Comodo could be quite formidable.

ifurn0 · February 24, 2019, 5:03am

“As companies continue to zero in on the silver bullet of “protection” without considering the redundancy and impotence of their security layers, the result is a porous security posture with limited capabilities.” ~Comodo

Sums it up.

1. What actually happened or you saw:
c:*.* any any any any any ask because of open vpn classified as windows operating system which is allow all
found over 100 suspicious outbound ip on legitimate safe before i gave up in despair

2. What you wanted to happen or see:

Firewall:
Learn and set specific rules for application:
Ok sure, set up a warning box to yell at me, hey stupid if this is an online game/torrent client/web browser/chat app where you will encounter an unlimited number of ips, and so make an unlimited number of rules, which will degrade performance until computer crashes.

Give the user 3 options:
1 Modify learning, so they can for example ignore ips and focus on ports change default learning period etc and add learned ip into specific network zones / port sets as an option.
2 Learn more, goes off to a help me documentation page explain ips ports etc.
3 Cancel.

Notifications:
Mouse hover IP show Whois who owns IP address (at least as an advanced settings option)
Right click on ip and open full. Whois.
Drag and highlight the ip, Single Double Triple click selections, right click copy.
Right-click on ip and check ip reputation databases. ipvoid
Right click on ip and telnet on port 80 and send a http get to see the code.
Right click on ip and allow / deny this specific connection. (factor in windows random ports)
Right click on ip / executable and show filtered logs. (for only that app / ip)
Right click on ip / executable and google it. file.net
Right click on port, look up port info. Speedguide
Right click on application and send to Virus total.
Right click on application and send hash to cloud and get hips baseline, ip/port requirements. (even crowdsourced because of games etc)
Right click on application and sandbox it/auto sandbox.
Right click on application and send to various online sandboxes for 3rd party validation. Hybrid-analysis.
Right click on application and temporally monitor it at various levels of of aggressive debugging and logging desired elements.
Right click on application and get detailed sandbox reports with various cloud based statistics and a malicious confidence score.
Right click on registry key and go to said key.
Right click on registry key and export, then allow.
Right click on registry key and google it.
Step back and forward though alert bubbles if you don’t catch them in time and pause on specific bubble.

Hips rules:
Application is trying to access a com interface reg key etc, which com interface.
Normal usage baseline, learns over time, sets tightest possible then shares. (opt in)
Checks new alert via hash table database gathers/pulls statistics. (opt in push/pull)
Timed hips disable, we can forget.
Hips options in install, not just disabled by default, also include learning.
On registry alert drop down arrow to show key more prominent easily overlooked.

Logs:
Pretty much same complaints apply all of above.
Easy right click filtering.
Persistent filters.
Saved filter profiles.
Quick search bar.
Row and column select and copy post filter.

Adding a rule:
In the drop down box for allow, deny, ask, have disable.
Add folder in other menu.

Application rules / Rulesets.
Compressing rules into specific Network zones / port sets.
Disable rule, Testing/not using.
Various forms of selection, mouse over whois.
Cloud learning of tight rules. (opt in push/pull and user set blacklist of cloud learn for ip, app, port etc)

Network zones:
Company column that scrapes whois Org name. ie Google Inc.
Range collum that scrapes whois range.
Organizational nesting for drop down menus games>Haflife>Cloudflare.
Sorting of ports / ip.
Various forms of selection and splitting into new network zone.
Quick search of network zone name.
Easy export into csv like with comma, tab and newline delimiter to eyeball for corruption pasting on forums / backup. (preferably human readable)
Bulk pasting Ips/Port with a comma / tab delimiter. Perhaps even CIDR format compatibility.

Vpn:
Supplement your income, separate product, scale it, remove limits, sell it.
Detailed comparison of competition here.

Browser hardening:

github.com

pyllyukko/user.js/blob/master/README.md

# user.js

**Firefox configuration hardening**

A [user.js](http://kb.mozillazine.org/User.js_file) configuration file for [Mozilla Firefox](https://www.mozilla.org/en-US/firefox/new/) designed to harden browser settings and make it more secure.

**This is a default template with every possible hardening measure enforced. See the [relaxed branch](https://github.com/pyllyukko/user.js/tree/relaxed) for a variant providing more usability**

[![Build Status](https://github.com/pyllyukko/user.js/actions/workflows/ci.yml/badge.svg)](https://github.com/pyllyukko/user.js/actions)

### Main goals

* Limit the possibilities to track the user through [web analytics](https://en.wikipedia.org/wiki/Web_analytics).
* Harden the browser against known data disclosure or code execution vulnerabilities.
* Limit the browser from storing anything even remotely sensitive persistently.
* Make sure the browser doesn't reveal too much information to [shoulder surfers](https://en.wikipedia.org/wiki/Shoulder_surfing_%28computer_security%29).
* Harden the browser's encryption (cipher suites, protocols).
* Limit possibilities to uniquely identify the browser/device using [browser fingerprinting](https://en.wikipedia.org/wiki/Device_fingerprint).
* Hopefully limit the attack surface by disabling various features.
* Still be usable in daily use.

This file has been truncated. show original

Ice-dragon really don’t like you zeroing out various uuid complains about a corrupted profile so you have to start it with -p

Sandbox:
Enable persistence option.
Saved session menu.
Ability to set deep debugging variable verbosity.
Precise approval of specific events (people are going to patch and keygen better to contain)
File export, save files etc.
Green border suppression option.
Launching of files from quarantine into untrusted sandbox.
Certain actions with a very high probability of being malicious immediately reversed and re run inside sandbox, and analyzed regardless of code signing.
Approve all changes from sandbox post reading of report (eg some open source)

General:
Export as wireshark filter pretty much everywhere every how, echo into a text file.
Deliver updates from a Comodo ip, fail-over to Cloudflare, for a CA its a bad look.
Permanent Yahoo opt out button.
Self check for corruption due to nested virtualization. Occasional update file refresh.
Anything but raw Credit Card info on website.
Various ? buttons linking back to documentation most notably proactive.
Blocked applications to show which rules affecting it.
Dark theme.
Easy No vpn leak button for untrained users.
Dns encryption
Various right click whats this? liking to documentation for descriptions in layman’s terms of ip/port reg etc.
“of recent process ?tree? actions” popup on mouse over block terminate and reverse, when simple mode is enabled
keep seamlessly integrating all of sysinternals with your own unique flavor.
Im sure most of your users including me will be happy to pay for all of the above.

While some features would requite substantial time and resources, most are trivial to implement and are absolutely essential. The firewall as it stands currently is a nightmare. Im looking for a replacement.

3. Why you think it is desirable:
UI is the greatest single piece of marketing for prospective enterprise clients, perfect it.
Techs with evolving custom rules will install Comodo as a diagnostic layer, then be happy to leave it for their customers.
It don’t matter if an alert is tripped if users don’t know how to interpret it. Help them learn with verification.
When exploits get famous, and reports referencing use of Comodo - again marketing.
For the sake of our sanity when setting tight minimalist ip whitelists.
Will make comodo vastly more popular with everyone skilled and unskilled alike

4. Any other information:
Still Thinking about what to add, and tweak but done.

ReeceN · February 24, 2019, 11:03am

Suggestions should be laid out in the proper format.

https://forums.comodo.com/wishlist-cis/required-wish-format-t102338.0.html

ifurn0 · February 24, 2019, 1:59pm

Done.

liosant · February 25, 2019, 8:59pm

Settings (default already has this protection, just the user does not)

Ploget · February 25, 2019, 9:39pm

Instead of posting reams of basic junk; why don’t you try reading and listening to experienced, common sense answers?

devilbat66 · February 26, 2019, 12:25am

I agree.

Never saw anyone do what he does on his Posts. He is basically trying to constrict 30 different subjects in a single topic.

What’s worse, for him everything is Comodo’s software to blame, even his Laptop overheating…

ifurn0 · February 27, 2019, 7:09am

You would be spitting thunder to if you manually typed out countless thousands of ips, ports. into tight, state full dynamic rules.
Then had then nuked by an update, and your heavily custom almost perfect battle-tested about:config and massive umatrix profile.
And had a wide away of profoundly strange memory issues ranging from almost bsod to graphical
and so on.

Safe by default? I doubt that. Sorry.
Harden x setting then safe? Read, understood, appreciated, set. I still doubt that.
World leading experts don’t say that and they are even hardening cpu micro code.
SeL4 Is best yet, Developers and others might like to play with. Github

I may take my risks but understand the implications and do my due diligence, make the checks and run the tests.

I changed the title to keep people happy.
Junk getting though my blood brain barrier has not helped my eloquence, what feature do you think is unnecessary and why?

Laptop running hot?
well i did have repeated incidents of laptop running very hot and fan at full throttle as would be for 100% cpu use for hours
Yet, when i looked at Windows, comodo, sysintenrals task manager it showed >2% cpu total, and not enough in the cpu time, cpu cycles, or io, to explain this.
Fixed already, i think, still watching carefully so i took note along with new flavor of the day.

Main request finally, almost done. Its been quite distracting, now i can start focusing on running more tests or having fun at leisure.

devilbat66 · February 27, 2019, 11:32am

Sorry but if you had true digilence you would know by long time Comodo is 99,9% bulletproof. Cruelsister is a former Malware writer and well known Youtube tester who failed to bypass Comodo multiple times. Even using Trusted-Signed Malware (Your biggest paranoy… err I mean, fear about Comodo). In her own words:

cruelsister post:2191:

My prior post, although I was giggling when I wrote it, was actually borne of frustration. I had just finished my next video testing a VERY well regarded AV with a BB against various worms. To test both the AV (dumb) detection as well as the BB (smart) detection I used 12 worm files- 7 in the Wild samples (to test the AV component) as well as 5 I coded myself (for the BB part). In addition I made a RAT/worm combo (it will fork into MSBuild for the RAT component, but has worm like facility for network spread and persistence.

I was pleased to note that I still retain my title of the Princess of Darkness my former colleagues gave me as my files did quite well. However when I tried the same zero day files (note that no dumb detection by an AV would be possible) against CF with just the sandbox at DEFAULT (Dear God!) they were just blown off as if I was a total incompetent.

So although as a Comodo user I was pleased, as a malware writer I was really rather upset.

Also professional Organizations like AV-test.org gave Comodo 100% rating on Zero-day protection in all of its tests. So I bet we should stop trusting in those skilled professionals, and instead, take the word of someone who constricts 500+ different subjects in a single Topic… ;D

ifurn0 · February 27, 2019, 1:29pm

This thread is not really the place for this…
In memory is my concern, and yes remotely on safe files running as any user, and yes even triggering a hips alert.
I am still mulling over the possibilities, limitations and implications of that.
More to learn, my curiosity is piqued.

Hilarious horror stories have been reasons for certificate revocations like private signing keys in sdk not the first, not the last, just recent.
Not to mention the occasional rogue CA
So yeah i am decidedly uncomfortable with the whole cross signing madness and massive CA list but it is a necessity.
Yes i saw the <99% average, Honestly? i don’t think i can be convinced, its still running on windows.
im also hiding behind an entire server farm and enterprise firewalls, security layers are fun.

Local isp junk, cable router is a different story however.
If there was persistence and problems were not deep corruption from nested virtualization?
Then it was most likely hiding there. Router was playing up and Ive been pretty through.

I like being paranoid, hardening is a great way to learn.
Hips also has its limitations, so i take the av scores while impressive with a grain of salt.
i am trying to improve them above

ReeceN · February 27, 2019, 10:01pm

If your paranoid come check out my wallpaper! https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/comodo-wallpapers-t1017.0.html;msg880586#msg880586

Citizen_K · February 28, 2019, 4:59pm

I am happy to hear you are looking to learn about security and CIS. However you still talk and testify too much. You have to get off your soap box.

You need to break down your stream of thoughts into separate questions when you are not sure how things are working in CIS. When you think you found a vulnerability you need to break it down in a short and concise description of the nature of the vulnerability and provide us with test scenarios with steps of reproduction.

In the above processes you refrain from making broad sweeping statements, references to unrelated security issues, statements testifying being self acclaimed authority… etc… Just focus on technical merits. Your style of writing is getting old… and even older quickly.

ifurn0 · March 1, 2019, 2:35pm

I would also strongly prefer to keep this thread on topic and focused on the requested features at hand, and discuss their technical merits.
It may be best if i no longer respond to any post except for that in this thread.

Not sure weather to edit main post or to post here, or the other thread just to add this, its been passed on, 2 more features to add

1 export as wireshark filters, pretty much everywhere in all forms of selection
it just excoes it out into a text file
2 in network zones also add another column that scrapes ranges from whois

love it!