Which Elements of Comodo do You Use?

Elements of Comodo that You Use

  • Firewall: 43 votes (86.0%)
  • HIPS: 16 votes (32.0%)
  • Auto-Contain: 37 votes (74.0%)
  • Heuristic Command-line Monitoring: 24 votes (48.0%)
  • Cloud Lookup: 27 votes (54.0%)
  • Viruscope: 29 votes (58.0%)
  • Shortened (Edited) Trusted Vendors List: 11 votes (22.0%)
  • Detect PUP Software (setting in File Rating Settings): 20 votes (40.0%)
  • Desktop Widget: 10 votes (20.0%)
  • Killstart: 12 votes (24.0%)

  • Total voters: 50
  • Poll closed.
Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Posting this to see how most Comodo users use the program. If you would like, you can rate the importance of the features in a post.

Feature Security Value and 1-10 rating of the element in Comodo
1. Auto-contain (element 1-10 rating 8.5)
2. Heuristic Command-line (element 1-10 rating 9.0)
3. Firewall (element 1-10 rating 7)
4. HIPS (element 1-10 rating 6.5)
5. Cloud Lookup (element 1-10 rating 6)

The rest are optional for user

One question: If you could improve any one thing about Comodo (any of them) what would the improvement be?

For me this would be improving the interactivity of the user with the "Unblock Applications" dialog. Make it so that users have more control when unblocking.

EDIT: In poll Killstart should be Killswitch :oops:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Most important thing to fix: command line analysis/embedded code detection.
If you have autocontainer enabled, and you have a bat file or embedded code with a random name, it doesn't work well together.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Obviously, the desktop widget is by far the most important feature of Comodo! I am sure that all users will agree!

Of course :). Just trying to see how many make use of the widget with that one.

Most important thing to fix: command line analysis/embedded code detection.
If you have autocontainer enabled, and you have a bat file or embedded code with a random name, it doesn't work.

Thanks for this. Wasn't aware. What is a random name if I may ask? Wondering if Comodo knows about this. Haven't had any time to test the feature, although I have been hoping to put it through some tests at some point.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
1/ Firewall: it's a must for me. Windows Firewall is not easy to use, at least for me. I can't create a rule which "Allows A and blocks everything else". Very easy to monitor all the connections and block if necessary + outbound connection notification
2/ Auto-contain: I now use it as an on-demand sandbox, not automatically blocking my programs. Also I made some rules to block dangerous extensions (.js, .jar, .ps1,... for example) and block vulnerable processes (powershell). I disable auto-containment of unrecognized apps
3/ Cloud lookup and Viruscope, PUP: reduce false positive rate with basic malware signatures, although they are useless most of the time
4/ Heuristic Command-line Monitoring: never does anything for me, but I keep it enabled

What is broken: update module. After 2 tries and reboots, I still haven't got the latest version for some reason, although I downloaded the installer straight from the Comodo website today
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Firewall: it's a must for me. Windows Firewall is not easy to use, at least for me. I can't create a rule which "Allows A and blocks everything else". Very easy to monitor all the connections and block if necessary + outbound connection notification

I lean heavily on the Firewall too @Evjl's Rain. I have a fairly large number of processes set to "ask" so I can see when they contact the internet. I am also monitoring IPv6 traffic, which has been interesting. You get all those hits about hardware detection from apps, but once in a while something will try to reach across the net via that protocol.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Thanks for this. Wasn't aware. What is a random name if I may ask? Wondering if Comodo knows about this. Haven't had any time to test the feature, although I have been hoping to put it through some tests at some point.
Yeah, they know about it. It mainly affects cmd.exe. A random name is something like 45000100bcf12.bat
My Intel integrated graphics spawns a bat file like that at system startup, and every time it is a different name. That's the rub. It will always be autocontained, and the system tray icon for graphics won't work. Currently, that icon is the only way to access graphics settings.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
When I use Comodo nowadays I only use the firewall, but I consider the auto containment, Heuristic Command-line Monitoring and Shortened (Edited) Trusted Vendors List useful. I no longer do the same for HIPS because it's broken, Viruscope is useless, cloud is run by monkeys, PUP is no worry for me, the widget is too big and I use Process Explorer so I don't need KillSwitch.
 

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
That's the rub. It will always be autocontained, and the system tray icon for graphics won't work. Currently, that icon is the only way to access graphics settings.

Yes, that nasty bug. OK. I hadn't thought of it in terms of a boot scenario. That is a nasty issue. Of course, there are other scenarios with the auto-sandbox occurring before heuristic command-line can be detected issue too. I wonder if Comodo could ever get to the point with the heuristic command line monitoring where they would trust the monitoring over the sandbox and then allow the sandbox to run command lines if the HCL option is on. This way there could be separate and logically compatible alerts, even if the process were contained.

This still wouldn't solve your issue or mine with the Qihoo browser extension, since there isn't any way to wildcard the dropped .tmp for it to be ignored. However, part of me really still feels that devs shouldn't be making use of command line on boot or on program start up. This practice does put security writers in a tough spot coming up with hands-off security for c-l monitoring. That's kind of amateurish it seems to me when there are surely security-friendly ways to accomplish the same thing.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?
Similar to this. Read the first reply. Basically "CS settings" is just a "brand name" which is now used as "quality assurance".

Hoover vs. vacuum - Grammarist
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?
You said it. Simple but effective. It doesn't bother me with alerts.
 
  • Like
Reactions: AtlBo and shmu26

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Maybe someone can explain to me the special magic of CFW at CS settings, which seems to be so popular in this neck of the woods.
I admit that it works; it is a simple yet effective setup.
But why is it preferable to any of the other default/deny solutions out there?
Because it sandboxes everything which is "Unrecognized" according to the TVL or the cloud. During the sandbox, we can see how the app is doing to decide if it is safe or not, to allow or block
In the default settings, there are a few other rules which allow more apps to run without being sandboxed (a file must come from the internet, from specific locations, or the file age is less than 3 days,... if I recall it correctly -> CS's settings bypass these rules and sandbox everything Unrecognized regardless of the file's location, age,...)

Compared to other solutions:
- anti-exe: block or allow, you don't know if the file is safe or not, just based on the ratings. If we allow a malware to run, we are screwed
- SRP: I don't have experience with it

CS's settings: sandbox first -> OK, this app looks safe/malicious (visually) -> allow/block
 
Last edited:
  • Like
Reactions: ZeroDay and AtlBo
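The two posts above describe the auto-containment decision as a policy: first the user's own block rules (risky script extensions, powershell), then the file rating from the Trusted Vendors List or the cloud, and finally, for "Unrecognized" files, either contain everything (the "CS settings" behaviour) or contain only when an origin/age condition holds (the default behaviour as Evjl's Rain recalls it). The model below is an added example, not Comodo's code or data: the vendor list, cloud verdicts, watched locations and sample files are constructed stand-ins, and the rule order is an assumption chosen to match the description in the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Constructed stand-ins for the Trusted Vendors List and cloud verdicts.
# Sample values for the model only, not Comodo's real data.
TRUSTED_VENDORS = {"Example Vendor Inc."}
CLOUD_VERDICTS = {
    "sha256:1111": "safe",
    "sha256:2222": "malicious",
}

# User auto-containment rules from the thread: block risky script
# extensions and the PowerShell process outright.
BLOCKED_EXTENSIONS = {".js", ".jar", ".ps1"}
BLOCKED_PROCESSES = {"powershell.exe"}

# Locations the "default" policy treats as suspicious origins. Assumed:
# the post only says "specific locations".
WATCHED_LOCATIONS = ("C:\\Users\\", "C:\\Temp\\")


@dataclass
class FileInfo:
    path: str
    signer: Optional[str]   # code-signing publisher, None if unsigned
    sha256: str             # hash used for the cloud lookup
    created: datetime       # file creation time
    from_internet: bool     # e.g. carries a mark-of-the-web


def rate_file(f: FileInfo) -> str:
    """File rating: Trusted, Malicious or Unrecognized."""
    if f.signer in TRUSTED_VENDORS:
        return "Trusted"
    verdict = CLOUD_VERDICTS.get(f.sha256)
    if verdict == "safe":
        return "Trusted"
    if verdict == "malicious":
        return "Malicious"
    return "Unrecognized"


def decide(f: FileInfo, policy: str, now: datetime) -> str:
    """Return 'allow', 'block' or 'contain' for a file under the given policy.

    'cs': contain every Unrecognized file, whatever its origin or age.
    'default': contain Unrecognized files only when an origin/age condition
    holds (came from the internet, sits in a watched location, or is younger
    than three days); otherwise allow it to run unsandboxed.
    """
    p = PureWindowsPath(f.path)
    # Explicit user rules are evaluated first, regardless of rating (assumed order).
    if p.suffix.lower() in BLOCKED_EXTENSIONS or p.name.lower() in BLOCKED_PROCESSES:
        return "block"
    rating = rate_file(f)
    if rating == "Malicious":
        return "block"
    if rating == "Trusted":
        return "allow"
    if policy == "cs":
        return "contain"
    if policy != "default":
        raise ValueError(f"unknown policy {policy!r}")
    recent = now - f.created < timedelta(days=3)
    watched = f.path.lower().startswith(tuple(w.lower() for w in WATCHED_LOCATIONS))
    return "contain" if (f.from_internet or watched or recent) else "allow"


def compare_policies(files, now: datetime) -> dict:
    """Map each file path to its (default, cs) decisions side by side."""
    return {f.path: (decide(f, "default", now), decide(f, "cs", now)) for f in files}


NOW = datetime(2018, 1, 10, 12, 0)
# Constructed sample files covering each branch of the policy.
SAMPLES = [
    FileInfo("C:\\Program Files\\Vendor\\app.exe", "Example Vendor Inc.", "sha256:9999", NOW - timedelta(days=400), False),
    FileInfo("C:\\Users\\me\\Downloads\\setup.exe", None, "sha256:3333", NOW - timedelta(hours=2), True),
    FileInfo("D:\\Tools\\old_unsigned.exe", None, "sha256:4444", NOW - timedelta(days=90), False),
    FileInfo("C:\\Users\\me\\Downloads\\invoice.js", None, "sha256:5555", NOW - timedelta(minutes=5), True),
    FileInfo("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Example Vendor Inc.", "sha256:6666", NOW - timedelta(days=900), False),
    FileInfo("D:\\Tools\\known_bad.exe", None, "sha256:2222", NOW - timedelta(days=30), False),
]

if __name__ == "__main__":
    for path, (default, cs) in compare_policies(SAMPLES, NOW).items():
        print(f"{path}\n  default: {default:8} cs: {cs}")
```

The file that separates the two policies is the old, unsigned executable outside any watched location: the default policy lets it run because no origin or age rule fires, while the CS policy contains it simply because nothing vouches for it. Everything else (trusted, cloud-known bad, blocked extensions and the blocked process) gets the same verdict under both.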

Sephiroth Source

Level 2
Verified
Jul 13, 2015
65
1/ Firewall: it's a must for me. Windows Firewall is not easy to use, at least for me. I can't create a rule which "Allows A and blocks everything else". Very easy to monitor all the connections and block if necessary + outbound connection notification
2/ Auto-contain: I now use it as an on-demand sandbox, not automatically blocking my programs. Also I made some rules to block dangerous extensions (.js, .jar, .ps1,... for example) and block vulnerable processes (powershell). I disable auto-containment of unrecognized apps
3/ Cloud lookup and Viruscope, PUP: reduce false positive rate with basic malware signatures, although they are useless most of the time
4/ Heuristic Command-line Monitoring: never does anything for me, but I keep it enabled

What is broken: update module. After 2 tries and reboots, I still haven't got the latest version for some reason, although I downloaded the installer straight from the Comodo website today
I updated the Comodo Firewall today and also had problems. After restarting the machine, Windows warned that there was no active firewall in the system. I did the entire installation process and the second time it worked.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Moreover, CS's settings are almost bug-less and are used by many users without any major issue.
If we try to use more modules such as HIPS and tweak everything intensively, we may encounter bugs. CS's config just simply works without many complicated tweaks. The net result could be exactly the same before or after tweaking between CS's and a paranoid setup.

In my real experience after many months, I have never ever had the bug of rule disappearance using simple configurations. I think most issues come from the HIPS module after a period in training mode.
 
Last edited: