Comodo Firewall questions

Discussion in 'other firewalls' started by Phractal, Jul 25, 2012.

Thread Status:
Not open for further replies.
  1. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    Hello all!

    I just installed Comodo and Avast on my computer yesterday and have a few questions about Comodo mainly, which I hope can be answered here.

    I set up the Firewall using this link and am running it in Safe Mode, as well as Defence+ in Safe Mode.

    I added a few network policies for my openvpn connection as well as RDP.

    When I looked into my global rules I found a setting that I did not add and was probably added by Comodo itself...."Blocking all incoming IP traffic".
    Obviously this is not good when you are trying to connect to your home pc from work via RDP.

    QUESTION: Is that a standard rule set up by Comodo?


    QUESTION: How do exceptions in network policies work?
    I tried to alter above rule by telling it to block everything but any connection to my openvpn server network. Did not work. I had to completely delete that rule in order to be able to connect to my home pc via my work pc. Why would that exception not work?

    QUESTION: Should I run Comodo in Custom networks setting mode e.g. define every rule myself for maximum security? Or is that overkill ? Is there any good expert guide around?

    QUESTION: How can I block trusted applications like Chrome for example?
    I tried to block Chrome from connecting to the internet but to no avail. I just wanted it to be able to connect to local files (testing html codes etc., fiddling around with html code and websites ;) ). But no rule, no matter what I did (Block, exception etc.) worked :(

    These are the most pressing questions for me at the moment, but I am sure I will come up with more later on ;)

    Thanks in advance for any help!

    Phraccy
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    974
    Location:
    Paris
    Hi Phractal!-

    First off, no, that IP rule that you see in Global settings is certainly not a default CIS rule. Delete it.

    Second, I would suggest that the Firewall should be set as Custom. The folks at Comodo are very smart, but you still know your computer best. Allow/Deny all program connections on a case by case basis (it's really no burden at all). So switch to Custom, go in and delete any Google/Chrome references in application rules and try again. You should be able to block the program now.

    As you already have had the Firewall in Safe Mode and don't want any extraneous stuff connecting to the net and just have the VPN valid, I guess you should delete all of the things in Program Rules save for svchost and System (you can allow these on reboot).

    Hope this helped.

    M
     
  3. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    Hi cruelsister,

    ok, thanks a lot. Already helped me a great deal :))

    Oh btw., even though I already asked in another thread, but as Avast and Comodo Firewall don't seem to work well together on x64 Win 7 I was wondering if Comodo Internet Security is worthwhile or another free AV program!? Any hints on this topic?

    Thanks again!

    Phraccy
     
  4. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    974
    Location:
    Paris
    Although Avast is a fine product, we've noted in the last few months that the difference between the AV in Avast vs the AV in Comodo, formerly a wide difference in favor of Avast, has really narrowed. As a matter of fact, reviewing our data for the past month Comodo actually was a tad better than Avast in detection of D+1 threats, although the difference was not statistically significant.
     
  6. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    I would say try Comodo Internet Security for few days & see if you find it suitable for you.

    I run it on XP SP3 32 Bits & 7 64 Bits, light & no prob here.

    But every system is different so give it a try & see.
     
  7. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    Hi all,

    thanks a lot for all the input :)

    Installed Comodo Internet security (free) yesterday and all seems great so far. All block and allowance rules work as they should.

    Only thing I am missing (not sure if really needed) is a AV webshield of sorts, or is it there and I missed it?

    But as I am using Firefox and noscript I am not even sure if it's really needed.

    All in all, CIS seems a pretty decent piece of software and it's free....what else would one want? ;)

    Phraccy
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,150
    Location:
    in a remote land :)
    CIS has no Web Shield or similar, if you go to an infected site, the malware will be on the memory or the HDD so CIS will detect/ask you about it
     
  9. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    208
    Location:
    Romania
    And in addition you can use Comodo SecureDNS too: http://www.comodo.com/secure-dns/
     
  10. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    CIS can automatically sandbox malware executed from the blackhole exploit kit.

    So, the web filter is needless for users of CIS.
     
  11. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    Thank you for that info! Didn't know that. But in order to do that, I would probably need to activate the integrated Sandbox or is that a separate feature?

    Speaking of Sandbox....when I install Sandboxie do I need to deactivate the CIS integrated Sandbox or would they work well together?

    What is the difference between my current (ISP DNS) ones and the Comodo ones. As far as I can see, they block a whole lot more sites (intentional or not, I do not know) that my current DNS. Just not sure where the advantage of switching is?

    Phraccy
     
    Last edited: Jul 26, 2012
  12. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    1.You can enable the sandbox and the "partially limited" both.

    2.
    CIS V5 --> work well together

    CIS V6 --> sandboxie is needless
     
  13. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    awesome, thanks :)

    EDIT:

    A few other questions came up and I am hoping to get answers to those as well.

    Regarding Global Rules in the Comodo Firewall.

    Do these have a certain priority in which they are utilized? Meaning, if I have a global rule for my vpn service (Allow in UDP port) and my RDP service (Allow in TCP port) and then, at the bottom, add a rule blocking all incoming traffic....would let in my vpn connection and rdp but everything else gets blocked??
     
    Last edited: Jul 26, 2012
  14. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    +1

    I too find Comodo AV's detection at par & even better than top free AV's now. It has improved a lot + Cloud is also good.

    So I am trying CFW + CAV with D+ disabled on one system of mine for few months & no infection or FP yet. I disabled D+ coz other users on this system don't like the few popups it gives & are not ready to learn.
     
  15. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    You can switch the configuration to "CIS" and then enable the game mode.
     
  16. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    Do you mean enabling game mode I will get FW + AV & though D+ will remain enabled there will be no popups as all D+ popups will be automatically allowed coz of game mode?
     
  17. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    1.there will be no popups as all D+ popups will be automatically allowed coz of game mode

    2.Your PC is still protected by "partially limited"

    3.You can check this one by the program,
    "comodo leak test"
    CLT.exe
     
  18. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    Interesting that you bring up D+ issues.
    With game mode I presume you mean D+ game mode and not all together game mode?

    This is particularly interesting for me as D+ is driving me nuts.

    It blocks Firefox flash, or better the plugin container, and I can't find out what to activate in order to have it running normally. Already tried all the tips on the comodo forums, to no avail :(
    If D+ game mode would solve this AND keeps all things protected, I am a happy panda!

    Phraccy
     
  19. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    game mode:
    automatically push the allow button in the d+ alert window
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    974
    Location:
    Paris
    I really don't suggest that anyone set the sandbox to treat files as Partially Limited. Certain types of Ransomware will have the ability to trash your system if this setting is used.

    You really won't notice any difference in computer response if either Restricted or Untrusted modes are chosen, but there is a world of difference in protection.
     
  21. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    hi,

    just realized what you meant by that....my problem is however, that no alert windows pop up anyway.
    What I experience is the following. Firefox itself is loading correctly but will not show any flash content whatsoever. It tries to load it, as I see the processes in task manager but obviously it is being blocked somehow. I get no alerts in D+.

    I tried adding plugin-container.exe and flash executable to allowed programs which can access intraprocess memory, end process etc etc and also made exclusions for them in shell intrusion detection.

    To no avail :(

    The strange thing is, when I close Firefox, my taskmanager is filled up with stuck processes of werfault.exe, flash executable and plugin-container.exe
    These processes are the same number as the times I tried to open flash content in firefox.
    On top of that, I cannot end these processes manually either...only rebooting kills them.

    Anyone have any idea how to solve that? I know its a D+ thing as everything works fine when turning it off.

    Thanks in advance!

    Phraccy
     
  22. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    974
    Location:
    Paris
    Let's try easy first.- werfault.exe is the Windows Error Reporting service, so obviously something is amiss.

    1). Open up Comodo. On the main screen (Summary), do you see any number other than Zero for either Untrusted Programs or Sandboxed programs? If you see anything pertaining to Flash or Adobe, delete them.
    Also open up CIS and click the Defense Plus tab. Click on View Defense+ Events and see if anything is showing up there for today.

    2). After that, let's blame Adobe (they are evil, so it's OK). We will now uninstall Adobe Flash and reinstall it (it's totally safe to do this, trust me).

    Get the Flash Uninstaller here:

    http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

    Make sure Firefox is closed and run it.

    Now go get the latest flash version for Firefox here:

    http://get.adobe.com/flashplayer

    Install it and open up Firefox to see if you have the same problem.

    Get back to us on what happens.

    ps- the reason I think the issue is with Flash is that CIS really doesn't have an issue with Mozilla apps. I'm using FF 17.0a1 nightly and have never gotten a peep from Comodo.
     
    Last edited: Jul 27, 2012
  23. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    If it still works in the same way from last time I used it (and I don't expect any changes), the answer is yes.

    An incoming packet gets analysed based on those rules, in the order presented. The first rule is examined, if it matches the packet, the corresponding action is executed (allow/block/log). If not, the next rule is examined.

    So in your case, you would create a very specific rule that allows your vpn, down to ports, protocol and address whenever possible.
    Next you would make a block all incoming rule, and it would only block whatever the previous rule didn't allow, which is everything else.
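
Added example (not written by any poster in this thread, and not Comodo code): a small model of the first-match evaluation described in the post above, comparing "specific allow rules, then block all incoming" with the same rules in the wrong order. Ports 1194/UDP and 3389/TCP are the OpenVPN and RDP defaults; the addresses and the `no-match` result are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    proto: str = "any"            # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"        # permitted source network (CIDR)
    dport: Optional[int] = None   # destination port, None = any port

    def matches(self, proto, src, dport):
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and self.dport in (None, dport))


def evaluate(rules, proto, src, dport):
    """Walk the rules top to bottom; the first matching rule decides."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src, dport):
            return rule.action, index
    return "no-match", None       # model placeholder, no rule applied


# Constructed rules: allow the VPN and RDP as narrowly as possible.
VPN = Rule("allow", "udp", "203.0.113.0/24", 1194)   # work network -> OpenVPN
RDP = Rule("allow", "tcp", "10.8.0.0/24", 3389)      # VPN subnet -> RDP
BLOCK_IN = Rule("block")                             # block all incoming

GOOD = [VPN, RDP, BLOCK_IN]   # specific rules first, catch-all last
BAD = [BLOCK_IN, VPN, RDP]    # catch-all first shadows everything below it

# Constructed incoming packets: (protocol, source address, destination port)
PACKETS = [
    ("udp", "203.0.113.25", 1194),   # VPN client connecting from work
    ("tcp", "10.8.0.6", 3389),       # RDP arriving through the tunnel
    ("tcp", "198.51.100.7", 3389),   # RDP attempt straight from the Internet
    ("tcp", "198.51.100.7", 445),    # unrelated inbound connection
]


def verdicts(rules):
    return [evaluate(rules, *packet)[0] for packet in PACKETS]


if __name__ == "__main__":
    for name, rules in (("specific first", GOOD), ("block-all first", BAD)):
        print(f"{name:16} {verdicts(rules)}")
```

With the block rule last, only the two narrowly scoped connections get through; with it first, the allow rules are never reached.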
     
  24. Yash Khan

    Yash Khan Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    1,837
    D+ disabled - Self protection is also disabled.

    So I think what you have mentioned is better than my approach.

    I am running CFW + CAV with D+ disabled. In this way I get only CFW + CAV.

    But what you have mentioned i.e Game mode enabled instead of D+ disabled, I will get little extra protection i.e CFW + CAV + Self Protection + Autosandbox, am I right?

    With this setup the Unlimited Rights Popup is there or not, I think not, right? I don't want this popup too.


    Edit - I checked CIS on Game Mode

    I tried CLT.exe


    When I ran CLT.exe, I checked there were entries in partial limited/Unrecognized Files & 1 program in Sandbox - This means due to CIS in game mode CLT.exe was automatically sandboxed otherwise you get a popup "Unlimited Rights" popup. This is the prob with game mode. If you are installing/uninstalling a program which is not recognized by CIS then in game mode the installer/uninstaller will be automatically sandboxed & the program may not install/uninstall properly.

    I don't know how game mode will treat a program which is digitally signed but not whitelisted by Comodo, it will be allowed or sandboxed?
     
    Last edited: Jul 27, 2012
  25. Phractal

    Phractal Registered Member

    Joined:
    Jul 24, 2012
    Posts:
    15
    Hi cruelsister,

    I made a clean reinstall of CIS or better the whole computer and it works fine now. Not sure what the problem was.
    I have D+ in safe mode, enabled all the protection monitoring settings and otherwise left D+ as it was installed. Or should I tweak certain settings?

    Thanks for all the helpful tips and hints here guys and gals ;)

    Phraccy
     
    Last edited: Jul 27, 2012