comodo firewall so weak ?

Hi

i have comodo firewall last version under xp sp3

well i found a weird behavior


i installed comodo some moths ago , and i had firefox 3.6.1 installed
i create some rules for firefox

but when i update firefox 3 to 4 (and added new components and disabled others) , comodo did not pop up a window to warning me about the new version of firefox

i mean the size , hash of firefox.exe did change , but comodo 5 last version did not notice and even did not warning me

i disabled secure application

in short a firefox.exe lamed by malware could by pass comodo so easly ?

thanks

 

It's digitally signed by Mozilla thus it's on whitelist so no popups.

 

but i disabled the the whitelist

 

Comodo firewall doesn't work that way , meaning ... if you have rule for example Firefox and you update Firefox , rule that you made for it will still apply , it doesn't matter that hash for Firefox has changed.

 

so if i add a component (that could be a beak for my privacy ) or a malware overwrite firefox , comodo doesn't detect it ?

even outpost 2.0 ,6 years ago was able to do it

 

Yes comodo detect if the file is different, maybe your comodo is not configured as you think.
Have you checked the option "create rules for safe applications" in the firewall settings?
Maybe is because you manually acepted the the digital certificate of Mozilla with firefox v3 and firefox 4 uses de same certificate.

 

I'm talking about firewall only , so I'm not sure what do you mean exactly.
I'm using only firewall component , so I don't know if other features would detect your scenario.

 

yes , i have checked the option "create rules for safe applications" , in short in ON

what should i turn on ?

thanks to everbody
cheers

 

I don't believe you can do what you want with Comodo.
If you have rule created for some app. and that app. changes via update or something else , existing rules will still apply.

 

Go back to comodo firewall 2.0 it has hash check on allowed executables

 

Wow! Great Memory! It was nice when security was so simple.
Ice

 

some times whitelisting programs can be a pain too as malware writers are getting a way around

 

pc tools firewall will ask you if the file changed.comodo will not ask if the file is in the same path. if file path changed it will ask for permission.

 

comodo has a novel cloud based system and firewall checks for any abnormal activity almost real time in cloud and allows it if found safe
this is a method to prevent common users to face lesser perplexing alerts
they have sandbox based security also which automatically sandboxes any unknown program thus restricting it's capability to cause any potential damage
regards
Akhil

 

If malware attemts to replace/overwrite an executable, D+ will alert you. If you do it yourself in Explorer or it's done with a signed installer, you probably won't be alerted, depending on your settings. I'm trying out OA right now so I can't check.

 

This was discussed Firewall Rules for Changed application

 

without d+ , comodo is really weak

 

Without D+, it's little more than a packet filter which can't be criticized for duties it's not expected to perform.

 

This is why D+ is there but still you have the sandbox.

Anyway it's like say "Norton without the AV is really weak..."

 

But why do these modern firewalls rely so heavily on their HIPS components? Can't they implement something like the old Kerio that warns if the application's MD5 hash has changed without requiring HIPS to be on?

I believe Outpost also behaves similar to Comodo in that it'll only warn of changed executable if the HIPS is enabled.

 

If the file is trusted because is in the whitelist or you already made it trusted manually and gave it access to internet in a FW popup where is the problem?
Maybe only if somebody uses the FW alone, anyway if somebody is really interested you can add this idea to the whitelist, is a good one.

 

No the sandbox is part of D+.
"If Defense+ is deactivated permanently, this option will have no effect."

 

I mean just disabling D+ (right click on the icon -> D+ -> Disable)

 

This was my point actually. If a user only installs the firewall and no D+, rules are enforced via filename/file path. Comodo will not prompt the user if the executable connecting out has changed unlike Kerio which doesn't have HIPS but still alerts the user that the executable's hash has changed and asks to allow the outgoing connection or not.

 

The firewall is desgned to work together with the rest of the suite.
Probably they haven't added this feature because it will be overlaping with D+, also almost everybody install at least, the FW, D+ and the sandbox. If you only want a firewall with MD5 check try another, or you can add this idea to the comodo whitelist.

If you remove features to any other suite will happen the same thing, but only Comodo and avast allow you to install what you want