Are Windows firewall excludes monitored by Defense+ rules?

Don’t yet have CIS installed. Still investigating the technical merits of the freeware version of Comodo Internet Security (CIS) on Windows XP Pro SP-3.

One type of malware (if allowed to run on your host) is a TCP changer. That is, it goes into the TCP settings for your network devices to alter the DNS server to which your host will connect to resolve hostnames into IP addresses. By modifying the DNS server list in your TCP/IP settings, they can get you to use a compromised or malicious DNS server. That means when you try to visit a hostname, their DNS server will return an IP address for their scam/phish/malicious web site.

Hopefully the TCP changer gets detected when it tries to install or run on your host, but we all know that sigs for malware won’t cover zero-day malware, hence the need for HIPS (host intrusion prevention system) functionality, like Defense+. What I’m wondering is if one of the registry keys protected by Defense+ includes the following parent key and its subkeys used to define policies/excludes for the Windows firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

This has the list of IP addresses for whatever DNS servers are configured for use by your TCP/IP setup. If you’re using DHCP to dynamically assign an IP address to your host then this list will probably be empty (unless you insert entries as overrides). I don’t use the DHCP server in the router to assign IP addresses to my intranet hosts. I currently assign a static IP address to my hosts (since they are in my intranet - LAN-side of my router) but others in my family use the router’s DHCP server to get their IP address. The router is obviously not a DNS server so the one assigned by your ISP gets used. So my other family gets the ISP’s DNS server to use for lookups while I specified a static list of DNS servers to use for my own hosts (with the router as the last one in the list so its pass-through to the ISP’s DNS server gets used as a last resort). I don’t know how Comodo can protect which DNS server gets used if it is dynamically assigned via DHCP since the list of static DNS servers in the TCP/IP setup will be empty. In my case with a static IP address and a static list of DNS servers, I want to ensure that some malware doesn’t alter that list to point my lookups to a compromised or malicious DNS server.

Yes, I know about Comodo’s secure DNS server setup (TrustConnect) but I don’t want to use that plus I don’t think it’s part of the free CIS product and only in their payware versions. I don’t like using any DNS server that resorts to redirects to their or a 3rd party search engine. If the lookup fails then I want it to fail just like it’s supposed to for DNS specifications, not to succeed by pointing at some “helper DNS” page with search results.

— UPDATE —

Installed Comodo Firewall (since I didn’t want their Antivirus in the Comodo Internet Security suite, just Firewall and Defense+) in a virtual machine. This let me look at the configuration for Comodo Firewall.

Nope, there is no entry to protect the registry key that specifies the TCP/IP setup. That means even if you elect to use Comodo’s Secure DNS Servers (an option during the install that changes the DNS servers in your TCP/IP config), you might not be using them. Any TCP changer (whether malware, ransomware, or even goodware) that changes the list of DNS servers in your TCP/IP setup will be allowed to modify that registry key.

Under Defense+ tab → Computer Security Policy → Protected Registry Keys tab, there is the following entry:

Important Keys:
HKLM\SYSTEM\ControlSet???\Services

Okay, but that’s for the backup copies, not the current copy. The current one is under:

HKLM\SYSTEM\CurrentControlSet\Services

Modifying these keys does NOT require installing a new service, so Comodo won’t be seeing a new service getting defined to Windows. Without protecting this key (and its subkeys), configuration of existing services is permitted and possibly without an alert.

Why would Comodo be protecting the backup copies of ControlSet and not the current one? Ah, wait a minute, something is starting to surface from my memory.

There are only 2 real hives in the registry: HKLM (local machine) and HKU (user). The others you see in regedit.exe or other registry editors are pseudo-hives that are duplicates or composites of values copied from HKLM and HKU. Remembering this made me remember that CurrentControlSet is actually a pointer to whichever ControlSet is identified as the current one. Hold on while I look in the registry …

HKEY_LOCAL_MACHINE\SYSTEM\Select

I believe that defines which is the current control set. It has data items named:

Default
Failed
Current
LastKnownGood

These can have the same or different values. The data item named “Current” has a value of 2 which means CurrentControlSet is a duplicate of ControlSet002.

http://support.microsoft.com/kb/142033

I had forgotten that CurrentControlSet was a pointer to whichever was the current-marked ControlSet??? registry key (and its subkeys). Okay, so because the source ControlSet??? registry keys are protected by Comodo then presumably the CurrentControlSet would also be protected. Well, I hope it works this way in Comodo.
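Whether that hope holds depends on how the HIPS compares paths: against the literal path the program asked for, or after resolving the CurrentControlSet link. The script below is an added example (not code from this thread or from Comodo) that models the Defense+ pattern quoted above together with the Select\Current value from the post, using a constructed Select key so it runs offline, and checks the firewall policy key from the original question both ways.

```python
r"""Model of how a HIPS rule written against ControlSet??? relates to requests
that name CurrentControlSet.  Added example, not code from the thread or Comodo.
HKLM\SYSTEM\CurrentControlSet is a link whose target is chosen by the "Current"
value under HKLM\SYSTEM\Select; whether "HKLM\SYSTEM\ControlSet???\Services"
also shields CurrentControlSet\Services depends on whether the product matches
the path as the program asked for it or after resolving the link.  The Select
values are constructed so this runs offline; on a real host read them via winreg."""

import fnmatch
import re

# Constructed stand-in for HKLM\SYSTEM\Select (the post reports Current = 2).
SELECT_KEY = {"Default": 2, "Failed": 0, "Current": 2, "LastKnownGood": 1}

# The "Important Keys" pattern quoted from Defense+ in the post.  "?" matches
# exactly one character, so ControlSet??? covers ControlSet001, ControlSet002, ...
PROTECTED_PATTERNS = [r"HKLM\SYSTEM\ControlSet???\Services"]

# Constructed requests an installer or TCP changer might make, including the
# Windows firewall policy key the question asks about.
SAMPLE_REQUESTS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy",
    r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy",
    r"HKLM\SYSTEM\Select",
]

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}


def normalize(path):
    """Canonicalise the hive name (HKEY_LOCAL_MACHINE -> HKLM) and trim separators."""
    parts = path.strip("\\").split("\\")
    parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0].upper())
    return "\\".join(parts)


def resolve_current_control_set(path, select=SELECT_KEY):
    r"""Rewrite HKLM\SYSTEM\CurrentControlSet to the ControlSetNNN it points at."""
    target = "HKLM\\SYSTEM\\ControlSet%03d" % select["Current"]
    return re.sub(r"(?i)^HKLM\\SYSTEM\\CurrentControlSet", lambda m: target, normalize(path))


def is_protected(path, patterns=PROTECTED_PATTERNS, resolve_links=True, select=SELECT_KEY):
    """True if the key or any parent key matches a protected pattern.

    Rules cover a key and its subkeys, so walk from the full path up to the
    hive root.  resolve_links=False models a product that compares the literal
    request; resolve_links=True models one that canonicalises the link first."""
    key = resolve_current_control_set(path, select) if resolve_links else normalize(path)
    parts = key.split("\\")
    for depth in range(len(parts), 0, -1):
        prefix = "\\".join(parts[:depth]).upper()
        if any(fnmatch.fnmatchcase(prefix, normalize(p).upper()) for p in patterns):
            return True
    return False


def audit(paths, select=SELECT_KEY):
    """Map each requested path to (literal_match, link_resolved_match)."""
    return {p: (is_protected(p, resolve_links=False, select=select),
                is_protected(p, resolve_links=True, select=select)) for p in paths}


if __name__ == "__main__":
    for path, (literal, resolved) in audit(SAMPLE_REQUESTS).items():
        print("%-85s literal=%-5s resolved=%s" % (path, literal, resolved))
```

The firewall policy key comes out unprotected under literal matching and protected only once the link is resolved, which is the property to verify on a test host rather than assume.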

Is it often the case that you need to execute files from untrusted sources?
I see Comodo as additional protection to the usual required user behaviour while having an antivirus, and as a protection against autorunners (that’s why I personally don’t use the auto sandbox of it).

About your headline:
Don’t use two security programs for one layer at the same time.

I treat all downloads as untrusted regardless of the source. Microsoft’s updates are untrusted as are their utilities. Programs downloaded from anywhere are untrusted. Drivers from AMD, nVidia, or anywhere are untrusted. Hence the need for image backups to restore to a prior state. Trust is something earned, not merely assumed even for well-known sources. Being well-known as a source doesn’t make it a trusted source. A download is untrusted. It is untrusted when installed. Only after gaining familiarity with the operation and behavior of an installed download and after time does something gain your trust. That we’ve had to normally operate under a trust model in the past regarding operating systems and installations for them has somehow altered our definition of trust. Respect is something you give to some degree on first meeting but trust is earned over time. We all know what betrayal feels like and it isn’t from not being respected but from losing trust.

Before considering use of sandboxes, I have used image backups and virtual machines (and disk virtualization via Returnil) to let some software earn trust. I don’t just dole out absolute trust simply because of the source. Digitally signed software is an indicator that the source is not malicious but malware can be signed, too, and while not malicious the digitally signed well-known sourced software may still have undesirable behavior. Disk virtualization and virtual machines provide protection until trust is earned but they incur more overhead than I’d sometimes like to bother with so sandboxing represents a middle solution: not quite as isolative as true virtualization but sometimes sufficient as a comfortable level of security.

Be aware that I don’t even trust Comodo’s products. They, too, will have to earn trust which is something gained over time. For example, I mentioned TCP changers and Comodo’s installer is one of them. By default, its installer has enabled the choice to use Comodo’s secure DNS servers. That will alter the current TCP/IP setup regarding the DNS server list configured for your host. Most users won’t understand what that option does merely because it is presented in an installer screen. Even experts would have to research first (before installing) to know what that option will do. Maybe you are VPN’ing into your company’s network and they don’t permit use of external DNS servers (you must use theirs), so while it looks like a desirable option that doesn’t mean it is desirable, because the result could be that you can no longer browse anywhere because you won’t get any DNS lookups completed. That’s not my situation but my concern is if Comodo protects network configuration on the host, an example of which would be the Windows firewall exclusions. It’s not just TCP changers (malware) that do this but even a wanted program with undesirable behavior (goodware that you might have chosen to trust but really shouldn’t have). I’ve seen programs from well-known sources that modify those exclusions to permit their operation as their author designed it and perhaps it wants to listen on a port for external connections without alerting the user with Windows firewall prompts. They may not so much be hiding the fact that they added an exclusion as trying to be nice to the user by not having them worry about the alerts and figuring out whether or not to add the exclusion to the firewall. For common users this is probably okay but experts want to be notified that their firewall exclusions have been changed.

I am currently testing Comodo Firewall in a virtual machine to gain some trust that its operation and behavior are what I want. Comodo is a well-known source but I don’t blindly give it trust (that it does what I want and doesn’t hide what I don’t want). It will have to earn trust, not just assume it. The online manual isn’t very detailed so the only way to get those details is to ask here in the forums hoping someone expert enough can respond or go experiment with the product on a test host or in a virtual machine (although a real test host is better testing rather than using emulated hardware). I figured someone that already had CF installed and gained experience with it could go look in the security settings of Defense+ to see if it had a rule to cover the protection of the Windows firewall keys. That would provide an indicator if CF would protect other network-related keys, too. I didn’t get a quick response so I had to go look for myself by testing CF in a VM, plus reading up on CF raised so many other questions that self-testing was the only effective means of getting the answers.

I asked about trusted sources, because it sounds as if you have to face signed malware each day.

It’s not like the world is waiting for one person to detect all hidden dangers. I mean, if you use a program that is not a newcomer, why does it have to be you who detects a possible “misbehaviour”?

I would rather use my computer, and think a few thoughts before I install something, than get afraid and waste time testing everything. I don’t get infected.
I use a combination of security things, so I DON’T have to think all day about “this or that”.

The more you know, the more you don’t have to gain.
But you choose to gain knowledge to rethink and redo it again and again.

Everyone who installs something should know this sentence: know what you do, know what you marked, don’t install blind. The DNS is a window during installation. It’s a choice.
In installers you can get “toolbars or whatever”. That’s no argument: “something is in an installer, so it must be there”.
The internet is giving you choices. Use it if you are able to make these.

After many years of your testing, you will realize that you didn’t gain more protection, but wasted a lot of time.
How often did you find the hidden misbehaviour? Or do you just try to prove to yourself that there’s nothing to find?

You can cover only things that you can look for after knowing about them. Maybe you get infected by something that you don’t know to look for… and you wasted all the time.

IF you find something, well, let the people know.
I am trying to say: it’s not useless, but most of the time it’s not needed to act like you described.

If you want to label a program as trusted and thereby let it do anything it wants then you go right ahead. It’s your computer so you let others do whatever they want. That’s not what I do on my computer.

qttask. Is it needed for QuickTime? No, so why waste time loading it on login to detect that you configured it NOT to show its tray icon so it just unloads. It loads, it unloads, it wastes time and resources on Windows startup and login. And how would you know that qttask showed up as a startup entry? And why does it show up after you configured the program to not load it? And when you disable it using msconfig or SysInternals AutoRuns, why does that startup entry show up again after you use QuickTime player? Because QuickTime has an unwanted behavior of replacing its startup entry if found missing, so your disabling it becomes obviated by them replacing it. That’s rude. If you like that they don’t honor the config settings then be happy with your choice. For me, I don’t want their startup entry reappearing so I use WinPatrol to not only disable the startup entry but also look for it again and, if found, disable it again. I want it gone, the software won’t honor that choice, so I enforce it.

Why might I be the first to notice an unwanted behavior in an otherwise old or well-known program? Gee, perhaps it’s because I look, like using programs that tell me when a program makes a network connection that has nothing to do with networking. Don’t remember the program but it didn’t have any function that required a network connection other than a manual update check (and NOT an auto-update check). I wasn’t doing an update so why was the product phoning home? Why didn’t anyone else tell the author about this? Maybe they did but does that mean every user is going to know about it?

Why are you even using any security software that tells you about the behaviors of programs on your host if you’re going to let those automatically trusted apps do whatever they want? Why would you even go off on a tangent and claim that no one is waiting for one person to detect all dangers? I’m trying to protect myself, not everyone else. Also, having a “few thoughts” about a program will tell you nothing about how it actually operates. Some research - like what I’m doing HERE - will help but still you go somewhat blindly into using software. That’s why I have a scheme of testing in a virtual machine, using it on the real host but with the disk virtualized (Returnil), and then running it on the real host with security software watching it. For the install, I monitor all changes made by the install of the product so I can thoroughly eradicate it later. A product, just like a person, has to earn trust, not just get it automatically. You like to trust easily. I don’t.

After many years of gaining knowledge regarding malware, security, the OS, and other “security things”, I have more knowledge than you and HAVE obtained better protection. I’m sure your particular hobby would be considered a waste of time to others. That some users will expend the effort to research products and secure their host but do so only on their terms is something you don’t have the desire or energy to pursue, but don’t expect your laziness to be typical of others, especially when already discussing security software in forums to address that topic.

I didn’t try to speak about whether it’s good or bad what you do. I just tried to let you know it’s possible to have it easier and you don’t get infected either.

Of course I look at what things do. But not because the word in Comodo is “treat as trusted”. I would name this point “treat as: I think it’s ok”. It’s the wrong word, but the right point for usual things.

You are lucky. You can set Comodo to paranoid mode. And you will get notified about anything! About the start entry, about anything. I hope you don’t get annoyed :wink:

Why do you use QuickTime then? I wouldn’t. :smiley:
My startup is watched carefully. I am not lazy. But after years of pressing through all questions, I found out it wasn’t necessary for me. So I learned, and used the learning for having more comfort in the future. Without decreasing the real protection.

Maybe I wasn’t clear: NEVER trust the internet, so don’t mark programs as trusted in the firewall rules! Use custom mode for the firewall. And if you don’t want to answer millions of IP questions, but you want to use a program online, let it go “outgoing”.
But in Defense+, if you know that you will use this “messenger” which you loaded from a “reputed magazine” for a regular time, and you don’t want to press through all questions, you could better call it “treat as trusted” than disable the security software because it annoys :wink: .
But if you have fun with it, press all the buttons. :slight_smile:
Nothing wrong here.

And when you say my words wouldn’t fit a discussion in a security forum, then you don’t see that security should also mean you don’t need to actively defend yourself all day. Security gives a benefit.

Oh, your words make it a fact. :wink:
I am happy that my protection (including my acting) is good enough to have saved me from any infection. And I had so much time left to use my computer for what I got it for.

What is your opinion about paranoid mode? Does it fit your intention?

I am currently trialing a new security suite setup to determine what I might decide to change. This thread was not intended to devolve into personal opinions regarding how different users may employ the same security product in different ways. After all, even Comodo recognizes users want different behavior from the same product by the very presence of so many configuration options. You want to use security products your way so please be equally considerate in acknowledging that I may want to use them differently. I’ve been doing software and hardware QA for over 20 years so I investigate and test rather than just accept. Some folks like to take their cars into the repair shop and trust them to do the repair while others like to know more about just what the repair shop intends to do and some others will do it themselves for most control. Depends on how involved the person wants to be. You want to be less involved and hope a security product does its best to protect you but I’m not your clone so I have a different purpose for using the same product where I get more involved. I’m sure there is some hobby or activity in which you are interested in which I have no interest. I have guns and enjoy hitting the shooting range and then I dismantle my guns for a thorough cleaning afterwards while others might just run a cleaning rod through the barrel. That’s all the maintenance they want to do but I prefer not only better cleaning but more understanding of how the mechanism works, too. That I am more thorough in cleaning doesn’t mean they have to be AND vice versa.

As to Paranoid Mode, I may go that way if I find that I want more control or, at least, more information about what is happening on my host. Again this has to do with earning trust. If over time I see Comodo’s product has made correct decisions then I may start with Paranoid Mode and later reduce to Safe or Clean PC mode. Of course, starting in Paranoid Mode means I’ll be making the decisions and not Comodo so I won’t be able to see if Comodo would’ve made the correct decisions.

Right now I’m a bit busy in trialing various Comodo and other security and recovery products and cannot see that this discussion regarding personal opinions (in which I’m also guilty of getting sidetracked) has value in helping with those trials. Since no one else has chimed in to say whether I was right or wrong in my answer to myself (the update to my starter post in this thread), I’ll have to assume for now that I did find the answer and that the original question is resolved.

Look, you suddenly came to speak about my view as if it was wrong. As if I am stupid, lazy, blindly trusting. That’s wrong. I come from using paranoid mode for years :wink:

Initially, I just saw someone having a single question, but writing a book about this and that. Imagine if all would do that, no one could find the time to read through all this.
That’s why I tried to say, maybe you suspect too much.

Now you call my words a suggestion to clone.
I had to “defend” my opinion. Which wasn’t wrong. As my history proved. And you can clean your barrels like you want. I didn’t want to discuss your way. I gave an example, and worded it with reasons. I saw it could be helpful for you to see that it can be easier and safe too.

I was kind enough to read through your books, as no one answered. If you don’t care what I say, at least, if you have a question, just write it. Don’t explain too many unrelated things, to which people like me would try to answer additionally.

If your (technical knowledge based) question is whether Comodo monitors changes in the Windows firewall exclusions, and you have enough knowledge to look behind the buttons, then I would simply answer:
Use a better firewall than the one from Windows. A two-way firewall. So, if you try to use the Comodo firewall with Defense+, you don’t need to worry about the Windows firewall. Disable it, and have better protection with Comodo. :slight_smile:

I chose Comodo at first as a firewall. Then I got Defense+ with it. Win.
I don’t use the sandbox of it, nor the antivirus of it, nor the cloud features. (I use a sandbox and an antivirus though).

Btw, I don’t know if in your country people would use the word “one” in a sentence if they speak about a “generalized you”. Maybe that’s why we don’t understand each other that well :smiley: