Discussion in 'other anti-malware software' started by puff-m-d, Apr 17, 2018.
Got it, shmu. Thanks
Note that @cruelsister's Comodo settings emphasize the use of its auto-sandbox and sandbox rather than the HIPS, which is disabled (aka sleep mode; it will kick in if nothing else kicked in).
videos and comments.
The Comodo section at MalwareTips is quite well furnished; you may take a look.
Yes... I agree with you... SS is not designed as an anti-exe and such features aren't officially documented... they are just the result of users' inspirations and individual research. The SS+ERP combo was used for a long time on my XP and Vista; it was quite easy to manage and use.
@bellgamin: Umbra made a good point here. Your original quest was to compare one firewall/HIPS to another firewall/HIPS, but I answered you with a curve ball, as @CS's config is not HIPS.
Yup, I knew cruel sister she no likee HIPS. But remember... if no HIPS, pretty soon pants fall down.
Hi Bellgamin! Actually that isn't the case. A few years ago there was a certain malware that acted in a certain way where the HIPS was of value. But since this mechanism was pointed out to Comodo this hole was filled; in addition (although Comodo for whatever reason did not take credit for it) the sandbox (especially at my setting) was made more restrictive. So currently if one uses preferred settings the HIPS (if it reacts at all) will just alert to things running in VTRoot (containment).
As I personally use CF I tend to test it more vigorously than other products- and trust me, I can be rather nasty. To date I see no advantage to activating the HIPS with Containment at the Restrictive level.
PS: in the past 10 days I was sent a couple of very, very fresh malware samples, one an H-worm and the other some rootkit adware junk, both being FUD at the time. They were both nonetheless blown off by CF, both contained and eventually deleted. I was hoping for some infection excitement, but once again came away disappointed.
And YOU can fall down
And aloha to you! I learned from your post. I always do. My main security is daily imaging with AOMEI, but I always have enjoyed tinkering with HIPS. When one is retired & a widower, a HIPS pop-up can be the highlight of the day.
I miss Online Armor, System Safety Monitor, & their ilk. Right now I have fallen back to an old abandonware pal called Private Firewall. PFW's HIPS gives me a satisfactory number of daily pop-ups. I wish I could find something with HIPS, more up to date, but not Commode-o or SpyShelter.
Please give it to me straight -- is PFW so outdated as to be a totally useless bit of flotsam, jetsam, & lagan?
Try ESET in proactive mode (or whatever they call it). It has a good and customizable HIPS.
Or give Comodo one last chance. If you install it without AV, by default it will be in "Firewall" config, which gives you HIPS without autosandbox.
If you switch to "Proactive" config, you get a stronger HIPS, and you can disable the autosandbox and other annoying features as you wish.
@shmu26 -- Very grateful for your suggestions. You have convinced me to give Commode-o another try. It sure comes with a lot of baggage, though. As for ESET, I have heard lots of good things about it, but I no longer use any antivirus. FW+HIPS is my goal, nada más.
Glad I could help. Comodo has improved over the years.
I recommend disabling Virusscope and Web filtering, and maybe also unticking the option that you see as unticked in the screenshot:
No way!
Well, we are totally off-topic anyways, so I would suggest that anyone interested in discussing the relative value of various Comodo components should do so in another thread.
Do you also agree with my other comments in the other SS thread? You didn't respond to those. I was hoping you could bring it to the attention of the developers.
No, I don't see, because like I said, I don't use certain features in SS, like anti-exe, the sandbox and the firewall, because they don't work in the way I want them to. For example, there is no way to white-list and exclude certain folders with anti-exe. There is no way to auto-block outbound connections, and the sandbox doesn't make use of virtualization. So that's why I had to complement SS with other tools.
So just the HIPS?
You would be better off with Comodo then.
Sorry for that... I forgot about it because it's in the other thread about the older version. I will read this one more time and try to give some answers.
At this time maybe such a discussion would be interesting due to observations of the feature "Auto-block suspicious behaviour", especially connected to action types #48 and #50.
Yes, just the HIPS; all other components aren't good enough, so no overlap. I do use the firewall to block certain domain names. And I never liked Comodo, too chatty, but the auto-sandbox does look interesting.
Yes, please do so, let's try to make SS better. Auto blocking should be possible; even Dr.Web Katana (which is pretty bad) offers this. And the ActionType should be in text.
I managed to make the HIPS, set to paranoid, almost quiet; you just need to juggle a bit with the settings and make your own rules.
@Rasheed187 Maybe "autoblock suspicious behaviour" under settings, combined with "auto allow high security level" or "ask user", will do what you want?
More or less guessing, to be honest. I only remember that the auto blocking was not what I liked ages ago, and I soon got rid of it.
OK... I'll try to follow step by step and give some answers... if only I can do this.
- You can always block all connections by marking the network as "blocked" (left MB) or occasionally by using the command "block network traffic" from the tray icon (right MB).
- You can prepare a group rule that will block outgoing and/or incoming connections and then use it for the needed single apps or processes.
- If you want to block network access for a specific folder, I think it's enough to add that folder to restricted... a file that can't be launched can't make a connection either, but it appears to me that earlier rules will still be valid.
- As regards the network monitor and active connections - you mean a list like this?
- If we are talking about services... I think there is some misleading with this, because SS can detect services and their actions, and it can prepare a specific rule for the needed services... I think the screenshots below show such things.
I know it's possible, after detecting or manually entering network zones, to completely block one yet allow another. In my case, I can block my local connection (192.168.x.x) while allowing my VPN (10.x.x.x). But I don't know how this is achieved. I thought that the zones dictate the rules before they are created, but this doesn't seem to be the case, as all the rules I have either allow or deny something to pass, regardless of zone.
Any ideas how to achieve this?
I think the easiest way is to find the connection to such an IP - you can do this on the "Network activity" tab (Firewall) by checking the listed "svchost.exe" entries. Then from the RMB you block the needed one, which gives you a new line in the "Network zone" tab - an example from my system below.
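To make the zone question in the exchange above concrete, here is an added example of how a zone-scoped firewall rule set behaves, written for this thread and not taken from SpyShelter or from either poster. It assumes first-match rule ordering and that a rule with no zone attached applies to every destination (which is the "regardless of zone" behaviour described above), and the zone CIDRs, process names and destination addresses are constructed for the demonstration. SpyShelter's real rule semantics are not documented on this page; the model is only meant to show why a per-process rule without a zone ignores zones, while a rule created from a "Network zone" entry does not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    """A named group of networks, like the 'Network zone' tab entries."""
    name: str
    networks: Tuple[IPv4Network, ...]

    def contains(self, ip: IPv4Address) -> bool:
        return any(ip in net for net in self.networks)


@dataclass(frozen=True)
class Rule:
    """One firewall rule.  zone=None means 'applies regardless of zone';
    process=None means 'applies to any process'."""
    action: str                      # "allow" or "block"
    zone: Optional[Zone] = None
    process: Optional[str] = None

    def matches(self, process: str, ip: IPv4Address) -> bool:
        if self.process is not None and self.process.lower() != process.lower():
            return False
        if self.zone is not None and not self.zone.contains(ip):
            return False
        return True

    def describe(self) -> str:
        who = self.process or "any process"
        where = self.zone.name if self.zone else "any destination"
        return f"{self.action} {who} -> {where}"


def evaluate(process: str, dst: str, rules: List[Rule],
             global_block: bool = False, default: str = "ask") -> Tuple[str, str]:
    """Return (action, reason) for an outbound connection attempt.
    global_block models the tray 'block network traffic' switch, which
    wins over every rule.  Rules are checked in order; first match wins."""
    if global_block:
        return "block", "global block switch"
    ip = ip_address(dst)
    for rule in rules:
        if rule.matches(process, ip):
            return rule.action, rule.describe()
    return default, "no rule matched, default"


def decide(process: str, dst: str, rules: List[Rule], global_block: bool = False) -> str:
    return evaluate(process, dst, rules, global_block)[0]


# Constructed zones: the poster's LAN (192.168.x.x) and VPN (10.x.x.x).
LAN = Zone("Local LAN", (ip_network("192.168.0.0/16"),))
VPN = Zone("VPN", (ip_network("10.0.0.0/8"),))

# Constructed rule set.  The two svchost rules are zone-scoped, the way a
# rule created from a 'Network zone' entry would be; the firefox rule has no
# zone, so it allows every destination regardless of zone.
RULES = [
    Rule("block", zone=LAN, process="svchost.exe"),
    Rule("allow", zone=VPN, process="svchost.exe"),
    Rule("allow", zone=None, process="firefox.exe"),
]


def main() -> None:
    attempts = [
        ("svchost.exe", "192.168.1.10"),   # LAN -> blocked by zone rule
        ("svchost.exe", "10.8.0.1"),       # VPN -> allowed by zone rule
        ("svchost.exe", "203.0.113.5"),    # no zone matches -> default "ask"
        ("firefox.exe", "192.168.1.10"),   # zone-less rule ignores the LAN zone
    ]
    for proc, dst in attempts:
        action, reason = evaluate(proc, dst, RULES)
        print(f"{proc:12} -> {dst:14} : {action:5} ({reason})")
    print("with global block:", decide("firefox.exe", "10.8.0.1", RULES, global_block=True))


if __name__ == "__main__":
    main()
```

The point of the `firefox.exe` line is the one the poster stumbled on: a rule saved without a zone never consults the zone table, so the way to get "block LAN but allow VPN" for one process is to create the rule from the zone entry (or attach the zone to it) rather than from a plain allow/deny prompt.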
Not tested with the latest version, but for example with the Malwarebytes Anti-Exploit service on my last try, it did not prompt for some actions (54, 48 or 50) and did not show it in the network activity tab either, and even with manual rule creation it could still check for updates itself. Maybe fixed, not sure.
Does SSF require a restart during installation?