Comodo v3 or Online Armor Free?
danielrego
April 17th, 2008, 08:47 AM
Hello all, I wanted a fairly light, yet powerful and secure free HIPS system, and Comodo 3 and OA Free seemed to be what most experts on this forum suggested. I tried OA Free, but felt somewhat restricted by its seemingly barebones and limited firewall and HIPS features. I've heard Comodo 3 is much more comprehensive and powerful. What would you suggest between the two? Remember, my first priority is a good free HIPS, the firewall is secondary.
Also, I'm running Avira PersonalEdition Classic as my AV. Is it better (security-wise) to use either:
A. a combo of ThreatFire + GhostWall, or
B. Comodo v3 OR Online Armor Free
Thanks in anticipation,
Dan
Peter2150
April 17th, 2008, 10:13 AM
Dan
First welcome to Wilders. What you are going to get with this question, is a flurry of opinions, mainly based on what people are using. You might be well off reading recent threads on the different software, but in the final analysis, the only real answer will be for you to trial them, and see how they fit.
Pete
WSFuser
April 17th, 2008, 10:17 AM
Well since you already tried OA, just give Comodo a whirl and see for yourself.
Kees1958
April 17th, 2008, 10:49 AM
DanielRego,
What operating system are you using? Do you have enough RAM and a strong CPU?
I understand that your first concern is a free good HIPS and of secondary concern the FireWall. From the alternatives you mentioned yourself ThreatFire is a free good easy to use HIPS.
Another popular HIPS is EQSecure, soon with a new release and members available for help configuring the HIPS or using (importing) their filters.
Regards Kees
lucas1985
April 17th, 2008, 02:48 PM
-{ Quote: "A. a combo of ThreatFire + GhostWall" }-
The best choice hands down.
bellgamin
April 17th, 2008, 03:26 PM
1- Threatfire + Ghostwall? Ghostwall only protects against incoming. Such being the case, it would be just as effective to use Threatfire + Windows built-in firewall. This will still leave you with no outgoing firewall, which many folks say is not sorely needed -- unless, of course, you get infected by malware that calls out, in which case an outgoing firewall would probably alert you to that fact.
2- Comodo & Defence+ (Comodo 3's HIPS) gives great protection IF (a) you are tolerant of an app that produces numerous alerts, AND (b) you are proficient at dealing with those alerts. If your answer to either (a) or (b) is "no" then Threatfire would be a better choice. TF is "intelligent." Defence+ is "Chicken Little" (the sky is falling! the sky is falling!)
3- OA-free has a grrrreat firewall. Protection both ways (in & out). The HIPS module is okay if you are not a really risky surfer.
>>>If you ARE a risky surfer (&/or you are paranoid) then I recommend a combo of OA-free plus Threatfire. That is an armor-plated set-up, & isn't hard on system resources. TF & OA usually get along well together (but nothing in life is certain, wot?).
lucas1985
April 17th, 2008, 03:50 PM
-{ Quote: "Ghostwall only protects against incoming. Such being the case, it would be just as effective to use Threatfire + Windows built-in firewall." }-
Ghostwall is a tad faster and offers a granular control over endpoints and protocols if you want to restrict network traffic to the essential.
-{ Quote: "unless, of course, you get infected by malware that calls out, in which case an outgoing firewall would probably alert you to that fact." }-
In this case, you have to know how to answer to a firewall/HIPS pop-up asking you about a random exe trying to connect out. On the other hand, you've assumed that this malware has managed to bypass both the AV and Threatfire.
bellgamin
April 17th, 2008, 05:56 PM
-{ Quote: "...you've assumed that this malware has managed to bypass both the AV and Threatfire." }-
Versus Ghostwall, OA has the advantage that it gives him another shot in the off-chance that: (a) he's already infected &/or (b) he someday encounters a nasty that by-passes his other security apps. NEITHER (a) nor (b) is impossible, wot?
Inasmuch as the OA firewall goes both ways, it's a dandy little fail-safe for very little system overhead & zero bux. Shazam!
lucas1985
April 17th, 2008, 06:02 PM
Yes, OA (or any other 2-way firewall) may give you another chance, but it's a helpful chance? How are you supposed to discern between a harmless pop-up and the real one? If you can easily discern malicious behaviour from legitimate behaviour, you don't need to ask which program to use. With such knowledge, you go for a classic HIPS like SSM, PS or EQS and build your own ruleset.
I hope I'm being clear enough :)
Woody777
April 17th, 2008, 11:01 PM
Does Online Armor & Threatfire actually work alongside each other? I surmise that you must have managed to get both working together. Did you have any trouble doing this?
danielrego
April 18th, 2008, 12:00 AM
Wow I love this place, you people are really helpful and quick at that too.
After reading all the replies, I decided to do some testing on a friend's machine, which he suspected was infected as he got repeated, recurring alerts every few minutes from Avira PersonalEdition Classic, regarding a JS Trojan/Downloader. After installing ThreatFire, the alerts continued, but TF gave no indication of anything amiss, even when security level was set to FIVE. On the other hand, OA's HIPS module alerted us that a certain .tmp file (which was located in the \User\Local Settings\Temp directory) was repeatedly attempting to create an .exe file, which to my knowledge, was certainly suspicious behaviour. So I blocked the attempts at exe creation, and the AntiVir alerts also stopped. It seems to me that OA was more effective at preventing this supposed infection from spreading and causing potential damage.
I suppose the choice for me is between OA Free and Comodo v3 then. I have used HIPS apps like SSM in the past, but my new machine would display a BSOD on every boot after installing SSM on it. So I ditched SSM, and am now looking for an able replacement, but also want outbound firewall protection. Frequent alerts are not really a problem, because I like the anti-executable function and program monitoring of a classical HIPS system like OA (or Comodo, I haven't tried it yet). The problem is I live in India, and TRUE broadband connections are still fairly expensive here, so I'm stuck with a 96kbps connection. So even though I want outbound protection, I don't want the firewall to affect my internet performance noticeably.
I realise that Comodo 3, compared to OA Free, gives far more comprehensive control in both HIPS and firewall departments, but is it as effective, and most importantly, light on resources and internet traffic as OA?
My specs are: Windows XP SP2, Pentium 4 3.2 Ghz, 512 MB of DDR2 RAM, and a 7,200 RPM 160 GB hard drive.
Thanks for all the assistance, advice and tolerance,
Dan.
bellgamin
April 18th, 2008, 12:11 AM
-{ Quote: "Yes, OA (or any other 2-way firewall) may give you another chance, but it's a helpful chance?" }-
If any application attempts to connect out, and the computer's user did not directly and specifically INITIATE that very action, then that user does not have to be a rocket scientist in order to recognize that such an event is bloody suspicious, right? Right!
Any malware that connects out is bad to the extreme. Imaging, sandboxing, etc. can help a user recover 100% from just about anything EXCEPT if a malware phones home with that user's personal info, passwords, etc.
Malware that manages to secretly phone home is worse than an inconvenience. It is, very probably, an outright disaster.
Suppose that a user somehow screws himself by allowing a malware to get on his computer. OA will give that user an added chance to un-screw himself. The fact that he *might* fail to use that added chance is (IMO) a fallacious reason for not wanting that additional chance to be offered at all.
@Woody In my experience, TF plays nicely with OA. Your mileage may, of course, vary.
-{ Quote: "I realise that Comodo 3, compared to OA Free, gives far more comprehensive control in both HIPS and firewall departments, but is it as effective, and most importantly, light on resources and internet traffic as OA?" }-
CFP 3 is surprisingly light, & is more configurable than OA-free. However, TF + OA-free gives a broader spectrum of protection than does CFP 3, IMO.
Try them out & decide for yourself. Either way, whether CFP or OA-free+TF, you will have superb protection.
MrBrian
April 18th, 2008, 12:56 AM
-{ Quote: "
I have used HIPS apps like SSM in the past, but my new machine would display a BSOD on every boot after installing SSM on it. So I ditched SSM, and am now looking for an able replacement, but also want outbound firewall protection. Frequent alerts are not really a problem, because I like the anti-executable function and program monitoring of a classical HIPS system like OA (or Comodo, I haven't tried it yet).
" }-
If you were able to handle SSM, then I think you should be fine also with Comodo 3. It is light on memory and extensive in coverage. Newer versions, up through 3.0.21.329, can be slow when making a rule from an alert, if you have a large ruleset. Version 3.0.14.276 does not have this issue; you can get it at filehippo.com. If you're using Vista, consider v3.0.15.277, since it fixed an issue with Windows Updates on Vista.
For effectiveness against various tests, look at http://www.matousec.com/projects/firewall-challenge/results.php and also http://www.testmypcsecurity.com/view_results.html.
Kees1958
April 18th, 2008, 01:32 AM
-{ Quote: "It seems to me that OA was more effective at preventing this supposed infection from spreading and causing potential damage. I have used HIPS apps like SSM in the past.
I suppose the choice for me is between OA Free and Comodo v3 then. " }-
Dan,
When on XP you have a choice between OA and CFP, when on Vista I would give CFP the advantage. OA versus CFP: OA is user friendlier. The OA paid version is really worth looking at, give it a spin.
Regards Kees
danielrego
April 18th, 2008, 02:20 AM
Thank you, I'm installing CPF 3 right now. Hope it lives up to expectations!
Thanks, you guys are incredibly helpful and fast at that too!
Dan
EASTER
April 18th, 2008, 05:21 AM
I need a HIPS that doesn't keep a user waiting an eternity to get up and working like SSM did. I'm getting very frustrated that EQS is dragging things out by delay and in the meantime there's growing importance for these coverages users need whereas it's finally coming to a point I may have to forget them altogether and go back to DeepFreeze & AE with DefenseWall.
I think it's admirable what OA and Comodo have done from the implementing of HIPS but they are FIREWALL specialists NOT HIPS experts and it shows.
MikeNash
April 18th, 2008, 05:23 AM
-{ Quote: "
I think it's admirable what OA and Comodo have done from the implementing of HIPS but they are FIREWALL specialists NOT HIPS experts and it shows." }-
Hm, OA started life as an easy to use HIPS :)
pitzelberger
April 18th, 2008, 05:58 AM
-{ Quote: "
TF + OA-free gives a broader spectrum of protection than does CFP 3, IMO.
" }-
I would be very careful with this combination! There were a lot of people (including me) on this, and other, forums reporting about problems when running the two applications together. In particular, Windows will freeze or not boot completely; uninstall necessary in safe mode, etc...
I didn't read anything since then, but I don't think this was addressed in the new releases?
danielrego
April 18th, 2008, 02:24 PM
Installed and configured Comodo v3 (with D+), and I've decided to keep both modules in learning (safe) mode for a while. I have to say I'm incredibly impressed, as the application has improved tremendously. I last used CPF about a year ago, before v3 was launched and I remember it having a fairly bloated UI and hogging quite a bit of memory.
The new CPF is unbelievably light, and the D+ module is just superb, offering a much higher degree of control than OA Free.
Looks like this one's a keeper :)
MrBrian
April 18th, 2008, 05:56 PM
-{ Quote: "Installed and configured Comodo v3 (with D+), and I've decided to keep both modules in learning (safe) mode for a while. I have to say I'm incredibly impressed, as the application has improved tremendously." }-
Glad to hear it :). Version v3.0.22 was just released.
subset
April 18th, 2008, 06:44 PM
-{ Quote: "Installed and configured Comodo v3 (with D+), and I've decided to keep both modules in learning (safe) mode for a while.
...
The new CPF is unbelievably light, and the D+ module is just superb, offering a much higher degree of control than OA Free.
" }-
How do you know its high degree of control in safe mode ???
This seems to be a little inconsistent.
Cheers
danielrego
April 19th, 2008, 03:17 AM
-{ Quote: "How do you know its high degree of control in safe mode ???
This seems to be a little inconsistent.
Cheers" }-
I left it in Learning (w/ Safe Mode) so that it learns the typical behaviour of apps on my system without going paranoid for each event, plus in this mode it displays in the corner of the screen each event it allows and blocks as per the rules and permissions set. I plan to leave it in this mode for at least a week before I let it run normally.
By high degree of control I mean the Defense+ module gives you much more hands-on control over the program behaviour permissions, policies and the like, much more than OA Free at least. I like being a control freak occasionally ;)
EASTER
April 19th, 2008, 03:43 AM
-{ Quote: "Hm, OA started life as an easy to use HIPS :)" }-
I apologize for misinterpreting your creation, I guess I have a real hard time dealing with a combo of HIPS + Firewall, that's another reason I dropped SSM.
OA surely has a lot of very useful secure functions that work well together in unison but HIPS part alone is my own favorite and I'm but only one that prefers to keep them separate apps.
Plus I am really hung up on EQS like none other before due to its great configurational settings and now sandbox.
This is a customers/users market and the malware makers are the ones dizzy now trying to find ways around them and it's getting progressively harder for them now just to fashion a single compromise and that's the way it's going to stay if more developers just like you have anything to do about it. LoL
Bonzai
April 19th, 2008, 12:56 PM
Do you really need a software firewall? Almost 95% of users here have some form of router with a built in NAT and/or SPI firewall already. Why add yet another layer of filtering? You are just hurting your system's performance and introducing software bugs. Anyone with a router only needs outbound protection and program control available from a good HIPS such as ProSecurity and EQSecure. Stay away from HIPS with firewall type filtering like SSM.
EASTER
April 19th, 2008, 01:40 PM
-{ Quote: "Do you really need a software firewall? Almost 95% of users here have some form of router with a built in NAT and/or SPI firewall already. Why add yet another layer of filtering? You are just hurting your system's performance and introducing software bugs. Anyone with a router only needs outbound protection and program control available from a good HIPS such as ProSecurity and EQSecure. Stay away from HIPS with firewall type filtering like SSM." }-
I agree with your suggestion avoiding HIPS with Firewall filtering but for different reasons I suppose. I prefer a single app approach to a single attack vector possibility and like to keep it that way.
As far as a router, why should I install another hardware item when a single firewall guarded over by a HIPS and who knows what else should be plenty enough? I've never been hacked in my history or remotely rooted but have had my share of drive-by disruptions that gave me droppers that called out but the software firewall stopped them cold in their tracks every time.
I don't network or link together PC's although in the future I may just do that myself like others before.
lucas1985
April 19th, 2008, 01:45 PM
-{ Quote: "Why add yet another layer of filtering?" }-
- Mobile users (do you carry your router with your laptop?)
- Untrusted LAN. You can have infected hosts in your LAN or you may be part of a large LAN depending on your ISP.
- Fine-grained control over network traffic. Some routers do not offer SPI, they only do NAT. Or configuring the firewall settings of the router is cumbersome/too basic.
But yes, a NAT/SPI box offers very good protection. But people should know that routers aren't "plug and use" devices. They run software, so they can be compromised.
"Blackbox security" doesn't work in the long-term.
bellgamin
April 19th, 2008, 04:15 PM
-{ Quote: "I apologize for misinterpreting your creation, I guess I have a real hard time dealing with a combo of HIPS + Firewall, that's another reason I dropped SSM." }-
OA's website refers to OA as a "firewall" instead of "HIPS". In fact, the term "HIPS" rarely appears on OA's website.
Therefore, Easter old bean, I quite understand why you discerned that the OA folks are firewall folks moreso than being hip to HIPS. However, they are quite skilled in BOTH areas. My IT tells me that "firewall know-how" & "HIPS know-how" are pretty much heads & tails of the same coin.
EASTER
April 19th, 2008, 04:28 PM
-{ Quote: "OA's website refers to OA as a "firewall" instead of "HIPS". In fact, the term "HIPS" rarely appears on OA's website.
Therefore, Easter old bean, I quite understand why you discerned that the OA folks are firewall folks moreso than being hip to HIPS. However, they are quite skilled in BOTH areas. My IT tells me that "firewall know-how" & "HIPS know-how" are pretty much heads & tails of the same coin." }-
Aloha Again bellgamin:
Thanks for reading from the same page of this old bean LoL
I have no qualms or even complaints of either, in fact I like them both for somewhat similar reasons and just because a firewall vendor has advanced into the HIPS fields as they seem to be moving into now, it definitely doesn't mean limitations are imminent by any stretch as regards their HIPS part.
It's to every security conscious user's advantage to be recipient to a COMBO of that nature no doubt, but something still lingers uneasy for me when you mix together silver & lead, and those chemical compounds must be balanced precisely enough to prevent problems now and in the future.
Well, for that matter, even single dimension apps like either a HIPS or FIREWALL alone have experienced their own programming problems in the past and still do to an extent.
Boy, if I was forced a choice between either Comodo D+ or Online Armour right now I would have to invest a lot of time, testing, and effort just to pick one and then I think it would be a very thin line, although RunSafer is a pretty good invention then so is D+ HIPS. But I think lowering the NT rights would carry a little more weight don't you think?
EASTER
SystemJunkie
April 19th, 2008, 04:29 PM
-{ Quote: "Therefore, Easter old bean," }-
Lool,
both very good firewalls. If you have two computers just split them, one OA, one Comodo.
lucas1985
April 19th, 2008, 04:40 PM
-{ Quote: "My IT tells me that "firewall know-how" & "HIPS know-how" are pretty much heads & tails of the same coin." }-
Networking skills (protocols, etc) is a different knowledge than NT kernel software development :)
EASTER
April 19th, 2008, 04:41 PM
-{ Quote: "Lool,
both very good firewalls. If you have two computers just split them, one OA, one Comodo." }-
How true, with either and both you can't go wrong, they've come leaps and bounds from practically little significance in the past to the very height of the best now.
subset
April 19th, 2008, 06:41 PM
Hi,
I have a vague idea that you are comparing OA paid and Comodo 3.
What I'm about to say now is supposed to be confidential because I am an OA paid user. Got that? :-X
As OA free is badly limited (only manual Updates, no Advanced Mode, no Import/Export Settings etc.) I would prefer Comodo 3 as a full featured free program.
I'm out of here... :lurking:
Cheers
SystemJunkie
April 21st, 2008, 08:24 AM
Unfortunately tested latest Comodo on Vista64 and 3 Keylogging methods are effective, I thought this problem would be solved but no, Comodo actually vulnerable (again) in terms of Anti-Keylogging.
skylights
May 4th, 2008, 03:11 PM
-{ Quote: "Do you really need a software firewall? Almost 95% of users here have some form of router with a built in NAT and/or SPI firewall already. Why add yet another layer of filtering? You are just hurting your system's performance and introducing software bugs. Anyone with a router only needs outbound protection and program control available from a good HIPS such as ProSecurity and EQSecure. Stay away from HIPS with firewall type filtering like SSM." }-
I have a router, so I need outbound protection only, but I hear ProSecurity and EQSecure are very complicated. Is there a program with outbound-only protection and an easy to use HIPS? As in, no more complicated than Online Armor (whose inbound protection I don't need)?
Or, is there a program that offers outbound-only protection, with no HIPS? I could use that with ThreatFire and be content.
bellgamin
May 4th, 2008, 04:46 PM
-{ Quote: "Or, is there a program that offers outbound-only protection, with no HIPS? I could use that with ThreatFire and be content." }-
All you need is Threatfire. You can readily configure Threatfire's advanced rules so that it will offer fully effective outbound protection.
duke1959
May 4th, 2008, 07:17 PM
-{ Quote: "All you need is Threatfire. You can readily configure Threatfire's advanced rules so that it will offer fully effective outbound protection." }-
True, but where is the thread I think Kees1958 made on how to do this?
skylights
May 4th, 2008, 07:21 PM
-{ Quote: "All you need is Threatfire. You can readily configure Threatfire's advanced rules so that it will offer fully effective outbound protection." }-
How do I do that? I saw a post here one time that had a long list of custom rules for ThreatFire, and I thought, ugh, no thanks. Security software shouldn't be that complicated to use. (Besides, other users said it wasn't necessary.) But I'm willing to configure some advanced rules if there aren't many and it doesn't take long.
zopzop
May 4th, 2008, 07:48 PM
i think you are referring to the custom rules kees1958 created. posted here (http://www.wilderssecurity.com/showpost.php?p=1059777&postcount=22) and here (http://www.wilderssecurity.com/showpost.php?p=1059784&postcount=23). the super simplified version here (http://www.wilderssecurity.com/showpost.php?p=1101843&postcount=47). it's really not that complicated at all and requires at most 8 mouse clicks :D
duke1959
May 4th, 2008, 08:07 PM
-{ Quote: "True, but where is the thread I think Kees1958 made on how to do this?" }-
I edited my post as I thought it was Easter that showed how to make the Advanced rules, but I still asked first. LOL.
Seriously though thanks for the reply zopzop.
skylights
May 5th, 2008, 12:30 AM
-{ Quote: "the super simplified version here (http://www.wilderssecurity.com/showpost.php?p=1101843&postcount=47)." }-
That was so super-simplified that I didn't get it. Then I looked at posts #22 (http://www.wilderssecurity.com/showpost.php?p=1059777&postcount=22) and #23 (http://www.wilderssecurity.com/showpost.php?p=1059784&postcount=23) and it looks like those are what I should follow. The "super simplified version" is just a modification to #23, right? Or am I missing something here?
Anyway, thanks for posting the links, it doesn't look too hard. Still, too bad TF doesn't just provide a single setting that I can click once and be done with.
Also, back on the topic of CFP3 and OA Free, do they have settings to turn off inbound protection? That would be useful to a lot of people, since so many have routers with inbound protection already.
MrBrian
May 5th, 2008, 06:18 PM
-{ Quote: "
Also, back on the topic of CFP3 and OA Free, do they have settings to turn off inbound protection? That would be useful to a lot of people, since so many have routers with inbound protection already." }-
IMHO, I wouldn't worry about that. If your router is already stopping unsolicited traffic, then that unsolicited traffic is not even reaching your software firewall. Also, it's good to have inbound protection in your software firewall as a backup, in case a hacker is able to penetrate your router and alter its behavior.
skylights
May 5th, 2008, 10:17 PM
-{ Quote: "IMHO, I wouldn't worry about that. If your router is already stopping unsolicited traffic, then that unsolicited traffic is not even reaching your software firewall. Also, it's good to have inbound protection in your software firewall as a backup, in case a hacker is able to penetrate your router and alter its behavior." }-
What's the likelihood of that happening if my router has WPA? And I use a maximum-length passcode with random characters.
I know that unsolicited traffic isn't reaching my software firewall, which is why I wanted to turn off inbound protection. I thought maybe it would save some system resources to do so.
So I've narrowed my choices to one of these:
1) ThreatFire with custom rules for outbound protection. This intelligent HIPS is quiet until there is an attack. But it can't recognize every attack, and some say it can be defeated easily.
2) Online Armor Free. This classical HIPS is virtually leak-proof and disable-proof, and can probably stop any attack. But I can't recognize every attack, and I may click "yes" on an alert when I should click "no."
3) OA +TF (default settings). This would combine the powerful control of OA with the "second opinion" of TF to back up my own judgement. But these programs have redundant monitoring which may slow the system, conflict with each other, or cause other problems. Some have had problems with this combination, while others haven't.
I can't decide. What would you do in my shoes?
If OA could incorporate TF-like intelligent monitoring, it would be about perfect. As for CFP3, I tried it and it's even noisier than OA, so it's not an option for me.
Copyright ©2002 - 2012, Wilders Security Forums