How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2

Discussion in 'other firewalls' started by Escalader, Jun 6, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello:
    Attached are snaps of 2 sets of current rules I have for CFW 2.4

    They are here for a sanity test/comments by the posters in this thread and Stem of course. If you think I haven't followed previous advice it may be so either by fatigue or omission feel free to point it out!

    On the network rules I added some accepts for my 4 ISPs and the BD update sites. But my mind has seized up (sanity) and I think they either shouldn't exist at all or be moved to after the blocks?

    On application rules the techie gremlins seem to mess with those so I've lost my way on loopbacks, parents etc again?

    Sorry but this is a learning thread!
     

  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,

    I am not clear on what you are doing with the "Network Monitor" rules, as somewhere down that list of rules you must have a rule for your browser (which would allow outbound to all IPs... unless you have become restrictive to a point of only allowing certain sites for connection)

    The "Network" rules should be a base, to restrict (by blocking rules) or to allow, with (as example) rules to allow outbound to HTTP (for browsing). Placing rules in this area, for such as updates to specific IP are meaningless, unless you are also restricting all other processes to these, such as your browser.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem et al!

    Sorry to be slow in answering your "what are you doing" question. I had a thread over at the CFW forum where I worked on this a bit. Here is a clip of my own from there that will (I hope) describe what I am trying to achieve regarding blocking phone home or other questionable sites I have found.

    "I think a better way to do this would be to identify what executables are trying to phone home and then set up BLOCK rules in the application monitor for them. As you correctly pointed out in an earlier post, the application monitor is checked prior to the network monitor for outbound traffic, so the attempt would be blocked fractionally quicker." CFW Poster

    It would be better but it is not easy or in this case possible to do that. For example a site called report.bitdefender.com 80.86.106.67 is the "gathering site" for spam and world wide outbreak/virus information. I have confirmed that with their official user forum.

    In that product, and others, you are offered a chance to opt in or out of virus reporting. I chose not to since I don't want products phoning home from my PC. Turns out the product does the phoning home anyway. It is not their update site. So to ensure I can update I allow the update sites and block the "gathering site". Telling the executable not to access the internet will not solve the problem and still allow me to update BD AV 10 on an hourly basis.

    So, what I have been doing is trying to block the phone home sites, and allow the valid update sites for BD etc. What I'm testing now is putting the update site name in the update application rules while blocking the phone home sites in the network rules, since you can't easily ID the executable that is doing it and in some cases the application itself has the DLLs embedded in it to call home!

    I'm no doubt out in left field somewhere and I would welcome any ideas on how to do this in CFW 2.4!:D
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    "The "Network" rules should be a base, to restrict (by blocking rules) or to allow, with (as example) rules to allow outbound to HTTP (for browsing). Placing rules in this area, for such as updates to specific IP are meaningless, unless you are also restricting all other processes to these, such as your browser."

    Stem:

    I didn't answer the last part of your post fully.

    Yes, I am thinking not to allow ANY application to connect to a "gathering site".

    Why should we assume that only BD or ZA use these sites? In fact ZA did attempt to "share" the same ip range on my PC. I view these sites as bad sites for everyone.

    What do you guys think?

    I wish I could have a whitelist setup rather than a guess at who the bad sites are.

    In other words, allow only the safe sites I need and EXCLUDE ALL others.
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Escalader, allow the updates to the specific IPs, and block all else. There's a setting in the rule creation dialogue, for AppMon, to block all else (sorry can't remember the wording).
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Tks, Pedro, as you know the way our learning thread works I wait now for Stem to verify any advice before acting!:cool:

    This does not mean I think your advice is incorrect!:D

    Are you active on the CFW forum? I only ask as I could throw this issue in just to see what they will say?
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    As "Pedro" has posted, this is the direction normally taken, to allow the IPs for updates (for such programs), then to simply place a "Block" rule at the end of the ruleset to block all else (application rules).

    As you have posted, you want to block all applications from certain IPs, so this (as there is no "block zone" in comodo) needs to be done in the network rules. But you should still place rules as mentioned for the applications.

    Now, with the reported problems of loss of rules and reg corruption (of rules). This is really quite bad; regular backup of rules is needed. There have been posts concerning a "script" that can be used for rules backup (I have not seen this yet), but at minimum, I would suggest making regular backup of the reg entries for comodo firewall rules (these are at:- HKEY_LOCAL_MACHINE\system\software\comodo)
     
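As an added illustration, not code from the thread or from Comodo, here is a constructed Python model of the two-tier, first-match outbound check discussed in posts 3, 5 and 7: the Application Monitor list is consulted first, then the Network Monitor list, the first matching rule in each list wins, and a specific network block must sit above any general allow or it is shadowed. The executable names bdupdate.exe and bdav.exe and the 192.0.2.0/24 update range are placeholders; 80.86.106.67 is the gathering-site address quoted in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of CFW 2.4's outbound check as described in this thread:
# Application Monitor rules first, then Network Monitor rules; within each
# list the first matching rule decides.

@dataclass
class Rule:
    action: str                 # "allow" or "block"
    app: str = "*"              # executable name; "*" = any application
    dst: str = "0.0.0.0/0"      # destination host or IPv4 network
    port: Optional[int] = None  # None = any destination port

    def matches(self, app: str, dst_ip: str, port: int) -> bool:
        return ((self.app == "*" or self.app == app)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))

def first_match(rules: List[Rule], app: str, dst_ip: str, port: int) -> Optional[str]:
    for rule in rules:
        if rule.matches(app, dst_ip, port):
            return rule.action
    return None  # nothing in this tier matched

def outbound_verdict(app_rules, net_rules, app, dst_ip, port) -> str:
    app_verdict = first_match(app_rules, app, dst_ip, port)
    if app_verdict == "block":
        return "blocked by application rule"   # network tier never consulted
    net_verdict = first_match(net_rules, app, dst_ip, port)
    if net_verdict == "block":
        return "blocked by network rule"
    if app_verdict == "allow" and net_verdict == "allow":
        return "allowed"
    return "no matching rule"

# Application rules (hypothetical executables): the updater may reach only its
# update range (192.0.2.0/24 is a constructed placeholder) and is then blocked
# from everything else; the AV process itself is allowed out.
APP_RULES = [
    Rule("allow", app="bdupdate.exe", dst="192.0.2.0/24", port=80),
    Rule("block", app="bdupdate.exe"),
    Rule("allow", app="bdav.exe"),
]

# Network rules: the block for the gathering site (80.86.106.67, quoted in the
# thread) applies to every application and must sit ABOVE the general HTTP allow.
NET_RULES_CORRECT = [Rule("block", dst="80.86.106.67"), Rule("allow", port=80)]
NET_RULES_SHADOWED = [Rule("allow", port=80), Rule("block", dst="80.86.106.67")]
```

With NET_RULES_SHADOWED the AV process reaches 80.86.106.67 because the general allow matches first; with NET_RULES_CORRECT the same packet is blocked, while the updater is still allowed to its update range and blocked everywhere else by its own final rule.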
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks guys:

    I have some rule work to do and will report back with sample JPGs to challenge! :D

    On the corruption issue I will for now rely on my Paragon HDD0 images.

    But I will look for these rules at HKEY; right now I'm not even sure they are worth backing up! :oops:

    I wonder if the V3 CFW will fix this rule backup issue? Anybody know?:cool:
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    In v3 you are able (will be able) to save rulesets.
    I'd say follow Stem's advice. Look in the forums for the script to backup the rules. FAQ section.
    That problem about losing the rules seems too much :doubt: . 2.4 unfortunately isn't going to be updated, I don't know what I would do in your shoes.

    Off topic: with all those issues of phones and homes :) , do you have an external HD, imaging program etc.? XP cd ? :D
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes I have an external HD where the images are kept also on DVD's off site.
    Yes I have Paragon DB8 and their Partition Manager all work well with good support.

    Also all the original XP install CDs plus some special recovery CDs.

    Since we are talking backing up CFW 2.4 rules it isn't OT in my view.

    Don't worry about what I will do in my shoes:D I appreciate the sentiment though!

    I am learning here, and as long as that is occurring I'm "happy"; considering that the phone homes are under control more than before and I have an In/Out FW working, I've gained. CFW is harder to use than ZA Pro BUT with all its "buggies" it is safer for me and I trust the developers and user forum way more than ZA. But that is just my bias. I hate hidden call homer software.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Stem and fellow posters:

    Sorry to be slow in posting back I have excuses but they are of no general interest.

    I got fed up spending hours programming rules into CFW 2.4.18.184 only to have them jumbled up. So I un-installed it. :mad:

    When CFW V3 is out and stable I'll revisit it then.

    What I have done is reinstall PC Tools FW Plus; V25 is the current level.

    PC Tools are still developing it and issuing fixes not like CFW 2.4 which is frozen on support in favour of V3.

    I don't know what this means to this learning thread. PC Tools has a trusted and internet zone and I would be glad to post images from those rules for comment, but is that OFF TOPIC in my own thread?

    Stem, et al please advise and comment at will. My goals are the same: no unauthorized outbound packets and solid In/Out applications control and ability to block gathering sites already identified.
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The trusted/internet zones are not the same as with ZA etc. These zones (when I last installed this firewall) were for different NIC cards, so you would for example, have one ruleset for your direct to internet connection, and then one ruleset for ICS (Internet Connection Sharing).
    Well, yes,... but you also need to realise, if you were to continue on this thread, and ask questions concerning PC Tools firewall, these would be lost behind this thread title (it would also get confusing if others were to start/continue to post concerning comodo on this thread).
     
  13. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    Hello Escalader,
    This post is probably off topic as well, but have you considered trialing OA 2? I was thinking of giving it a trial on my laptop as my security apps there expire at the end of this month. Stem has got a good thread on his trial of this software in this forum around March or so.

    Take care.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Shep! Good to see you here still!

    Brief answer to your question is "No, not yet!"

    Have a look at my "new" thread please and tell me if OA 2 is on my short list under a different name/short form.

    https://www.wilderssecurity.com/showthread.php?t=181849

    When you say your subscription expires I'm guessing you mean ZA or OA 2 but please clarify if you have time:cool:
     
  15. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    I don't see Online Armor 2 (OA 2) in your list. I think the Firewall in OA is new to version 2 since ~ March(?) this year. My understanding is that OA is predominantly a HIPS application with the firewall being added in V2. Stem should be able to say if it meets your criteria.

    My laptop subscriptions that will expire at the end of the month are ZA ISS + Spysweeper. I was going to trial Eset Smart Security (ESS) but it doesn't look like it will be ready.
     
  16. Bls440

    Bls440 Registered Member

    Joined:
    Jun 22, 2007
    Posts:
    82
    Hi there,

    Here are my questions :

    1) Does comodo completely disable file sharing and neighbor browsing by default, just like ZA & Sygate? Couldn't find the option ..

    2) Does comodo lack some inbound protection features ? I don't really care about outbound protection ; I'm gonna install comodo on a brand new laptop, and I know I'll use it in many different public places (using Wi-fi), I just want the best incoming protection available :p
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    1) No, as I recall it asks that question during install/setup. Do a search in its help for file sharing; any good FW IMO would never disable that by default.

    2) No, it is strong on both in and out. Leave it on learning mode for 2 weeks so it " learns" and creates the rules it needs.

    Be very careful with a brand new laptop; it is no doubt Vista that is the OS! Not XP.

    With no guarantees, here is what I have gleaned on it re Vista:

    Works: Comodo Firewall Pro 3.0.2.5 (alpha) x86 - x64 versions ( may be necessary to register in the comodo forum to download this alpha version)

    Works with solvable problems: COMODO Firewall Pro 2.4.5.111 BETA (32-bit) -- Seems to work fine despite warnings from Vista to the contrary during installation. Setup EXE file must be run in Windows XP compatibility mode.

    Hope this helps
     
  18. Bls440

    Bls440 Registered Member

    Joined:
    Jun 22, 2007
    Posts:
    82
    Thanks for your reply Escalader :)

    About the OS, yeah, Vista will be installed, but I'm gonna format as quick as possible and install Windows XP ;)

    1) I don't recall any option about Local File Sharing / Neighborhood browsing during the installation process, but I may be wrong; I'll give you some news when I'm done with it.

    2) Well as far as I know, the learning mode is all about inbound protection (detects which applications should be allowed/blocked), so .. nothing about inbound protection.

    [off topic]
    Feels like it's very hard to find a comparative of inbound protection features, people only talk about leaktests, and mention matousec, which is a mistake in my humble opinion. Did you know that many commercial and well known firewalls can't even successfully pass GRC.com stealth test in default configuration ? I think we should focus a bit more on that 'basic' feature, which makes your computer fully "invisible".
    [off topic]

    I had one last question though:
    As I said, I'm gonna be very mobile using wireless (wifi) connection to many different public places ; does Comodo easily detect new networks and set up Internet Zone Rules automatically ? (just like ZA does)

    Thank you for your time ;)
    Cheers :p
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Bls: As is my practice I will put my replies in red in context with your post.

     