Don’t yet have CIS installed. Still investigating the technical merits of the freeware version of Comodo Internet Security (CIS) on Windows XP Pro SP-3.
One type of malware (if allowed to run on your host) is a TCP changer. That is, it goes into the TCP settings for your network devices to alter the DNS server to which your host will connect to resolve hostnames into IP addresses. By modifying the DNS server list in your TCP/IP settings, they can get you to use a compromised or malicious DNS server. That means when you try to visit a hostname that their DNS server will returned an IP address to their scam/phish/malicious web site.
Hopefully the TCP changer gets detected when it tries to install or run on your host but we all know that sigs for malware won’t cover zero-day malware hence the need for HIPS (host intrustion prevention system) functionality, like Defense+. What I’m wondering is if one of the registry keys protected by Defense+ include the following parent key and its subkeys use to define policies/excludes to the Windows firewall:
This has the list of IP addresses for whatever DNS servers are configured for use by your TCP/IP setup. If you’re using DHCP to dynamically assigned an IP address to your host then this list will probably be empty (unless you insert entries as overrides). I don’t use the DHCP server in the router to assign IP address addresses to my intranet hosts. I currently assign a static IP address to my hosts (since they are in my intranet - LAN-side of my router) but others in my family use the router’s DHCP server to get their IP address. The router is obviously not a DNS server so the one assigned by your ISP gets used. So my other family gets the ISP’s DNS server to use for lookups while I specified a static list of DNS servers to use for my own hosts (with the router as the last one in the list so it’s pass-through to the ISP’s DNS server gets used as a last resort). I don’t know how Comodo can protect which DNS server gets used if it is dynamically assigned via DHCP since the list of static DNS servers in the TCP/IP setup will be empty. In my case with a static IP address and a static list of DNS servers, I want to ensure that some malware doesn’t alter that list to point my lookups to a compromised or malicious DNS server.
Yes, I know about Comodo’s secure DNS server setup (TrustConnect) but I don’t want to use that plus I don’t think it’s part of the free CIS product and only in their payware versions. I don’t like using any DNS server that resorts to redirects to their or a 3rd party search engine. If the lookup fails then I want it to fail just like it’s supposed to for DNS specifications, not to succeed by pointing at some “helper DNS” page with search results.
— UPDATE —
Installed Comodo Firewall (since I didn’t want their Antivirus in the Comodo Internet Security suite, just Firewall and Defense+) in a virtual machine. This let me look at the configuration for Comodo Firewall.
Nope, there is no entry to protect the registry key that specifies the TCP/IP setup. That means even if you elect to use Comodo’s Secure DNS Servers (an option during the install that changes the DNS servers in your TCP/IP config), you might not be using them. Any TCP changer (whether malware, ransomware, or even goodware) that changes the list of DNS servers in your TCP/IP setup will be allowed to modify that registry key.
Under Defense+ tab → Computer Security Policy → Protected Registry Keys tab, there is the following entry:
Okay, but that’s for the backup copies, not the current copy. The current one is under:
Modifying these keys does NOT require installing a new service, so Comodo won’t be seeing a new service getting defined to Windows. Without protecting this key (and its subkeys), configuration of existing services is permitted and possibly without an alert.
Why would Comodo be protecting the backup copies of ControlSet and not the current one? Ah, wait a minute, something is starting to surface from my memory.
There are only 2 real hives in the registry: HKLM (local machine) and HKU (user). The others you see in regedit.exe or other registry editors are pseudo-hives that are duplicates or composites of values copied from HKLM and HKU. Remembering this made me remember that CurrentControlSet is actually a pointer to whichever ControlSet is identified as the current one. Hold one while I look in the registry …
I believe that defines which is the current control set. It has data items named:
These can have the same or different values. The data item named “Current” has a value of 2 which means CurrentControlSet is a duplicate of ControlSet002.
I had forgotten that CurrentControlSet was a pointer to whichever was the current-marked ControlSet??? registry key (and its subkeys). Okay, so because the source ControlSet??? registry keys are protected by Comodo then presumably the CurrentControlSet would also be protected. Well, I hope it works this way in Comodo.