Component Analysis- Comodo versus ZAP

Discussion in 'other firewalls' started by aigle, Jan 28, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can anybody (who has used both Comodo and ZAP) explain to me how component monitoring differs in both? I have found component monitoring in Comodo rather annoying with many popups, and so I always keep it in learning mode (that is practically almost equivalent to turning it off). I used ZAP in the past and was never annoyed by this feature at that time. So I wonder what is the difference between the two and which one is better?

    Thanks
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I always leave it in learning mode...

    The first thing that I do after installing it is set the frequency level alert to minimum... This definition is more than enough for me...
     
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,184
    I have no idea how component control can be useful to a normal user.
    So a learning mode should be ok, as useless as it is.
    It really is, as you have found out, a source of unnecessary popups, and that in itself is a security risk. A more serious popup alert may get accepted if one is always answering things.

    Except to see what is allowed, all the DLLs.
    With Sygate I let it unticked.
    With Comodo one can sure go and try to see later what they are.

    SSM free does not have that, it only tells when something is putting a hook and that is more useful, maybe. Gets paranoid with that too :p


    That is not the right solution with Comodo, in my opinion. You can run it with 'Very High' alert level, I do. You just have to make the rules to not be alerted often.
    I am just testing this FW and might be soon back to my fave kerio 2.1.5, but I sure don't get alerted unnecessarily when my rules are right. Not that they are all wide as that minimum alert level provides.

    Basically you need to allow UDP 53 out to your ISP DNS servers for the applications. And allow incoming for localhost address, 127.0.0.1, to some applications that need it.
    If they are server accessing kind, maybe SPI is enough, but if not, only then some network rule ports need to be opened too.
    I do have my Firefox allowed all connections outbound, but I always have done that with any firewall.
    Not the smartest thing to do probably.

    Jarmo
     
    Last edited: Jan 28, 2007
  4. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Depends what you want to know about the program.
    For me I only want to be notified when a program wants to use the Internet.
    If I need, I will do other investigations about it...

    You can read this: Poll: Alert Frequency Level
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I find component control in ZAP extremely useful. I only really get pop-ups after Windows updates and that sort of thing, but by clicking on 'Details' and then 'Properties' you are able to get all the info you need in order to make an informed decision as to whether or not to allow the module.

    Basically, if a program needs to connect to the net and it has a new .dll loaded you will be warned, so you can check it out. If you have it in learning mode you will not be receiving this information.

    I suppose you could argue that if you are protected by HIPS progs against alien .dll injection you are not going to need to worry about new modules connecting. But I believe it can also protect against certain exploits that seek to misuse legitimate MS .dlls by loading them into IE (for example). Thus if you are at a 'suspect' website and IE suddenly wants to load a new .dll you can block it in ZA and shut down the browser and start again - threat avoided!

    I'm afraid I have no experience of Comodo.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for replies.

    I think there is no such option in Comodo; if I deny the popup, the whole browser is blocked? Can anybody confirm this?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Exactly what I do.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    As I see in ZAP, there are only two options for components, allow or ask, no block option. Am I right?

    In Comodo I found three options when you get a pop-up: ask, allow or block.
    While in the main firewall rules window there is only the option for allow or block; however, if you delete the rule, you will get the ask option again in the form of a pop-up.

    I found these rules a bit useless. For a test, I enabled component monitoring and then installed google toolbar that loaded new components in IE. Now when IE tried to connect to the internet, I got a pop-up of unknown components in IE (google toolbar.dll); when I blocked this dll, the whole of IE was blocked from access to the internet. So I can't use IE for the internet unless I allow this new component or remove it.
     

    Attached Files:

    • 1.jpg (52.8 KB)
    • 3.jpg (86.6 KB)
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Comodo component rules.
     

    Attached Files:

    • 2.jpg (79 KB)
  10. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    mmm, it has the same function as AIC (Application Integrity Control) on KIS...
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    That is correct, you can only have 'ask' or 'allow'; but if you have it set to 'ask' you will receive a pop-up if that component loads into a process with access, you can then click 'deny' on the pop-up. If you do that and it turns out the .dll was vital you might crash the process in question, in which case you can close it down and start again. If the .dll was not important (or malware!) then of course you can continue browsing as usual.
    Not exactly, Application Integrity Control in KAV's PDM is not confined to controlling a module's access to the web (by it loading into processes with access); rather it is keeping a list of known trusted .dlls loading into specific critical processes. These include system processes as well as those requiring Internet access. Every time a new module is loaded into Explorer (say) you need to allow or deny it on the list for Explorer - and boy do you get a lot of pop-ups! Every time you so much as run your mouse over something in Windows Explorer, you get a pop-up; but these do decrease sharply with time, as the list gradually becomes more complete.
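
The learning-versus-ask distinction discussed in this thread, as a simplified model (an added example, not part of any post and not the actual logic of Comodo, ZAP or KAV). The class name, the hash-based module identity and the sample events are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ComponentMonitor:
    """Toy per-process component (DLL) allowlist; hypothetical, not vendor code."""
    mode: str  # "learning" or "ask"
    trusted: dict = field(default_factory=dict)  # process -> {(module, sha256)}

    def on_network_access(self, process, modules):
        """modules maps name -> file bytes. Returns (verdict, unknown names)."""
        known = self.trusted.setdefault(process, set())
        # Identity is name plus content hash (an assumption), so a replaced
        # file with a familiar name still counts as a new component.
        ids = {(n, hashlib.sha256(b).hexdigest()) for n, b in modules.items()}
        unknown = sorted(n for n, _ in ids - known)
        if not unknown:
            return "allow", []
        if self.mode == "learning":
            known |= ids  # trusted silently; the user is never asked
            return "allow", unknown
        return "ask", unknown  # pop-up: the user must decide


# Constructed sample data: a browser baseline, then two changes.
BASE = {"wininet.dll": b"v1", "urlmon.dll": b"v1"}
EVENTS = [
    ("iexplore.exe", BASE),                                # nothing new
    ("iexplore.exe", {**BASE, "toolbar.dll": b"new"}),     # new module loaded
    ("iexplore.exe", {**BASE, "urlmon.dll": b"changed"}),  # known name, new content
]


def replay(mode_after_baseline):
    """Learn the baseline once, then replay EVENTS in the given mode."""
    mon = ComponentMonitor(mode="learning")
    mon.on_network_access("iexplore.exe", BASE)
    mon.mode = mode_after_baseline
    return [mon.on_network_access(p, m) for p, m in EVENTS]


if __name__ == "__main__":
    for mode in ("learning", "ask"):
        print(mode, replay(mode))
```
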
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So you mean you can specifically block a dll loaded into the browser and still continue to use the browser to surf the net? Am I correct?
    In Comodo, as I said, if I say block, it will block the whole browser, not the dll only.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, you can restrict the individual component without affecting the process itself.

    However the process may have restricted functionality if the .dll (or ActiveX etc) was required in order to enable that function.

    If a component has previously tried to access the net it will be on the list (though you can remove it from the list without any problem), the program it is loaded into may be a browser, but it is not confined to browsers as such.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I was thinking it might not be possible. If it is correct, then Comodo has no such ability.
    BTW, I still doubt it, as I did not get any option in ZAP to specifically block a dll loaded in the browser. Can you post a screenshot?

    Thanks.
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    O.K., here's a screenshot. The pop-up on the left is the one you first receive. If you click 'Details' you get the middle one, which tells you the components seeking to connect. By selecting a component in that pop-up you can bring up the properties for that component. You can then decide whether to 'Deny' or 'Allow' on the first pop-up.

    I just upgraded to KAV's Maintenance Pack 2, so I've been getting a few pop-ups today; usually I don't get any.
     

    Attached Files:

  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So this Yes or Deny will be for all components and the KAV; you can't select, contrary to your statement, or am I missing something?
     
  17. pugmug

    pugmug Registered Member

    Joined:
    Oct 23, 2006
    Posts:
    413
  18. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I think it must block the whole program rather than the individual components. :doubt:

    I think I must have been wrong to suggest otherwise - that seems logical. o_O

    Actually, I rarely have to block and the only times I have done so were when I was using IE at a 'suspect' site which was trying a known exploit on me; I had to close IE and start again - but the new module (which was a legitimate MS one) was not loaded into the new Window, so I assumed it had been individually blocked - but now I'm not sure. :doubt: The fact is my browser was open and working perfectly until I clicked a link at a 'naughty' site - so what was being blocked, the browser that already had access or the component that failed to load when I clicked 'Deny'?

    The example in my screenshot is much clearer because KAV did not have access and was seeking it with new modules - so if you 'Deny' you block access to the whole application. But what happens when the app already has access when the loading of the new module occurs? My assumption was that the module was blocked from loading rather than access for the browser suddenly being disconnected. o_O
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have same feeling.

    Thanks
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ya, actually I just downloaded a bit older trial version from download.com to see the component control. Not using it anymore.
    Are there more options in newer versions?
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,024
    Location:
    The Netherlands
    I must admit that currently I'm not using the component monitor in ZA Pro because it takes a while to configure it, it will give lots of popups, of course for more security you should use it. :rolleyes:
     