Comodo Firewall 8.4.0.5165 - Checksum Files?

I have just installed Comodo Firewall in the hope of finding good firewall software for my new computer…

Perhaps there is a setting I am missing, but…

It looks like, at least by default, Comodo doesn’t hash executing files in its rulesets? This is also a flaw with Windows Firewall. That is, all that it checks for is a directory, and a filename.

So, I downloaded GRC’s LeakTest…

  1. Run LeakTest.
  2. Allow it in firewall. It connects.
  3. Download PuTTY.
  4. Rename LeakTest.exe to something else.
  5. Rename PuTTY.exe to LeakTest.exe, and put it into the same directory LeakTest ran from.
  6. Run new LeakTest.exe (PuTTY.exe), and the firewall allows it to communicate through without a problem.

That’s a big issue, in my mind. Malware can easily masquerade its presence as an allowed program, and you’ll be left with a false sense of security. That’s why Windows Firewall isn’t good enough for me.

Am I missing a setting or something? Thanks.

Yeah, you’re missing the fact that any unrecognized file wouldn’t be able to rename itself to replace an already existing file on the system. It would either be sandboxed, which doesn’t allow writing to the real file system, or, if you use HIPS instead, you will be warned of the attempted modification of the protected file. For example, if you download and run an unrecognized application that, when run, copies or moves itself to, say, the install directory of your default browser, it will either be sandboxed or you get an HIPS protected file alert.

Hrmm, that doesn’t satisfy the logic circuits…

ZoneAlarm Free, for example, creates a hash (SHA256, MD5, whatever) of every executable, and it prompts you when there is a mismatch…not that I’m advocating ZAF, as I, personally, think it’s terrible from an advanced user’s perspective - no offense to ZoneAlarm. Even Norton Personal Firewall as far back as NPF 2003 does.

Unless I have HIPS in “Paranoid Mode”, I get no prompts from the PuTTY.exe that was simply renamed to LeakTest.exe (after allowing LeakTest.exe outbound connectivity). I was allowed to rename LeakTest.exe, and PuTTY.exe, and to execute the newly named LeakTest.exe (PuTTY.exe), and it was allowed connectivity implicitly (there are no rules set up for PuTTY). When HIPS was in Paranoid Mode, it recognized that LeakTest.exe (PuTTY.exe) was trying to do something different than the original LeakTest.exe, and it prompted…along with about 100 other prompts from everything else running in the background. Using Firewall “Safe Mode”, Sandbox enabled, HIPS “Safe Mode”, and Viruscope enabled. I get that PuTTY isn’t malicious software, but the firewall shouldn’t, in my opinion, let it pass with these settings.

Anyway, thanks for your quick earlier response. I’m not bashing Comodo - I think it’s the best software I’ve tested so far. I’m used to Norton Personal Firewall, which I personally feel is the best firewall software ever created, but, unfortunately, doesn’t work on Windows 10 (the new suite does, of course, but it’s bloatware - I don’t want AV, and all that other ■■■■).
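The difference between path-and-filename matching and the hash-mismatch prompting described in the post above, as an added sketch that is not part of the thread and not Comodo's or ZoneAlarm's code. `RuleSet`, its method names and the verdict strings are hypothetical, and the two files are constructed stand-ins rather than the real executables.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream the file so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class RuleSet:
    """Hypothetical allow list keyed by path; each rule pins the digest seen at approval."""
    def __init__(self):
        self._rules = {}

    @staticmethod
    def _key(path):
        return os.path.normcase(os.path.abspath(path))

    def allow(self, path):
        self._rules[self._key(path)] = sha256_file(path)

    def check_path_only(self, path):
        """Directory and filename matching, the behaviour the poster reports."""
        return "ALLOW" if self._key(path) in self._rules else "PROMPT_NEW"

    def check_pinned(self, path):
        """Same lookup, but the content must still match the approved digest."""
        pinned = self._rules.get(self._key(path))
        if pinned is None:
            return "PROMPT_NEW"
        return "ALLOW" if sha256_file(path) == pinned else "PROMPT_CHANGED"

def demo():
    """Replay the rename steps from the first post on constructed stand-in files."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "LeakTest.exe")
        other = os.path.join(d, "PuTTY.exe")
        for path, body in ((approved, b"constructed stand-in A"), (other, b"constructed stand-in B")):
            with open(path, "wb") as f:
                f.write(body)
        rules = RuleSet()
        rules.allow(approved)                                   # step 2: user allows it
        before = rules.check_pinned(approved)
        os.replace(approved, os.path.join(d, "renamed.exe"))    # step 4
        os.replace(other, approved)                             # step 5
        return before, rules.check_path_only(approved), rules.check_pinned(approved)

if __name__ == "__main__":
    print(demo())
```

This sketch hashes the file on disk at check time; it does not model hashing the image a running process was actually loaded from.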

Comodo CIS allows users to do what they like, but protects them from anything else which may attempt to control your computer.

Sorry, if you want total protection from yourself, CIS will not suit you.

Dennis

Hrmm, sorry if I offended, as that’s the stance that seems to be being taken. Perhaps you think I’m a dummy, but I think Steve Gibson is pretty well respected in the security community…

…perhaps I have not become familiar enough with the HIPS/Sandbox features. Anyway, thanks for Comodo - it’s pretty comprehensive.

No, you have not offended anyone :)

Just trying to explain how the user is protected, but not from himself.

For advanced users who want to do anything they like, CIS is ideal; well, when I say anything, it does stop you sometimes and needs to be totally disabled.

Dennis