Maybe parts of Comodo and OA?

Discussion in 'other firewalls' started by Atnodirlee, Mar 23, 2009.

Thread Status:
Not open for further replies.
  1. Atnodirlee

    Atnodirlee Registered Member

    Joined:
    Mar 16, 2009
    Posts:
    4
    I find all the security stuff to get way over my head, all the different types of attacks and how to know if what I have is full coverage or what.

    So one thing I want to know is if I am going for free versions, at least to start, it looks like Comodo has more protections than OAfree.

    What does Comodo (firewall and def+) and OAfree protect against that the other does not?

    And I like the run safer idea in OA, so, would it be good to use some parts of OAfree and some of Comodo, and what stuff from each should I then turn off, as there's no need to have 2 trying to do the same thing?

    And if the only thing OAfree has extra is the run safer, is there something else better to use to do that (not "drop my rights" but a real program) that would work well with Comodo?

    Thanks.

    (for info: I have a new Vista laptop and am also trying Avast for the AV and trying Returnil. Of course I don't want too much resource use, but just a good set-up that covers all bases like this.)
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Hello,

    It is not advisable to install 2 3rd-party firewalls; low-level driver conflicts can take place. Caution is also required when thinking of installing 2 real-time HIPS, as if both those HIPS are hooking the system and attempting to intercept the same internal action, then problems can arise.

    - Stem
     
  3. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    From one who has used both Comodo and OA (not at the same time) I would recommend OA in your case, following your comment "over my head". OA is engineered for the rest of us as well as the techies. You can run it in standard mode and be fine. After using it for over a year, I can vouch that it protects you as well as or better than the other firewalls. :cool:
     
  4. Atnodirlee

    Atnodirlee Registered Member

    Joined:
    Mar 16, 2009
    Posts:
    4
    Oh, so not even installed with certain things turned off so there's no redundancy, because you are saying the drivers can still conflict.

    Well, one reason I don't want to buy software, at least before a good trial, is because of all the times I have and they have done more harm than good (like McAfee and Norton, which I learned to stay far away from the hard way). It is like paying for a mess too often.

    Yeah, OA seems easier to understand than Comodo for me, I like the layout better, but it still has issues (like a service problem it had in version 3 on XP that I had tried, and I see here that the color border won't stay on the run safer, so maybe it is not applying the limited rights? I don't know.) So I'm waiting for the next release anyway, but the free version has some protections disabled, so I figure Comodo is better (although wow, these popups...) because I guess it covers any of the protections OAfree has disabled o_O

    Question:

    So with using Comodo, what can I add for an easy drop rights or any other specific things that Comodo doesn't cover to fill the gaps?

    thanks.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    OA does run the applications as run safer; only some (I guess) Java/J2EE-based applications (like Limewire and Chrome) are not shown with the coloured border.

    Give OA a serious try, Comodo requires some more knowledge, although the freeware version offers more buttons to play with (than OA) and tune your setup.
     
  6. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Do NOT use 2 or more firewalls at the same time. Software conflicts can arise and do permanent damage to your system's hard drive or registry keys.
    It is advisable that you use only 1 firewall running in real time.

    The difference between COMODO and OA and most other firewalls is that they both have built-in HIPS. HIPS gives you control to allow or deny programs from running/executing.

    Yes, COMODO's D+ is more comprehensive than OA's built-in HIPS.
    In fact, I believe it is THE most comprehensive HIPS available in the market right now.
    It even has anti-keylogger capability, and protects from buffer overflow attacks.

    But for newbies/non-techies, I suggest you use OA. Its HIPS may not be as comprehensive as COMODO's, but the protection is top-notch nonetheless :D :thumb:
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It is hardly the case that Comodo is more comprehensive; it is rather more settings-packed, but this is natural, because OA's goal is to keep it as simple as possible. I'd say it is even the opposite, for Comodo still does not show you command-line parameters and fails to intercept entry point infection, for example. Also it doesn't use parent-child rules. I mean, if some DLL is run, let us say using rundll, Comodo applies the rules for rundll, while OA applies the rules depending on the DLL that is launched.
     
  8. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89

    hehe? Bullshit? What good would command-line parameters do? Don't claim it adds anything security-wise.. Comodo has so much else that OA lacks.. e.g. buffer overflow protection, "probably" better interception; it's technically #1 at Matousec, but has not paid for a retest as some others have..

    Regarding parent-child rules, Comodo uses parent-child rules.. that's just a pure crap argument..
    geezz.. Let the man try CIS.. after all it's free.. :thumb: :rolleyes: Try a little of both is my suggestion.. then make your pick.. I am more than happy with CIS.

    Also I think it is OA that can still be crashed easily by flooding. But not sure about that one.
     
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Actually, this adds a lot. For example some program can start explorer.exe just to browse some directory, and another can start it like "explorer.exe http://bullshit.biz?your_encrypted_credit_card_requisites".
    I still cannot find proof this "buffer overflow" does something useful. The only POC to test it is stopped by OA when it tries to infect another process. But if you can provide some proof, it is welcome.

    Take a look here:
    https://www.wilderssecurity.com/showthread.php?t=231106
    to understand what I'm talking about


    It is good you are not sure, because more than a year has passed since Ailef did it with some old OA version.

    BTW, I do not want you to change your software, I just hate when people make ungrounded statements. CIS is good software and it is
    "Free", which nobody denies. I'd only say that to use CIS and to be secure you need to understand a lot about how system internals work. CIS has a lot of different modes and settings and not everybody understands the difference between them. I saw a lot of people fail Comodo's own test with CIS due to misconfiguration and misunderstanding. The same may happen with real malware. On the other side, OA has only two modes, standard and advanced, but both are equally secure; the difference is only in the number of available settings for "fine tuning".
     
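    The disagreement above is about whether a HIPS rule should be keyed on the host image alone or on its parent, command line and the DLL it actually loads. The following is an added example, not code from the thread or from either product: a toy rule matcher run over constructed process-creation events, showing how an image-only rule for rundll32.exe / explorer.exe waves through the same launches that an argument-aware rule would prompt on. All event data and rule names are constructed for illustration.

```python
# Added example (not from the thread or either product): why a HIPS rule for a
# host binary such as rundll32.exe should depend on the DLL/argument it loads,
# not only on the host image name. All events below are constructed samples.
from dataclasses import dataclass
import re


@dataclass
class ProcessEvent:
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # full command line of the child


# Constructed sample events, not captured from any real system.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent("winword.exe", "rundll32.exe", r"rundll32.exe C:\Users\Public\evil.dll,Run"),
    ProcessEvent("explorer.exe", "explorer.exe", r"explorer.exe C:\Users\Public"),
    ProcessEvent("notepad.exe", "explorer.exe", r"explorer.exe http://example.invalid/?data=secret"),
]

HOST_BINARIES = {"rundll32.exe"}   # images whose real payload is their argument


def image_only_decision(ev: ProcessEvent) -> str:
    """Rule keyed only on the child image: one 'allow' covers every DLL and argument."""
    return "allow" if ev.image in {"rundll32.exe", "explorer.exe"} else "prompt"


def effective_target(ev: ProcessEvent) -> str:
    """For host binaries, the thing actually being launched is the first argument."""
    if ev.image in HOST_BINARIES:
        parts = ev.cmdline.split(None, 1)
        if len(parts) > 1:
            return parts[1].split(",", 1)[0]   # strip the ',EntryPoint' suffix
    return ev.image


def argument_aware_decision(ev: ProcessEvent) -> str:
    """Rule keyed on parent, effective target and command-line contents."""
    # A URL handed to explorer.exe opens the default browser: ask before allowing.
    if ev.image == "explorer.exe" and re.search(r"\bhttps?://", ev.cmdline):
        return "prompt"
    if ev.image in HOST_BINARIES:
        # Pre-approve only a known system DLL launched from the shell; ask otherwise.
        if effective_target(ev).lower() == "shell32.dll" and ev.parent == "explorer.exe":
            return "allow"
        return "prompt"
    return "allow"
```

    Run side by side, the image-only rule allows all four constructed events, while the argument-aware rule prompts on the unknown DLL from a document viewer and on the URL launch.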
  10. Iam_me

    Iam_me Registered Member

    Joined:
    Feb 6, 2009
    Posts:
    89
    I am sorry, aigle is a nice guy.. but he made an allow rule to BYPASS CIS's usual parent-child rules..

    Quote from aigle of how he did the test (link lower down on page):

    He did not say that on Wilders though.. But he was proved wrong by internal testing at Comodo..

    It was in my mind not a proper way of testing.. HE ONLY TWEAKED D+ FOR LESS CHATTINESS; still, if that's what he feels like testing then he should not say "I used CIS default interactive security mode".. Actually CIS pops up MORE than 10 times if aigle had only used default CIS settings.. which he did not.. D+ even says "MALWARE BEHAVIOR".. It probably passed that test the best.. and it shows that D+ handles complex parent-child relationships well also, without problems.

    http://forums.comodo.com/leak_testi...ficker_worm_versus_defence_plus-t33410.0.html

    Read that from the Comodo forum if you want.. Log in to see all the beautiful popups it really generated..

    Also some more "tweaking" stuff he did to prove that CIS only gives ONE popup for this..

    Still think he proved CIS can't handle parent child relationships? :argh: :)
    This guy even says on the forum CIS has this...

    "Being a classical HIPs with complex parent child relationship for executables, it,s too chatty"

    Aigle says IT HAS complex parent-child relationships for executables.. The guy you are referring to as proof that CIS doesn't have this.. =S
    I am sorry.. But CIS does handle this stuff very well, and uses parent-child relationships.. I know. If still in doubt, please try it out; I know that it uses this since I do a lot of testing.

    I don't feel the need to pump arguments for this one.. but if it's nothing to worry about then why would M$ brag of added protection against it..
    Many drive-by downloads are actually using BO attacks..
    And usually when software such as Firefox, IE, Apache, whatever experiences a vulnerability, it can be traced down to a BO flaw..

    BO attacks can be launched REMOTELY and used to take over a computer without the need for them to manually install something..

    Here are 2 links that seem to take BO attacks seriously..:rolleyes:
    I say it's better to be protected than not to be..

    http://www.networkworld.com/newsletters/sec/1115sec2.html
    http://articles.techrepublic.com.com/5100-10878_11-5031882.html


    Do you still consider my statements ungrounded? I don't consider yours to be.. I usually base my sayings on facts, and have something to back them up with.. And I can see that you have also.. Still, sometimes facts are wrong.. Like the one about the child-parent accusation.. :cautious:
     
    Last edited: Mar 26, 2009
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    But what does make you think you are really protected from this ? :)
     
  12. 3xist

    3xist Guest

    Just some simple advice... Go ahead and search for "Buffer Overflow" in ANY AV Vendor's site/forum.

    A few examples of buffer overflow vulnerabilities:

    Symantec site

    Security Focus

    Secunia

    Secunia Research 2

    Here is a huge list of BO:
    http://www.milw0rm.org/

    Another example: Winamp BO exploited 5th of March (ages ago but still a relevant comparison)... And CIS protects, see below (as you asked for proof).

    Winamp did fix this btw:
    http://www.filehippo.com/download_winamp/changelog/
    Cheers,
    Josh
     
    Last edited by a moderator: Mar 27, 2009
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    So I did. The first POC that exploits buffer overflow in FF crashed FF without any warning from CMF: http://milw0rm.com/sploits/2009-ffox-poc.tar.gz

    It may be, though, that CMF protects you from "some" known attacks, but buffer overflow is by its nature a thing that is impossible to protect from generally, so I'd not rely too much on CMF. As for me, I rely more on the RunSafer feature in OA for the web applications, which strips all the potentially dangerous rights and privileges and turns a BO attack ineffective. This approach is safer, because it protects not only from known BO attacks, but from all of them.

    I went further, trying to find an exploit that CMF could stop. The next sample was:
    http://blacksecurity.org/download/66/Adobe_JBIG2_Universal_Reader_Acrobat_Exploit
    and CMF failed to help here too.

    More later.
     
    Last edited: Mar 27, 2009
  14. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    God damn, the Avira beep freaked me out when I tried to visit that second link lol, well at least I know Avira detects that as a shellcode exploit now :p even though that wasn't my initial intention... lol
     
  15. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    :D It's loud, isn't it? First time I heard it (from the new AV Premium 9) I was almost deaf for a minute or two and it scared the heck out of me. Blood pressure up to 200. And that was only the test button I used. Got to test this out in the middle of the night, let's see how the wife reacts...:argh:
     
  16. 3xist

    3xist Guest

    Did you test CIS or the actual stand-alone CMF?

    Cheers,
    Josh
     
  17. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    Good question, just to be sure.
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It was CMF. From what I see it doesn't do much. I have imitated several BO attacks and CMF did nothing. The only profit I see from CMF is that it doesn't take too many resources :)
     
  19. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Haha, I've long since given up on visiting any of those exploit sites with Avira enabled; it always goes positively ballistic and spoils the party.
     
  20. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    lol yes it does, and can scare the sh*t out of you in the middle of the night when you're not expecting it lol :D
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It really has "so much". But what makes me think this "so much" is not too useful is the fact that with this "so much" it performs not that "much" on the independent tests. How can that happen? Why doesn't this "so much" help?
     
  22. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    here is one... ;)

    28.3.png
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This is a kind of "attack" any HIPS can stop without much trouble when this process tries to tamper with another process. Most likely this is not even an attack, but just a bug in the code, which often results in execution going to the stack or heap. In any case, inside itself a process can do whatever it wishes, even overflowing its own buffers.
     
  24. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    so this is not useful?
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    If you gimme this example I'll tell you what this program actually does and how useful CMF was in this case :)

    BTW, what does happen with this sample without CMF ?

    From my experience with CMF, it jumped in a couple of times catching a BO, but actually they were just mistakes in code that would lead to a program crash otherwise. And they were only in programs coded with VC. CMF failed to catch the BO in programs compiled with different compilers.

    I think the whole approach of trying to protect from BO is wrong. For one, every particular compiler can use the stack and heap however it wishes when working with the RTL. And to protect from BO using the API you need to duplicate a lot of things the OS does. But where is the guarantee that this "protection", which should "fix" mistakes in other programs, will not add its own bugs and in the end decrease security instead of increasing it?
     
    Last edited: Mar 28, 2009