How do you set up your Comodo?

I'm curious as to how people set up their CIS, and what their convictions are for doing so.

I only use the FW & D+. I have the FW in Custom Policy mode, nothing checked in "General Settings". My "Alert Settings" is at Very High, with everything checked except the ICS Server box. But I rarely get alerts because I have rules set up for everything that regularly connects. And I don't make rules for things that only need to connect occasionally, say to update once a month or something. I allow them only as needed, and the Very High setting lets me allow only the specific ports, protocol & destinations necessary when I do. Under "Advanced Settings" everything is checked except the very bottom one "NDIS protocols other than TCP/IP".

I have my D+ in Clean PC Mode. I'm fairly positive that my box is clean right now. But I don't implicitly trust new things that I'm unfamiliar with. I treat Unrecognized Files as "Restricted". This is a setting I'm debating with myself over though. I'd like to hear other people's takes on this setting. I do not check the 2 boxes for cloud scanning, and I delete the "vendor.n" file in my Comodo program folder. I don't trust that vendor list, or their cloud database to decide what is or isn't trustworthy. Everything else is checked. And everything is checked in "Monitoring Settings". I have the sandbox disabled, but I'd like to hear people's take on this too that also use Sandboxie. Does anybody use both? How can one go about doing so effectively, and perhaps even increase their security as a result compared to just using SBE?

Your rundown does not by any means have to be as detailed and long winded as mine. You can simply cut to brass tax (i.e. Custom Policy, Safe Mode, Limited... end of story).

 

FW in Custom Policy mode, Defense+ in Paranoid mode, Sandbox disabled.


Obviously, in D+ all advanced settings.

 

Well when I used Comodo my settings were: FW in Custom Mode, Alerts medium, Defense+ in Safe mode, Sandbox untrusted, Under Defense+ advanced settings: Protect ARP Cache, Blocked Gratuitous ARP Frames
and Do protocol analysis checked

 

FW in custom mode, alerts on very high.
Everything else disabled.
I wish if they could only ship just the firewall without the rest of the suite.

 

With Defense+ in Paranoid mode settings, don't you getting a lot of popups?

 

Ya, it's what I want. The work of an HIPS is monitor and control all happens on my system, then I can create rules for the application that I trust.

 

1. CIS configuration - PS
2. AV component - not installed.
3. FW - safe mode, pretty much the default setting.
4. D+ - safe mode, w/ sandbox enabled, restriction set to "untrusted",

*Under protected files/folders I add "?/*" w/o "|" and my personal files/folders with "|".
*Under protected registry I add only *\SOFTWARE\Classes\*file\DefaultIcon*

I also use sandboxie.

 

That's another way to configured.

 

I appreciate all the replies. It's always interesting to see how other people approach it. Sometimes it influences my decisions too. I've changed my treatment of unrecognized files from "Restricted" to "Untrusted". By running in Clean PC Mode, with the vendor.n file deleted, I'm pretty much telling D+ I trust everything that's already on my computer, and NOTHING that isn't.

I'd also be interested in hearing how people handle port blocking in their Global Rules. Are there specific ports you like to block for TCP/UDP traffic? Or do some of you have a block rule for all TCP/UDP traffic, then whitelist ports? I've thought about doing the latter, but was too lazy to figure out which ones I absolutely need.

 

I'm not over familiar with Comodo as I prefer to set up an SUA-type account, but when I do use an admin account I install Comodo and D+.

I use almost exactly the same settings as you have in the first post.

fw = custom+very high, def+ = safe mode, sandbox = disabled.

I also disable the cloud settings for def+ but didn't know about the vendor.n tip, thanks - does this get added back only after an update?

I also make use of the "predefined policies" to add domains etc.

For port blocking, I just run the "stealth ports wizard".

Thanks,

 

I think the vendor.n file did get added back after 1 update only if I recall... a big update. But under normal circumstances no, it doesn't come back after updates.

I think that file in many ways defeats the entire purpose of having a HIPS, or an anti-executable. You have the power in your own hands, and as long as you make the right decisions your protection can be nearly bullet proof. But throw a gigantic whitelist in there that you're just supposed to blindly trust, and that all goes out the window. Same deal with trusting the cloud to decide what is or isn't safe.

JMO... glad you found this helpful.

 

when i used Comodo i left everything in default

i don't think i'm capable of use the high settings
i'm afraid if it did get so naggy i will just click my way through a malware or something bad

 

i wonder why you talk about settings scratching only the surface of this program.
there are tons of options and switches for each controlled application.
though i wonder too why you have to control programs with hips you installed
yourself. stealth ports - really useful in times of routers? or have you still dial-up?

sorry i cant help this topic with comodo settings cause i went away from such
blown security tools. i am a friend of basic protection instead rules afterwards.

i had comodo in their early times to gain some knowledge but it had issues here
and it was not really comfortable in some parts. so i went away to another product.
its ok to learn about the own system - whats going on - to improve behavior.
but more than those years ago i see people more and more relying on such products
and if the epic fail happens in most times user caused it, not the program.

you mentioned the whitelist - cloud behavior - in general its ok. in detail some
rules are overkill. i used malware defender (torchsoft) for a longer period - a
really strong hips control. i dropped it cause it got annoying and due failure.
i'd like to have some basic rules and group of rules for programs. at least i
learned that only 2 rules are important: web access, interactions between programs.

web -> nothing|local|lan|complete (you can refine that)
interactions -> those are needed, loading bibs (dll, ocx etc), passing commands to other programs.

but last is again such complicated - should i allow/disallow access to certain
bibs or not? what is the result? does it crash the program?
the normal user do not have the knowledge to rule it so why wasting time
with hips or a whitelist/cloud?
what about a whitelist but certain program is not allowed on the computer?
eg your child/brother/sister/parent has downloads/installs/games on your computer?
(family computer)

for me it's no longer important to have a detailed view/control on it. there are
enough options (in windows here) to have a smooth and secure running without
annoying popups or rules. if a closer look is needed i do like operamail with a sandbox
or virtual machine. that means more work/effort on a program but at least i
have a nice view from above on that rat in my cage

HTH

(using eset v5 with less control and windows 7 firewall control pro with a reduced ruleset)

 

Firewall is ok. But what do people think about Defence+ and the sandbox?

For the longest time I left defence+ off as I figured it'd waste resources and slow things down. Then with a new PC i turned it on. But most of the popups aren't very informative unless you know a lot, so I end up mostly allowing everything. Do people consider it to improve security or be worthwhile?

Same goes for the sandbox - I have Comodo FW and Avast AV and they both now include sandboxes, but I always disabled them by default.

Recently though, I've started to wonder if i should make use of them. Maybe, at the very least, I should set my browsers to run sandboxed. (that recent report said that Firefox is insecure as it isn't sandboxed, for whatever that's worth). It almost seems silly to have a sandbox and not use it for a web browser.

Is there a consensus on whether it's effective, slow or worthwhile?

 

firewall - safe mode (block all incoming ports)
D+ - learning mode, unknown files - untrusted (almost no pop ups at all)
sandbox - enabled

 

Firewall mode only (D+ disabled), Custom mode

Stealth ports - option 2 (alert me to incoming connections...) since if I block all incoming (option 3), then my port forwarding via router is somehow neglected even if the app is set as trusted.

 

I burned lots of Comodo CD's and used them as skeets, and shot the hell out of them

 

Comodo Firewall with D+
Firewall - Custom
Defense - Safe Mode (Sandbox disabled)
- *_CRYPT and /Device/KsecDD
- D+ set to block applications calling home or launching browsers.

Found this post at the Comodo forums..quite interesting post.

xttps://forums.comodo.com/index.php?action=printpage;topic=67464.0

Also closely watching this topic from which the *_CRYPT and /Device/KsecDD setting.

xttp://forums.comodo.com/leak-testingattacksvulnerability-research/weakness-of-the-gpcode-t65960.0.html

Very eagerly awaiting version 6!!!!!!!

 

What do I need to do to tell COMODO FW to allow everything that's running and REMEMBER everything, including all Punkbuster files etc?

When I tried "learning mode" in an old version of COMODO FW, it seemed to "forgot" about Punkbuster and I kept getting booted off servers.

Has this issue been fixed in the latest version?

 

All I want to know is, what do I choose for Firewall and Defense? Safe mode or what? LOL

All I want to do is stop nasties getting in or nasties sending personal info out. What do I choose?

 

I leave both Firewall and Defense+ in learning mode for about a week, maybe a little less. Then I run most of my software at least once, and then use my computer normally. After about a week, I change both modules to safe mode.

I do all this without running any outside potentially dangerous files. If I must run a file from the Internet, I set both modules temporarily to safe mode, and sandbox the file if need be. After I'm done, I reset the modules back to learning mode.

If you know a certain file you'd like to block, you can manually block the file from connecting to the Internet and also block certain permissions.

I do remember that in previous versions, CIS would forget some settings. But I haven't had that problem since version 5.

 

But doesn't SAFE MODE allow programs to contact the internet without you knowing? Don't we need PARANOID mode on all the time for Defense+ and Custom Policy for Firewall to be truly safe and to be told whenever a program tried to connect to internet?

BTW, I have Avast AV installed, do I also need Defense+ on COMODO enabled as well?

 

Go to:

Firewall>Define a New Trusted Application>Select/Running Processes

To define an application as Trusted via Predefined Policy,

Go to:
Firewall>Network Security Policy>Application Network Access Control>Use a Predefined Policy/Trusted Application

You can also make a predefined policy to tell CIS to "ask" so you will see what apps are calling home.

Go to:

Firewall>Network Security Policy>Predefined policies>Edit> "assign a name of your choice" Add> action = Ask. And then drag that to the top of the list.

Then got to Applications Rules>Select the program>Edit>Use a predefined rule>"select the rule you created" >Apply.


Some good block examples for application at the comodo forums here:

xttps://forums.comodo.com/beta-corner-cis/cannot-block-a-game-from-launching-firefoxconnecting-to-home-t75828.0.html;msg545199#msg545199

xttps://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-592198632196-released-t79623.0.html;msg571706#msg571706

Reply 115/146/149

I use SAFE MODE(sandbox disabled --there are still vulnerabilities in the sandbox as reported by aigle) in D+ so when there is something suspicious a pop-up will be seen. That set-up was paired with Avast IS(no firewall) and Avira IS 2012(no firewall).

 

I have Comodo Firewall set as "Safe Mode" and Defense+ set as "Safe Mode". Is that enough and secure and stops any threats?

 

Oh, well you're changing your story !

In the first post I replied to, you used the term "nasties" which I took to mean any unknown, potentially dangerous file. In this case, if CIS hasn't learned it and the file tries to do something dangerous, it'll throw up a warning. But in your reply to my post, you switched to the generic term "program" which I take to mean any executable, be it friendly or potentially dangerous. In this case, I do think you'd need paranoid mode in order to be alerted, as long as there's no previous rule CIS has learned from. It depends: do you want to be alerted for ALL programs, or just the UNKNOWN (and potentially dangerous) ones?

Also, as constantine76 mentioned, you can add a custom rule in CIS that will ask you if you want to allow any program -- safe or dangerous -- to connect out.

With both Defense+ and Firewall set to safe mode with enhanced protection enabled (go to Defense+ -> Defense+ Settings -> check the box), you should be safe. As long as you know your computer is clean beforehand, safe mode is excellent at preventing any infections from unknown files.

To answer your question about if you need Defense+: do you have avast! Antivirus free or paid? The free version doesn't have a manual sandbox, so if you use a sandbox a lot, I'd consider installing Defense+. If you have the paid version, then I could risk leaving Defense+ uninstalled. In my experience, the behavior shield in avast! is pretty darn good, and then you have the option of manually running anything you want inside the sandbox.

But by all means, get some other opinions too!