A new user's feedback on trying out Comodo Firewall

I have worked with many firewall applications over the years, and am very proficient in IT. When it comes to a desktop firewall, I find most of them are poorly designed and/or implemented. The best of the bunch (which, I should point out, is termed loosely) that I have found is ZoneAlarm. While it doesn’t offer the power and customizability that Comodo does, the way it’s laid out makes sense (unlike many other firewalls), and is easy to configure.

Kaspersky Internet Security, for example, is a nightmare and a complete mess. The way they designed it to work is horrible - that either an app is trusted or untrusted, not giving much in between, and making it either impossible to give apps the rights you want, or extremely complicated to do so.

When I found Comodo Firewall, I was for the first time hopeful. On paper, Comodo Firewall seemed intelligently designed - working in a similarly straightforward fashion as ZoneAlarm, but giving more control and granularity. This was, again on paper, ideal as an improvement over what I had been using for years.

So, I tried it out. And within a day, I had uninstalled Comodo, and re-installed ZoneAlarm.

I wanted to give you feedback as to why, and what I disliked about Comodo. I didn’t take notes at the time, so I’m sure there are things I am forgetting, but I’ll put down what I remember.

  1. Applications were not necessarily automatically added to the software list the first time they were run. This is not good. The first time a new application runs, it should be automatically added to the software list so that it’s easy to set rules for it. This is especially important since many apps have multiple components, and knowing that a particular app needs to be set up doesn’t mean you know which part of it to point to.

  2. Application names are not used in the software list. Most people are not going to immediately know what “vssadmin.exe” is. But if you list it as “Command line interface for Microsoft Volume Shadow Copy Service”, that’s a hell of a lot clearer, and allows people to make a more educated decision on it without having to look it up first. Many other firewalls do this, so I don’t understand why Comodo doesn’t. By all means, make sure it’s easy to pull up the actual path and filename, of course. But for the purposes of normal administration, make sure to list the normal name for each program!

  3. System components were lumped together as a single “System” item. It is improper to assume that because it’s part of the O/S, it’s okay to give it full access. In ZoneAlarm, each individual item that starts and tries to get access gets put on the list separately. A user can make individual choices for each and every component. Now, I don’t know if it’s possible to delete the default System item and add each component separately - I hope it is. If not, then this is an immediate dealbreaker. But if it’s possible, then I simply dislike that this is done by default.

  4. It is counter-intuitive, the way things are separated between the basic section of the UI, and the advanced section. It makes more sense to be able to choose an Advanced mode, whereby all of it is available in one place.

  5. Responsiveness of the application to configuration changes was unpredictable and not immediate. Granting rights to certain apps yielded no change in their restrictions. This yielded multiple troubleshooting steps, only to find out that several attempts and ten minutes later, they were now taking effect. Not because the rights were incorrectly set in the first place, but because either it didn’t take (in which case, Comodo is flaky), or because it doesn’t take effect immediately (which would be a serious design flaw).

  6. I found the Defense+ to be too much trouble to work with. I don’t mind certain types of proactive defense systems that many security apps have - and I love that Comodo gives you such control. But I found it impractical to configure each and every possible program with the minutiae of rights. I admit that this may simply be something that takes getting used to. I remember finding it annoying that one of the rights couldn’t be configured to be enabled by default for a given app. This didn’t sit right with me.

So, as I mentioned earlier, I’m sure there’s other stuff I’m forgetting, but that’s what I can remember at the moment.

I think Comodo has a lot of potential, and I sincerely hope that the developers will address some of the issues I encountered as this product gets revised, so that it becomes something I will be happy using in the future. But for now, it just doesn’t cut it for me.

All these suggestions are very good and valuable as feedback.

You will find that Comodo Firewall 4 (Comodo Internet Security 4), currently in BETA, is going to suit your needs a whole lot better in terms of usability. It’s VERY quiet and you will no longer get complicated Alerts. Sandboxing has made life a hell of a lot easier in CIS 4.

Sandboxing in CIS 4 is very important:

Unknown applications - Run In Sandbox. Here these applications are simply run in the sandbox with no alerts, and Defense+ at the moment handles these specifically, silently blocking critical file system/registry keys from such apps.

Trusted applications/installers/updaters: Run Outside the sandbox. Comodo has a MASSIVE whitelist, 40,000 files are added to the whitelist every day. These whitelisted/trusted apps are run with no alerts from installation to launch. However, when an UNKNOWN installer comes along, a user receives an ELEVATION Alert. The Alert language is the same every time so users no longer read COMPLICATED and different alert language all the time.

So thanks to automatic and default deny sandboxing, Firewall is a combination of both default allow and default deny technology, handling unknown apps silently and allowing those trusted ones in with no alerts.

I strongly believe ver 4 will suit your needs when it’s released. As always, you can download the beta but development is still ongoing and there are incompatibilities at the moment with sandbox.

Josh

I’m sorry and VEEERY, very sad about what I’ve read…

(sorry 3xist, I know that you do what you can with great honor & respect)

Beta’s talking!!!

What about thousands of users of the CURRENT, OFFICIAL RELEASE USERS!!!

blah blah blah… try this, try that… tell me if this works, tell me if this happens when… it’s the only truly words I see… And many users with their computers locked, or working with 50%…

My heart is bleeding, my soul is crying, I still (?!!) truly love and believe in your principles (to Melih), but I wonder when your collaborators will GROW UP !!!

PLEEEASE… First fully finish v3 until release v4, even beta’s! (And I’ve tried v4b…, as I’ve been trying since v3 more than a year ago…). Prove yourself that you can reach your aim!

No more hearing “try this” for the next year is what we want. No more excuses…

Can you (Melih) do that? My customers are waiting for this… (those who are still on Comodo’s)

I like point 2 and 4.

A new GUI was promised long time ago but, well, wait for version 5 ! :-TD

It is fair comment that all you IT experts can pick and pull at all security systems and not just Comodo but the vast majority of users are exactly the opposite of IT experts and just want an efficient security system that works out of the box and keeps them safe from the vast amount of baddies out there on the interwebs and in my opinion Comodo CIS is the best one stop solution for that.

Grit:
I understand your review and found it very relevant, but as I say it is done from the point of view of an expert in IT. Why don’t you do another review but done this time from the point of view of a novice in IT. I think your conclusions would be different.

I hope there is a way to turn off this functionality. I do not want apps to be run and installed in a sandbox by default.

Again, I hope there is a way to turn off this functionality. I do not use whitelists - ever. And I make sure my clients don’t as well. Firewall functionality does not just protect against explicit malware, it also protects against over-eager developers who add call-home functionality to their apps. This causes a serious security vulnerability, and security sensitive companies have strict policies that lock this type of behavior down.

The whitelist feature is meaningless to me, as I want all apps to be fully monitored, and I want to know if they’re doing anything they shouldn’t - regardless of whether you think they’re okay or not.

And the sandbox feature is only valuable if I can manually choose to run apps with it. I would never allow it to run apps automatically in it, and if there is no way to shut that off, I would have to turn away from Comodo as a solution, completely.

I review it in the context of how I would use it and how I would set my clients up with it. Obviously a soccer mom who can barely turn on her machine without calling for help would have a different point of view. But that’s not my perspective, nor is it that of my clients.

> 1. Applications were not necessarily automatically added to the software list the first time they were run. This is not good. The first time a new application runs, it should be automatically added to the software list so that it's easy to set rules for it. This is especially important since many apps have multiple components, and knowing that a particular app needs to be set up doesn't mean you know which part of it to point to.
>
> 2. Application names are not used in the software list. Most people are not going to immediately know what “vssadmin.exe” is. But if you list it as “Command line interface for Microsoft Volume Shadow Copy Service”, that’s a hell of a lot clearer, and allows people to make a more educated decision on it without having to look it up first. Many other firewalls do this, so I don’t understand why Comodo doesn’t. By all means, make sure it’s easy to pull up the actual path and filename, of course. But for the purposes of normal administration, make sure to list the normal name for each program!

I just can’t agree more with this. In general, I think that the CIS GUI is quite poorly designed (I mean both usability and look & feel), especially compared to Norton 2010 and the new Avast!. However, I find CIS itself more powerful =)

I can’t tell 100% for sure about future betas, but currently CIS4 lets you turn off the sandbox. And yes, you can use it as an on-demand sandbox (but currently the sandbox is mostly crashing stuff from my experience…)

You can turn off the white-list to the same extent as in CIS3, but you will have to do some stuff slightly differently…

First of all thank you very much for such an extensive reply. Second, I will simply reply and ask.

> 1. Applications were not necessarily automatically added to the software list the first time they were run. This is not good. The first time a new application runs, it should be automatically added to the software list so that it's easy to set rules for it. This is especially important since many apps have multiple components, and knowing that a particular app needs to be set up doesn't mean you know which part of it to point to.

Rules for Trusted programs should have been added to the software when running D+ in the default Safe Mode. Did you change the Defense + settings to Paranoid?

> 2. Application names are not used in the software list. Most people are not going to immediately know what "vssadmin.exe" is. But if you list it as "Command line interface for Microsoft Volume Shadow Copy Service", that's a hell of a lot clearer, and allows people to make a more educated decision on it without having to look it up first. Many other firewalls do this, so I don't understand why Comodo doesn't. By all means, make sure it's easy to pull up the actual path and filename, of course. But for the purposes of normal administration, make sure to list the normal name for each program!

Good point.

> 3. System components were lumped together as a single "System" item. It is improper to assume that because it's part of the O/S, it's okay to give it full access. In ZoneAlarm, each individual item that starts and tries to get access gets put on the list separately. A user can make individual choices for each and every component. Now, I don't know if it's possible to delete the default System item and add each component separately - I hope it is. If not, then this is an immediate dealbreaker. But if it's possible, then I simply dislike that this is done by default.

You can change or delete that group. It is in an odd place though: Defense + --> Common Tasks --> My Protected Files --> Groups.

> 4. It is counter-intuitive, the way things are separated between the basic section of the UI, and the advanced section. It makes more sense to be able to choose an Advanced mode, whereby all of it is available in one place.

What do you mean with the basic section of the UI?

> 5. Responsiveness of the application to configuration changes was unpredictable and not immediate. Granting rights to certain apps yielded no change in their restrictions. This yielded multiple troubleshooting steps, only to find out that several attempts and ten minutes later, they were now taking effect. Not because the rights were incorrectly set in the first place, but because either it didn't take (in which case, Comodo is flaky), or because it doesn't take effect immediately (which would be a serious design flaw).

These apps are probably under All applications. Try dragging them to the part above the Windows System files.

> 6. I found the Defense+ to be too much trouble to work with. I don't mind certain types of proactive defense systems that many security apps have - and I love that Comodo gives you such control. But I found it impractical to configure each and every possible program with the minutiae of rights. I admit that this may simply be something that takes getting used to. I remember finding it annoying that one of the rights couldn't be configured to be enabled by default for a given app. This didn't sit right with me.

Because a HIPS is very chatty by its nature you can consider using Safe Mode (with underlying Comodo approved white list) for less noise. You can also try to make use of the My Trusted Software Vendors list for white listing. On a side note, I never used Zone Alarm Firewall Pro (used the free version in the past). Does it give less alerts? And if so, does it monitor less parameters?

> So, as I mentioned earlier, I'm sure there's other stuff I'm forgetting, but that's what I can remember at the moment.
>
> I think Comodo has a lot of potential, and I sincerely hope that the developers will address some of the issues I encountered as this product gets revised, so that it becomes something I will be happy using in the future. But for now, it just doesn’t cut it for me.

There will be usability improvements and changes in the GUI. They were promised for v4 but they won’t make it to the final. They will come with one of the v4 versions.

This is in no particular order.

> 2. Application names are not used in the software list. Most people are not going to immediately know what "vssadmin.exe" is. But if you list it as "Command line interface for Microsoft Volume Shadow Copy Service", that's a hell of a lot clearer, and allows people to make a more educated decision on it without having to look it up first. Many other firewalls do this, so I don't understand why Comodo doesn't.

I hope I understood this correctly.
Let’s switch your example "vssadmin.exe" with a more problematic one. Let’s use svchost.exe instead. There are multiple svchost.exe files. (Hitting Ctrl + Alt + Del at the same time will show this.) There are legit ones as well as malware ones (if the computer gets infected); also, even a legit one can be injected.

I do agree with you for the most part on this. I was thinking of this, for example. Let’s use vssadmin.exe.
On the screen it should show

  1. vssadmin.exe
  2. a verified checksum for that file (not md5 checksum either, preferably sha*** checksum or whatever the future standard will be)
  3. company name and if it’s signed or not

> A new GUI was promised long time ago but, well, wait for version 5 !

I personally rather have them KEEP working on bug files, reducing the AV signature, adding stuff to the AV like behavior monitoring, heuristics, and such until it's considered the Anti-virus is great instead of just good. A cool looking GUI should be the last step. <---But this is just my opinion. I'm going to guess the GUI is being done in very tiny steps (maybe they’re slowly testing the water to read people’s reactions before the next tiny step in the GUI).

> I love that Comodo gives you such control. But I found it impractical to configure each and every possible program with the minutiae of rights. I admit that this may simply be something that takes getting used to.

Why don't you put Defence + in training mode for a few days, then put it back up. Or even disable "defense + " if you don't like component control.

The best thing I can say is to play with its features and give some input especially while it’s still in beta
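
The post above asks for each entry to show the file name, a SHA-family checksum, the company name and whether the file is signed, and notes that several svchost.exe instances can look identical by name. The following PowerShell sketch is an added example, not part of the thread and not Comodo's code; it assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`), and the function name `Get-NetworkProcessIdentity` is hypothetical.

```powershell
# Added example (not from the thread): for every process that owns a TCP
# connection, show the friendly description, full path, SHA-256, company and
# signature state, so same-named binaries such as svchost.exe can be told apart.
function Get-NetworkProcessIdentity {
    [CmdletBinding()]
    param()

    # Process IDs that currently own a listening or established TCP socket.
    $ownerIds = Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique

    foreach ($ownerId in $ownerIds) {
        $proc = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }          # process exited between the two calls

        if (-not $proc.Path) {
            # Kernel and protected processes expose no image path to an
            # unelevated caller; report them by name only rather than hiding them.
            [pscustomobject]@{
                ProcessId = $ownerId; FileName = $proc.ProcessName; Description = $null
                Path = $null; SHA256 = $null; Company = $null
                Signature = 'Unavailable'; Signer = $null
            }
            continue
        }

        $file = Get-Item -LiteralPath $proc.Path
        $sig  = Get-AuthenticodeSignature -FilePath $proc.Path

        [pscustomobject]@{
            ProcessId   = $ownerId
            FileName    = $file.Name                          # e.g. vssadmin.exe
            Description = $file.VersionInfo.FileDescription   # the "normal name"
            Path        = $file.FullName                      # distinguishes look-alike names
            SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Company     = $file.VersionInfo.CompanyName
            Signature   = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject      # empty when the file is unsigned
        }
    }
}

Get-NetworkProcessIdentity | Sort-Object FileName, Path | Format-Table -AutoSize -Wrap
```

The description and company fields come from the file's own version resource and can be set by whoever built the binary, so the path, hash and signature status are the values to rely on when two entries share a name.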

Yes. I don’t use vendor based Trusted Programs for any security software. I configure security settings on a case by case basis for each and every application. Malware isn’t the only software that needs protecting against. Call home routines by otherwise legitimate software also must be stopped.

I meant the “Common Tasks” area. I need to flip back and forth between the “Common Tasks” and “Advanced” areas all the time. It gets extremely annoying. It’s more accurate to say that if a user is a power user, they will need access to the items in the “Advanced” section in addition to the items in the “Common Tasks” sections - but they should all be in one place. You’re better off having a toggle for “Advanced Mode” - and if it’s enabled, have everything in the same area.

I was already working with All Applications. I’m not sure the position on the list should make a difference insofar as whether changes in rights have taken effect or not.

I won’t use Safe Mode. I never use vendor white lists - ever.

It must have the application name as well. Not listing the name does not help anything - it hinders. Have the Application Name as the primary label - underneath it, in smaller grey text, have the full path. Then you can have additional information, such as the company name, whether it’s signed or not, etc…

I disagree completely. I’m not talking about aesthetics, I’m talking about useability. A sensibly designed UI makes a huge difference in the ability to manage and interact with an application. It can be the strongest most versatile app in the world - if you can’t find where the settings you need are, it’s a piece of garbage.

I won’t use training mode, because I don’t trust automated configurations. And don’t get me wrong, I do like component control - it was just too much trouble the way it’s set up here.

Component control in ZoneAlarm Pro means that even if you’ve set up rights for a particular application, if it uses or launches another component, an alert goes up requiring you to separately authenticate that action. This was a good balance.

With Comodo, it felt like no application would run properly until I explicitly set it up in Comodo first. And by that, I’m not referring to network access, but simple system access. That part is what was too much.

Probably because putting D+ in training mode for a few days is a very bad idea…

Training mode will create an “allow” policy for anything and everything that tries to run on your system. In other words, malware can do anything it wants, and D+ will create rules to allow it to continue to do anything it wants.

Training mode should only be used for as short a duration as possible, and even then, only as a last resort due to the security risk.

> Call home routines by otherwise legitimate software also must be stopped.

Adobe CS4 is the worst offender I know.

> I don't use vendor based Trusted Programs for any security software

That's one of the ways to reduce the pop-ups. Although some people like the pop-ups, but most don't.

I guess it comes down to a personal preference on the style on how they like to configure things.
One of the computers I use has this configuration (I have different configuration styles for different computers). What comes in and out of the network (or internet) is most important to me. On “defense +” I have it on Paranoid mode. I generally allow 90% of requests. I generally don’t care what any software does on the computer as long as it doesn’t slow the computer down; what’s coming in and out is what I truly care about. I disabled autoplay for usb ports.

> A cool looking GUI should be the last step.

You misunderstood me, jay.

I meant that the current version of the GUI lacks useability !

Apart from this, it is for me the best security solution out there.

A valid point

> Component control in ZoneAlarm Pro means that even if you've set up rights for a particular application, if it uses or launches another component, an alert goes up requiring you to separately authenticate that action. This was a good balance.

By default CIS will ask if an application tries to launch another one. It puzzles me why that doesn't happen in your case. ???

In one of your previous posts you mentioned that the amount of alerts of CIS was too much. You can actually choose what to monitor with CIS. That can be done under Defense + → Advanced → Image Execution Control Settings → Filters to check. In case you would like to monitor execution of dll files you can add them there as well.

It’s not that that didn’t happen. I was simply pointing out what component control meant in ZoneAlarm.

I don’t think I said that the alerts were too much, what I said was that Defense+ was too much trouble to work with. And by that, I meant that it seemed that no application would run properly until I configured it in Defense+ first.

With ZoneAlarm, all apps would run properly - but you might get alerts if they do something risky. With Defense+, it seemed that apps wouldn’t run correctly at all until you set the rights on what they could do on the system (I’m not talking about network access here). That’s what I didn’t like.

In reading your posts I see a very high and, in my view, unnecessary degree of paranoia. There is also a very high degree of contradiction. You won’t use whitelists, but yet you want alerts from D+ to be reduced but at the same time, to be alerted to every action a program takes. You can’t have it both ways. I personally want my security applications to automatically trust and allow known safe applications, and for anything new and as yet unknown, handle them with the least amount of interaction required from me. That is what a well written application should do. I absolutely do NOT want to have to manually create rules for every single piece of software I install. As a matter of fact, I have never manually created a rule for anything in my 11 years on line and have yet to ever be infected or hacked.
Also, in many cases, these “call home” routines serve a very useful purpose. Many vendors only employ them to report crashes or as in the case of security programs, to check a more recent database for an application exhibiting a suspicious behavior. This helps them improve their product. Some use them to support free software by compiling user habits which they sell to advertisers. The second usage may be questionable to some but dangerous from a security standpoint? Most likely not.
It also strains credulity how anyone, even after the most cursory searches for reviews comparing products, could settle on one that is at or near the bottom of almost every list. Zonealarm. Firewall reviewers rate it as almost useless.
I do not trust my computer to any “IT Experts”. I trust the software vendors more than I do them. Those people, if you really think about it, have a financial stake in their customers needing them on a continual basis to fix “problems”. Problems that I suspect they knew would happen so their services would be needed. Is this paranoia? Maybe, but no more so than the garbage put out there by many so called security experts.

> Also, in many cases, these "call home" routines serve a very useful purpose. Many vendors only employ them to report crashes or as in the case of security programs, to check a more recent database for an application exhibiting a suspicious behavior. This helps them improve their product. Some use them to support free software by compiling user habits which they sell to advertisers. The second usage may be questionable to some but dangerous from a security standpoint? Most likely not. It also strains credulity how anyone, even after the most cursory searches for reviews comparing products, could settle on one that is at or near the bottom of almost every list. Zonealarm. Firewall reviewers rate it as almost useless. I do not trust my computer to any "IT Experts". I trust the software vendors more than I do them. Those people, if you really think about it, have a financial stake in their customers needing them on a continual basis to fix "problems". Problems that I suspect they knew would happen so their services would be needed. Is this paranoia? Maybe, but no more so than the garbage put out there by many so called security experts.

I don't think it's possible to word it any better. :-TU

(:CLP)