The simple fact of the matter is that some people like more control, some people like less.
Neither way is any better than the other, and you’ll likely never change anyone’s opinion.
Saying that someone appears to exhibit unnecessary paranoia with how they prefer to run their machine really serves no constructive purpose other than to possibly upset that person. Opinions are fine, but is voicing that opinion in this way necessary?
We get it… You like things automatic. Others do not. No need to try and belittle someone because they don’t think like you. Saying, “this is how I like to run it” is absolutely fine, but essentially saying, “this is how I run it, and so should everybody else because it’s perfectly adequate and anything more is paranoia” is pushing it a little bit…
Incorrect. It’s not that I want alerts from Defense+ to be reduced - but I don’t want the default status for applications to be that they cannot run properly until you manually go in and set up system rights for it. That is not a contradiction, it is common sense usability.
That may be your experience, but I work in a much tougher set of circumstances. I do not want to have to manually create rules for apps before they will run at all, but I absolutely want to set rules for network access on an individual basis. And even then, not to start with - but only as needed. Meaning that as soon as an application tried to obtain network access, I want to know about it and configure its rights at that time.
If you have the luxury of avoiding this level of caution, then good for you. But don’t make the mistake of thinking that everyone else falls in the same boat.
It’s not up to you, or to any developer to decide what information to send out and when to send it. Each person’s PC is their own property. Nowadays, PCs hold more intimate details about people’s lives than diaries ever did. Opening a port and engaging in communication without the prior and full knowledge and consent of the user is inexcusable.
Oh, I’m sure the developers can justify why they would like the information. But being useful to them does not give them the right to take it from you. I’ve seen companies get hacked because internal software called home and sent detailed information about their networks, O/S, and software that was intercepted and then used to gain ingress into their systems. I’ve also seen unethical developers deliberately code their apps to send confidential information back to them.
I’m sorry, but you are dead wrong. You can argue all day long as to how call home routines benefit the developer. In the end, that still doesn’t justify them taking the information without a user’s full knowledge and consent, nor does it counter a user’s right to prohibit that communication.
I use hardware/server level firewalls for the heavy duty external attacks. The desktop firewalls are more to prevent outgoing attacks, breaches, and call home routines than anything else. And for that, ZoneAlarm is perfectly functional.
Your wording was a bit unclear - either you’re saying that IT experts have a financial stake but vendors do not, or vice versa. In either case, I’m sure you can see the logical fallacy that exists.
Vendors are the ones who are inherently not to be trusted because every single one of them will try to convince you that their app is the best and does everything you need it to - they’ll lie through their teeth to do it because of their financial stake in your patronage.
IT consultants (not just any “Holiday Inn Express” self declared gurus) are paid to wade through the propaganda all the vendors are sending out and tell you what the real deal is. With IT consultants, the key is finding one that is truly knowledgeable and skilled. But with vendors, they are almost universally untrustworthy insofar as their own claims on their own products.
That test does not address issues of usability, only the final effectiveness. In the real world, you cannot work with one without the other.
I guarantee you, if you unplug your computer from all sources of electricity, you will never get a virus, trojan, spam, or any other type of malware either. One hundred percent effective, including a full heuristic effect in that you will be immune from all future versions of malware as well.
That’s better than Comodo, because Comodo will have to continue to update their product to address new versions of malware, whereas my solution is 100% future proof.
Then I am afraid CIS is not suited for your needs. The cornerstone of CIS is the Default Deny principle. Every program gets stopped until it is allowed by either whitelisting or the user’s consent. I don’t think that will change any time soon.
That may be your experience, but I work in a much tougher set of circumstances. I do not want to have to manually create rules for apps before they will run at all, but I absolutely want to set rules for network access on an individual basis. And even then, not to start with - but only as needed. Meaning that as soon as an application tried to obtain network access, I want to know about it and configure its rights at that time.
The latter is possible with the firewall set to Custom Policy mode.
Incorrect. It's not that I want alerts from Defense+ to be reduced - but I don't want the default status for applications to be that they cannot run properly until you manually go in and set up system rights for it. That is not a contradiction, it is common sense usability.
I have never had to manually set up rules for anything to work properly. You may get an initial popup when installing something you know to be safe but telling CIS to treat it as an installer or updater and then entering installation mode when prompted takes care of that. If the application is something you want more control over then you can allow or block the actions detected individually. Having to do that is not really the default mode. It is a choice that you make yourself.
Putting CIS in Clean PC mode will also eliminate almost all popups for things you installed before installing CIS itself. I personally,and many others, use Clean PC as the preferred setup. That probably would not suit you but as I said before, you can't have things both ways. Either you retain full control or you delegate control to the program. The choice is yours and actually, the default installation of CIS does not require all the interactions you don't care for. The upcoming V4 has been promised to require even less.
I work in a much tougher set of circumstances. I do not want to have to manually create rules for apps before they will run at all, but I absolutely want to set rules for network access on an individual basis. And even then, not to start with - but only as needed. Meaning that as soon as an application tried to obtain network access, I want to know about it and configure its rights at that time.
I'm going to bet you're configuring it at an enterprise corporation level. You have to set things up (to put it in simple terms, piece by piece). With everything so specific, some enterprises don't use an anti-virus.
What “Dch48” is saying makes more sense when configuring security at the desktop level.
Default Deny is perfect when it comes to network access. But I don’t like it when it comes to system rights. I don’t recall when I tried it out, but is there an easy way to change the default rights given to applications by Defense+? And for that matter, it bothered me that the option wasn’t even there to configure an application to allow “Run an executable”.
I think, if I remember correctly, Defense+ assigned default values for applications to block things like process terminations, device driver installations, certain registry keys, the DNS client service, memory, disk access, etc… How is that not going to cause major functionality issues with most applications?
Well, it’s true that the majority of what I do is going to be for enterprise environments. But to be honest with you, I run my own system the same way, and this is how I’ll set things up for other individuals as well so long as they’re willing to let me train them on what to do.
I’ll admit that if I were setting up a system for an 86 year old grandma who could barely tell the difference between the PC and the toaster, I would set things up considerably differently - but that’s not my target client 99% of the time.
Actually that option is there but it’s buried within the rule itself. You have to edit the rule. Most of the time CIS will create the rule in such a way that it asks if the app tries to run another executable. If you allow it, that file is added to a list of allowed things to be run. If for some reason the existing rule for an app is set to block all attempts to run anything else, then you are able to change that. You can change it to allow all attempts if you so wish or to ask or block.
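The rule behaviour described in the post above (an application with no rule is stopped under Default Deny, a whitelisted application runs, and a per-application "run an executable" setting of allow, block or ask, with allowed child executables remembered after the user says yes) can be written down as a small policy model. The following is an added illustration, not Comodo's code, and it makes no claim about how CIS actually stores or evaluates its rules; the rule fields, the mode names and the sample executable names are constructed for the example.

```python
"""Toy model of a Default Deny "run an executable" rule.

Added illustration of the behaviour discussed in the thread; this is not
Comodo's code and does not describe CIS internals. Names and defaults are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    ALLOW = "allow"   # parent may launch any executable
    BLOCK = "block"   # parent may launch nothing beyond its allowed list
    ASK = "ask"       # unknown children prompt the user (assumed default)


@dataclass
class RunRule:
    """Per-application rule for the 'run an executable' action."""
    mode: Mode = Mode.ASK
    # Children the user has already allowed for this parent.
    allowed_children: set = field(default_factory=set)


@dataclass
class Policy:
    # Per-application rules; applications with no rule fall under Default Deny.
    rules: dict = field(default_factory=dict)
    # Trusted (whitelisted) files run without needing a rule.
    whitelist: set = field(default_factory=set)

    def decide(self, parent: str, child: str, answer=None) -> str:
        """Return 'allow', 'block' or 'ask' for `parent` launching `child`.

        `answer` is the user's reply when a prompt would be shown:
        True = allow, False = block, None = no reply yet.
        """
        if parent in self.whitelist:
            return "allow"
        rule = self.rules.get(parent)
        if rule is None:
            # Default Deny: no rule and not whitelisted means the action is stopped.
            return "block"
        if child in rule.allowed_children:
            # Previously allowed child stays allowed regardless of mode.
            return "allow"
        if rule.mode is Mode.ALLOW:
            return "allow"
        if rule.mode is Mode.BLOCK:
            return "block"
        # Mode.ASK: prompt the user; an 'allow' reply is remembered for next time.
        if answer is None:
            return "ask"
        if answer:
            rule.allowed_children.add(child)
            return "allow"
        return "block"


if __name__ == "__main__":
    # Constructed sample: one whitelisted app, one app with an ASK rule.
    policy = Policy(whitelist={"trusted.exe"})
    policy.rules["editor.exe"] = RunRule()
    print(policy.decide("unknown.exe", "cmd.exe"))                 # block (Default Deny)
    print(policy.decide("editor.exe", "helper.exe"))               # ask
    print(policy.decide("editor.exe", "helper.exe", answer=True))  # allow, remembered
    print(policy.decide("editor.exe", "helper.exe"))               # allow (no prompt)
```

The point the model makes explicit is that "having to set rules" only arises for applications that are neither whitelisted nor already covered by a remembered answer; everything else is decided without a prompt, and an explicit block mode only takes effect for children the user has not already approved.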
Have you tried running JUST the firewall (disabling Defense+)?
This will still allow you to set network rules on a per case basis, but would leave the internal accesses alone and allow the apps to run (internally) unfettered.
The next time I give Comodo a try, I’ll do that. If a new major version is close to being released, I might as well wait for that before experimenting further.