Rather than start a new, but very similar thread, I’ll add to this one.
After my experiments below I went with a complete CIS install after a fresh OS install. I tested with the CLT and got 330/340 (coat was the hold out) and was quite satisfied. Some time passed and tested again, now back to the 30/340 results I was originally getting. I don’t know why or how that changed. Seems almost useless to have a protection system installed that doesn’t protect. The only source of comfort is it seems to be an honest test, and not some shady CLT will only “pass” when Comodo is installed. I tend to look at computer security products as Snake Oil, but this feels like this a legit product/company. It’s just frustrating when everything seems to be setup properly, but still doesn’t work. Please let me know, if there’s something else to try or do. Here are the details:
Windows XP Professional SP3
CIS: 4.1.150349.920
Comodo Firewall and Defense+ are both in Safe Mode
Proactive Security configuration is active
Stealth ports was set to "Block all incoming connections
Sandbox disabled
Verified no CLT entries in Firewall->Network Security Policy
Verified no CLT entries in Defense±>Computer Security Policy
Diagnostics find nothing wrong with my installation
NO initial pop-up asking to Allow/Block running CLT.exe
The only popups are during the ICMP/DNS tests which I cancel.
The only tests that pass are:
MissingDriverLoad
ICMP
DNS
Original Message:
After having the mbr infected last week, I did what everyone does, install firewall/antivirus software. After trying out a few apps I went with Avira AntiVir and Comodo Internet Security (without the antivirus). I thought everything was working as I’d get the occasional alert, and usually it was for some MS Windows process (svchost). Then, I turned on utorrent (completely unrelated to the mbr infection, seriously) without getting a single alert from CIS AND in utorrent there was the green check mark showing the port is open for incoming connections. That’s when I did some researching and found the settings I should be using and the CLT. After doing some trials I feel I am right back where I started.
OS: XP SP3 (with XP firewall off)
For all the tests:
Comodo CIS - refers to Firewall and Defense+ (no AV) Release Date: June 2, 2010
Comodo Firewall and Defense+ were both in Safe Mode
Proactive Security configuration was active
Stealth ports was set to "Block all incoming connections
Sandbox disabled
Allowed the first alert so CLT would run
Blocked everything else
1 ) Avira AntiVir (w/ Guard enabled) + Comodo CIS
CLT score: 30/340
Restored OS from ghost image without any apps installed. Then installed and tested in order:
2 ) Windows XP firewall
CLT score: 20/340
3 ) Comodo CIS
CLT score: 330/340 - it failed Impersonation: Coat if you were wondering
4 ) Comodo CIS + Avira AntiVir (w/ guard enabled)
CLT score: 30/340
5 ) Comodo CIS + Avira AntiVir (w/ guard disabled)
CLT score: 30/340
Uninstalled Avira AntiVir
6 ) Comodo CIS
CLT score: 50/340
Uninstalled Comodo CIS and reinstalled it (restarted after each operation)
7 ) Comodo CIS
CLT score: 30/340 CIS
What gets me is that without leak testing I wouldn’t know there was something wrong. There’s the green check mark in the summary->System Status. More->Diagnostics says there’s nothing wrong with my installation. Until I can rest easy mismatching my AV and Firewall, I’ll guess go with CIS with antivirus. Might as well keep out the infection with a strong firewall than rely on a scanner to find it.
The tests that usually pass are:
RootkitInstallation: MissingDriverLoad
InfoSend: ICMP Test
InfoSend: DNS Test
Q1) Does this mean the firewall works consistently and Defense+ doesn’t?
Q2) Am I doing it right?
Q3) Any have suggestions to try before I conclude my experiments?
Thanks