentation of threat potential (on alerts) is needed and then more clearly understandable security options packages or package choices. Example is Comodo's Internet, Firewall, and Proactive options. There isn't much clarity to the choice in the deepest sense. New Comodo user ends up taking Comodo's word for it with the default or choosing based on someone else's experience and/or advice.

Also, there are different levels of noob or non-advanced, when it is taken into consideration that some users focus hard on a limited set of applications and then may switch. Essentially, they become a noob all over again even if a noob with good knowledge.
 