Comodo Memory Firewall Final Released
Coolio10
January 3rd, 2008, 05:04 PM
http://www.memoryfirewall.comodo.com/
Perman
January 3rd, 2008, 07:37 PM
Hi, folks:
Just installed it 2 hours ago on this Intel Core 2 Duo processor, WinXP MCE SP3.
Seems to run very smoothly; very little impact on system resources, no noticeable slowdowns on Internet surfing, no traceable drags on system performance. I do not even notice its presence except for an icon in the system tray area.
Likely to be a nice companion to other security apps (transitional and revolutionary, all alike).
Thanks for the info, and congratulations to the Comodo folks.
Take care.
Tarq57
January 3rd, 2008, 08:18 PM
Just installed it. XP Home SP2. Avast, SpywareTerminator, and CFP 2.4.
As above, barely noticeable.
FadeAway
January 3rd, 2008, 09:29 PM
I don't have any technical knowledge when it comes to buffer overflow
exploits. My machine supports DEP and it's turned on. Do I gain anything
from installing Comodo?
Cerxes
January 3rd, 2008, 09:57 PM
-{ Quote: "...My machine supports DEP and it's turned on. Do I gain anything from installing Comodo?" }-
If you are using Win XP then DEP provides no protection against return-to-libc attacks, which CMF detects.
/C.
FadeAway
January 3rd, 2008, 10:09 PM
-{ Quote: "If you are using Win XP then DEP provides no protection against return-to-libc attacks, which CMF detects.
/C." }-
Yes, running XP 32 here. I'll give it a try. Thanks!!
simmikie
January 4th, 2008, 11:18 AM
-{ Quote: "If you are using Win XP then DEP provides no protection against return-to-libc attacks, which CMF detects.
/C." }-
While looking into ThreatFire's buffer overflow protection, I ran into this paragraph on their blog. So in support of what has already been said, here it is:
-{ Quote: "this exploit works on Vista systems when IE6 and IE7 do not have the "Data Execution Prevention" feature enabled. But techniques to disable the DEP check even when it is enabled have been published as well." }-
So mayhap CMG is worth taking a closer look at after all.
Mike
Cerxes
January 4th, 2008, 01:55 PM
So far I've discovered a small memory conflict between CMF and a Windows system file that handles updates. The solution is simple, just exclude the file in CMF's application list:
C:\Windows\system32\wuauclt.exe
/C.
Rasheed187
January 4th, 2008, 03:49 PM
I've asked it on the CMF forum, and luckily it's not incompatible with SSM and ZAP. Upon install it will warn you about this, but it's because they have used the same installer as for Comodo Firewall. There also don't seem to be any visible conflicts on my machine, so it's looking good.
Now I only need to know if this tool is really effective or not. According to LUSHER it is not; apparently it's explained on the ThreatFire blog why this is the case, but I couldn't find it. But Solcroft says that TF can't protect against some types of BOs itself. I think it would be useful for the Comodo team to create some new tests, and by that I mean real POCs which can all be used in real-life attacks.
Pedro
January 4th, 2008, 04:28 PM
Rasheed: Slipfest. Then again DEP can grab it also, I think.
AshG
January 4th, 2008, 05:45 PM
I installed CMF. When I rebooted, I received a message box that said Windows had been altered without authorization and it would no longer be able to verify that I was licensed. It also refused to open the Control Panel or Computer - Properties dialogue.
Attempts to uninstall CMF did not work when using the Uninstall link in the program's Start Menu folder. It appeared to uninstall, but would reappear at the next boot. The program finally uninstalled correctly through CCleaner's Tools - Uninstall menu, and the Windows message has not returned since.
I am using Vista Ultimate, with NOD32v3 for malware prevention. It returned the same error with the previous poster's file listed in the exclusion box of CMF.
pettyracing
January 4th, 2008, 05:57 PM
Is this firewall used in place of Comodo's Personal Pro f/w? Are there now 2 distinct and separate f/w available?
I would not think it would be in conjunction with it. Is there an advantage to using one vs. the other?
I have a Zyxel router with SP1 stateful inspection f/w. Any idea which would work the best?
Thanks.
jp10558
January 4th, 2008, 09:26 PM
Well, they do different things: this protects against buffer overflows, Comodo Firewall Pro 3 protects against unauthorized network traffic, program execution or file writes...
Tarq57
January 4th, 2008, 11:43 PM
-{ Quote: "Is this firewall used in place of Comodo's Personal Pro f/w? Are there now 2 distinct and separate f/w available?
I would not think it would be in conjunction with it." }-
As said above, they do different things. So, yes, in conjunction with it (or another firewall).
Perhaps Comodo could have named it slightly differently... you can see how confusion is likely to arise... maybe something like Comodo Memory Protect, or Guard, or something.
Does anyone know how to get rid (permanently) of the balloon tip above the Systray at startup?
dmenace
January 5th, 2008, 12:27 AM
Have a look at the following pages:
They show you in detail which buffer overflows various software products have stopped, and the benefits of using "BufferShield" instead of hardware DEP.
http://www.sys-manage.com/PRODUCTS/BufferShield/PreventedExploits/tabid/63/Default.aspx
https://www.sys-manage.com/PRODUCTS/BufferShield/DEPcomparison/tabid/186/Default.aspx <---- DEP Test
http://www.sys-manage.com/BufferShield/tabid/61/Default.aspx
I wonder how Comodo will fare on the above prevented exploits page!!!
Perman
January 5th, 2008, 01:12 AM
Hi, folks:
I d/l'd the DEP test from the 2nd link provided in the previous post.
Comodo Memory Firewall has FAILED in all five categories.
Any comments?
innerpeace
January 5th, 2008, 01:29 AM
-{ Quote: " ~snip~
Perhaps Comodo could have named it slightly differently...you can see how confusion is likely to arise....maybe something like Comodo Memory Protect, or Guard, or something. ~snip~ " }-
Very confusing, especially since they already offer a real firewall. Forever people have been telling us not to run two firewalls or two anti-viruses, etc... I guess they don't know the same people we do.
dmenace
January 5th, 2008, 03:27 AM
I've downloaded the test as well and yeah Comodo fails all five DEP tests.
Obviously Comodo is a relative newcomer in this segment and thus has lots of room for improvement. My only worry is now it will give users a false sense of security...
Will be interesting to see how Prevx and DefensePlus fare...
dmenace
January 5th, 2008, 03:49 AM
A great free alternative to Comodo Memory Firewall is WehnTrust Home User. However, this one is heaps more powerful, and free.
Could someone test it with the DEP test mentioned above?
Be warned though, WehnTrust creates BSODs with DefenseWall.
Link: http://www.wehnus.com/products.pl
Perman
January 5th, 2008, 08:26 AM
Hi,
WehnTrust 1.0.0.9? Forget it;
I tested it on a testing machine. It rendered WinXP SP3 unbootable after the first reboot; I had to use safe mode to reach the Recovery Commander of System Suite 8 to restore.
Do not even think about trying it, unless you are well prepared for the worst. Besides, that version was released way, way back in mid 2006; an aged app, no flavour any more, and could be poisonous. Take care.
gerardwil
January 5th, 2008, 08:34 AM
-{ Quote: "Hi,
WehnTrust 1.0.0.9? Forget it;
I tested it on a testing machine. It rendered WinXP SP3 unbootable after the first reboot; I had to use safe mode to reach the Recovery Commander of System Suite 8 to restore.
Do not even think about trying it, unless you are well prepared for the worst. Besides, that version was released way, way back in mid 2006; an aged app, no flavour any more, and could be poisonous. Take care." }-
I tried it also, but without probs here. XP SP2.
Gerard
Perman
January 5th, 2008, 08:39 AM
-{ Quote: "I tried it also but without probs here. XP SP2
Gerard" }-
Hi, interesting. Good for you.
Perhaps mine is primarily an app compatibility issue. Comodo Memory Firewall is OK here. ::) Just can't please everyone, eh? Take care.
Perman
January 5th, 2008, 09:05 AM
Hi, folks:
If I use the BO tester provided by Comodo, Comodo Memory Firewall passes the first two of three tests. Just wondering, are these testers impartial at all?
Cerxes
January 5th, 2008, 10:11 AM
-{ Quote: "...Just wondering, are these testers impartial at all?" }-
I hardly think so, since they tailor the tests to let their own products pass at first hand.
/C.
WilliamP
January 5th, 2008, 10:45 AM
I have SSM and Comodo Firewall [without Defense+] activated. I had a couple of minor problems and found that even though it showed Defense+ was inactive, it wasn't. I think I have it fixed now. I have been interested in this Memory Firewall, and did have it installed for a short time with no problems. I want to know if it is really effective in the real world with BOs. People with Vista should stay away. I have read of software licenses being lost. Check on the Comodo Forum.
Rasheed187
January 5th, 2008, 11:15 AM
-{ Quote: "Hi, folks:
I d/l'd the DEP test from the 2nd link provided in the previous post.
Comodo Memory Firewall has FAILED in all five categories.
Any comments?" }-
Tested it in my VM, and same over here. I wonder what the Comodo folks will have to say about this test. Btw, I have just received a PM from LUSHER, and he didn't say that CMF is not effective (he still needs to test this); he said that the Comodo testing tool is, so my mistake.
-{ Quote: "Rasheed: Slipfest. Then again DEP can grab it also i think." }-
Thanks, but this tool is way too advanced for me, I started a topic about how to use it, but no one replied.
Coolio10
January 5th, 2008, 12:43 PM
Well, CMF supposedly fails because their tests are fake?
-{ Quote: "Yep, this has already been discussed. CMF blocks API calls from BO, so if POCs are only used to demonstrate buffer overflows there would be no way to block those.
Anyway, any malicious code needs to call some API to accomplish something, so real exploits will be caught by CMF.
It would be interesting to run Comodo BO tester's 3rd test against BufferShield. It should fail.
Also CMF should protect your PC if some malware disables Windows-enforced hardware DEP.
I looked at that thread and found out http://www.sys-manage.com/PRODUCTS/BufferShield/PreventedExploits/tabid/63/Default.aspx CMF is not mentioned. I guess that someone could ask them to include it in their tested products list." }-
Cerxes
January 5th, 2008, 01:31 PM
Whom have you quoted?
/C.
Coolio10
January 5th, 2008, 03:54 PM
-{ Quote: "Whom have you quoted?
/C." }-
Comodo Forum Moderator
Rasheed187
January 13th, 2008, 02:37 PM
Hi,
I don't get it. I have this .ani file that triggers a BO on my VM, and now I want to see if CMF can stop it, but even with DEP turned off, it still seems as if DEP is the one that's stopping it; it keeps restarting explorer.exe. Any ideas? How to turn DEP off inside a VM?
MrBrian
February 26th, 2008, 02:41 AM
Please see http://forums.comodo.com/feedbackcommentsannouncementsnews/result_of_real_world_exploit_test_comodo_memory_firewall_worked-t18683.0.html for a test against a real world proof of concept exploit.
Rasheed187
February 26th, 2008, 02:32 PM
Yes! ;D I was able to make this POC exploit work on my VM (thanks a lot MrBrian), and I was happy to see that CMF was able to stop it. I tested it in all modes (restart, terminate, ask user) and it did the job. I have to say that I was a bit surprised that DEP couldn't stop it, or perhaps I need to test again.
Btw, the buffer overflow would make Winamp v5.12 execute code (launch calc.exe), so I thought, why not test the process execution protection from SSM/NG, and both stopped the execution. So you would think that even if a BO occurred, HIPS might still be able to stop the attack, by simply blocking process execution.
lucas1985
February 26th, 2008, 02:41 PM
-{ Quote: "I was a bit surprised that DEP couldn't stop it, or perhaps I need to test again." }-
Software DEP? Hardware DEP? Which DEP mode (AlwaysOn, OptOut, OptIn)? BTW, I'm not sure if DEP works correctly in VMs.
MrBrian
February 27th, 2008, 01:10 AM
-{ Quote: "Yes! ;D I was able to make this POC exploit work on my VM (thanks a lot MrBrian), and I was happy to see that CMF was able to stop it. I tested it in all modes (restart, terminate, ask user) and it did the job. I have to say that I was a bit surprised that DEP couldn't stop it, or perhaps I need to test again.
Btw, the buffer overflow would make Winamp v5.12 execute code (launch calc.exe), so I thought, why not test the process execution protection from SSM/NG, and both stopped the execution. So you would think that even if a BO occurred, HIPS might still be able to stop the attack, by simply blocking process execution." }-
You're welcome Rasheed187 :)
You can think of buffer overflow exploit code as having a first and possibly a second stage. The first stage code runs within the process attacked itself, and so can do whatever your computer security policy allows the attacked process to do. This first stage gives no alert in Comodo Firewall. For this reason, I don't advocate running Defense+ in any mode that allows training, except maybe for just the first few days or maybe weeks after installation. Let me give an example. Suppose your favorite video media player has a buffer overflow vulnerability. Let's suppose this video media player is on Comodo's whitelist. Let's suppose you are using a Defense+ mode that allows training for programs on Comodo's whitelist. Let's suppose you play a poisoned video file in your video media player, and buffer overflow exploit code within the video media player process runs a keylogger and also sends the results to a rogue website using Internet Explorer via COM interface. Both of these actions, the low-level keyboard access, and also the COM interface used, will be learned by Comodo Firewall, assuming you are in a training mode that trains for the video media player! I use Paranoid mode in Defense+, so that I can be alerted to such behavior that might provoke suspicion.
The buffer overflow exploit code may try to do things such as download further exploit code via a web browser and execute the downloaded file in a new process. This I refer to as the second stage of the attack. Comodo Firewall, or your other favorite HIPS, could indeed alert about the second stage actions, depending on your HIPS configuration. This second stage may not exist, but I am guessing that usually it exists in most buffer overflow exploits.
Rasheed187
February 27th, 2008, 01:57 PM
Thanks for the feedback. So basically, CMF recognizes the fact that a BO attack is in progress, and will take action in the "second stage" (by killing the attacked process), while other HIPS will simply try to block the things that the BO tries to achieve, like loading a process, correct? Isn't the CMF approach better? Btw, I've also tested it with KAV v7 (which claims to be able to stop BOs), but it didn't make a sound. But I have to admit that currently my VM is not the best testing environment, because sometimes other HIPS also malfunction. ::)
-{ Quote: "Software DEP? Hardware DEP? Which DEP mode (AlwaysOn, OptOut, OptIn)? BTW, I'm not sure if DEP works correctly in VMs." }-
It's hardware DEP, enabled for all processes, and I think I have seen DEP in action on VMs.
lucas1985
February 27th, 2008, 02:51 PM
-{ Quote: "It's hardware DEP, enabled for all processes" }-
Enabled from within Windows (OptOut) or by editing the BOOT.INI file (AlwaysOn)?
MrBrian
February 27th, 2008, 04:01 PM
-{ Quote: "Thanks for the feedback. So basically, CMF recognizes the fact that a BO attack is in progress, and will take action in the "second stage" (by killing the attacked process), while other HIPS will simply try to block the things that the BO tries to achieve, like loading a process, correct?" }-
Better yet, Comodo Memory Firewall prevents the first stage code from executing APIs, from what I have read. On http://forums.comodo.com/comodo_memory_firewall_beta_corner/comodo_memory_guardian_beta_v1016_bug_reports_closed-t12960.15.html is found the statement that Comodo Memory Firewall "detects only API calls in shellcodes, not instructions." If Comodo Memory Firewall didn't stop the first stage code from executing APIs, then you should have received an alert in your HIPS when, for example, calculator was launched in the proof of concept. In this example, the first stage code is the code that launches calculator, while the second stage is the separate calculator process.
I would guess that there usually is a second stage, because I would think that the malicious code would want to establish itself in your system permanently somehow. Also, the amount of space available for the first stage code might be quite limited, depending on the particular vulnerability. You're right that HIPS can warn about the second stage, but of course it depends on how your HIPS is configured for the particular program attacked. Fortunately, Comodo Firewall, when in one of the learning modes, will not learn modification of protected files nor launching of processes. Unfortunately though, Comodo Firewall will learn actions other than these 2 types, if in a training mode and training on the particular program attacked. If you had previously applied the Comodo Firewall predefined policy 'Trusted Application' to the process attacked, then Comodo Firewall would have allowed the first stage exploit code modification of protected files, but alerted upon launching of new processes. If you had previously applied the Comodo Firewall predefined policy 'Windows System Application' to the process attacked, then Comodo Firewall would have allowed the first stage exploit code modification of protected files and launching of new processes.
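To make the "API calls in shellcode, not instructions" distinction concrete, here is an added Python model (not Comodo's code; the thread does not say how CMF itself decides) of one common way an API guard can tell a call issued by injected shellcode from a call issued by the program's own code: check whether the caller's return address lies inside a loaded executable image. The process layout, addresses and API names below are constructed.

```python
"""Added model (not Comodo's code) of a caller-origin check for API calls.

Idea: when a guarded API such as CreateProcess is entered, look at the
return address of the caller. Code belonging to the program lives inside a
mapped executable image (the EXE or a DLL); shellcode injected by a buffer
overflow usually lives on the stack or heap. Addresses and layout below are
constructed for a 32-bit XP-style process and are not real."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int    # exclusive
    kind: str   # "image", "stack" or "heap"

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


# Constructed memory map of a hypothetical media player process.
MEMORY_MAP: List[Region] = [
    Region("stack",        0x0012D000, 0x00130000, "stack"),
    Region("player.exe",   0x00400000, 0x00800000, "image"),
    Region("heap",         0x00900000, 0x00A00000, "heap"),
    Region("kernel32.dll", 0x7C800000, 0x7C900000, "image"),
    Region("ntdll.dll",    0x7C900000, 0x7C9B0000, "image"),
]


def region_of(addr: int, memory_map: List[Region] = MEMORY_MAP) -> Optional[Region]:
    """Find the region containing addr, or None if it is unmapped."""
    for region in memory_map:
        if region.contains(addr):
            return region
    return None


def classify_api_call(api: str, return_address: int,
                      memory_map: List[Region] = MEMORY_MAP) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for an API call whose caller would
    resume at return_address once the API returns."""
    region = region_of(return_address, memory_map)
    if region is None:
        return "block", f"{api}: caller at unmapped address {return_address:#010x}"
    if region.kind != "image":
        return "block", f"{api}: caller in {region.kind} ({region.name}), shellcode origin"
    return "allow", f"{api}: caller in image {region.name}"


def respond(verdict: str, mode: str) -> str:
    """Map a verdict onto the three CMF response modes named in the thread."""
    if verdict == "allow":
        return "continue"
    responses = {"terminate": "terminate the attacked process",
                 "restart": "terminate and restart the attacked process",
                 "ask": "prompt the user"}
    return responses[mode]


if __name__ == "__main__":
    # A call from the program's own code versus a call whose caller sits on the stack.
    for api, ret in (("CreateProcessA", 0x00401234), ("CreateProcessA", 0x0012E000)):
        verdict, reason = classify_api_call(api, ret)
        print(f"{reason} -> {respond(verdict, 'terminate')}")
```

A return-to-libc chain forges a stack frame whose return address can point back inside a legitimate image, so this check alone does not cover the attack class Cerxes mentions earlier in the thread; a common complement is to also verify that the instruction just before the return address is a call into the guarded API.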
Rasheed187
March 5th, 2008, 12:24 PM
-{ Quote: "Enabled from within Windows (OptOut) or by editing the BOOT.INI file (AlwaysOn)?" }-
I've checked it, and it's OptIn, but I have also tried to disable DEP completely by editing the boot.ini file; I can't remember which VM it was though. But you would think that DEP should be able to stop the attack also. Btw, I've done some searching, and I found the bug that this POC tries to exploit:
http://secunia.com/advisories/18649/
-{ Quote: "Better yet, Comodo Memory Firewall prevents the first stage code from executing APIs, from what I have read." }-
-{ Quote: "Unfortunately though, Comodo Firewall will learn actions other than these 2 types, if in a training mode and training on the particular program attacked." }-
Thanks for the feedback MrBrian, but just to clarify, I'm not using CFP at the moment; it's quite powerful but I don't like it for various reasons. ;)
Pedro
March 5th, 2008, 02:10 PM
Rasheed187, only the off switch is worse than OptIn. :)
Try reading from here (http://www.wilderssecurity.com/showthread.php?t=175384&page=2&highlight=alwayson).
I'm tired, sorry for not expanding. But most of what I found out is there, link by link, Illya's replies and so on.
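For the OptIn / OptOut / AlwaysOn question that lucas1985, Rasheed187 and Pedro go back and forth on above, here is an added Python illustration (not from the thread and not Comodo's or Microsoft's code) of which processes each Windows XP /noexecute= policy actually covers. The boot.ini text, process names and their flags are constructed, and the `opted_in` flag stands in for whatever opt-in mechanism a given service pack offers.

```python
"""Added illustration of what each Windows XP /noexecute= policy means for
an individual process. The boot.ini line and the process list are constructed."""
import re
from dataclasses import dataclass
from typing import List

POLICIES = ("optin", "optout", "alwayson", "alwaysoff")


def dep_policy_from_boot_ini(boot_ini: str) -> str:
    """Read the /noexecute= switch from boot.ini text (case-insensitive).
    XP SP2/SP3 behave as OptIn when the switch is absent."""
    match = re.search(r"/noexecute=(\w+)", boot_ini, re.IGNORECASE)
    policy = match.group(1).lower() if match else "optin"
    if policy not in POLICIES:
        raise ValueError(f"unknown /noexecute value: {policy}")
    return policy


@dataclass(frozen=True)
class Proc:
    name: str
    windows_system: bool = False  # core Windows binaries and services
    opted_in: bool = False        # program explicitly asked for DEP (mechanism varies)
    excluded: bool = False        # listed under "Turn on DEP for all programs except"


def dep_applies(policy: str, proc: Proc) -> bool:
    """Does hardware DEP protect this process under the given policy?"""
    if policy == "alwayson":      # everything; the exception list is ignored
        return True
    if policy == "alwaysoff":     # nothing at all
        return False
    if policy == "optout":        # everything unless explicitly excluded
        return not proc.excluded
    # optin: only Windows system code and programs that opted in
    return proc.windows_system or proc.opted_in


def unprotected(policy: str, procs: List[Proc]) -> List[str]:
    """Names of the processes a buffer overflow could hit without DEP in the way."""
    return [p.name for p in procs if not dep_applies(policy, p)]


# Constructed sample: a system service, a media player and an excluded old game.
SAMPLE_PROCS = [
    Proc("svchost.exe", windows_system=True),
    Proc("winamp.exe"),
    Proc("oldgame.exe", excluded=True),
]
SAMPLE_BOOT_INI = (
    "[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP" '
    "/noexecute=optin /fastdetect\n"
)

if __name__ == "__main__":
    policy = dep_policy_from_boot_ini(SAMPLE_BOOT_INI)
    print(f"boot.ini policy={policy} unprotected={unprotected(policy, SAMPLE_PROCS)}")
    for p in POLICIES:
        print(f"{p:9s} unprotected={unprotected(p, SAMPLE_PROCS)}")
```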
mantra
March 27th, 2008, 08:55 AM
-{ Quote: "http://www.memoryfirewall.comodo.com/" }-
Cool, the Comodo products are great,
but is it integrated in Comodo 3 or should I run it with Comodo?
rolarocka
March 27th, 2008, 10:22 AM
It isn't integrated in CFP, but will be in the future. You can run both together.
cheater87
March 27th, 2008, 04:18 PM
IIRC doesn't Comodo Firewall already have this?? I remember seeing something about this during installation.
MrBrian
March 28th, 2008, 07:15 PM
-{ Quote: "IIRC doesn't Comodo Firewall already have this?? I remember seeing something about this during installation." }-
Not yet. Perhaps you were thinking of Defense+, which does not detect buffer overflows.
polocanada
April 5th, 2008, 11:10 AM
I think CMF is more or less for WinXP folks, not so much for Vista.
ErikAlbert
April 23rd, 2008, 01:37 AM
I installed it also, because my boot-to-restore ignores my memory completely, while malware loves my memory. :)
zopzop
April 23rd, 2008, 02:44 AM
-{ Quote: "....
WehnTrust 1.0.0.9? Forget it;
I tested it on a testing machine. It rendered WinXP SP3 unbootable after the first reboot.....
Do not even think about trying it....." }-
Dude, I should have listened to you. I actually tried installing this thing. After installation it asked to reboot; I did, and BAM! BSOD. I couldn't boot into Windows. I had to go into safe mode, disable the service, disable the startup entries, and only then was I able to boot into Windows normally. After that I uninstalled this thing ASAP.
For the record, I'm running Windows XP Media Center Edition with SP2, fully patched. The only security software I have running is GeSWall, AntiVir, and Secunia PSI.
Pedro
April 23rd, 2008, 08:17 AM
Zopzop, it patches the kernel (!) AFAIK.
PiCo
April 23rd, 2008, 10:21 AM
Sorry if it has been mentioned before, but Comodo Memory Firewall will soon be integrated into CFP 3.
Check here (http://forums.comodo.com/frequently_asked_questions_comodo_memory_firewall/do_i_need_the_memory_firewall-t21312.0.html)
ErikAlbert
April 23rd, 2008, 12:02 PM
-{ Quote: "Sorry if it has been mentioned before, but Comodo Memory Firewall will soon be integrated into CFP 3.
Check here (http://forums.comodo.com/frequently_asked_questions_comodo_memory_firewall/do_i_need_the_memory_firewall-t21312.0.html)" }-
I hope they also keep CMF as standalone software.
CMF works fine on my computer, but Comodo Free Firewall was a disaster on my system; I couldn't get it to work, even with the right settings.
Copyright ©2002 - 2012, Wilders Security Forums