Comodo Firewall Pro vs Online Armor Free

Discussion in 'other firewalls' started by ahmed12, Aug 31, 2008.

Thread Status:
Not open for further replies.
  1. Makav3l1

    Makav3l1 Registered Member

    Joined:
    Nov 26, 2007
    Posts:
    241
    I've used both. I feel Comodo w/Defense+ offers me more protection.
     
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Can you clearly explain what "Comodo has SPI" means? I'm not sure this is a self-explaining statement.
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Real life doesn't second your feeling. You can take (let us say) the well-known matousec's dnstest and you will see that Comodo doesn't recognize the entry point infection this test does in addition to the DNS stuff. Also it doesn't recognize the command line the program is started with. Instead it catches unnecessary privilege elevation attempts (including those for privileges that a process already has, which is dangerously misleading because the user thinks the process doesn't have a privilege after he blocked an attempt while actually the process does have it). My feeling is it has too many "whistles & bells" instead of real security and is primarily "test-oriented". I use both currently, but OA is my main one, while Comodo is installed only on one PC which is of not much importance to me. And my feeling is quite opposite to yours, OA provides more security with fewer "whistles & bells". But that is to say I always use the latest beta and that is to say the latest beta is much more secure than the current 131 release.
     
    Last edited: Sep 5, 2008
  4. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    Hello Alex.
    SPI; Stateful Packet Inspection

    And what exactly are the extra bells and whistles that you were referring to in Comodo? IMO it offers all that it should and nothing more, I don't even use an antivirus Comodo.

    What's your opinion?
     
  5. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm sorry, but to say this is to say nothing. There are too many definitions for Stateful Packet Inspection out there.

    You are completely right not using Comodo AV because it is awfully outdated and doesn't catch the viruses and malware that are a year or more old. As for the "whistles & bells", I mean it has too many unneeded alerts for completely harmless actions but sometimes it fails to show really important alerts like entry point infection and command-line parameters. Those "extra" alerts can give an impression of "safety" to people who are not familiar with Windows internals but they are useless for those who understand what they are about. Did you ever use something other than Comodo? Defensewall, SuperAntiSpyware, EQS are not a bit weaker, but their alerts are much more informational, useful and, which is more important, they are not that annoying (it's about the HIPS part).

    I think I said enough. I can say more, but since nobody cares to provide anything except personal opinion why should I? :)
     
  6. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    I'm enjoying this convo with you :) Sorry, I worded my previous post, I don't use ANY antivirus, I agree with you that the current CAVS2 BETA is really poor. They have stopped development on it because Melih was not happy with it, so they have completely built CAVS3 from scratch with what is rumored to be a very fast engine. The public BETA is due to be released in the next few days :)

    I cannot expand on SPI, sorry.
    I have used behavioral-based HIPS such as ThreatFire or those found in some AVs, but nothing dedicated.
    Yes, if somebody doesn't know what they are doing while solely relying on a HIPS, they can be in some serious trouble. I would not recommend CPF3 for my mother, for example.

    Yes, Defense+ does alert for command lines; you have to have the right settings.

    If you have a malware sample you think can bypass D+ please send me a link or a compressed file to kyle142@gmail.com
     
  7. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    My gripe with Comodo is the appalling way it uninstalls. After trialing it I uninstalled and noticed that Security Centre still reports Comodo firewall as being on!! This after a normal uninstall and registry clean. After googling I notice that this is a common occurrence and that a script is available from the Comodo forums that can fix this. However, if the Security Centre then doesn't recognize your AV it is suggested to reinstall your AV. Thanks but no thanks, Comodo.
    ellison
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    This is a WMI Windows bug that manifests itself with tons of firewall and antivirus products; your complaint would better be directed to Redmond...
     
  9. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Strange, I've used tons of firewalls and AVs, and that has never happened before Comodo. Any ideas why it happens with Comodo and not others, or is the bug random?
    ellison
     
  10. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    There's a couple of possible ways to correct that. I have used this one and it works:

    1. Open "Control Panel"
    2. Select "Performance and Maintenance" (if you see Admin tools, just click on that)
    3. Select: "Administrative Tools"
    4. Double-click "Services"
    5. Locate: "Windows Management Instrumentation", right click on it and select "Stop"
    6. Go to the "wbem" folder (C:\Windows\system32\wbem)
    7. Locate the "Repository" folder and delete it (DELETE ONLY THE REPOSITORY FOLDER!!)
    8. Repeat steps 1 - 5 but this time right click on "Windows Management Instrumentation" and select "Start". This will recreate the "Repository" folder.
    9. Reboot your computer

    I have not yet tried this one: link.
     
  11. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    I've seen it on my Vista alone with McAfee, Kaspersky, ThreatFire. It's one of those cases when "it's Microsoft's fault" is true.
    Nothing to worry about, just follow John Doe's steps and the notification will disappear after reboot.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    What settings should I set to get it?
    The problem is in the term "to bypass"? This is rather a question of usability than a question of popup existence. If you get 5 popups instead of 1 and automatically press "allow", is this a "bypass"?
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    About SPI. In general this is a tricky question. For one, no firewall can work at the NDIS level without basic SPI, so it is safe to say that any firewall that works with network packets has SPI (basic). But then there are a lot of other things different people mean by SPI, for example a check that packets are consistent inside the stream of an established connection. And the term "consistent" is also not that simple. So I'd not recommend saying "FW X surely has SPI" until you clearly understand what exactly it does with the packets. Unfortunately, vendors prefer just to say "yes, we do SPI", but never explain what they mean by that. This is what I like OA for. They never say "we do" without explaining what exactly they do.

    Edit: an analogy struck my mind. For example you have two AVs. One has 100 signatures in its DB and the other one has 100,000. They both are AVs, aren't they? But actually one of them is almost useless. The same with SPI. For example SPI functionality can be ranged from 0 to 10. Having level 1 allows one to say "WE HAVE SPI", but actually this is almost useless.
     
    Last edited: Sep 6, 2008
  14. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks for this useful information. I've printed it off.
     
  15. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Both are very good firewalls.

    The best one for each user is the one that he can understand better. I suggest that you try them both and use the one that you find easier to control.

    Panagiotis
     
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Alex,

    Comodo does SPI.
    Actually it has 3 levels of stateful packet inspection.
    1. A very basic one.
    2. A more aggressive one (does protocol analysis); this one can cause a lot of headaches since it will block every uncommon protocol.
    3. A third level (packet checksum verification) that should be combined with the second.

    PS: You can check Comodo's ability to do SPI by installing Comodo on one computer and using a second PC as a gateway for the first. Install a sniffer on both PCs and then control their logs.
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Theoretically it is possible. Though, it is a bit time-consuming :)

    I'm not sure I understand what "protocol analysis" is. There are a lot of different protocols, many of them are encrypted, and dropping everything unknown actually can bring a lot of unexpected problems.

    Checksum validation I think is not that important, more important would be sequence number and ack number consistency, packet size validation (that the declared size doesn't exceed the real size) etc. The problem is that to do a full SPI you need to reproduce the whole TCP/IP stack, so I think SPI should be thought out very carefully before implementing something. SPI functionality should be REALLY useful and not duplicate the things that do not need to be duplicated. And, which is most important, SPI should not bring additional troubles in case it is implemented wrong.
     
    Last edited: Sep 7, 2008
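The checks listed in the post above (sequence and ack number consistency, declared size not exceeding real size), as an added Python example that is not part of the thread and not any firewall's actual code. It assumes IPv4, an already established connection with the ACK flag set, and ignores SYN/FIN/RST and window scaling; the state field names and the `build` helper are this example's own.

```python
import struct

MOD = 2**32  # TCP sequence numbers wrap at 32 bits

def in_window(value, start, size):
    """True if value lies in [start, start+size) modulo 2^32."""
    return (value - start) % MOD < size

def check_segment(state, raw):
    """Validate one inbound IPv4/TCP segment against tracked connection state.

    state keys (names are this example's own): rcv_nxt, rcv_wnd = next
    sequence number expected from the peer and our receive window;
    snd_una, snd_nxt = oldest unacknowledged and next sequence number we send.
    """
    if len(raw) < 20:
        return "drop: truncated IP header"
    ihl = (raw[0] & 0x0F) * 4                    # IP header length in bytes
    declared = struct.unpack("!H", raw[2:4])[0]  # IP total length field
    if declared > len(raw):
        return "drop: declared size exceeds real size"
    if ihl < 20 or declared < ihl + 20:
        return "drop: malformed header lengths"
    seq, ack = struct.unpack("!II", raw[ihl + 4:ihl + 12])
    data_off = (raw[ihl + 12] >> 4) * 4          # TCP header length in bytes
    if data_off < 20 or ihl + data_off > declared:
        return "drop: bad TCP data offset"
    if not in_window(seq, state["rcv_nxt"], state["rcv_wnd"]):
        return "drop: sequence number outside receive window"
    # ACK must fall in [snd_una, snd_nxt]: it cannot acknowledge unsent data.
    in_flight = (state["snd_nxt"] - state["snd_una"]) % MOD
    if not in_window(ack, state["snd_una"], in_flight + 1):
        return "drop: ack number for data never sent"
    if seq == state["rcv_nxt"]:                  # in-order data advances state
        state["rcv_nxt"] = (seq + declared - ihl - data_off) % MOD
    state["snd_una"] = ack
    return "accept"

def build(seq, ack, payload=b"", declared=None):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left 0."""
    total = 40 + len(payload) if declared is None else declared
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, seq, ack, 5 << 4, 0x18, 1024, 0, 0)
    return ip + tcp + payload
```

Checksums are deliberately left at zero in the constructed packets: none of the checks depend on them, which matches the point made in the thread that a checksum says little about whether a packet is consistent with the connection.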
  18. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    I had done it when I wanted to verify some problems with wifi connections and peer2peer problems and it is time consuming.

    It does give a lot of problems and this is why I used to recommend to those that wanted to peer2peer to disable it. The main problem is that Comodo does not log the uncommon packets that it silently drops and that makes it almost impossible to make appropriate rules for them. If I am not mistaken this feature is now disabled by default but I would prefer to see Comodo add debug logging for this kind of situation. (I requested it several times in the 2 years that I was an active member/moderator at the Comodo fora, but I guess it is not in their "to do list").

    Panagiotis
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Would that be packet check for IP/Ports?
    I have never taken time to look at that in Comodo, but checking the header of a packet will show the protocol. I am not clear on what other checks Comodo would class as "protocol analysis".
    Of little actual use; checksum errors can happen, but as an example, an intentionally malformed packet will have a correct checksum.

    Just use a direct connection, you can always add a VM as an attacker or internal logger.


    - Stem
     
  20. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    For version 2, I think that this is the case.
    The stateful packet filter is there and it works but the user needs to add the rules for it to work properly.
    For version 3, I can't tell for sure but I think it is not that basic.
    It seems to have some rules enabled by default for TCP,UDP some ICMPs and the GRE protocols, but I can't tell for sure.

    If I am not mistaken with the option "protocol analysis" they simply apply some extra rules to their SPI filter, instead of manually adding them at the generic network rules.
    Every packet that is not in those rules will be dropped.

    I agree and this is the reason I never used this one.

    I have tried this too, but I found that Comodo behaved differently on a VM and on my system (for example, on the VM it sees the ICMP traffic generated from cfp.exe/cfos speed, but on the real machine it does not).

    Panagiotis
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I don't install the firewall to check onto a VM. I will sometimes use a VM in such a setup to sit behind the firewall to check first for routed packet interception and then for direct filtering when using a host-based server proxy. It gives me insight into packet handling by the firewall; it also allows me to log on the VM.
    I have seen before where a host-based sniffer can log inbound packets which are then actually silently blocked by the firewall and can then give incorrect results, whereas a setup where packets need to go through a local server proxy (as an example) that is controlled by the firewall before the packets are passed to the VM interface for logging does then give more accurate results.

    - Stem
     
  22. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Interesting setup Stem, I'll make good use of this in the future.

    Thanks,
    Panagiotis
     
  23. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Why not? I am genuinely interested why you would recommend not to pay too much attention to "leak tests"? Aren't those tests anything to be concerned about?
     
  24. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814
    Those tests are flawed, and there is really no way to change it. Frankly, a program could stop all attempts to connect to the internet but still fail the leak test even though nothing got out.

    IMO leak tests seem to be nothing but a marketing tool for some firewalls that can't do anything but pass tests.

    I would rather see attack tests. See things stopped from the outside. Also see programs show how well they can stop something from connecting to the internet, as a firewall was intended, and not some test about whether your firewall can stop this from executing. I miss the test about how well a firewall could stop something from leaving your computer... not this behavior blocker that all firewalls seem to agree is the only measure of a firewall.

    Ditch the bloat, get back to the basics.
     
  25. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    How much mem usage does OA use in the Task Manager?
    Not sure about you, but CPF uses 7mb. The new CIS has Firewall, HIPS, AV. It is under 3mb. I don't know about you... But that doesn't sound like bloat. It sounds like the fastest today, by a long shot.

    I don't get why you are so aggressive towards Comodo, Fajo... I've seen some of your posts, you switch firewalls more than you change your underpants. Also you're saying these leak tests aren't important and that it doesn't mean anything to pass them. Then tell me: why, oh why, does your beloved OA update itself to pass these leak tests? Also, could you please link me to the "attack" tests you are referring to.
     
    Last edited: Sep 7, 2008