Author Topic: Comodo LITE (just firewall and defense+)  (Read 16525 times)

Offline vix123

  • Comodo Loves me
  • ****
  • Posts: 123
  • I don't use an antivirus that doesn't pass VB100
Comodo LITE (just firewall and defense+)
« on: July 21, 2011, 04:14:41 AM »
Updated to add download locations for 5.12 and rationale for blocking Comodo

This is a personal approach to using Comodo, I have been doing this since 2010. It completely removes the antivirus files and the trusted vendors database, disables automatic updates, prevents automatic sandboxing of applications and prevents Comodo from phoning home. It reduces installation size by 84%. It's meant for advanced users who only need the firewall and maybe the proactive defense. If you like Comodo's Antivirus or you dislike creating firewall/defense+ rules, stop reading now.

Why:

Decreasing the installation size of bloated software helps maintain faster backups or use it in portable Windows and small virtual machines. The default installation takes more than 150 MB, fiddling with the installer options may decrease it to 130 MB but the following instructions will leave it at just 23 MB!

I find the omission of the Antivirus to be desirable as the Comodo Antivirus is not well regarded in established tests. I don't like it and I was not happy to see it taking development energy away from Defense+ which is quite respected in various tests.

Removing the "trusted" software vendors is a great modification; the whole idea was flawed from the beginning: A software vendor may be trustworthy in not taking malicious actions, their programs however can be hacked and then be used for malicious actions which Comodo will not block (as they seem to originate from a trusted vendor). Internet Explorer is an infamous example as it has been used for many years by hackers to take control of systems.

AutoSandboxing is bad for two reasons: Firstly, legitimate programs running in the sandbox will not function correctly if Comodo is uninstalled as their previous settings will be lost to them. Secondly, while the system may be safer from a hacked application in the sandbox, the malware can still expose any private data this application can access to the wrong people.

Blocking Comodo from phoning home is a matter of principle: despite several complaints in the forum, Comodo will still try to connect to remote servers even if all related options are turned off. This is unacceptable in a security application which is meant to block unidentified or unwanted connections and therefore we have to tell Comodo to block itself.

So what are we left with? An excellent firewall with the greatest self-protection out there and Defense+, a powerful (although a little outdated) host intrusion prevention system.

How:

So, here is what to do to keep Comodo clean and neat with only the needed features:

1) Download the Comodo 5.12 installation package. It's no longer found on the official Comodo locations, but you can find it at Filehorse. The file size is 98,142,056 bytes. Big!

2) Extract the MSI installer. 7-zip is the easiest way to do this, just install this excellent free, open source archiver and right click on the large installer you got in the 1st step. Extract the files and find cis_setup_x86.msi (for 32 bit systems) or cis_setup_x64.msi (for 64bit systems) there.

3) Install Comodo from the MSI installer, unchecking the Antivirus option. DO NOT RESTART when the installation ends!

4) Unlink the Explorer integration of Comodo (context menu cluttering) by running the command
Code:
regsvr32 /u "%ProgramFiles%\COMODO\COMODO Internet Security\cavshell.dll"
This is necessary to delete cavshell.dll in the next step.

5) Go to the Comodo installation directory and delete everything EXCEPT for these:
Code:
themes\default.set
themes\notheme.set
cfp.exe
cfpconfg.exe
cfplogvw.exe
cfpver.dat
cmdagent.exe
cmdhtml.dll
COMODO - Firewall Security.cfgx
COMODO - Internet Security.cfgx
COMODO - Proactive Security.cfgx

6) Run cfp.exe and apply the following settings:
    a) Firewall > Network Security Policy > Change the Firewall rule for Comodo to a blocked application.
    b) Firewall > Don't Create rules for safe applications
    c) Firewall > Show popup alerts (you may disable them later)
    d) Firewall > Don't show Trustconnect alerts (both)
    e) Firewall > Firewall security level > Custom policy
    f) Preferences > Don't Auto check program updates
    g) Preferences > Disable Comodo Message center
    h) Preferences > Update > Disable

Comodo will still try to phone home but we have already dealt with that in rule (a)

If you have installed proactive security, then the following options also apply:

    i) Defense+ > Don't create rules for safe applications
    j) Defense+ > Show popup alerts (you may disable them later)
    k) Defense+ > Execution Control > Disable "treat unrecognized files as" (important!)
    l) Defense+ > Execution Control > Disable both "cloud" options
    m) Defense+ > Sandbox > Disable both "Automatically" detect/trust installers
   
7) Phew. You can now restart. The Firewall and Defense+ will work fine. Manual sandboxing will work if you need it (remember, Comodo-sandboxed applications can still read your documents so you better use a real virtual machine for trying dodgy stuff). You will be getting more alerts from Defense+ which is natural because software is now untrusted by default. Which I think was Comodo's philosophy until recently.

Auto update will not work but I have always had bad experiences with Comodo updates and I prefer to do them manually after reading feedback in the official forum. The built-in Diagnostics will naturally tell you about problems in your installation as well. But I beg to differ...
« Last Edit: August 06, 2014, 01:03:51 AM by vix123 »
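As an added example (not from vix123's post and not Comodo's own tooling), the following PowerShell script carries out steps 4 and 5 above using the keep list from the post. It assumes an elevated session, the default install directory (parameterised as $InstallDir), and that it is run before the post-install reboot; pass -WhatIf to see what would be removed without deleting anything.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed default; adjust if Comodo was installed elsewhere.
    [string]$InstallDir = "$env:ProgramFiles\COMODO\COMODO Internet Security"
)

# Files the post says to keep (step 5), relative to $InstallDir.
$Keep = @(
    'themes\default.set', 'themes\notheme.set',
    'cfp.exe', 'cfpconfg.exe', 'cfplogvw.exe', 'cfpver.dat',
    'cmdagent.exe', 'cmdhtml.dll',
    'COMODO - Firewall Security.cfgx',
    'COMODO - Internet Security.cfgx',
    'COMODO - Proactive Security.cfgx'
)

if (-not (Test-Path -LiteralPath $InstallDir)) {
    throw "Install directory not found: $InstallDir"
}
$InstallDir = (Resolve-Path -LiteralPath $InstallDir).Path.TrimEnd('\')

# Step 4: unregister the Explorer shell extension so cavshell.dll can be deleted.
$shell = Join-Path $InstallDir 'cavshell.dll'
if ((Test-Path -LiteralPath $shell) -and $PSCmdlet.ShouldProcess($shell, 'regsvr32 /u')) {
    & regsvr32.exe /u /s $shell
}

# Step 5: delete every file not on the keep list; a locked file is reported, not fatal.
$keepSet = $Keep | ForEach-Object { (Join-Path $InstallDir $_).ToLowerInvariant() }
Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $keepSet -notcontains $_.FullName.ToLowerInvariant() } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove-Item')) {
            Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Continue
        }
    }

# Remove folders left empty (deepest first so parents empty out in turn).
Get-ChildItem -LiteralPath $InstallDir -Recurse -Directory |
    Sort-Object { $_.FullName.Length } -Descending |
    Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Force) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove empty folder')) {
            Remove-Item -LiteralPath $_.FullName -Force
        }
    }

# List what survived so it can be compared against the post's keep list.
Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    ForEach-Object { $_.FullName.Substring($InstallDir.Length + 1) }
```

Anything still listed at the end that is not in the keep list was in use at the time; note it and retry after the steps in 6) are done.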

Offline D Bone

  • Comodo Loves me
  • ****
  • Posts: 111
Re: Comodo Firewall/Defense+ lite (no antivirus, no trusted vendors)
« Reply #1 on: July 21, 2011, 10:46:45 PM »
Wow, that's a lot of re-engineering! 
Clean Install ~ Router NAT Firewall ~ Windows 7 Firewall ~ Bitdefender Antivirus Free ~ Chrome ~ Ghostery ~ Windows 7 System Image

Offline kagun

  • Left the Forums
  • Comodo's Hero
  • *****
  • Posts: 1141
Re: Comodo Firewall/Defense+ lite (no antivirus, no trusted vendors)
« Reply #2 on: September 14, 2011, 09:39:27 AM »
That is an extremely fine piece of information!  :-TU ;)

Offline Valentin N

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2867
  • Usability Study Group
    • My homepage at the moment
Re: Comodo Firewall/Defense+ lite (no antivirus, no trusted vendors)
« Reply #3 on: September 17, 2011, 03:18:55 PM »
wow. some people will be happy about this
Skype: comodohelper (Personal)

CEVPN: Valentin N

CIS 6.3

Keep CTM alive by voting


Online Redstraw

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 263
Re: Comodo Firewall/Defense+ lite (no antivirus, no trusted vendors)
« Reply #4 on: September 27, 2011, 04:04:46 AM »
wow. :o
But I find there is something wrong with the D+ log.
« Last Edit: August 11, 2012, 10:25:17 AM by Redstraw »

Offline VitRom

  • Comodo Family Member
  • ***
  • Posts: 62
Re: Comodo Firewall/Defense+ lite (no antivirus, no trusted vendors)
« Reply #5 on: October 12, 2011, 09:20:31 AM »
Looks very interesting.

But IMHO the cavshell.dll should be left in place -- it's a handy tool

Offline vix123

  • Comodo Loves me
  • ****
  • Posts: 123
  • I don't use an antivirus that doesn't pass VB100
Re: Comodo Firewall/Defense+ lite (no antivirus, no trusted vendors)
« Reply #6 on: October 13, 2011, 03:27:13 AM »
But I find there is something wrong about the D+ log.

This isn't a problem -- when you allow an action in Defense+ it is recorded in the log but not as a prevented intrusion (since you allowed it!).

IMHO the cavshell.dll should be left in place -- it's a handy tool

Perhaps if you wish to manually sandbox applications. Otherwise, in a sans-antivirus setup it's useless.

BTW, updated to show how to extract the MSI installer and also cmdinstall.exe can be removed without problems in uninstallation/upgrades (just tested it -- the msi installer will do these) for further space savings!

Offline VitRom

  • Comodo Family Member
  • ***
  • Posts: 62
Re: Comodo Firewall/Defense+ lite (no antivirus, no trusted vendors)
« Reply #7 on: October 14, 2011, 02:30:01 AM »
Better way to extract .MSI

You need:
1) Universal Extractor (mine is 1.6.1) http://www.legroom.net/software/uniextract
2) CIS installer .exe (mine is cfw_installer.exe)

Then:
1) UniExtract cfw_installer.exe (59M) => get folder [cfw_installer]
2) cd this [cfw_installer]
3) UniExtract cfw_installer.exe (94M) => get another [cfw_installer]
4) cd [cfw_installer/.rsrc/PACKED]
5) Find the two biggest files
6) The biggest one is the installer for x64, the second for x86

In my case it was
375 (32M) => 32bit.msi
376 (34M) => 64bit.msi


PS. Universal Extractor is still very useful anyway
« Last Edit: July 27, 2012, 08:18:00 AM by VitRom »

Offline VitRom

  • Comodo Family Member
  • ***
  • Posts: 62
Re: Comodo LITE (just firewall and defense+)
« Reply #8 on: July 27, 2012, 08:15:32 AM »
After vix123 had updated his post to 5.10 I'll do the same with mine.

Now on 5.10 the best and the simplest way to extract the MSI is to use 7-zip.

1. right-click on cfw_installer.exe|cis_installer.exe|cav_installer.exe
2. click on "7-zip >"
3. click on "Open archive"
4. ???
5. PROFIT!

You'll see the entire archive content with both x86 and x64 .MSI-s with plain names.
« Last Edit: July 27, 2012, 08:19:13 AM by VitRom »

Offline neohush

  • Comodo Member
  • **
  • Posts: 38
  • I LOVE COMODO
Re: Comodo LITE (just firewall and defense+)
« Reply #9 on: July 28, 2012, 07:28:29 AM »
I'm here with my friend, Mid-2010 MacBook :D

Offline vix123

  • Comodo Loves me
  • ****
  • Posts: 123
  • I don't use an antivirus that doesn't pass VB100
Re: Comodo LITE (just firewall and defense+)
« Reply #10 on: July 28, 2012, 09:17:46 AM »
Updated again to include Vitrom's 7-zip pointer. Very easy, and 7-zip is a great little tool to have. Thanks.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19345
Re: Comodo LITE (just firewall and defense+)
« Reply #11 on: July 28, 2012, 04:55:39 PM »
Updated for Comodo 5.10 major rewrite. Easiest extraction method, thx Vitrom.

This is a personal approach to using Comodo, I have been doing this since 2010. It completely removes the antivirus files and the trusted vendors database, disables automatic updates and prevents automatic sandboxing of applications. It reduces installation size by 84%. It's meant for advanced users who only need the firewall and maybe the proactive defense. If you like Comodo's Antivirus or you dislike creating firewall/defense+ rules, stop reading now.

Why:

Decreasing the installation size of bloated software helps maintain faster backups or use it in portable Windows and small virtual machines. The default installation takes more than 150 MB, fiddling with the installer options may decrease it to 130 MB but the following instructions will leave it at just 23 MB!

I find the omission of the Antivirus to be desirable as the Comodo Antivirus is not well regarded in established tests. I don't like it and I was not happy to see it taking development energy away from Defense+ which is quite respected in various tests.
On a side note. Detection rate has increased significantly:
http://www.shadowserver.org/wiki/pmwiki.php/AV/VirusMonthlyStats

it already has the best detection (as a single engine)!

Quote
Removing the "trusted" software vendors is a great modification; the whole idea was flawed from the beginning: A software vendor may be trustworthy in not taking malicious actions, their programs however can be hacked and then be used for malicious actions which Comodo will not block (as they seem to originate from a trusted vendor).
I have to object here. If the installer was hacked to have it contain a rogue version of an executable then the certificate of the installer is void and will not be trusted. There are a couple of malwares with signatures but I have never heard of one that could successfully hack an existing installer without breaking the certificate.

CIS will not allow an already installed executable to be hacked.

Quote
Internet Explorer is an infamous example as it has been used for many years by hackers to take control of systems.
Not a great example in light of the above.

Quote
AutoSandboxing is bad for two reasons: Firstly, legitimate programs running in the sandbox will not function correctly if Comodo is uninstalled as their previous settings will be lost to them.
That's true for any sandbox. It comes with the territory.
Quote
Secondly, while the system may be safer from a hacked application in the sandbox, the malware can still expose any private data this application can access to the wrong people.
A valid point.

Offline vix123

  • Comodo Loves me
  • ****
  • Posts: 123
  • I don't use an antivirus that doesn't pass VB100
Re: Comodo LITE (just firewall and defense+)
« Reply #12 on: July 28, 2012, 11:49:26 PM »
Thanks Eric. In regards to my sandbox argument, the point is about automatic sandboxing. Sandboxing an application manually by the user is OK (within this argument) as the user is taking the responsibility of losing the settings outside the sandbox. The hacks I've posted do not harm manual sandboxing as far as I tested.

Installers are not the problem in the trusted vendors philosophy; the installed applications are. E.g., by default Comodo would trust a browser as it is signed by a reputable company. As such it could install a device driver and Comodo wouldn't object. Which means that an advanced Javascript exploit could cause a major security issue.

But isn't this exactly why I would be using a HIPS in the first place ?

Offline VitRom

  • Comodo Family Member
  • ***
  • Posts: 62
Re: Comodo LITE (just firewall and defense+)
« Reply #13 on: August 20, 2012, 06:16:29 AM »
If the [app] was hacked... then the certificate of the [app] is void and will not be trusted.
EricJH, please remind me what happens when a non-certified app is modified? Does CIS check a hash of non-signed binaries, or does it rely only on the sig/cert trust layer?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19345
Re: Comodo LITE (just firewall and defense+)
« Reply #14 on: August 20, 2012, 06:04:06 PM »
Thanks Eric. In regards to my sandbox argument, the point is about automatic sandboxing. Sandboxing an application manually by the user is OK (within this argument) as the user is taking the responsibility of losing the settings outside the sandbox. The hacks I've posted do not harm manual sandboxing as far as I tested.

Installers are not the problem in the trusted vendors philosophy; the installed applications are. E.g., by default Comodo would trust a browser as it is signed by a reputable company. As such it could install a device driver and Comodo wouldn't object. Which means that an advanced Javascript exploit could cause a major security issue.

But isn't this exactly why I would be using a HIPS in the first place ?
Exploits would most of the time be caught by the buffer overflow protection.

If you want to set tighter rules for browser then CIS then it will facilitate that. The default settings are aimed at users who want good protection with only a few alerts.
EricJH, please remind me what happens when a non-certified app is modified? Does CIS check a hash of non-signed binaries, or does it rely only on the sig/cert trust layer?
When the binary is not signed CIS will check the hash on execution and will protect it from being tampered with.
