Topic: Difference between D+ "Optimum" and "Network" protection? [RESOLVED] (Read 3493 times)
raynor
« on: May 02, 2008, 07:08:40 AM »

Well,

as we all know one can choose in the installer between "Optimum Protection"
and Firewall with Leak protection only, which sets D+ into "Network Protection" mode.

Under "Manage my Configurations" you can later choose between "COMODO - Optimum Security"
and "COMODO - Network Security". I figure that this is the way to change the D+ mode later,
and is the equivalent to selecting the options in the installer, am I correct ?


Now - I was wondering what exactly the difference between these modes is.

The only thing that I have noticed so far is that in "network protection" mode there
are fewer protected COM Interfaces. Except for that, everything looks very similar to my eyes....

If somebody could please give a detailed explanation & description of the differences, that would be very much appreciated.

Thank you in advance and best regards,
raynor





« Last Edit: May 04, 2008, 11:45:06 AM by Soyabeaner »
kail
Global Moderator

I'm not a complete idiot, some bits are missing.

« Reply #1 on: May 02, 2008, 08:26:48 AM »

Hi raynor

An explanation of these different settings can be found in CFP's Help..

Quote
Firewall with Defense+ (Recommended) - This is the most complete option and offers the greatest level of security. Choosing this will install Comodo Firewall Pro's Host Intrusion Prevention System - "Defense+" - in addition to the packet filtering firewall. Defense+ can stop malware, viruses, trojans and worms before they ever get a chance to install themselves by blocking their ability to make changes to your operating system, applications, registry, running processes and important system files. This extra layer of protection represents a significant increase in security and is recommended for the vast majority of users.
..
Firewall (with 'Leak Protection' option checked) - This option installs the packet filtering firewall as above and some, but not all, Defense+ functionality to provide effective leak protection against malware. Simplistically speaking, this option will monitor the activities of suspicious executables and will alert the user when an internet connection leak could occur. Certain monitoring and file/folder protection is, however, disabled under this configuration. This option will create a protection level that is similar to, but slightly more secure than, the protection offered by Comodo Firewall Pro 2.4.

So..

COMODO - Optimum Security = Firewall with Defense+ (full Defense+)

..and..

COMODO - Network Security = Firewall + Leak Test Protection (partial Defense+)

There's also a 3rd Install option..

Quote
Firewall ('Leak Protection' option NOT checked) - This option is only recommended for experienced firewall users that have alternative Host Intrusion Prevention software installed on their systems. Choosing this option will install ONLY the packet filtering network firewall and will not offer leak protection - essential for blocking malicious software (like worms and trojans) from making outgoing connection attempts. This isn't to say this option is an unwise choice (the network firewall is one of the strongest available - offering highly effective and configurable inbound and outbound protection) but it is important to realise that, on its own, it does not offer the leak protection afforded by Defense+.

There is no default Profile for this as it is only recommended for experienced users, but a custom Profile can be created if desired.

I hope that helps.

Vista Business x32+SP2 with CIS 3.12 & Firefox 3.5 & Becky! 2.52
__
A positive and polite attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
raynor

« Reply #2 on: May 03, 2008, 08:14:39 AM »

OK, thanks for the explanation.

Now I'm wondering: with Defense+ DISABLED, how much "Leak Protection" will remain ?

I mean, there still is outbound filtering, i.e. any Application (=EXE file) that wants to connect to the internet triggers an outgoing connection popup.

So does this mean any more exotic / sinister / strange / tricky etc. attempts by applications will not be caught? Or will it still pass at least SOME of the not-so-advanced (i.e. simple) leak tests?

What WILL be caught by the simple firewall ? Only EXE files trying to connect with "no tricks" involved ? In other words, only applications who play nicely "by the book" ?

I hope you guys understand my question... It's like "without D+, exactly what kind of outgoing application monitoring remains" ?

If malware / trojans / "evil" software is not a concern, the basic firewall will at least catch all "normal" outgoing connection attempts, right? :)


Thank you in advance & best regards,
raynor
« Last Edit: May 03, 2008, 08:26:14 AM by raynor »
kail
« Reply #3 on: May 03, 2008, 09:01:11 AM »

Hi raynor

When the help says there would be no leak protection, it means exactly that. So, components that directly access the Internet will be filtered, but components that indirectly access the Internet via a previously firewall-authorised component will not be filtered. Such as, a DLL hooked into explorer.exe (the parent of most user processes) that uses (or abuses) the parent-child process privilege to gain access to and/or control over Internet-accessing components without the firewall being aware of it (a typical leak). CFP's Firewall does have full inbound & outbound filtering, but it cannot stop what it isn't aware of.

Does that help?
ganda claus
« Reply #4 on: May 03, 2008, 09:05:30 AM »

IMO, we should have at least Firewall with Leak protection.
Have you used CFP2 before? CFP3 with Leak protection offers the same capability, similar to V2.

I attached 2 firewall test applications.
A good BASIC firewall should pass this COT test.
But a Firewall with HIPS (like CFP3 with leak protection) should pass the CPIL test (a basic firewall only won't pass it).
raynor
« Reply #5 on: May 03, 2008, 09:28:45 AM »

Quote from: kail
Hi raynor

When the help says there would be no leak protection, it means exactly that. So, components that directly access the Internet will be filtered, but components that indirectly access the Internet via a previously firewall-authorised component will not be filtered. Such as, a DLL hooked into explorer.exe (the parent of most user processes) that uses (or abuses) the parent-child process privilege to gain access to and/or control over Internet-accessing components without the firewall being aware of it (a typical leak). CFP's Firewall does have full inbound & outbound filtering, but it cannot stop what it isn't aware of.

Does that help?

Yes, it does :). The question that remains is: that behaviour which you have just described
(indirect internet access), can this often be found with normal ("good")
applications / programs, or is this something which is usually only used by malicious
("evil") programs that are deliberately trying to bypass the firewall?


So far, Comodo without D+ (i.e. basic firewall mode) has asked me correctly every time
one of my installed applications and games, etc. has tried to access the internet.

---> Does that mean if malware accessing the internet is not a concern
(because the computer environment in which the basic firewall runs is 100% malware free,
i.e. we are only dealing with "good" programs) the basic firewall will be
enough to control the outgoing behavior of the normal applications?
« Last Edit: May 03, 2008, 09:34:06 AM by raynor »
kail
« Reply #6 on: May 03, 2008, 09:59:00 AM »

Quote from: raynor
Yes, it does :). The question that remains is: that behaviour which you have just described
(indirect internet access), can this often be found with normal ("good")
applications / programs, or is this something which is usually only used by malicious
("evil") programs that are deliberately trying to bypass the firewall?

It is used by both "good" & "evil". Explorer.exe (not to be confused with MSIE) is a good example. Lots of legitimate (good) applications add DLLs to explorer.exe in order to add shell functionality (context menus, etc..).

Quote from: raynor
So far, Comodo without D+ (i.e. basic firewall mode) has asked me correctly every time
one of my installed applications and games, etc. has tried to access the internet.

---> Does that mean if malware accessing the internet is not a concern
(because the computer environment in which the basic firewall runs is 100% malware free,
i.e. we are only dealing with "good" programs) the basic firewall will be
enough to control the outgoing behavior of the normal applications?

Firstly, by "basic firewall mode" I assume we mean CFP's Firewall with Defense+ completely disabled (no leak protection) rather than CFP's installation of Firewall + Leak Protection?

That being the case, we're down to the "100% clean" statement. That's a problem for me, since I don't currently believe anything can guarantee your system is "100% clean".

Would I consider it safe? Would I run it that way? No, I would not.

Perhaps you should think of your system as 99% (arbitrary number) clean & consider how the 1% could impact the 99%. :D
raynor
« Reply #7 on: May 03, 2008, 10:19:43 AM »

Quote from: kail
It is used by both "good" & "evil". Explorer.exe (not to be confused with MSIE) is a good example. Lots
of legitimate (good) applications add DLLs to explorer.exe in order to add shell functionality (context
menus, etc..).

Yes, but ... I wouldn't allow Explorer.exe to access the Internet anyway because
Explorer.exe has no business on the Internet ;)

Quote from: kail
Firstly, by "basic firewall mode" I assume we mean CFP's Firewall with Defense+ completely disabled (no leak protection) rather than CFP's installation of Firewall + Leak Protection?

Yes, of course, as I said: Comodo with D+ completely DISABLED is "basic firewall" in my terminology :)

Quote from: kail
That being the case, we're down to the "100% clean" statement. That's a problem for me, since I don't currently believe anything can guarantee your system is "100% clean".
[...]
Perhaps you should think of your system as 99% (arbitrary number) clean & consider how the 1% could impact the 99%. :D

I know that nothing can guarantee a 100% clean system, but as you have correctly pointed
out, it's a matter of probability. I consider the cleanliness-probability of the system in question
to be 99.99 % (and I consider it to stay that way because of usage patterns)
... So let's not talk about malware / trojans etc. now :P ;) :P.

Instead let's talk about this  .... If the system is clean, the basic (= no D+) firewall mode
should at least be enough to control normal applications, like DISALLOW Internet Explorer,
ALLOW Firefox, DISALLOW Windows Media Player, ALLOW Starcraft,
DISALLOW StupidUpdater.exe, etc... right ?

This is all I want. To control the normal apps' Internet access on a broad, general
(= YES / NO) level.


---> What else could be "hooked" by DLLs by normal applications other than Explorer.exe
(which I wouldn't allow to access the net, see above)? In what other ways (except using
explorer.exe) are "good", normal apps likely to slip accidentally past the basic firewall?

Best regards,
raynor
« Last Edit: May 03, 2008, 10:29:16 AM by raynor »
kail
« Reply #8 on: May 03, 2008, 11:03:51 AM »

Sorry, I must have explained it poorly...

Explorer.exe does not access the Internet directly (never said it did). You would never let explorer.exe access the Internet? Well, without Defense+ Leak Protection (or something else like it) how are you going to stop it from indirectly accessing the Internet? This is the leak (see above posts).

Firefox? The parent process of firefox.exe is.. explorer.exe. Since explorer.exe is the parent process it has certain privileges over firefox.exe. Basically, it can instruct firefox.exe to send data out to the Internet and do all sorts of amazing things. This would be completely invisible to CFP with Defense+ disabled, as Firefox is an approved application with Internet access. How would CFP know explorer.exe is communicating with, and controlling, Firefox behind the scenes? This is what Defense+ Leak Protection takes care of.

Note: You can replace explorer.exe and/or firefox.exe with any other two applications in a parent-child process relationship and the above is equally true. eg. swap firefox.exe for starcraft.exe. And, this is just looking at parent-child process leaks, there are others.

Now, you can have what you want.. allowing specific applications direct access to the Internet or not. But, you'll not be protected from leaks unless you have some form of leak protection (even if it's not CFP's Defense+). In short, you will not be as totally in control as you might think.. good, bad, clean or otherwise.

What can be DLL hooked? Almost anything that can be executed/loaded, usually.

edit: After considering the above DLL hook statement, a more accurate answer is probably: Lots of things (I'm not personally sure what can actually be & not be hooked specifically, but since kernel32.dll is one that can be hooked, "lots" is a good reply). :)
« Last Edit: May 03, 2008, 11:18:13 AM by kail »
raynor
« Reply #9 on: May 03, 2008, 06:53:02 PM »

Quote from: kail
The parent process of firefox.exe is.. explorer.exe. Since explorer.exe is the parent process it has certain privileges over firefox.exe. Basically, it can instruct firefox.exe to send data out to the Internet and do all sorts of amazing things. This would be completely invisible to CFP with Defense+ disabled, as Firefox is an approved application with Internet access. How would CFP know explorer.exe is communicating with, and controlling, Firefox behind the scenes? This is what Defense+ Leak Protection takes care of.

OK, now explorer.exe as the parent can instruct firefox to do crazy stuff. But as explorer.exe
is a normal part of windows, why would it do so ?
The only thing that I am still wondering about is whether normal, non-evil applications
are likely to behave in such a sinister way.


I completely understand that CPF could be very easily tricked without leak protection
enabled. But I guess your average application would never try to do so under normal
circumstances, right ?

Does anyone have an example of a "normal" & "non-evil" program / application / game
which behaves in a way that it escapes detection by CPF without its leak protection
enabled
(i.e. using hooks, parent-child leaks etc.)?

Thanks for your patience :D
« Last Edit: May 03, 2008, 06:57:05 PM by raynor »
kail
« Reply #10 on: May 03, 2008, 08:09:01 PM »

Quote from: raynor
OK, now explorer.exe as the parent can instruct firefox to do crazy stuff. But as explorer.exe
is a normal part of windows, why would it do so ?
The only thing that I am still wondering about is whether normal, non-evil applications
are likely to behave in such a sinister way.

Explorer.exe, itself, usually doesn't. In the normal course of its business it doesn't require Internet access, unless the user explicitly tells it to do so.. searching, publishing, FTP, web folders, etc.. and even then I believe it calls upon other components to actually perform the not-so-sinister act. However, if explorer.exe has been "infected" by a trojan or virus, then.. oh.. there are probably loads of reasons.. financial gain, kudos,..  We'll need our resident psych-Mod (yes, we do have one) to address all those social things.

Quote from: raynor
I completely understand that CPF could be very easily tricked without leak protection
enabled. But I guess your average application would never try to do so under normal
circumstances, right ?
No never, not intentionally anyway. Doing so could be a public relations nightmare (at best) and/or cause serious financial damage (at worst). Ask Sony ::)
kail
« Reply #11 on: May 03, 2008, 08:26:25 PM »

Not exactly a leak.. but, interesting & topical: nProtect GameGuard is an anti-cheat application installed with several on-line games. GameGuard was actually disabling CFP's anti-rootkit protection (for reasons unknown), but in a way that CFP's Developers found very alarming & disturbing.

So.. Good, Bad or Ugly? ;)
raynor
« Reply #12 on: May 04, 2008, 04:48:31 AM »

Quote from: kail
No never, not intentionally anyway. Doing so could be a public relations nightmare
(at best) and/or cause serious financial damage (at worst).

That is reassuring to hear. So far my experience has indeed been that CPF (without D+)
has neatly asked me for each and every one of my installed (more or less run-of-the-mill)
apps / games / updaters etc, all of which I presume to be "non-evil".

But you are right, the borderline between "good" and "ugly" is sometimes not
clear-cut at all, with some reputable companies trying to do some not-so-nice
things behind your back. I can only hope that practices like that will be discovered
(not least because of Comodo and its dedicated users and developers), and will
indeed lead to PR nightmares for the respective companies (at worst) or to these
companies going belly-up (at best :)).

Thanks for your detailed explanations. What I like about Comodo is that it gives users the
choice of what level of protection they want. @the developers: please keep it that way.

I have now chosen to use the basic F/W only (no D+) but thanks to this discussion I am
now 100% aware of the potential shortcomings and of the potentially very "leaky"
outbound protection. But I have decided that this is the right setting for my personal
purposes. This is not to say that I would recommend anyone else to do so ;)


This is a indeed a great forum and a great firewall.
All the best,

raynor
Viva Comodo

« Last Edit: May 04, 2008, 04:50:11 AM by raynor »
kail
« Reply #13 on: May 04, 2008, 07:20:27 AM »

No problem, glad I could help.

I'll lock this topic now. If you need it re-opened at any point, just send a PM to any active Mod.