CFP 3's Defense+

Hi, everyone!

First of all, just let me congratulate you guys on this wonderful piece of software: It’s been some time since I’ve left the old ZA behind and started looking for a really good firewall that wouldn’t make me wait 2 to 3 mins after booting just to load itself into memory: You guys nailed it! (:CLP)
I have some questions, though, since I’m a newbie here :), but I’d like to give you a background first: I have around 18 years of experience (using, operating, assembling, configuring, repairing and even some programming) with PCs, and although I’m kind of a “minimalist nut”, for some time now, I have on my system 2 AVs (currently Avast & Anti-Vir) updated & run “manually” monthly, 2 anti-spywares (currently Ad-Aware 2007 & Spybot S&D) updated & run “manually” pretty much every 15 days, 2 resident “anti-spyware prevention progs” (Spybot’s TeaTimer & Spyware Blaster) updated “manually” every 15 days, 1 anti-trojan (A-squared) updated and run (you guessed it… :)) every 15 days, and since I, well, pretty much “know my way” around the Net, I rarely - if ever - get any sorts of viruses, worms, trojans, etc.
So, my questions are:

  1. Besides all the “checks” I do pretty much all the time on my system, should I still use Defense+ full on, or can I just use CFP 3 + “Leak Protection”, or not even that?
  2. If I need it on, what sort of policies should I use - what do you use - for normal, general, non-MS programs like, for instance, JWPce, CDBurner XP Pro, VLC, Winamp, DVDShrink, Photo Plus, Skype, etc.? “Trusted Application”? “Limited”?

Thank you very much in advance & “kudos” for Comodo,
XVoX.

Greetings, and welcome to the forums!

Setup looks fine, though you might want to ditch TeaTimer (uses a lot of resources for such a small program). Also, if you enable Defense+, it’ll offer around the same protection, but Defense+ includes a lot more protection options.

Defense+ isn’t like antiviruses. It protects against known and unknown threats. Also, seeing as you don’t have any real-time antivirus, I would recommend Defense+ to be fully enabled.
Defense+ offers protection for your whole system, while ‘Leak Protection’ will only protect against some methods malware might use to phone home.
Also, if you go for the ‘full version’ of Defense+, you can go to Defense+ → Advanced → Defense+ Settings → Monitor Settings, and choose what you want Defense+ to monitor.
If your computer is clean, you can use Clean PC Mode, which will treat all applications installed before CFP 3 as trusted, but you’ll be prompted about new ones.
Else, you can use Training Mode and run all applications you normally use, so that Defense+ will create rules for them automatically.
If you’re a power-user, with some understanding of what the different options are, you could go for Paranoid Mode, and configure the applications manually.

Normally, it’s safe to set them to ‘Trusted’, but else, do like I wrote above, and use Clean PC Mode or Training Mode.

Cheers,
Ragwing

If you’re running Avast and Avira in real time, that’s not a good idea. 2 AVs at once doesn’t mean you will be better protected.

I think he’s only running them on-demand.

Hi, Ragwing & Vettetech, and thank you very much for your help.

Sorry for initially posting in the wrong thread.
Vettetech, as Ragwing said, I’m running all this on-demand only… Else I wouldn’t be able to get anything done at all here! :)
Ragwing, I followed your advice and turned TeaTimer off and took it out of system startup: The system is certainly booting faster now… :) Also, Defense+ is fully enabled and running in Clean PC Mode, for now, which actually takes me to my next questions:

  1. For how long do you think I should leave Defense+ on Clean PC Mode before going to (at least) Safe Mode? 1, 2 months maybe?
  2. The “safe executables” referred to by Defense+ Settings on Safe Mode will only be the “Trusted Applications”? What about in Paranoid Mode?
  3. I’m considering creating a Predefined Security Policy - if there isn’t such already - for most “safe” applications that allows them to use pretty much all system resources, as long as they don’t try to do any “persistent” changes in the system or its settings, like modifying registry keys, putting themselves in the “Initialization” folder of the “Start” menu, or even nosy stuff without consulting me, like “sending anonymous statistics”, auto-updating, etc., in which case I’d want Defense+ to alert and ask me what to do. This would be especially useful with apps such as Real Player, Quicktime or even Windows Media Player, that, while being “genuine apps”, have the annoying habit of trying to go unnoticed running sneaky stuff like realsched, qt, etc. in the background. So can you help me set the Access Rights & Protection Settings? I mean, I have to do more than only setting “Protected Registry Keys” to “Ask”, right?
  4. Finally, is there a way to set the alerts - only the ones that ask you to decide something - to remain on the screen indefinitely until I decide to allow the action or not, instead of any number of secs?

Well, once again, thank you very much for your help,
XVoX.

Hi XVoX,

To answer some of your questions, “Clean PC Mode” you would use if you are SURE your computer is clean of malware. Clean PC Mode also provides “pending files” which you can submit to Comodo for analysis, or you can simply remove them from time to time as the list builds up. Clean PC Mode also assumes all currently installed applications on your computer are safe, so 0 pop-ups will be received for them, but for unknown ones or new ones entering the PC, you will receive pop-ups. Safe Mode is to learn applications & allow/deny apps… Use that setting only if you are not sure your computer is clean of malware. I don’t recommend Paranoid Mode - it really will drive you paranoid & is only recommended for advanced users.

That’s to answer most of your questions. I also recommend you read my sticky here.

Thanks,
Josh

For any program that may come into contact with malicious content, I would recommend not using Trusted Application, Windows System Application, or similar predefined policies. These types of programs can encounter buffer overflow exploits, malicious scripts, etc.

To prevent persistent changes to valuable places and also executable execution, in your policy, set these to Ask: Run an executable, Device Driver Installations, Protected Registry Keys, Protected Files/Folders, Disk. The rest you can set to Allow. But beware, that with these settings, malware could still do things such as modify other processes and then have the modified processes carry out malicious activities.

Yes. In Defense+ Settings and also in Firewall Settings, change ‘keep an alert on screen’ setting to a large number.

Hi, 3xist & MrBrian, and thank you very much for your help!

3xist, thank you very much for your answer to my “Clean PC”/“Safe”/“Paranoid” question, I think I got it now.
MrBrian, thanks for your answers and you have a point there: I’d still be vulnerable to some malware with these settings… I think I’m going to use this policy only with a few well known programs, and put every other app on the default “Custom Policy” (“Ask” for everything): This way, I can decide what CFP should do in each circumstance on a case-by-case basis. Anyway, I’d like to ask you some other questions:

  1. Is there a way to transfer the files from “My Pending Files” or “My Own Safe Files” to the “Computer Security Policy” area, so that I could give them specific permissions instead of just telling Comodo they are “safe”?
  2. I’ve also been trying to put “notepad.exe”, for instance, which is actually in the system folder, in the “Windows System Applications” group in the “Computer Security Policy” section, but I’ve been unsuccessful so far. Isn’t there a way to do that?
  3. Finally, I’ve noticed that when browsing through some sites for a while on Firefox but then leaving them, even if I have only one tab open and I’m looking at just one site, CFP’s Firewall indicates something like 30+ outbound connections from Firefox for a while, even after I closed the other pages, as long as I don’t close Firefox. Is this normal? If so, why? I mean, I "whois"d some of the addresses, and some of them weren’t even sites I visited: They were backbones or big Internet corporations, from Japan to the States… Given that I’m in Brazil, shouldn’t my backbones be from here? Also, sometimes I’m browsing just one page, but there are like 3 or 5 connections to the same site, even to the same port. Why is that?
    At last, I’d like to make a suggestion to the Comodo team: Wherever there is an address field on CFP, I think it’d be a good idea to have a “whois” option on the right click menu.

Anyway, once again,
Thank you very much for your help and sorry for taking so long to reply,
XVoX

  1. I don’t believe so. However, you can delete unwanted entries manually.
  2. This should work. Are you getting an error message?
  3. Normal. Third parties often deliver ads, help with website analytics, etc.

You’ll need to go to Defense+ → Common Tasks → My Protected Files, and click ‘Groups…’ to the right.
From here, you’ll be able to add file(s) to ‘Windows System Applications’.

Cheers,
Ragwing

Hi, MrBrian & Ragwing, and thank you very much for your help!

Removing the entries from “My Pending/Safe/etc. Files” as MrBrian said and then doing what Ragwing said answered my questions 1 and 2, and thank you for answering number 3, MrBrian. I’m only having one problem here, and I was hoping you guys could help me: If I add some app to the “All Applications” group (on “My File Groups”, on “My Protected Files”), even though it appears on the “All Applications” group in “My Computer Security Policy”, where it has a “Custom Policy” - “Ask” for everything, when I run the file, CFP only warns me what the app is doing instead of asking me if I allow it or not, and creates a second entry for the same app, outside of the group, with that permission set to “Allow”. Shouldn’t it consult the “All Applications” policy and ask me? Also, does the “Custom Policy” on the “All Applications” group mean that all in that group will follow that policy or that each app may have its own custom policy?

Thank you very much, once again,
XVoX.

You’re welcome :)

You shouldn’t have to add an app to the ‘All Applications’ group, since it already has all applications in default settings. CFP honors the ‘allow’ and ‘block’ settings in the ‘All Applications’ group, but not the ‘ask’ settings. (If CFP honored the ‘ask’ settings of the ‘All Applications’ group, how would you ever be able to specify individual policies for separate programs?) Also, make sure the ‘All Applications’ group appears at the top of the Computer Security Policy list, since list order makes a difference to enforcement order. You should place programs before ‘All Applications’ in the list only for those programs that you want to exclude from enforcement of the policy in ‘All Applications’.