looking for replacement for comodo CIS

Discussion in 'other firewalls' started by LMHmedchem, Mar 2, 2015.

  1. LMHmedchem

    LMHmedchem Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    28
    Hello,

    I have been a paying Comodo CIS customer for many years but I have started looking for alternatives. The software has deteriorated significantly since 2012 and I find the more recent versions to be unusable. There is a never-ending series of issues with updating the AV database, the redesigned interface is useless, and my computer is so slow and locks up so often that it's not even close to being manageable. I can renew my license for the 2012 version, but I thought I should start looking at alternatives.

    One feature I liked about the pre-2013 versions of CIS was the Defense+ feature that white-lists program execution. If the digital signature of an application is not in the approved list, the program runs in a sandbox unless it is added to trusted files. I think this is one of the best approaches to protect against 0 day threats. I also liked the firewall which I also have set to white list. All programs are by default not allowed to connect to the internet but it was not too hard to set up rules to allow connections to specific domains. It is important that rules can be configured by domain. It was also nice in the pre-2013 CIS that you could look at all your current active connections with one click and terminate any connection with a second click. This was done away with for reasons that defy explanation. I guess the CIS AV worked fine, but I never had a detection alert from it so it's hard to say.

    One thing that would be very useful would be the ability to exclude directories and files from both AV scan and execution prevention. I am a developer and CIS could be very hard to work with when creating new software. Every newly compiled application would trigger the D+ since the digital signature had changed. I also have backup directories with TB of old data and this does not need to be scanned by the AV. I like applications that let you know what they are doing. There were a lot of times when CIS would ramp up the CPU usage for a considerable length of time and there was no explanation of what it was doing. My worst infection ever was an infection to the Norton updater, so I don't like security software that is constantly doing tasks in the background. If a background task is running, the user should be able to see what is going on and have the option to quit the task. I guess such options should be password protected.

    Suggestions would be appreciated, I haven't looked at this stuff in a while. I guess this is the best forum to post in but please feel free to move it elsewhere if it isn't.

    LMHmedchem
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    "It is important that rules can be configured by domain."

    This makes things tough. Very few firewalls have that capability at the application rule level. You might want to check out Agnitum's Outpost products. I know their firewall back in ver 9.0 days supported DNS addressing so I assume their current versions do so also.

    The software is a bit buggy and the AV portion is not the greatest, kind of like Comodo. It is VB100 certified though.
     
  3. LMHmedchem

    LMHmedchem Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    28
    It is not essential to be able to configure the firewall rules by domain, it is just convenient. All of my applications are set to white-list access meaning that all connections to the internet are blocked with notification unless there is a specific rule to allow the application to connect to the specific destination. My browser has a more liberal rule, but that is it. My email needs to connect to pop and smtp servers at comcast and yahoo and the ip address of these servers changes fairly frequently. It is nice to be able to configure a rule to allow port 465 connections to smtp.bizmail.yahoo.com and not have to add a new rule every time the ip changes. Now this doesn't always work with Comodo and I do still get connection requests from the email client. I have to look up the ip and it is always valid. For some reason, Comodo doesn't always seem to get the domain association correct. Comodo has its own DNS servers, so I suppose it is safer to allow domain based rules when you are more sure about trusting the DNS server.

    On the other hand, my hardware firewall does not support domain based rules so I have to have rules for multiple ip ranges to make pop and smtp connections. Since it works for the hardware firewall, I'm sure it would work for the software firewall as well and wouldn't be the end of the world to set up. Occasionally my email stops working and I have to go into the hardware firewall and check the logs. I find that one of the mail servers is using a new ip range and I have to add a rule. I would just have to do the same thing for the software firewall. I guess I don't have any other reason for wanting domain based rules.

    The execution prevention feature is important for me and it has been very difficult to determine which security suites have such a thing and which don't. The websites just give a very non-specific list of features with no explanation of how they work or how the rules are configured. The Agnitum site you mentioned has a product called Outpost Security Suite.

    On the feature list are items like,
    Keeps your confidential data private
    Your identity stays safe online
    Secure online payments
    Forget system crashes and slowdowns

    For a programmer, this type of information is not all that, well, informative. I would hope that a security suite would provide some protections of that kind, but the devil is in the details, which are non-existent. The site does say something about

    Proactive Protection: Blocks new and sophisticated malware even before your antivirus can identify it.

    This sounds like execution prevention, but it's hard to know what the feature actually does, how the rules are configured, and how effective it is. I once had the Norton firewall and had set a rule to block all Microsoft Office applications from any communication with the internet. When I opened a packet sniffer, I could sit and watch all of the data moving from my computer to Microsoft ip addresses and see the connections that the office apps had opened. Apparently Symantec had an arrangement with Microsoft to allow such connections even when a user had configured a rule. It's hard to know exactly what software is and isn't doing in practice and the bullet points on the brochure don't change that. I really don't trust much of anything other than comments from technically proficient users who have had the software running on their own systems and can comment from experience.

    I do have applications that I simply do not ever want to run or be accessed under any circumstances and I think that white-list execution is the best overall defense against 0 day threats, including doing something stupid myself without paying attention. I have thought for 20 years that white-list execution should be part and parcel of every operating system, let alone third party security software, but I guess we aren't there yet.

    LMHmedchem
    .
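
    The triage described in the post above (a blocked mail connection, an IP lookup, then a new range rule), as an added example that is not part of any post in this thread. The range rules, DNS answers, log entries and the `pop.example.net` hostname are constructed; only `smtp.bizmail.yahoo.com` on port 465 comes from the post.

```python
import ipaddress

# Domain rules (hostname, port): the first is from the post, the second is a placeholder.
DOMAIN_RULES = [("smtp.bizmail.yahoo.com", 465), ("pop.example.net", 995)]
# IP-range rules as a hardware firewall would hold them (constructed, documentation ranges).
RANGE_RULES = [("192.0.2.0/24", 465), ("198.51.100.0/25", 995)]
# Constructed DNS answers standing in for a live lookup, so this runs offline.
DNS_ANSWERS = {
    "smtp.bizmail.yahoo.com": ["192.0.2.25", "203.0.113.40"],
    "pop.example.net": ["198.51.100.10"],
}
# Constructed log of blocked outbound connections: (destination IP, destination port).
BLOCKED = [("203.0.113.40", 465), ("198.51.100.200", 995), ("203.0.113.40", 25)]


def range_allows(ip, port, rules=RANGE_RULES):
    """True if an IP-range rule covers this destination and port."""
    addr = ipaddress.ip_address(ip)
    return any(port == p and addr in ipaddress.ip_network(net) for net, p in rules)


def domain_allows(ip, port, rules=DOMAIN_RULES, answers=DNS_ANSWERS):
    """Return the hostname whose domain rule covers (ip, port), or None."""
    for host, p in rules:
        if p == port and ip in answers.get(host, []):
            return host
    return None


def triage(blocked=BLOCKED):
    """Classify each blocked connection from the firewall log."""
    results = []
    for ip, port in blocked:
        if range_allows(ip, port):
            verdict = "already-allowed"
        else:
            # The IP is outside every range: does an allowed hostname resolve to it?
            host = domain_allows(ip, port)
            verdict = f"add-range-for:{host}" if host else "investigate"
        results.append((ip, port, verdict))
    return results


if __name__ == "__main__":
    for row in triage():
        print(row)
```

    A domain rule matches only on the exact port and only on addresses the resolver returned, so its verdict is no more trustworthy than the DNS answers it is built from.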
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    You might also check out Emsisoft Anti-Malware + Online Armor combo. Note that each would have to be purchased separately and the Online Armor firewall license alone is $39 per year. FYI - their Internet Security product just includes a firewall w/o HIPS, etc.

    EAM is a top-rated AV/AM with one of the best behavioral blockers in the business. Online Armor has an excellent firewall, fully functional HIPS*, and online banking protection*. Note that Online Armor does not have a sandbox like Comodo.

    * paid version only.

    http://www.emsisoft.com/en/software/antimalware/

    http://www.emsisoft.com/en/software/oa/
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    As a caution, OA leverages many whitelists (mostly in the cloud) and automation by default. Maybe you want to disable those features. And whatever settings you change, it can't reach Defense+'s paranoid mode granularity as you can't completely remove some degree of automation in some of the application behavior. Otherwise, it will be a good candidate.
     
  6. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    So you want a paranoid execution prevention or HIPS program like the previous Comodo? I would like to suggest Malware Defender
    http://www.softpedia.com/get/Security/Secure-cleaning/Malware-Defender.shtml

    Unfortunately, it only supports up to Windows 7 and 32bit (Windows 8 not supported). This program may suit you, it can be very paranoid, even more paranoid than Comodo. This is the most powerful execution prevention or HIPS that I have ever met. It is so powerful and paranoid that I used it only once. Not really suitable for daily use but can be effective when it comes to detecting suspicious execution.

    Here is the official website: http://labs.360.cn/malwaredefender/
    You can click the Free Download English Version. It is created by, once again, 360.
     
    Last edited: Mar 6, 2015