Comodo Firewall questions

Discussion in 'other firewalls' started by Phractal, Jul 25, 2012.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Some ransomware can lock the system when the sandbox level is "untrusted".
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I guess you are referring to the GpCode encryptor variant. Thankfully not really around lately (the AV defs will stop those still lingering around the Net), it would indeed bypass CIS no matter what level is used; adding ?:\* to "protected files & folders" was the solution to this. I'm assuming that a form of this protection will be stock in version 6.
     
    Last edited: Jul 29, 2012
  3. khagaroth

    khagaroth Registered Member

    Joined:
    Aug 16, 2008
    Posts:
    25
    Wrong, it is a default CIS rule and should be left alone unless you really need to remove it.
The global packet rules are applied from top to bottom. Basically you put the globally permissive rules at the top and this global deny rule at the bottom and put all selective permissions in between.
     
  4. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
1. In the game mode:
    (1) in the white list --> trusted
    (2) not in it --> automatically sandboxed

    2. The installer/updater described by Comodo is not definitely safe.

    The user may get this alert after double-clicking on a malware.

    3. Not all installers/updaters can be detected by COMODO.

    Some installers do not need getting unlimited rights.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Khagaroth- Perhaps you didn't read the rule that Phractal stated existed in his Global Rule setup- "Block all incoming IP traffic". I don't think that this would be a default rule for Comodo or any other firewall.

    To see what I mean, try adding that rule for yourself (it's easy). Reboot and open a browser.

    Sometimes one may see a Global Rule blocking IP traffic from websites that are part of a blocklist, but this will be individually done. But having a rule blocking all IP traffic from everywhere (no matter where on the list that you put it) is equivalent to setting the firewall to the "Block All" mode- no traffic at all.
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    My last, bottom global rule is Block IP In from MAC Any to MAC Any Where Protocol is Any(1). I don't recall that being configured by default; I think it was created when I used the Stealth Ports Wizard. Per the ordering described at http://help.comodo.com/topic-72-1-284-3017-Global-Rules.html, incoming traffic must first pass global rules and then also pass application rules. So I would expect that Block All IP In global rule to interfere with remote connections to a local server application even if there were an application rule allowing the local server to receive remote connections. A quick test confirmed that it does. A quick test also confirmed that an Allow IP In From TestHost global rule, when placed ahead of the Block All IP In global rule, works as expected.

    (1) The Block IP In from MAC Any to MAC Any Where Protocol is Any global rule does not seem to affect inbound IP traffic that is associated with allowed/established outbound sessions. For example, inbound IP traffic on a Firefox established TCP connection with a remote server is not blocked. Perhaps there is a special global rule, hidden but effectively first in the list, that allows such traffic.
     
  7. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    Indeed, the block all incoming IP rule is created by the Stealth Ports Wizard.

    I have been fooling around with rules lately and a few things have come to my attention that I do not fully understand.

For example, if I create a rule for Firefox and block all TCP communication while excluding port 80, the browser can no longer connect to the internet. If I turn that rule into an allow rule for port 80, everything works fine. Why is that?

    Regarding D+, are there any additions or modifications I should add to the default settings other than add ?:\* to the protected files section?
    Do I need to alter the Access rights/protection settings of predefined rules or anywhere else?

    Thanks in advance :)
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    You can look at Network Security Policy->Predefined Policies->Web Browser to see what Comodo considers appropriate for a Web Browser. In addition to allowing Outgoing HTTP Requests (those to port 80, 443, 8080) and FTP/FTP-PASV Requests, said Web Browser policy includes Allow Access to Loopback Zone (which Firefox uses even in the absence of a local proxy like Web Shield) and Allow Outgoing DNS Requests.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It's a stateful firewall, which means that it tracks outbound connections (connections that start from your computer) and allows the responses from the outside - if your outbound rules allow them of course.

    The In and Out mean Inbound and Outbound, which refer to where the session originates. So that block all Inbound blocks anything that originates from outside, and doesn't block Outbound.

It's not a hidden rule, it's just how stateful firewalls work. Stateful is actually only possible for TCP, because UDP is a stateless protocol, but firewalls usually implement a pseudo-stateful firewall for UDP, which involves something like recording outbound connections to what IPs on a table, and allowing responses in a certain time frame from those IPs.

    Note: it's actually more complicated, I'm just trying to provide an overview of sorts.
     
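The layered evaluation that khagaroth and TheWindBringeth describe (global rules top to bottom, inbound traffic must pass global rules and then application rules) together with the stateful "implicit first rule" Pedro explains, as an added Python model. This is not Comodo's code and not from any poster in this thread; the rule sets, host names, the 30-second UDP reply window, the "ask" verdict for unmatched application traffic and the ordering "outbound is checked against application rules before global rules" are assumptions of the model, not facts taken from the thread.

```python
"""Toy model: ordered global/application firewall rules plus stateful return traffic."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = session originates remotely, "out" = originates locally
    proto: str        # "tcp" or "udp"
    remote: str       # remote host
    remote_port: int
    local_port: int
    app: str          # local application sending or receiving it


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    direction: str              # "in" or "out"
    proto: str                  # "tcp", "udp" or "any"
    remote: str = "any"         # remote host, or "any"
    port: Optional[int] = None  # local port for "in", remote port for "out"; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if self.remote not in ("any", pkt.remote):
            return False
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return self.port is None or self.port == port


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Rules are walked top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None   # nothing in this list had an opinion


class Firewall:
    UDP_STATE_TIMEOUT = 30.0   # assumed window for UDP "sessions", in seconds

    def __init__(self, global_rules: List[Rule], app_rules: Dict[str, List[Rule]]):
        self.global_rules = list(global_rules)
        self.app_rules = {app: list(rs) for app, rs in app_rules.items()}
        # (proto, remote, remote_port, local_port) -> time the session was last seen
        self.sessions: Dict[Tuple[str, str, int, int], float] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, str, int, int]:
        return (pkt.proto, pkt.remote, pkt.remote_port, pkt.local_port)

    def _established(self, pkt: Packet, now: float) -> bool:
        seen = self.sessions.get(self._key(pkt))
        if seen is None:
            return False
        if pkt.proto == "udp" and now - seen > self.UDP_STATE_TIMEOUT:
            del self.sessions[self._key(pkt)]   # pseudo-state for UDP expires
            return False
        return True

    def check(self, pkt: Packet, now: float = 0.0) -> str:
        """Return 'allow', 'block', or 'ask' (no application rule matched)."""
        # Stateful shortcut: replies on a session we opened bypass every rule,
        # which is why a bottom "Block IP In Any" rule does not break browsing.
        if pkt.direction == "in" and self._established(pkt, now):
            self.sessions[self._key(pkt)] = now
            return "allow"
        app = self.app_rules.get(pkt.app, [])
        if pkt.direction == "in":
            layers = (self.global_rules, app)   # inbound: global first, then application
        else:
            layers = (app, self.global_rules)   # outbound: assumed reverse order
        for rules in layers:
            verdict = first_match(rules, pkt)
            if verdict == "block":
                return "block"                  # a block in either layer is final
            if verdict is None and rules is app:
                return "ask"                    # unmatched app traffic -> alert, not allow
        if pkt.direction == "out":
            self.sessions[self._key(pkt)] = now  # remember the session for its replies
        return "allow"


def build_demo_firewall() -> Firewall:
    # Constructed rule set: a permissive per-host rule ABOVE the wizard-style deny.
    global_rules = [
        Rule("allow", "in", "any", remote="testhost"),
        Rule("block", "in", "any"),
    ]
    app_rules = {
        "firefox": [   # loosely modelled on the Web Browser policy described above
            Rule("allow", "out", "tcp", port=80),
            Rule("allow", "out", "tcp", port=443),
            Rule("allow", "out", "tcp", port=8080),
            Rule("allow", "out", "udp", port=53),
        ],
        "myserver": [Rule("allow", "in", "tcp", port=8000)],
    }
    return Firewall(global_rules, app_rules)


def run_scenarios() -> Dict[str, str]:
    """Replays the situations discussed in the thread against the model."""
    fw = build_demo_firewall()
    r: Dict[str, str] = {}
    # Global deny wins over an application allow for unsolicited inbound traffic.
    r["server_from_other"] = fw.check(Packet("in", "tcp", "203.0.113.9", 51000, 8000, "myserver"))
    r["server_from_testhost"] = fw.check(Packet("in", "tcp", "testhost", 51000, 8000, "myserver"))
    # Outbound HTTPS is allowed, and its reply gets in despite "Block IP In Any".
    r["firefox_https_out"] = fw.check(Packet("out", "tcp", "198.51.100.7", 443, 49152, "firefox"), now=1.0)
    r["firefox_https_reply"] = fw.check(Packet("in", "tcp", "198.51.100.7", 443, 49152, "firefox"), now=1.5)
    r["unsolicited_from_server"] = fw.check(Packet("in", "tcp", "198.51.100.7", 443, 49153, "firefox"), now=1.6)
    # UDP pseudo-state: a DNS reply is accepted inside the window, not after it.
    r["dns_out"] = fw.check(Packet("out", "udp", "10.0.0.1", 53, 40000, "firefox"), now=10.0)
    r["dns_reply_in_time"] = fw.check(Packet("in", "udp", "10.0.0.1", 53, 40000, "firefox"), now=12.0)
    r["dns_reply_late"] = fw.check(Packet("in", "udp", "10.0.0.1", 53, 40000, "firefox"), now=100.0)
    # Traffic no application rule covers is escalated rather than silently allowed.
    r["firefox_smtp"] = fw.check(Packet("out", "tcp", "198.51.100.7", 25, 49200, "firefox"))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26} -> {verdict}")
```

Swapping the two global rules so the deny sits on top makes the `testhost` allow unreachable, which is the ordering point khagaroth makes; the `dns_reply_late` case shows why the UDP side of state tracking needs a time window rather than a permanent entry.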
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I should have been more clear. There I was trying to explicitly bring up the stateful aspect but I was also thinking out loud that the stateful checks could perhaps be implemented/viewed as a hidden, first, global "Allow IP In for established sessions" type rule. Hopefully your followup helped resolve any confusion.
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    No worries. As long as the confusion is cleared :)
     
  12. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    +2. Their AV has indeed narrowed, nearly closed the gap. I used to always use a different AV (Avira/Avast) in conjunction with Comodo FW/D+. I've since stopped using a real-time AV altogether, but if I were to ever go back to using one again I'd just use the full CIS suite.

    And I suspect that when v6 rolls out there will be an engine upgrade that'll make it even better.
     