Why I switched to OnlineArmor + Threatfire

A- I have switched from Comodo Firewall Pro (CFP3) to Online Armor (OA) + Threatfire (TF).

1- I have long considered OA to be THE best hips/firewall -- right at the jagged bleeding edge of the state-of-the-art, in my opinion -- except that it lacks (a) file protection & (b) full-scope registry protection.

2- I recently came to the realization that TF's option for the user to set custom rules would enable me to use it for file & registry protection, PLUS gain the advantage of TF's excellent behavior blocker.

3- Thus I came to the logical conclusion that OA+TF would make a good security combo.

B- I have several reasons for switching away from CFP3 -- here are just few...

1- CFP's system tray icon gives NO clue whatsoever as to (a) whether or not the FW is running, & (b) whether D+ is in learning mode, or is disabled, or is set at paranoid, or WHATever. Thus, it is all too easy to run with a disabled CFP, while incorrectly thinking one's computer to be protected.

2- If you opt for NO logs, you run blind as to which rule is blocking whatever it is you're trying to do. On the other hand, if you opt to activate CFP's logging, it logs tooooo bloody dadgummed much -- plus I could never find a way to clean out the old stuff.

3- Most off-putting of all is the the fact that configuring CFP correctly is difficult to learn. Inputting configurations is made harder (not easier) by an unnecessarily convoluted, non-intuitive GUI design. (Compared with configuring CFP, configuring OA is child's play -- actually FUN to do.)

C- As to the degree of protection afforded by OA+TF versus CFP3 -- I am not a tester. As a purely subjective opinion, I feel that OA+TF affords at least as good protection -- maybe even a tad better -- than CFP. I do hope that aigle or Kees1958 or some other person with testing know-how will run a more *scientific* comparison.

 

I think on Vista64 Comodo is still the best/free power user HIPS+FW combo available, it makes more sense combining TF with Comodo (and reducing the hooks/events D+ monitors for pop-up reduction).

On XP/Vista32 OA is a strong user friendly solution. With new OA you run unknow aps as RUN SAFER. For out of the box usage and overlap reduction, it seems to me DriveSentry is a better companion to OA (in theory), why don't you try this out. DriveSentry fills in the registry and file gap for you (when you use the OA free version).

Personally when Tony Klein advised OA on startup protection, I would not mind missing a full configurable registry monitor. When I would have to choose between a pre-configured setup of Tony's and a painfully determined setup of my own, I would choose for Tony's setup.

Also when you take the trouble learning custom rules AND have Vista, why not also use the build in Vista FW (two-way) and limit your security aps to LUA, Vista FW and ThreatFire?

Hope this helps you in your evalution Bill

Regards Kees

 

I like CFP more but OA is my second favourite. There seems conflict between OA n TF and that,s not good. I have occasional hangs with explorer function while using OA free n SafeSpace.

Also OA pop ups GUI is nice but I need to strain my eyes a bit to read the names of execuatbles. Other HIPS popups are better as they give parent n child on top with type of alert on the top bar so easy to understand rather than getting in blod what happened , what to do like words and straining my eyes to read the names of executables. It,s personal liking but i get hard time with OA,s pop ups due to this. Are there any plans to change pop ups GUI a little or not?

Totally agree about CFP logging. It,s sooooooo stupid way to do it( sorry to say). the HIPS i used, I have seens very good logging with SSM and EQS.

CFP config n rules import n export is a bit far in GUI but not difficult ofcourse. It,s easy. U can choose between different configuration too but i like the way of EQS where u can switch between different configuration on the fly via hot key or via try icon. A very nice feature, handy during software isntall etc. I wish CFP people can implement such a thing.

 

Hi All

1) What is Drive Sentry a firewall or an AntiVirus?

2) If its the latter (An Antivirus) and teamed up with online Armor Free, would it replace Avast Home A/V?

Thank you

Terry

 

Terry,

To be released Vista compatible version of Online Armor is a FireWall + HIPS with black and whitelist with option to run programs not (yet) authorised by the user in a limited user environment (also stopping Malware attacking Master Boot Record, ergo a bit stronger than drop my rights).
Online Armor teams up with kapersky (paid extra version).

The free version of OA lacks advanced startup entry control (registry), paid version has a few extras (browser protection and advanced startup entry control, plus fully configurablke FW). Both OA free and paid do not have configurable file protection.

DriveSentry is a file and registry monitor program with a malware blacklist (subset of an AntiVirus data base containing "in the wild" malware fingerprints, difference with most full swing AV's is that full swing AV's also contain 'Zoo' or old virusses and some sort of passive and active heuristics). DriveSentry has a free, a cheap and a paid version.

Combining next OA free and DriveSentry free 3.1 supplement each other. Due to the whitelisting (execution control) of OA or the policy containment (run unknown programs as RUN SAFER) a some security experts claim that you won't need an AntiVirus. The in the wild AntiVirus subset of DriveSentry more or less bridgess the gap between traditional full layered (FW + HIPS + AV) solution and a 'naked' approach (FW + HIPS only).

Regards Kees

 

bellgamin, i most of all agree on the GUI part. It really is "unnecessarily convoluted, non-intuitive". There is no reason to make it that way.
I did suggest changes, even played with GIMP to show my point.
The only thing i gained was GIMP itself.

Given the lack of feedback, and given that i use Debian most of all, i'm slowly giving up on it.

Fixing the GUI would make everything a lot better. Easier to use, and understand what is missing.
Then, sure, make adjustments to the icon and so on, but more important is imo the firewall, it needs work.

People constantly demand from Defense+, while the firewall remains visibly inferior to Jetico for one.
Just opening Jetico's GUI is self explanatory.
Talking about packet filtering and control here only.

It's still a good program note. But it could and should be a lot better.

 

I followed the CFP evolution through 4 or 5 releases. The real benefit of that experience is that I was absolutely forced to educate myself about firewall+HIPS. Comodo gives you absolutely no choice but to learn both the essentials and to figure out both the theory and the specifics of how Comodo chooses to implement its protection through the CFP GUI.

I spent a great deal of time on the Comodo Forums deciphering the CFP GUI choices.

The much simpler and intuitive GUI structure of OA is reason enough to choose OA over CFP - essentially equal protection easily implemented.

Good points about file and registry protection offered by Threatfire.

 

Ran that same (free) combo on my old (= resource deprived) lap top Bellgamin. Will probably return to it on my new one.

 

I agree with you on this one. I check with the program constantly, so it's not a big issue for me.

I have no problem with logging here. My computer is pretty powerful, thus it can take on any amount of logging. I would like to be able to clean up the old logs, though.

I've never used OA (no Vista >_<) so I can't compare that to Comodo, but from my experience CFP is not difficult to configure provided that you learn its functions properly. In fact, the granular control that CFP provides is the best that I've seen.

 

Hi Kees

Thanks for the reply.

When will this firewall (with A/V subset) be released?

Thanks

Terry

 

TF ccustom rules are NOT user friendly at all.

 

@Kees1958- Thanks for the comments. By the way, I use XP, NOT Vista. Detest Vista. I await Windows7.

Also I use the paid version of OA, so am unfamiliar with capabilities & limitations of the free version.

I agree with you that RunSafer is absolutely a PRIMO unique feature of OA.

As to your suggestion to use DriveSentry (DS) vice TF-- from reading "Katie's DriveSentry thread" here at Wilders, I have firmly concluded that DS is in early beta status. Too many "next's" in Katie's replies, & not enough "now's".

@aigle- Thus far OA & TF play very very nicely together.

IMO, establishing custom rules with TF's wizard is simplicity personified. All you have to do is answer the Wizard's multiple-choice questions & Poof! you have the rule that you wanted.

For example to protect a file folder named Passwords, here is a paraphrase of the Wizard's questions (Q), together with my answers (A) thereto...

1- (Q) Which processes do you want to be protected from? (A) All processes
2- (Q) What triggers this rule? (A) When any process tries to write, delete, create, or execute any file within the designated file folder
3- (Q) Which folder? (A) I gave the full path for the Passwords folder
4- (Q) Any exceptions? (A) No. (There are a few exceptions but I prefer to name those when I get pop-ups instead of listing them in advance.)

And it's DONE!

@ALL- My computer feels just a teeny bit sluggish using OA+TF, compared with when I was running CFP. I don't know if this is caused by OA or by TF or by the combination of both, but -- if it persists -- I will need to consider other options.

 

That takes un-necessary time IMO. In other HIPS like Defence Plus, same rule can be made more quickly. But it,s a mtter of personal liking.

Also I feel pop up alerts of TF custom rules less explanatory and slow to appear, just a feeling.

 

I have set rules for both D+ & TF. The time involved is about the same.

TF's Wizard offers multiple choices. Therefore, to set the example rule it took just 3 left clicks and one "browse" (to identify the folder to be protected). Fast & simple.

aigle, I do wish you would put OA+TF through some of the tests you have mentioned in your recent posts.

 

I usualy tested TF against most of them I think. Also OA was tested either by me or some one I think. File protection tests are of no value with OA, as OA lacks this module.

 

I played with Threatfire for a couple of weeks and really have no complaints with it.

A couple of days ago, I once again succumbed to this crazed need to look at new software. I downloaded DriveSentry and Online Armor. I ran the latest version of DS for a couple of days. Light as a feather on this machine and absolutely no problems whatever so far.

This morning, I had the idea that DS and Online Armor (free versions) would provide an even better combination. As of right now, after running all day, they seem to work well together.

 

Bill Remove ThreatFire. You run the paid version of OA, it has strong autostart protection setup by specialists. Everything you enter manaully in TF is problably all taken care for,

When you look at the sequence of an attack this is a typical attack vector

First network stack
2Nd process stack

Both are covered by OA, the first program to be attacked is your webbrowser. The paid version of OA have security mechanismes for Web browsing (the options the free version is missing). You could spice it up little by running your browsers in RUN SAFER mode

OA has HIPS features which are directed to keeping the proces integrity in clean state. So here is a big overlap with TF. A wau to pass this process protection is via autostart locations. Rest asure you have an old OS (meaning most back doors are figured out) and the protection intelligence of an autostart expert on board, so this is covered.

File access is the near last straw to clinch protection upon (outbound control is the very last). Drive Sentry was primarely developed for that, all the next version promises is functionality you won't need (OA coveres that), so your are right that is still in development, but the core functionality you need works great (of Drive Sentry).

I will not try to convince you any more, I promise

 

You are right they, even in free versions they are a nice combo, (@ Bill )

 

Hi Kees

I agree with the previous post. On your recommendation I tried drive sentry and it is very light, plays well with Online armor. Somethings that are insubstantial nonetheless for the mainstream its oK.

It did quarantine IHATEKEYLOGGERS which it found on my system!!!

Finally, using OL Armor free and drive sentry free could I get rid of Avast Home?

Thanks fr your help

Terry

 

I still would keep Avast on there as a backup. I may have to try the new OA Free (whenever they finally decide to let it out) and DriveSentry together, though I for damn sure will remove all my other security software first to see what is making DriveSentry reboot my system constantly within a half hour of being installed.

 

What would be a nice idea is the following

A) Make sure you have all modules installed of Avast
B) When you use Outlook use the Outlook model, when you use Outlook express use the Internet mail module (so stop the mail module your are not using)
C) Go to the standards shield and stop this module (becuase DriveSentry sort of takes over the function of the standard module).

Consequences
A) Use avast's (activated by default) bootup rootkit scan
B) All incoming data is checked (messenge, P2P, mail, webpages are scanned)
c) You still can use the occasional disk scan of Avast
D) DriveSentry checks for in the wild virusses for writes when a new programs wants to write an file suffix for the first time (OA will protect existing programs from being changed). Drive sentry also protects your HKey_Current_USer hive of registry as an extra

Regards Kees

 

Hi Kees

Thanks, I will try it!

Terry

 

Hi Kees

Reference your last response re Drive Sentry & Avast. I forgot to ask. Do your recommendations change if one uses either Geswall Paid or Sandboxie?

Thanks

Terry

 

So what is the best? OA + Drive sentry or OA + threat fire. Since I have OA free which could be the best bet? I tried DS once but not convinced with their bugs or rather inconsistencies.

 

The best is whatever works on your system without crashing it and doing other things. I'm not convinced on DS either, I mean no disrespect to Katie personally, who came here in an obvious attempt to try and help, but there's too much "I'll run this problem by our development team" and "in the next version". I don't blame her personally, but the rest of her team, IMHO, aren't working with people as much as they should to get these issues fixed. Even their main forums barely have any activity. I wish them well, but I smell a "flash in the pan". I have to stress though that it is my own opinion.