Component Analysis - Comodo versus ZAP
aigle
January 28th, 2007, 04:58 AM
Can anybody (who has used both Comodo and ZAP) explain to me how component monitoring differs in the two? I have found component monitoring in Comodo rather annoying, with many popups, so I always keep it in learning mode (which is practically almost equivalent to turning it off). I used ZAP in the past and was never annoyed by this feature at that time. So I wonder what the difference is between the two and which one is better?
Thanks
rdsu
January 28th, 2007, 07:09 AM
I always leave it in learning mode...
The first thing that I do after installing it is set the alert frequency level to minimum... This setting is more than enough for me...
Jarmo P
January 28th, 2007, 08:13 AM
I have no idea how component control can be useful to a normal user.
So a learning mode should be OK, as useless as it is.
It really is, as you have found out, a source of unnecessary popups, and that in itself is a security risk. A more serious popup alert may get accepted if you are always answering things.
Except to see what is allowed, all the DLL's.
With Sygate I let it unticked.
With Comodo one can sure go and try to see later what they are.
SSM free does not have that; it only tells you when something is putting in a hook, and that is more useful, maybe. Gets paranoid with that too :P
{QUOTE-> The first thing that I do after installing it is set the alert frequency level to minimum... This setting is more than enough for me... <-QUOTE}
That is not the right solution with Comodo, in my opinion. You can run it with 'Very High' alert level, I do. You just have to make the rules to not be alerted often.
I am just testing this FW and might soon be back to my fave Kerio 2.1.5, but I sure don't get alerted unnecessarily when my rules are right. Not that they are all as wide as that minimum alert level provides.
Basically you need to allow UDP 53 out to your ISP DNS servers for the applications. And allow incoming for the localhost address, 127.0.0.1, to some applications that need it.
If they are server accessing kind, maybe SPI is enough, but if not, only then some network rule ports need to be opened too.
I do have my Firefox allowed all connections outbound, but I always have done that with any firewall.
Not the smartest thing to do, probably.
Jarmo
rdsu
January 28th, 2007, 09:15 AM
{QUOTE-> That is not the right solution with Comodo, in my opinion. <-QUOTE}
Depends what you want to know about the program.
For me I only want to be notified when a program wants to use the Internet.
If I need, I will do other investigations about it...
You can read this: Poll: Alert Frequency Level (http://forums.comodo.com/index.php/topic,2209.0.html)
TopperID
January 28th, 2007, 01:12 PM
I find component control in ZAP extremely useful. I only really get pop-ups after Windows updates and that sort of thing, but by clicking on 'Details' and then 'Properties' you are able to get all the info you need in order to make an informed decision as to whether or not to allow the module.
Basically, if a program needs to connect to the net and it has a new .dll loaded you will be warned, so you can check it out. If you have it in learning mode you will not be receiving this information.
I suppose you could argue that if you are protected by HIPS progs against alien .dll injection you are not going to need to worry about new modules connecting. But I believe it can also protect against certain exploits that seek to misuse legitimate MS .dlls by loading them into IE (for example). Thus if you are at a 'suspect' website and IE suddenly wants to load a new .dll you can block it in ZA and shutdown the browser and start again - threat avoided!
I'm afraid I have no experience of Comodo.
aigle
January 28th, 2007, 05:57 PM
Thanks for replies.
{QUOTE-> Thus if you are at a 'suspect' website and IE suddenly wants to load a new .dll you can block it in ZA and shutdown the browser and start again - threat avoided!
I'm afraid I have no experience of Comodo. <-QUOTE}
I think there is no such option in Comodo; if I deny the popup, the whole browser is blocked? Can anybody confirm this?
aigle
January 28th, 2007, 05:58 PM
{QUOTE-> I always leave it in learning mode...
The first thing that I do after installing it is set the alert frequency level to minimum... This setting is more than enough for me... <-QUOTE}
Exactly what I do.
aigle
January 29th, 2007, 01:28 PM
{QUOTE-> I suppose you could argue that if you are protected by HIPS progs against alien .dll injection you are not going to need to worry about new modules connecting. But I believe it can also protect against certain exploits that seek to misuse legitimate MS .dlls by loading them into IE (for example). Thus if you are at a 'suspect' website and IE suddenly wants to load a new .dll you can block it in ZA and shutdown the browser and start again - threat avoided!
<-QUOTE}
As I see it in ZAP, there are only two options for components, allow or ask, no block option. Am I right?
In Comodo I found three options when you get a popup: ask, allow or block.
While in the main firewall rules window there is only the option to allow or block, if you delete the rule you will get the ask option again in the form of a popup.
I found these rules a bit useless. For a test, I enabled component monitoring and then installed Google Toolbar, which loaded new components in IE. Now when IE tried to connect to the internet, I got a popup about unknown components in IE (googletoolbar.dll); when I blocked this dll, the whole of IE was blocked from access to the internet. So I can't use IE for the internet unless I allow this new component or remove it.
aigle
January 29th, 2007, 01:33 PM
Comodo component rules.
dah145
January 29th, 2007, 03:05 PM
mmm, it has the same function as AIC (Application Integrity Control) on KIS...
TopperID
January 29th, 2007, 08:28 PM
{QUOTE-> As I see it in ZAP, there are only two options for components, allow or ask, no block option. Am I right?
<-QUOTE}
That is correct, you can only have 'ask' or 'allow'; but if you have it set to 'ask' you will receive a pop-up if that component loads into a process with access, you can then click 'deny' on the pop-up. If you do that and it turns out the .dll was vital you might crash the process in question, in which case you can close it down and start again. If the .dll was not important (or malware!) then of course you can continue browsing as usual.
{QUOTE-> it has the same function as AIC (Application Integrity Control) on KIS...
<-QUOTE}
Not exactly. Application Integrity Control in KAV's PDM is not confined to controlling a module's access to the web (by its loading into processes with access); rather it keeps a list of known trusted .dlls loading into specific critical processes. These include system processes as well as those requiring Internet access. Every time a new module is loaded into Explorer (say) you need to allow or deny it on the list for Explorer - and boy do you get a lot of pop-ups! Every time you so much as run your mouse over something in Windows Explorer, you get a pop-up; but these do decrease sharply with time, as the list gradually becomes more complete.
aigle
January 30th, 2007, 01:02 AM
{QUOTE-> If the .dll was not important (or malware!) then of course you can continue browsing as usual. <-QUOTE}
So you mean you can specifically block a dll loaded into the browser and still continue to use the browser to surf the net? Am I correct?
In Comodo, as I said, if I say block, it will block the whole browser, not only the dll.
TopperID
January 30th, 2007, 01:54 PM
{QUOTE-> So you mean you can specifically block a dll loaded into the browser and still continue to use the browser to surf the net? <-QUOTE}
Yes, you can restrict the individual component without affecting the process itself.
However, the process may have restricted functionality if the .dll (or ActiveX etc.) was required in order to enable that function.
If a component has previously tried to access the net it will be on the list (though you can remove it from the list without any problem). The program it is loaded into may be a browser, but it is not confined to browsers as such.
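As an added illustration of the behaviour TopperID and aigle describe above (the learning mode that records modules silently, the alert on a module not yet in the list, and the two scopes a deny can have: one component only, as TopperID describes for ZAP, or the whole process, as aigle saw with Comodo), here is a small Python model. It is not code from either product or from anyone in the thread; the process names, paths and module bytes are constructed.

```python
import hashlib
from typing import Callable, Dict, Set, Tuple

Key = Tuple[str, str]  # (process name, module path)

def fingerprint(content: bytes) -> str:
    # Identify a module by content hash, so an updated DLL under the same name counts as new
    # (which is why Windows updates produce fresh pop-ups).
    return hashlib.sha256(content).hexdigest()

class ComponentMonitor:
    # learning=True: record every module silently, no alerts (the 'learning mode' in the thread).
    # per_component=True: a deny restricts only that module (ZAP-style, per TopperID);
    # per_component=False: a deny cuts the whole process off the network (Comodo-style, per aigle).
    def __init__(self, per_component: bool, decide: Callable[[str, str], str]):
        self.learning = True
        self.per_component = per_component
        self.decide = decide  # callback standing in for the user's answer to the pop-up: "allow" or "deny"
        self.baseline: Dict[Key, str] = {}
        self.denied_modules: Set[Key] = set()
        self.blocked_processes: Set[str] = set()

    def module_loaded(self, process: str, path: str, content: bytes) -> str:
        key, digest = (process, path), fingerprint(content)
        if self.baseline.get(key) == digest:
            return "known"          # on the list with the same hash: no pop-up
        if self.learning:
            self.baseline[key] = digest
            return "learned"        # added silently
        if self.decide(process, path) == "allow":
            self.baseline[key] = digest
            return "allowed"
        if self.per_component:
            self.denied_modules.add(key)
        else:
            self.blocked_processes.add(process)
        return "denied"

    def may_connect(self, process: str) -> bool:
        return process not in self.blocked_processes

    def module_restricted(self, process: str, path: str) -> bool:
        return (process, path) in self.denied_modules

def toolbar_scenario(per_component: bool) -> Tuple[bool, bool]:
    # Constructed replay of aigle's test: learn IE's usual module, then a toolbar DLL appears and is denied.
    mon = ComponentMonitor(per_component, decide=lambda proc, path: "deny")
    mon.module_loaded("iexplore.exe", r"C:\Windows\System32\wininet.dll", b"wininet-v1")
    mon.learning = False
    toolbar = r"C:\Program Files\Google\googletoolbar1.dll"  # constructed path
    mon.module_loaded("iexplore.exe", toolbar, b"toolbar-bytes")
    return mon.may_connect("iexplore.exe"), mon.module_restricted("iexplore.exe", toolbar)
```

The two calls `toolbar_scenario(True)` and `toolbar_scenario(False)` give the two outcomes debated in the thread: the browser keeps its access with only the toolbar module restricted, or the whole browser loses access.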
aigle
January 31st, 2007, 02:13 AM
{QUOTE-> Yes, you can restrict the individual component without affecting the process itself.
<-QUOTE}
I was thinking it might not be possible. If it is correct, then Comodo has no such ability.
BTW, I still doubt it, as I did not get any option in ZAP to specifically block a dll loaded in the browser. Can you post a screenshot?
Thanks.
TopperID
January 31st, 2007, 08:31 PM
O.K., here's a screenshot. The pop-up on the left is the one you first receive. If you click 'Details' you get the middle one, which tells you the components seeking to connect. By selecting a component in that pop-up you can bring up the properties for that component. You can then decide whether to 'Deny' or 'Allow' on the first pop-up.
I just upgraded to KAV's Maintenance Pack 2, so I've been getting a few pop-ups today; usually I don't get any.
aigle
February 1st, 2007, 07:05 AM
So this Yes or Deny will be for all components and KAV; you can't select individually, unlike your statement, or I am missing something.
pugmug
February 1st, 2007, 01:43 PM
aigle, from your screenshot of ZA it seems you are using an older version. If you download ver 6.1.744.001 from here, http://download.zonelabs.com/bin/free/information/zap/releaseHistory.html#7.0.302.000 it gives you more control and is much less buggy than any 6.5 version. I have not tried ver 7.0 at present so I can't comment on it.
TopperID
February 1st, 2007, 03:55 PM
{QUOTE-> So this Yes or Deny will be for all components and KAV; you can't select individually, unlike your statement, or I am missing something. <-QUOTE}
I think it must block the whole program rather than the individual components. :-\
I think I must have been wrong to suggest otherwise - that seems logical. ???
Actually, I rarely have to block and the only times I have done so were when I was using IE at a 'suspect' site which was trying a known exploit on me; I had to close IE and start again - but the new module (which was a legitimate MS one) was not loaded into the new Window, so I assumed it had been individually blocked - but now I'm not sure. :-\ The fact is my browser was open and working perfectly until I clicked a link at a 'naughty' site - so what was being blocked, the browser that already had access or the component that failed to load when I clicked 'Deny'?
The example in my screenshot is much clearer because KAV did not have access and was seeking it with new modules - so if you 'Deny' you block access to the whole application. But what happens when the app already has access when the loading of the new module occurs? My assumption was that the module was blocked from loading rather than access for the browser suddenly being disconnected. :wacko:
aigle
February 1st, 2007, 05:03 PM
{QUOTE-> I think it must block the whole program rather than the individual components. :-\
<-QUOTE}
I have the same feeling.
Thanks
aigle
February 1st, 2007, 05:07 PM
{QUOTE-> aigle, from your screenshot of ZA it seems you are using an older version. If you download ver 6.1.744.001 from here, http://download.zonelabs.com/bin/free/information/zap/releaseHistory.html#7.0.302.000 it gives you more control and is much less buggy than any 6.5 version. I have not tried ver 7.0 at present so I can't comment on it. <-QUOTE}
Ya, actually I just downloaded a slightly older trial version from download.com to see the component control. Not using it anymore.
Are there more options in newer versions?
Rasheed187
February 27th, 2007, 10:52 AM
I must admit that currently I'm not using the component monitor in ZA Pro because it takes a while to configure it and it will give lots of popups; of course, for more security you should use it. ::)
Copyright ©2002 - 2010, Wilders Security Forums