“As companies continue to zero in on the silver bullet of “protection” without considering the redundancy and impotence of their security layers, the result is a porous security posture with limited capabilities.” ~Comodo
Sums it up.
1. What actually happened or you saw:
c:*.* any any any any any ask because of open vpn classified as windows operating system which is allow all
found over 100 suspicious outbound ip on legitimate safe before i gave up in despair
2. What you wanted to happen or see:
Learn and set specific rules for application:
Ok sure, set up a warning box to yell at me, hey stupid if this is an online game/torrent client/web browser/chat app where you will encounter an unlimited number of ips, and so make an unlimited number of rules, which will degrade performance until computer crashes.
Give the user 3 options:
1 Modify learning, so they can for example ignore ips and focus on ports change default learning period etc and add learned ip into specific network zones / port sets as an option.
2 Learn more, goes off to a help me documentation page explain ips ports etc.
Mouse hover IP show Whois who owns IP address (at least as an advanced settings option)
Right click on ip and open full. Whois.
Drag and highlight the ip, Single Double Triple click selections, right click copy.
Right-click on ip and check ip reputation databases. ipvoid
Right click on ip and telnet on port 80 and send a http get to see the code.
Right click on ip and allow / deny this specific connection. (factor in windows random ports)
Right click on ip / executable and show filtered logs. (for only that app / ip)
Right click on ip / executable and google it. file.net
Right click on port, look up port info. Speedguide
Right click on application and send to Virus total.
Right click on application and send hash to cloud and get hips baseline, ip/port requirements. (even crowdsourced because of games etc)
Right click on application and sandbox it/auto sandbox.
Right click on application and send to various online sandboxes for 3rd party validation. Hybrid-analysis.
Right click on application and temporally monitor it at various levels of of aggressive debugging and logging desired elements.
Right click on application and get detailed sandbox reports with various cloud based statistics and a malicious confidence score.
Right click on registry key and go to said key.
Right click on registry key and export, then allow.
Right click on registry key and google it.
Step back and forward though alert bubbles if you don’t catch them in time and pause on specific bubble.
Application is trying to access a com interface reg key etc, which com interface.
Normal usage baseline, learns over time, sets tightest possible then shares. (opt in)
Checks new alert via hash table database gathers/pulls statistics. (opt in push/pull)
Timed hips disable, we can forget.
Hips options in install, not just disabled by default, also include learning.
On registry alert drop down arrow to show key more prominent easily overlooked.
Pretty much same complaints apply all of above.
Easy right click filtering.
Saved filter profiles.
Quick search bar.
Row and column select and copy post filter.
Adding a rule:
In the drop down box for allow, deny, ask, have disable.
Add folder in other menu.
Application rules / Rulesets.
Compressing rules into specific Network zones / port sets.
Disable rule, Testing/not using.
Various forms of selection, mouse over whois.
Cloud learning of tight rules. (opt in push/pull and user set blacklist of cloud learn for ip, app, port etc)
Company column that scrapes whois Org name. ie Google Inc.
Range collum that scrapes whois range.
Organizational nesting for drop down menus games>Haflife>Cloudflare.
Sorting of ports / ip.
Various forms of selection and splitting into new network zone.
Quick search of network zone name.
Easy export into csv like with comma, tab and newline delimiter to eyeball for corruption pasting on forums / backup. (preferably human readable)
Bulk pasting Ips/Port with a comma / tab delimiter. Perhaps even CIDR format compatibility.
Supplement your income, separate product, scale it, remove limits, sell it.
Detailed comparison of competition here.
Ice-dragon really don’t like you zeroing out various uuid complains about a corrupted profile so you have to start it with -p
Enable persistence option.
Saved session menu.
Ability to set deep debugging variable verbosity.
Precise approval of specific events (people are going to patch and keygen better to contain)
File export, save files etc.
Green border suppression option.
Launching of files from quarantine into untrusted sandbox.
Certain actions with a very high probability of being malicious immediately reversed and re run inside sandbox, and analyzed regardless of code signing.
Approve all changes from sandbox post reading of report (eg some open source)
Export as wireshark filter pretty much everywhere every how, echo into a text file.
Deliver updates from a Comodo ip, fail-over to Cloudflare, for a CA its a bad look.
Permanent Yahoo opt out button.
Self check for corruption due to nested virtualization. Occasional update file refresh.
Anything but raw Credit Card info on website.
Various ? buttons linking back to documentation most notably proactive.
Blocked applications to show which rules affecting it.
Easy No vpn leak button for untrained users.
Various right click whats this? liking to documentation for descriptions in layman’s terms of ip/port reg etc.
“of recent process ?tree? actions” popup on mouse over block terminate and reverse, when simple mode is enabled
keep seamlessly integrating all of sysinternals with your own unique flavor.
Im sure most of your users including me will be happy to pay for all of the above.
While some features would requite substantial time and resources, most are trivial to implement and are absolutely essential. The firewall as it stands currently is a nightmare. Im looking for a replacement.
3. Why you think it is desirable:
UI is the greatest single piece of marketing for prospective enterprise clients, perfect it.
Techs with evolving custom rules will install Comodo as a diagnostic layer, then be happy to leave it for their customers.
It don’t matter if an alert is tripped if users don’t know how to interpret it. Help them learn with verification.
When exploits get famous, and reports referencing use of Comodo - again marketing.
For the sake of our sanity when setting tight minimalist ip whitelists.
Will make comodo vastly more popular with everyone skilled and unskilled alike
4. Any other information:
Still Thinking about what to add, and tweak but done.