Comodo Firewall not much better than others

Melih,

Will versions v2.5 and v3.0 have the bugs reported by Matousec fixed?

Best Regards

2.4 will have some bugs fixed according to the big boss:

https://forums.comodo.com/index.php/topic,4232.msg35327.html#msg35327

And I am sure v2.5 and 3.0 will have more bugs fixed :slight_smile:

Very glad to hear that… :smiley: (R) (L)

Just use a HARDWARE F/W with CPF and you have the best there is!

After using Kerio PF 2.1.5 for over a year (without a single BSOD), I decided to use the latest Comodo PF, and after 14 days, my BSOD-counter is at 17.

So, it’s back to the ONLY properly working firewall, Kerio. :-\

PROPERLY working? On my system that software dinosaur was the one causing BSOD problems. And, I might add to that, sometimes it failed to notice new programs, i.e. it did not always notify me about program updates. Not very safe, if you ask me.
To each his own.

So just because it doesn’t work for you…it doesn’t work for anybody else? :wink:

“ONLY properly working firewall”? Come on… Comodo Firewall works just fine here… so Kerio is NOT the “ONLY properly working firewall” :wink:

But if you didn’t stay and tell us more about your problems, we can’t help you!

As you get so many BSOD on your computer, there must be some problems there.

We will try to help you if you come back, otherwise…have fun with your Kerio firewall :slight_smile:

Tell Matousec to get stuffed, basically they are like 5-year-olds, let me play with your toys & I’ll be your friend, in Australia we call them back stabbers. (:AGY)

It seems to me that the biggest “security” problem with CPF is the “fault 40”.
This fault is caused by “something” located 40 cm from the monitor.
Rules-based firewalls that don’t try to hide what they are need to be
configured properly to provide optimal protection.
If you make a wrong rule you might be leaving your door wide open.

How anyone can trust ZoneAlarm is beyond my comprehension:

It seems that ZoneAlarm Security Suite has been phoning home, even when told not to. Last fall, InfoWorld Senior Contributing Editor James Borck discovered ZA 6.0 was surreptitiously sending encrypted data back to four different servers, despite disabling all of the suite’s communications options. Zone Labs denied the flaw for nearly two months, then eventually chalked it up to a “bug” in the software -- even though instructions to contact the servers were set out in the program’s XML code. A company spokesmodel says a fix for the flaw will be coming soon and worried users can get around the bug by modifying their Host file settings. However, there’s no truth to the rumor that the NSA used ZoneAlarm to spy on U.S. citizens.

http://www.infoworld.com/article/06/01/13/73792_03OPcringley_1.html

I have been running CPF in VMware for some time and used “Wireshark” to monitor
any unwanted communication attempts. I didn’t find any, so now it’s on my host OS…

If the Firewall is only for blocking ports, then they are a waste for anyone with a NAT router (as that has a firewall doing that already). I miss a product that will ONLY monitor program access (programs accessing net or acting as servers). That’s all I need. The NAT router will take care of the rest.

I would beg to differ on that point. All a NAT (Network Address Translation) router does is create a different internal IP address, and make sure that doesn’t match the external (visible to the internet) IP address - in simple terms. By definition, a NAT router is not a hardware firewall, nor does it specifically include a hardware firewall. This is a common misconception.

In order to make sure that your router is/does have an integrated hardware firewall, you have to check the specs of the router. Most routers nowadays have NAT, as that is deemed a good thing, but not all have a firewall; if it doesn’t specifically say it has a firewall, it probably doesn’t. Even if it does have a firewall, it is possible that it has to be activated via the internal controls, and at that, it’s probably fairly limited in its capabilities, if you’ve not spent a lot of money on it (good hardware firewalls are not cheap…).

LM

I have not seen a common NAT router in Norway without a firewall. Even my very cheap NAT router has a hardware firewall. And GRC.com rates it the best when I test. So I really only need the application monitor part of a software firewall. But that is not available separately (to save RAM and CPU) :frowning:

Very true, at least with Comodo’s layered approach to security. I have seen a lot of software firewalls that do not include any sort of connection-monitoring; only application-based monitoring. While that sounds good, it’s also good to realize the difference between hard & soft firewalls.

The hardware FW in the router has a job to keep bad things Out (this will not stop you from getting viruses/trojans/malware; only unauthorized access attempts). The software FW has a job to keep bad things In (this is for once you have gotten some form of malware). If the soft FW only monitors applications trying to get out, then it doesn’t provide a full range of protection against the tricks that modern malware use.

I understand your desire to reduce CPU load; it’s always a balance to determine the appropriate level of security versus risk versus system performance. Comodo (IMO) does a good job trying to provide a solid, reliable FW that is not a resource hog (some of the same FWs I mentioned, that only monitor applications, still consume far more resources than Comodo’s). CPF could use less, and I think it will get there; but at present it’s not too bad (IMO, again).

LM

I also have an Anti-Virus software of course that scans all incoming files (mail-scan, web-scan, network-scan).

But, you say Comodo is modular. Today I only use “Application Monitor” and “Network Monitor”. Still it uses more resources than ZoneAlarm. Will I save much RAM and CPU usage if I disable “Network Monitor” as well (my anti-virus also has a “Network Shield”, maybe it’s kind of “double up” :slight_smile:)?

I do not personally advise turning off any of the various layers/modules of CPF; this cripples the protection. If you’re going to do that, you might as well use Windows Firewall, which will provide the same protection at that point (virtually none). I don’t mean that as a slam on anyone; it just doesn’t make much sense to have a firewall with the strength of CPF, and then turn off portions of it to try to make it use less resources. That defeats the purpose of it, and makes it no better than any other.

To answer your question, I don’t know how much RAM or CPU resources you would save by turning off Network Monitor. I don’t find it to be overly draining on my system, and don’t feel inclined to reduce my security level in order to find out. :wink:

As I understand it, most AV “webshield” applications work kind of like a proxy to your browser, trying to filter out malware that might be being downloaded. It’s not watching for Outbound traffic; it would be more like filling in the gaps of your router’s firewall, rather than duplicating a software firewall’s activity. The thing with AV programs is that being signature-based, they will always be behind the curve in trying to find and stop malware; if the DAT file is not an exact match for the malware, it won’t “find” it. Further, a lot of AV cannot actually remove the malware, and removal tools are needed, specific to that virus/trojan/etc. The point is, the software is not 100% security; with even the best AV, AS, even a HIPS, you can still get infected; that’s where a software firewall comes in. That’s not a plug for CPF, it’s just a fact; that is, in essence, the last line of defense.

The plug for CPF is that there is at least one documented instance of CPF finding and stopping malware that was trying to get back out of a user’s computer. The user’s AV program had definitions which would find a similar virus, and could (as it turned out) actually identify the virus he had. However, it didn’t stop the infection, it did not identify the file on access (only on-demand), and once identified, could not quarantine or remove the virus. CPF, however, due to its layered rules approach to security, reported that something was wrong and prompted the user to block the connection. You just don’t find that type of protection from other firewalls; CPF goes above-and-beyond to provide outstanding security. Turning off aspects of that makes it all go away…

You may do as you wish with CPF’s various security rules. However, I do not consider that to be a wise decision, and cannot in good conscience recommend it.

LM

The Windows Firewall lacks the monitor for “server programs”, doesn’t it?
And those are the most dangerous ones. So ZA or Comodo is a must there.
My hardware firewall “hides” me (true stealth), and blocks bad packets/DoS attacks.
Comodo application monitor stops programs from sending/acting as servers.
What else do the other modules in Comodo really add to that?

Well, let’s take a quick walk-thru of a potential scenario…

The most memory-intensive part of CPF is the Application Behavior Analysis. Yet this is how CPF spots various types of hijacking of known applications. But let’s say you’ve turned that off, to save memory.

Windows updates is a known vulnerable aspect of the system, but let’s say that you want to update Windows, so you have it on. At any rate, you know about it, and it’s familiar to you.

You’ve also turned off Network Monitor, because you’re concerned about its memory resources, so you’re relying on the Application Monitor to save you. :wink: The AM works in conjunction with the NM, so all traffic is controlled by the NM Rules. Without the NM, applications can communicate however they want… there’s no guideline.

Now, Windows Updater comes under attack from a malware that you pick up off the internet, that your AV doesn’t catch. Windows Updater tries to connect to the internet. Application Monitor may alert you, but then again, it’s a known application, so maybe not… After all, you’ve turned off ABA, which would see that something has changed.

So you allow it, and it connects off to the new mothership of malware. Boom!

However, even with ABA off, if Updater were to be corrupt and try to connect outward, it could ONLY do so in the context of the NM rules. This could seriously limit its ability to wreak havoc, depending on how you’ve structured those rules.

Bottom line is, in CPF, the layered rules work together, and EVERYTHING happens in the context of the Network Monitor rules. That is, all allowed applications (App Monitor) are only allowed to connect in a way that is approved by the Network Monitor. If you disable the NM, then there are no stipulations on how an application can connect. If you disable the Component Monitor, you have no control over what loads with each application, which also loosens your security. With both those turned off, the only thing left would be to increase your alert frequency to Very High and generate Application popups for every single IP, Port, etc that you have to connect to. You’ll end up with thousands of entries in the AppMonitor for Comodo to sift through. Which would probably use more resources than the combined/layered security that it is designed with.

Remember, CPF was created by some very educated, talented, knowledgeable people whose whole job is security. What is provided with CPF is there for a reason; disable at your own risk. :wink:

LM
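A simplified model of the layering described in the post above, added here as an illustration; it is not Comodo's code, and the rule format, application names and addresses are constructed assumptions. It shows an allowed application being confined by the network rules, and what changes when that layer is switched off.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Conn:
    app: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class NetRule:
    action: str    # "allow" or "block"
    proto: str     # "tcp", "udp" or "any"
    dst_net: str   # destination network in CIDR form
    ports: tuple   # destination ports; empty tuple means any port

    def matches(self, c: Conn) -> bool:
        return (self.proto in ("any", c.proto)
                and ip_address(c.dst_ip) in ip_network(self.dst_net)
                and (not self.ports or c.dst_port in self.ports))

# Constructed policy (assumption): two trusted applications, a mail server
# at 192.0.2.25, web traffic allowed anywhere, everything else blocked.
APP_RULES = {"updater.exe": "allow", "mailer.exe": "allow"}
NET_RULES = [
    NetRule("allow", "tcp", "0.0.0.0/0", (80, 443)),
    NetRule("allow", "tcp", "192.0.2.25/32", (25, 110)),
    NetRule("block", "any", "0.0.0.0/0", ()),
]

def decide(c: Conn, network_monitor: bool = True) -> str:
    """Return "allow", "block" or "ask" for an outbound connection."""
    # Layer 1: application rules. Unknown programs trigger a prompt.
    if APP_RULES.get(c.app) != "allow":
        return "ask"
    # With the network layer disabled, a trusted app may connect anywhere.
    if not network_monitor:
        return "allow"
    # Layer 2: first matching network rule wins; default is block.
    for rule in NET_RULES:
        if rule.matches(c):
            return rule.action
    return "block"

if __name__ == "__main__":
    hijacked = Conn("updater.exe", "203.0.113.7", 6667)
    print("network layer on :", decide(hijacked))
    print("network layer off:", decide(hijacked, network_monitor=False))
```

In this model a hijacked updater that connects out on port 443 is still allowed, which is the "depending on how you've structured those rules" caveat from the post.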

The Application Behavior Analysis I turned off because it flooded me with false messages. ALL Internet programs triggered warnings about using each other. It got so annoying that I had to turn it off. If they don’t fix this in some way it’s useless (got messages like “Firefox” is using “Agent” to connect etc., complete BS messages, as Firefox and Forte Agent don’t use the other to communicate). Also got these kinds of messages for many other programs that all are OK. It’s like “Cry Wolf”. After a while you ignore them…

The Network part is still on BTW, I was only thinking about turning it off if it didn’t add anything I didn’t have. I also don’t pre-trust ANY application. So even the safe ones must be allowed access, and I give access on port and IP level (my mail program only has mail-ports on my mail-server etc etc).