HIPS in Online Armor and Comodo Firewall

Discussion in 'other firewalls' started by skylights, Mar 19, 2008.

Thread Status:
Not open for further replies.
  1. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    Does anyone know how turning off the HIPS in Online Armor Free and Defense+ in Comodo Firewall 3.0 affects their outbound protection and performance in leaktests? I'm interested in using one of these firewalls in conjunction with a different HIPS, but I want the firewall to work well. :)
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Firewall without HIPS is risky nowadays, just to inform you.
     
  3. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    I know, that's why I said I wanted to add on a separate HIPS, or is this a bad idea for some reason? My reasoning is that I want to use ThreatFire because it's supposed to be really good and very quiet (has bigger whitelist than the other two programs?), but it probably interferes with OA or Comodo HIPS. Prevx has the biggest whitelist of all but I'm only interested in free programs.
     
  4. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Both OA and Comodo have increased their whitelists and both of them are the top firewalls out there. No need for TF if you use Comodo or OA.
     
  5. InVitroVeritas

    InVitroVeritas Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    64
    On the other hand, some people present rather convincing arguments for using both Comodo/OA + their respective integrated HIPS activated ALONG with Threatfire.

    (and the rest of the post here:
    http://www.pctools.com/forum/showpost.php?p=180315&postcount=5
     
  6. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Same goes for using Mamutu with Comodo. That is if you want to pay for a security program. I am getting ready to use Mamutu with the next release of OA Personal, not because I feel I also need Mamutu though, but because I got it free on GAOTD. LOL.
     
  7. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    No reason to combine 2 HIPS programs. Use one or the other. You will not be better protected by layering your security.
     
  8. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I don't know. The above post in PC Tools Forum seems pretty convincing. Especially when there are also posts like these in the Comodo Forum.

    http://forums.comodo.com/feedbackcommentsannouncementsnews/trojan_protection-t20906.0.html

    http://forums.comodo.com/leak_testi..._research/weakness_with_defence-t19968.0.html

    I would feel much safer using OA Personal by itself than Comodo 3.0 at this point.
     
    Last edited: Mar 19, 2008
  9. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    I know their whitelists are better than before, but I've been using OA for a couple days and I installed several new programs during that time, and OA popped up alerts for even well-known programs. I used Prevx when it was free, and it "knew" even obscure programs-- really set-and-forget. That's what I'm looking for in a whitelist, and I'm curious if ThreatFire approaches Prevx in that regard.

    So I guess OA and Comodo lose a lot of their protectiveness when their HIPS are shut off, but I wonder if ThreatFire would cover most of the lost functionality, particularly against leaks. The link provided by InVitroVeritas makes it sound like it would. I'd also be interested to see how ThreatFire would fare in the "Firewall Challenge" that launched yesterday on the Matousec site-- http://www.matousec.com/projects/firewall-challenge/
     
  10. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Give OA or Comodo a week and it will calm down. Be patient. TF is not a firewall, only a behavior blocker.
     
  11. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    I read that post in PC Tools and I have never had to shut off D+ to install Windows Updates.
     
  12. InVitroVeritas

    InVitroVeritas Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    64
    Even so, there are a lot of other points made in that post.
     
  13. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    I emailed Matousec about testing Prevx and ThreatFire in their Firewall Challenge, and they replied that Prevx doesn't fit their definition, and ThreatFire partially fits their definition, but let's just say they don't have a positive opinion of it. Matousec is due to test the PC Tools firewall in the Firewall Challenge, so I don't want to raise any hackles by posting their full response regarding TF-- unless you think it would be OK. :)

    So, I'm disappointed about TF. What I would really like is if OA or Comodo implemented a system like Prevx, with millions of programs in their database. I want a program that doesn't ask me questions, but just knows what to do. I also think this makes more sense from a security standpoint, since most people who get themselves infected probably don't know how to appropriately respond to alerts anyway.

    I also asked if they would test OA and Comodo with their HIPS deactivated, since I wanted to run a separate HIPS. They replied that they don't test products with disabled functionality, and that running two or more security solutions is risky because you might have stability issues or weaken the security of the machine. Also, they won't test Comodo Firewall 2.4 because the company discontinued support for it except for Windows 2000 users.
     
    Last edited: Mar 20, 2008
  14. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Comodo is implementing a system like that next week for beta testing.
    It's called threatcast. It will not automatically answer alerts but will tell you, the user, how many people allowed and denied, to help make their decision.

    Maybe if we're lucky they will add a feature which will follow threatcast statistics.

    EDIT: A while ago Melih from Comodo dropped a hint about threatcast.

    Your wish may come true :D
     
    Last edited: Mar 20, 2008
  15. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Most firewalls include features that can be classified as HIPS, not only Online Armor and Comodo (but only OA, Comodo and perhaps others have "full" HIPS as they have execution control). If you disable the HIPS features they will pass only the most basic tests.
    Matousec only tests firewalls with outbound protection. If Prevx cannot control outbound traffic then it's not a firewall. Prosecurity is considered a firewall as it can control outbound traffic. Threatfire can control outbound traffic but only with advanced rules.
     
  16. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    OK, that's a step in the right direction, but Prevx also adds automated sandbox analysis into the mix. That's what sets it apart, I think. And honestly I don't want to have to make a choice at all, particularly one based solely on what "the masses" think. I have a similarly jaundiced view of something like Security Task Manager, where a community rating is shown next to every process running on your system. I don't trust the community of users to be that wise. I would venture to guess that the majority of people exposed to some of the cleverest trojans fell for it. I don't want to trust those people's "herd intelligence." Am I off base here? But I trust Prevx because it adds automated analysis into the mix. I hope someday Comodo will have something like that, and keep it free. Better yet, maybe someday we'll have a complete solution that protects every area of the system and uses every technique without conflict, so people aren't always asking, "Does X software conflict with Y software?" and "Should I keep software A or are its areas of protection covered by software B?" and so on.

    Basically, I don't want to have to even think about security, beyond what security program to use. It's the principle of it. Most internet users -- beyond a small minority of security geeks and fanboys who frequent places like Wilders and the Comodo forums -- don't think about security, don't understand security, and have little interest in security. What these people need is one program that "everybody has" that they can set and forget, that "just works." Or, it needs to be built into the OS. Or Windows needs to be made secure. Or Linux needs to take over the marketplace. I won't be satisfied until security is something that comes easily.

    I must admit I resent MS for creating an OS that is so insecure that entire communities and billion-dollar industries are necessary to secure it, and yet millions of computers still get infected and botted. It's just absurd and it shouldn't be necessary. I know you guys love this stuff, but c'mon, if security weren't an issue you wouldn't miss it.

    Sorry about the rant, I guess I'd been holding back for too long.
     
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You need to set the right amount of trade-offs between security and usability/comfort which you deem adequate.
    Completely automated solutions don't (and probably will never) exist.
    Remember that machines compare and humans think. Thinking > comparing.
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OA has a database. I cannot say how big it is, but I know it has existed for at least a year. Some time ago they implemented database lookup during SCW (once-run procedure during installation). And they plan to add realtime lookup soon. This is here: http://www.tallemu.com/oasis2/
     
  19. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    He means automated.
     
  20. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I understand. But I'm very sceptical about the whitelist idea. I think the better way is to improve s/w intelligence. Having a whitelist, you need to spend a lot of time to handle it. It cannot be handled automatically, because just having info on how many users allowed or denied something tells nothing. For example, some new sophisticated trojan will be marked as allowed by most of the users. The same about behavior. Every particular behaviour can equally mean suspicious activity and quite legal complex s/w. So the final decision must be a decision of a person that has responsibility.
     
  21. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    After doing quite a bit of reading, I've concluded that TF and Comodo/OA are very different beasts. TF is an intelligent expert-based behavior blocker, whereas OA and Comodo are more like classical HIPS with firewall and whitelisting. For the most part, I think they do very different things.

    BTW, since Matousec's email to me, I've decided they're FOS on TF, because everything I've seen about TF says it's wonderful. I'm going to add it on as another layer of protection. I haven't seen anything about TF hurting system stability or security with Comodo or OA.
     
  22. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    I've done some reading and discovered that in Pro or Expert mode, Prevx controls outbound traffic and passes leaktests (but doesn't control inbound connections). This post is over a year old but I think Prevx still works like this:

    http://www.castlecops.com/modules.php?name=Forums&file=viewtopic&p=922876
     
  23. skylights

    skylights Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    42
    I agree with regards to the new Comodo ThreatCast system-- I wouldn't want it automatically making decisions based on a high percentage of "allows," since the majority of people could be fooled by a convincing trojan. For automatic decision-making, I would want something like Prevx ABC mode. (I'm not a Prevx shill-- I keep mentioning it because I think it's great, but I won't use it because it's not free). It combines expert-based behavior blocking, whitelist/blacklist, analysis by live humans at Prevx (sometimes), and some other techniques to make its decisions. I forget now what else goes into the mix, and some of its techniques are secret, but I trusted it when I used it, and figured that anything it missed would be caught by my AV, antispyware, immunization/blocklists, or firewall. If Comodo wants TC to have herd intelligence and not just herd mentality, they should implement Prevx-like technologies, but I think it would require a major additional investment in money, time and talent.

    But Comodo is still the best firewall and has some good features that OA Free lacks (like automatic update), so I finally decided to switch from OA to Comodo. These two will be battling it out for a long time, but Comodo has an advantage in that they can offer an un-hampered free version, since they make most of their money through other products.
     
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    And this is the very reason I switched from Comodo to OA paid :)
    I'm a developer myself, so I understand quite well what enormous efforts the OA team must have made to 1.) appear on the market from nowhere 2.) in a very short time score the highest results other products have been achieving for years. So I wish to support them. I think for my $40 I got more than enough and in addition a nice feeling of dealing with a brave, skilled and cooperative team. I'm sincerely proud to be in the OA beta team.

    BTW, I have just tested OA build 119 (beta) against Matousec tests .. And yes, 100% again. Just a week passed since publication :)

    PS. Another purely human reason is I'm very disappointed with the behaviour Comodo showed as a company. For one, there were some dirty words about Scott Finnie and Tall Emu when Scott wrote in his blog something that Comodo didn't like. For two, they allow bashing of their competitors at their forum. And I never heard just a single bad word at the OA forum, neither about Comodo nor about any other product. "Yes, precisely those kind of flames. It is not necessary to attack the competition in order to praise Online Armor. Posts that do, regardless of good intent will either be edited or deleted by the mods here." (this is a quote from the OA forum). And I cannot resist decent behaviour, but I hate any tricks and unfair competition. The latest disappointment happened just a couple of days ago when I discovered that information published at their test site about OA is incorrect. And it is incorrect not in OA's favour, as you could guess. Can't say about other products, because I was concerned with what OA failed and this is the only FW that is listed there and installed here.
     
    Last edited: Mar 23, 2008
  25. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    Melih had to defend his product because of the false information Scott Finnie had written, but it was bad that he brought OA into the problem.
    Regarding the test site, as I said before, this is a community-run site. It was nice of Comodo to provide hosting and all the recording materials for the testers. And there are over 30 tests, I believe, which is a lot to make mistakes on. You may be perfect but not everyone is. And you also need to stop looking at Comodo as just a firewall maker. Comodo has several products, which is why they must behave differently compared to Tall Emu and many other firewall developers.
     