COMODO Internet Security 5.x Thread

Discussion in 'other anti-malware software' started by Mops21, Jul 4, 2011.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    CIS does not differentiate internet files from unrecognized files; everything is trusted, malware or unknown.
    With the option always sandbox you can choose different levels for different applications.

    http://help.comodo.com/topic-72-1-170-1735-Always-Sandbox.html
     
  2. NormanN

    NormanN Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    67
    I think we're saying the same thing, it's the terms that we're missing on :) My browser is running sandboxed as 'Limited' (works fine) - but anything that isn't 'known' or 'recognized' or 'trusted' (by me or Comodo) gets run as 'Restricted' (probably gets broken). That's all I was trying to say.

    NN
     
  3. guest

    guest Guest

    Yes, I didn't understand you the first time.
     
  4. guest

    guest Guest

  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    :thumb: thanks for the links
     
  6. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    thanks raiden :thumb:
     
  7. guest

    guest Guest

  8. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
  9. guest

    guest Guest

  10. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Has any of you tried the Comodo leak test? I "tweaked" my CIS to its best settings (also by using the leak test setup guide) and can't get a higher score than 190/340 :S
     
  11. guest

    guest Guest

    I don't think that the leak test is valid anymore; anyway, if you want to test it you should turn off the sandbox.
    Take into account that if the leak test is sandboxed it will think that it is able to modify things, but really it is only modifying something virtual.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep, I've had CIS "fail" on multiple tests because they think that they can do things when they're just messing with a sandboxed area.
     
  13. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Mhh, actually running the leak test in the Comodo sandbox gave me better results :p

    @edit: Okay, I just disabled the sandbox and got 340/340.. thanks guys. Before, I said "don't isolate again" but it seems like it still got sandboxed by Comodo :S
     
  14. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    I read a lot about leaktest with CIS, here & Comodo forum.

    I think I am the lucky one with the leaktest. I get 340/340 with sandbox enabled & disabled both. This is on Win XP SP3 32 Bits.

    Thanxx
    Naren
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    As CIS should be set to "Proactive Security" for optimal protection these changes really don't affect us.

    From the final paragraph:

    "The new alert reduction installation option has no effect on new CIS installations set to proactive configuration".
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've tried it with v5.5. It seems to work fine. The guide needs to be rewritten for v5.x though because the CIS user interface has changed from the time the guide was written.

    The guide shows how to configure CIS v4.1 to allow execution from only privileged locations, such as \windows and \program files. If an executable not in the privileged locations attempts to run, the executable is either blocked, or the user is prompted, depending on which option in the guide was followed.

    There is one problem though: CIS v5.x cannot control DLL execution, whereas v4.x can.

    I'd like to gauge interest in having the guide updated for CIS v5.x, so please let your voice be heard if you're genuinely interested. Also, if you're interested, do you plan to use CIS purely as an anti-executable?
     
  18. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    I am interested in seeing an updated guide, MrBrian. I hope you decide to rewrite..
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks for your input 1chaoticadult :). I see you're using AppLocker already. Are you considering not using AppLocker anymore?

    I see that CIS v5.x has the option to block untrusted files. Is there a way to have CIS automatically consider all files within a given folder as trusted (including new files created within the given folder in the future)?
     
  20. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hey,

    This question goes to MrBrian as he has shown a lot of knowledge of how to set up D+ to act as an anti-executable...

    I am running only the firewall part of CIS [with D+] alongside my AV, which is ESET NOD32 v4.2.71, on Windows 7 Pro SP-1.

    I am curious about how I can set up D+ to make it protect the folders shown below from non-legitimate programs executing there.
    Usually, many Fake AVs and rootkits love executing in these locations.

    How do I set up rules in D+ to protect these folders?

    Win XP
    C:\Documents and Settings\*\Local Settings\Application Data\*.exe
    C:\Documents and Settings\*\Local Settings\Application Data\*.sys



    Win 7

    C:\Documents and Settings\*\Application Data\*.exe
    C:\Documents and Settings\*\Application Data\*.sys



    Thanks in advance for your replies.


    Kind regards,


    Carlos
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In my guide you'll see mention of a file group named Global Blacklist. Follow at least those steps that mention Global Blacklist. In step 20, you specify which folders you want blocked. The location of the Global Blacklist policy should be moved relatively near the top in the Computer Security Policy list, because policy order matters.

    Test if it works by putting an .exe in one of the folders you listed, and see if it's blocked when you try to run it.
     
    Last edited: Sep 24, 2011
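An added example, not part of the original posts and not Comodo's own rule engine: a small model of an ordered policy list, showing why the Global Blacklist entry has to sit above broader entries. First-match evaluation, `*` spanning backslashes, and the policy names other than Global Blacklist are assumptions; the sample paths are constructed.

```python
from fnmatch import fnmatchcase

# Constructed model, not Comodo's engine. Assumptions: the first matching
# policy decides, and '*' also spans '\' in a path.
BLACKLIST = [  # folder patterns quoted from the question in the thread
    r"C:\Documents and Settings\*\Local Settings\Application Data\*.exe",
    r"C:\Documents and Settings\*\Local Settings\Application Data\*.sys",
    r"C:\Documents and Settings\*\Application Data\*.exe",
    r"C:\Documents and Settings\*\Application Data\*.sys",
]
PRIVILEGED = [r"C:\Windows\*", r"C:\Program Files\*"]

# (name, patterns, action); only "Global Blacklist" is a name from the thread.
BLACKLIST_LAST = [
    ("Privileged locations", PRIVILEGED, "allow"),
    ("Everything else", ["*"], "ask"),
    ("Global Blacklist", BLACKLIST, "block"),
]
BLACKLIST_FIRST = [BLACKLIST_LAST[2], BLACKLIST_LAST[0], BLACKLIST_LAST[1]]

SAMPLES = [  # constructed paths
    r"C:\Documents and Settings\user1\Application Data\fakeav.exe",
    r"C:\Documents and Settings\user1\Local Settings\Application Data\drv.sys",
    r"C:\Documents and Settings\user1\Application Data\notes.txt",
    r"C:\Program Files\Example\app.exe",
]

def matches(path, patterns):
    p = path.lower()  # Windows paths are case-insensitive
    return any(fnmatchcase(p, pat.lower()) for pat in patterns)

def decide(policies, path):
    """Return (policy name, action) of the first policy matching path."""
    for name, patterns, action in policies:
        if matches(path, patterns):
            return name, action
    return None, "ask"

def shadowed_blocks(policies, samples):
    """Block policies that match a sample but are pre-empted by an earlier entry."""
    hidden = set()
    for path in samples:
        winner, _ = decide(policies, path)
        for name, patterns, action in policies:
            if action == "block" and name != winner and matches(path, patterns):
                hidden.add(name)
    return sorted(hidden)

if __name__ == "__main__":
    for label, pol in (("blacklist last", BLACKLIST_LAST), ("blacklist first", BLACKLIST_FIRST)):
        print(label, [decide(pol, s)[1] for s in SAMPLES], shadowed_blocks(pol, SAMPLES))
```

Running `shadowed_blocks` over a handful of test paths after every reordering gives the same answer as dropping a test .exe into each folder, without having to execute anything.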
  22. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Thanks for your prompt response.

    I will try your suggestions. Although, they seem to be written for CIS 4.1 and I'm actually running the most recent version of the Firewall/D+ [version 5.5].

    Would those settings still work for 5.5?

    Thanks.


    Carlos
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome Carlos :).

    The techniques mentioned in the guide still work for v5.5, but the location of various user interface items has changed since v4.1, so it may be difficult to follow. You won't get DLL execution control in v5.x, whereas you can in v4.x, so my guide for CIS v4.x with DLL execution control is more secure than v5.x.
     
  24. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    No, I like AppLocker and prefer using it; I just think it would be interesting to have this guide, as I might set up someone else's PC I know with this setup.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I also use AppLocker, though I've considered using CIS as an anti-executable in addition to or perhaps instead of AppLocker because AppLocker can be circumvented by design.
     