My problem is as follows:
Recently I had a new malware attack spreading all over my enterprise network. Surprisingly, it only infected Windows machines with Comodo Firewall installed, apparently because Comodo Firewall by default allows all generated traffic initiated by applications digitally signed by Comodo stamping services (malware included).
So, my question is:
How can I customize Comodo Firewall in order to block ALL traffic/applications (inbound/outbound) but one, without exceptions, and prevent it from asking further questions?
rule 1 – allow loopback traffic
rule 2 – allow “C:\Program Files\RDBv3\querydb.exe”
rule 3 – BLOCK ALL other traffic/applications/ports/protocols etc (inbound and outbound) WITHOUT ANY KIND OF EXCEPTION!!! (regardless of its digital signature)
I haven’t used Comodo for a couple of months now, so there is a chance that the interface of the version you are using is different from that which I last used, but you can check this out.
Bring up the Comodo interface window. In the “Summary” tab, look up “Network Defense”. Click on your current policy mode to open a dialog box, and in the “General Settings” tab set the Firewall Security Level to “Custom Policy Mode” by adjusting the slider. [To disable all alerts – In the same dialog, shift from “General Settings” to “Alert Settings” and uncheck all the “Enable alerts for xxx requests” boxes.] Click “OK”.
Go from the “Summary” tab to “Firewall” tab. Click on “Advanced”. Go to “Network Security Policy”. Work under “Application Rules”. If there are entries present over there, remove them. Click on “Add,” then select the path to your application using either “Running processes” or “Browse”. Apply to it “Trusted Application” from the available predefined policies. Click “OK”.
You would also need to add parent or dependent process(es) for it to function properly; also, you might need to allow some rights to svchost.exe. So I would rather you didn’t disable the alert boxes until you have figured out whether or not there are processes (other than “querydb.exe”) that might require some kind of access.
Hope this helps a bit. Have a nice time.
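To find out which processes besides querydb.exe actually use the network before switching alerts off, the following inventory script can be run on the host. It is an added example, not code from the original post or from Comodo; it lists every process that currently owns a TCP connection, its image path, its Authenticode signer, and whether it is on an assumed allow-list (the only entry being the querydb.exe path from the question).

```powershell
# Added example (not from the original post or from Comodo): inventory the
# processes that currently hold TCP connections or listening sockets, with their
# image path and Authenticode signer, so you can decide which processes besides
# querydb.exe need a rule before alerts are switched off. Run in an elevated
# PowerShell on the Windows host being locked down; the allow-list is an assumption.
$AllowedImages = @('C:\Program Files\RDBv3\querydb.exe')   # assumed allow-list

function Get-NetworkProcessInventory {
    # One row per owning process, joined with signature details. A signed binary
    # is not automatically trustworthy (the question's point), so the signer is
    # shown for review rather than used to decide anything.
    $byPid = Get-NetTCPConnection | Group-Object -Property OwningProcess
    foreach ($group in $byPid) {
        $proc = Get-Process -Id ([int]$group.Name) -ErrorAction SilentlyContinue
        # Skip kernel-owned sockets such as PID 4 (System), which have no image path.
        if (-not $proc -or -not $proc.Path) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path
        [PSCustomObject]@{
            Pid         = [int]$group.Name
            Image       = $proc.Path
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Connections = $group.Count
            RemoteHosts = ($group.Group |
                           Where-Object State -eq 'Established' |
                           Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
            Allowed     = $AllowedImages -contains $proc.Path
        }
    }
}

# Unallowed processes first; anything listed there that is legitimately needed
# (e.g. svchost.exe or a parent of querydb.exe) is a candidate for its own rule.
Get-NetworkProcessInventory |
    Sort-Object Allowed, Image |
    Format-Table Pid, Allowed, SigStatus, Image, RemoteHosts -AutoSize
```

Running it a few times over a normal working session, before the "block all" rule goes in, gives a short list of candidates to add as rules rather than waiting for alerts.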