Why I think comodo is rubbish

Discussion in 'other firewalls' started by Roman5, Jun 4, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Are you using CFP without or with D+ ?
     
  2. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    No, it's not. Of course this can be discussed but IMO, a true firewall should be controlling network traffic and, like Comodo and many similar, tying this traffic to a process.

    Process checksum calculation is job for another tool. I think Comodo team actually nicely separated firewall from HIPS.

    What about packet filtering? TCP SPI?
     
  3. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Funny speaking of "true firewall", in the sense of barebone firewall, while being in a topic about Comodo. But anyway, yes, Comodo can be a "true firewall" too.

    Which tool is that? Yes, once upon a time (pre-2000), firewalls were application filtering applications only. But since then, most if not all of the firewalls, even the free ZA, do have a checksum calculation, because it is a basic mode of detecting infection in real time. Ok, I admit that for you the checksum calculation may be "exotic" in a firewall and you like Comodo as it is. It is a matter of personal taste and of what each person thinks a "basic firewall" should have.

    But with the same mentality, Comodo shouldn't have HIPS, cause that is a job for other tools, same goes for the malware scanner. Since when "pure firewalls" need malware scanner? Hey, that would bring Comodo's installation folder from 70MB down to what? 10? Would be nice.


    It has SPI available (not sure how good). By security I meant the HIPS part.

    P.S.: There are plenty of free firewalls out there with SPI (for those that still don't have a router), small system impact, checksum calculation and some basic but not too intrusive antileak abilities (which Comodo lacks with D+ disabled).
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    As to "disabling D+" -- the situation as I see it is this:

    1- If you WANT to use a classical HIPS, then recognize that the alerts generated by a properly trained D+ are neither simpler nor more complex than the alerts generated by other classical HIPS such as ProSecurity (PS), System Safety Monitor (SSM), & Online Armor (OA).

    2- D+ covers the full spectrum of threats that are the domain of classical HIPS. On the other hand...

    a- SSM lacks file protection (Vitali is predicting that a future update of SSM will include that capability by late summer).

    b- OA lacks registry protection

    c- PS has it all, but appears to be abandoned by its developer (Jei). If Jei ever reappears and GOES TO WORK on PS, then (in my opinion) PS is by far the best & easiest of all classical HIPS. In the meantime it is abandoned-ware.

    d- On the other hand, D+ covers all of these threats including but not limited to registry protection, file protection, parent-child, etc. D+ also covers Buffer Overflow (BO) BUT ONLY IF you install Comodo's crappy adware/toolbar, which I refuse to do. None of the other classicals listed above include BO. Threatfire DOES cover BO, but it is a semi-intelligent Behavior Blocker, not a full classical/dumb HIPS.

    e- Furthermore, both SSM & PS are one-man operations. Therefore it is difficult for them to achieve & sustain "state-of-the-art status" versus the constantly changing nature of threats. D+, on the other hand, has (AFAIK) a multi-person staff at its command, as evidenced by the fact that it has been vigorously updated ever since its inception.

    3- As I see it, the alternatives for those wanting full-scope classical HIPS coverage include but are not necessarily limited to the following...

    a- D+ and its tool bar (for BO coverage)

    b- D+ and Threatfire (for BO coverage and more)

    c- OA plus RegWatch (for registry protection) plus Threatfire (for BO coverage and more)

    d- SSM plus Sensive Guard (for rudimentary file protection) and Threatfire (for BO coverage and more)

    e- ProSecurity and Threatfire (for BO coverage and more)
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Am I missing something? Firewalls do not detect infections, they filter traffic.

    HIPS is the "other tool". Comodo 3 is actually a semi-suite.

    Do not disable D+ then. Or use the "other firewall".

    Please note the "IMO" in my previous post.
     
  6. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Well, nowadays they detect infections too, but anyway... The use of checksums in firewalls (even in Kerio 2) was introduced so that a piece of malware bearing the name of a "trusted" application could not fool your firewall and connect out. A firewall with checksum control will alert you that, for example, your iexplore.exe has changed since the last time you used it: allow it or not? If you have performed some update, it is reasonable to believe that there is nothing wrong. If not, you had better scan your PC to avoid a hijack. With Comodo without D+, you won't know the difference. The malware will happily be allowed to connect out. With the 2002-era Kerio 2, it won't...

    Ah, I agree! Indeed, with D+ turned on, there is no problem. The problem is with those that have it off and still would like this basic form of protection, which even ZAF provides.

    Yes, I was answering a poster about what happens with D+ disabled.

    And in fact, if you look some posts earlier, I wrote:

    "There is no reason why one should use Comodo over other "simple" firewalls, with D+ disabled."

    I noticed, I think; why do you think I didn't? I wrote:

    "Ok, I admit that for you the checksum calculation may be "exotic" in a firewall and you like Comodo as it is. It is a matter of personal taste and of what each person thinks a "basic firewall" should have."
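The checksum control this post describes, as an added illustration that is not code from the thread or from Comodo, Kerio or ZoneAlarm: a per-application hash baseline that lets an already-seen binary connect silently and flags the same path when its contents change. The `ChecksumControl` class, its `on_connect` method and the throwaway `iexplore.exe` stand-in file are assumptions of the example.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hash(path):
    """SHA-256 of a file, read in chunks so large binaries are cheap to check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ChecksumControl:
    """Hypothetical per-application hash check (illustration only): remember the
    hash of each binary the user allowed and flag a later outbound request from
    a binary at the same path whose hash no longer matches."""

    def __init__(self):
        self.baseline = {}  # path -> sha256 hex of the binary when it was allowed

    def on_connect(self, path):
        """Classify an outbound request from the binary at `path`.

        'new'       first time seen: the firewall would prompt, then remember it
        'unchanged' hash matches the stored one: allow silently, no pop-up
        'changed'   hash differs: the binary was updated or replaced, so prompt
        """
        current = file_hash(path)
        known = self.baseline.get(path)
        if known is None:
            self.baseline[path] = current
            return "new"
        if known == current:
            return "unchanged"
        return "changed"

    def accept_change(self, path):
        """User confirmed the change was a legitimate update: re-baseline."""
        self.baseline[path] = file_hash(path)


def demo():
    """Constructed scenario: a fake browser binary connects, is silently allowed
    again, is then overwritten on disk and gets flagged until the user accepts."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "iexplore.exe"  # constructed stand-in, not a real browser
        exe.write_bytes(b"MZ original browser build")
        fw = ChecksumControl()
        first = fw.on_connect(str(exe))   # "new": user is asked once
        second = fw.on_connect(str(exe))  # "unchanged": no pop-up
        exe.write_bytes(b"MZ same name, different contents")
        third = fw.on_connect(str(exe))   # "changed": the alert the post describes
        fw.accept_change(str(exe))        # user says it was a genuine update
        fourth = fw.on_connect(str(exe))  # "unchanged" again
        return first, second, third, fourth
```

Running `demo()` walks through the four states; a real implementation would also bind the check to the process that actually opened the socket, which this file-level sketch does not do.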
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Well, they can make an Irish breakfast if the vendor feels the need for this feature and still be branded as firewalls :rolleyes:

    You install a different kind of HIPS, one that is more "user friendly". Most HIPS (if not all) come now with checksum calculation.

    It was an agreement statement. Confronting different opinions on what is "basic" in most cases ends with a draw.
     
  8. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Understood. I agree that today it's all bloatware. As a matter of fact, I never liked Comodo having a malware scanner too (not to mention a toolbar), because it is becoming bloatware too, even for a HIPS-firewall combo.

    I can install a different HIPS, but the main problem with those that disable D+ is that they are annoyed by answering pop-ups, so installing another HIPS isn't as good a solution. Even the "old" MD5 hash check allowed even the "average Joe" user to suspect that there was something wrong, without using HIPS, which are an expert tool. And checksum control doesn't generate any pop-ups under normal circumstances, so it is far less annoying.
    So for a user that doesn't understand or doesn't want to use HIPS, IMO, a checksum control is a good "basic" extra firewall defence.

    It's not that I don't like Comodo. I think highly of it as a firewall-HIPS combo, for the reasons that Bellgamin described. But I think that without D+, it becomes nothing extraordinary. The old Sygate 5.5 is more secure (assuming you don't use local proxies) and has better logs, for example.
     
  9. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    In the sense that it omits checksum verification as a superfluous feature (in my opinion lol), it is closer to a packet filter (a definition of firewall I like to use), and it is the packet filter itself that is nothing extraordinary. Adding D+ does nothing to benefit the inbound protection. But I guess the Comodo team was going by an assumption that almost everybody is behind a NAT now, so they didn't bother with SPI much.
    What I see as a strong point is that you are not forced to use Comodo checksum verification and you can install the "other app" which will do this. Freedom of choice is always a good thing, and Comodo allows this to a certain point.

    But if I were to use Comodo, it would be the other way round - I'd ditch the firewall and use D+ only. If they ever separate the two, I may even become a Comodo user. You never know.
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Again, please re-read what I said. It doesn't do MD5, but it blocks changes in real time. Change the explorer rule in D+ to ask...
    And I've got a Q: what's wrong with the SPI, have you guys tested it? And UDP pseudo SPI? (yes, this has been present since 2.x ..)
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, pity the localhost problem...
    Why is it more secure?
     
  12. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Just to avoid further misunderstanding, I am referring to Comodo with D+ turned off.

    [Attached image: sygate.png]

    Better to have, than have not, IMHO.
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I understood what you meant, and I still can't see, I mean objectively, why it's more secure. You can have your opinion though.
    That's not a reasonable argument. Some other guy will say the same regarding Defense+, better to have than not. :)

    I do believe Sygate is a good firewall. But, just looking at some boxes to tick, I can't really say it's more secure.
    It's also related to why I prefer to see actual rules, and don't mind learning.

    I'm not saying Sygate doesn't do those things well, I just have no idea, nor how they work. Why are those settings better than Comodo's? I'd have to ask Stem.
    I'd like some of those features in CFP (if they aren't in CFP already under another name), granted, but I'd also like Sygate to see localhost.

    I don't know which is most secure, I'd have to test them (and know how).
     
  14. wat0114

    wat0114 Guest

    I'm not sure of the answer to this but the question has come up before. Firewalls incorporating deep packet inspection, or a network gateway solution such as Sonicwall, Watchguard or the free Untangle (I want to try this out someday :) ), can apparently scan for infections in the network traffic. Maybe this is also done via DPI?
     
  15. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    I agree that one could say "better have D+". That's why I tried several times to specify that I am speaking about Comodo WITHOUT D+.

    The main difference between the two being that Sygate has these options that are far less annoying (as in frequency of user input requested) and more understandable.

    By all means then, ask Stem. My ignorant impression of Comodo is that it is a packet filter all right, with optional SPI that can be activated, after which all its security is thrown on the shoulders of D+.

    Back in Sygate's time, devs concentrated only on the firewall features and everyone was trying to find bugs and vulnerabilities in the actual packet filtering. Sygate's "boxes" are proven to work fine. Nowadays, who cares about doing that? Everyone just looks for a way to bypass D+.
     
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Less annoying? Let's see. Comodo's default (without Defense+) will allow known programs, and for the rest it's yes or no questions.
    Only you, the user, can ask for more, how much, and where. The default is very few pop-ups.
    If you believe it's not secure with defaults, then I'd have to point out the same regarding Sygate, which, I believe, has 'server rights' included.

    BTW, I don't see the option to turn SPI on or off..

    I can agree with you that the firewall isn't getting much attention, but then again, people who tested Sygate for "bugs and vulnerabilities in the actual packet filtering", can do the same with CFP.
    Defense+ is not an issue, don't install it. After that, it's a rules based firewall.

    I still believe Egemen will come sooner or later with some long-awaited features. I can think of reverse DNS, which has been requested for a long time. And the GUI..
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Nor do I.

    Where oh where can it be?
     
  18. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753
    Yes, you're right, I got confused at the end with people talking about D+ while I was not, and I ended up comparing it with D+.

    "Secure" is relative. Is there driver-level protection, checksum checking, anti-spoofing or DLL authentication in Comodo without D+? It's secure all right, just not as secure outbound. The server rights thing is true, they put it in to reduce alerts, but it can be a bad thing, so you need to untick it.

    In Comodo they don't call it SPI, they call it "Protocol analysis".

    Yes, they CAN, but nobody bothers, because D+ is the target to bypass. I simply have difficulty believing that up to a few years ago programmers were idiots, so their firewalls had vulnerabilities which made them work on the filtering part for years, while nowadays programmers are geniuses who make the perfect firewall, while they can't quite do the same in HIPS, which they have to bugfix every month.

    I would rather install PC Tools firewall than Comodo without D+.

    Well, these are details. The important thing is to have the malware scanner and the toolbar (already done) and Threatcast.
     
  19. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You either care for leaktests, or not. On the most basic application control, checksum (you mean hash), I told you, CFP does not turn D+ completely off. It blocks changes in real time.
    My opinion on it goes completely in the bin if we can't get past this :p
    That's something else.
    Easy for you to check. Turn that off, and you will see CFP will not create any IN rules for TCP, or UDP for that matter.
    It's not my problem. Or rather, it is, but indirectly. I will benefit from any flaws anyone finds in CFP's filtering. I'd like very much to read of Stem finding flaws. That would mean Comodo would fix them.
    By all means, you choose what you prefer. I MUCH prefer CFP to PCTools FW. It runs with DEP. After that, it's beyond discussion for me.
    When it's compatible, I'll tell you the rest of the reasons. :)
    I'd use Jetico before that, no doubt. It's the firewall that makes me think twice regarding CFP. The only one.
    I'd prefer it didn't exist, indeed. But the solution is ridiculously easy: don't install it.
     
  20. Fuzzfas

    Fuzzfas Registered Member

    Joined:
    Jun 24, 2007
    Posts:
    2,753

    Things aren't black or white, you know. There are actually many degrees of anti-leaking. Some people, just like many other firewalls, don't care about having a 100% leak-proof firewall, preferring usability instead.

    Sorry about the hash check, I didn't know Comodo does that. Until now I was believing Comodo's moderators.

    Thanks for the heads up.

    Uh, ok. I will do even more. I will stop commenting on Comodo altogether! There is no point in discussing "like it or leave it", is there?
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I mean don't install the toolbar..
     
  22. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    I am certainly not an expert on DPI, but I guess it would be a case of how DPI in a firewall is implemented. Some will check for viruses, and others would do other things (checking different kinds of patterns). But yes, I agree, a DPI can be designed to protect from malware (or do numerous other things). I can only imagine how resource-consuming this task can be, especially when checking multiple connections, so DPI is not really designed to be used on the kind of systems most of us (practically every member on Wilders) have. A dedicated gateway PC is needed; that said, I heard great things about Untangle.

    My statement was in the scope of the software we're discussing here - CFP, PCTFW, OA and the like. These I believe will hardly ever have malware checking at packet level, as they are meant to be used on a personal system. If we speak of a personal firewall checking for malware then this will act as a proxy firewall. So can I change my statement from "firewalls" to "personal firewalls"?

    No, not yet. But I am in the process of building a gateway, as I have recently got myself a second connection (cable). I have only one PC connected to it now, but I plan to add others (I'm missing some hardware) soon. The learning curve is still steep, but I do have some assumptions about Comodo, as you may have noticed. I only question the point of doing this (checking packet filtering) as I have pretty much the same feeling about all the popular firewalls (those checked by Matousec, e.g.).
     
  23. wat0114

    wat0114 Guest

    True, and I don't think I'd want to see this additional overhead added to these or other personal fw products. There's already enough going on with the HIPS incorporated into them.

    No need to :) though I agree this concept should be restricted to appliance fw's such as Untangle or similar products.
     
  24. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,814

    Agree. I think ZA is the best firewall ever made =\ been using it since 99
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    ZA's time has been over for a long time already, always in relation to Comodo. Comodo is top-notch and all other firewalls must and are forced to compete with Comodo. But as a matter of fact no established firewall will redesign from scratch, so many weak points remain and they can't adapt to the speed of Comodo.

    Very interesting.

    Bellgamin, there are solutions for this problem, catch two gnats with one swatter. :D

    This will be the touchstone and the end of the road all in one for many, many security companies and tools. A one-man show has to cope with a devilish/inhuman workload to stay on the train.

    Exactly, Comodo has the best staff, as it seems.
    Extremely well organised, fast reactions. I really wonder why it took so long until a serious enterprise came into the field. It still has a lot of issues and I still consider it beta software, but it is the most advanced security tool that was ever in existence; if they had the chance to get AntiVir or Avast as AV scanning engine they would become much stronger in one step.
     
    Last edited: Jun 15, 2008