COMODO Firewall Pro - A poweruser's dream come true.

Overview

I’m an ex-ZoneAlarm user who was forced to move back to Windows Firewall when I adopted Windows Vista Beta 2 as my main operating system (yes, I know I’m crazy), and then when in late September I adopted the Vista-compatible free firewall, I ran across some serious issues and decided it’s best to not keep it. ZA Pro for Vista was not released to this day, and I was stuck with Windows Firewall for over a year.

I came across CFP 3 on ieXwiki’s Vista software compatibility list but was very reluctant to adopt a beta after that debacle. In the end I decided to give 3.0.9 a go. I fell in love with it.

Defense+

Pros:

So what exactly was it about CFP that made me like it so much? To put it simply, it’s the sheer richness of features and customizability that it offers, and I could say the same for its resource demands - of all firewalls with such advanced features that I’ve tested, this one is the lightest. I have not yet come across a firewall which can create custom rules to protect other programs against process termination or memory access. The fact that you can configure and create custom rules about what apps, registry keys or even files and folders a program has the right to access just turns it into the ultimate security policy tool. Imagine I can restrict IE or FireFox to only access its cache and a few isolated registry keys; I’m sandboxing them without the need of an annoying UAC or other methods of user access restriction. AND HOW MANY FIREWALLS HAVE YOU SEEN WHICH WOULD BE WILLING TO ACCEPT ASTERISK “*” TO DEFINE RULES FOR MULTIPLE FOLDERS?! It’s like every little shortcoming of other firewalls was answered here. The behaviour control is simply superb. And of course IT’S ALL FREE.

Cons:

Default config is where it loses, and where it’s lost before. By default, the firewall does not protect itself against process terminations. In the editor review on Softpedia, CFP received 4.5-star voting, was awarded the Softpedia Pick, and a 5-star rating from the editor himself. I don’t think it gets any better than that. Do you know what his only con was against CFP? That it could be terminated easily via Task Manager. CFP’s process termination protection is misleading. You may think that just because you configured an app to be protected against termination, it will be. But no, you have to have the function enabled FROM the general Defense+ settings. The per-app protections are only carried out then. Another thing I found annoying was keyboard and monitor protection vs. keyloggers or spyware. Sure, it’s a sure stopper for them nasty little bugs, but stuff like games, media players or even FireFox triggers them! They’re too primitive.

Firewall

Pros:

Even if it wasn’t, its features are nothing short of amazing. Now about the firewall itself. Once properly configured, the firewall will behave like any high-end firewall out there. It will pass any and all leak tests with flying colors. I’ve run both web-based tests and portscans from other machines and I could not find my computer. Excellent job. Pop-ups for every application trying to access the internet, possibility to create advanced custom rules or even predefined profiles, all you would expect from a powerful corporate product, PRODUCTS WHICH I HAVE TRIED AND DID NOT HAVE AS MUCH POSSIBILITY OF TWEAKING SETTINGS AS CFP DID! It is a reputable rival to any top-notch firewall out there.

Cons:

Just like Defense+, default config is where it loses. I actually failed Shields Up and a few others at first because the firewall allowed ICMP traffic even though I had selected to configure it for perfect stealth; I still had to delete the one Allow global rule that it creates AND add an ICMP block rule on top of the default Block rule before it passed. Also, perhaps important for every firewall paranoid out there, A FIREWALL WILL NEVER HIDE YOU FROM HACKERS WHO ARE LOOKING FOR YOU as long as you’re running applications which open up ports. Yahoo Messenger opens port 5101, which can be manually blocked without any loss in functionality. However, programs such as P2P clients like torrents NEED to keep an open port in order to communicate. If any of those cause you to fail a firewall test, the firewall is NOT to blame. Close the app and the port goes stealth again.

Performance

Pros:

The firewall feels as if it was spawned by AVG or NOD32 in terms of performance. Its two processes will use, at the very most, a total of 10MB RAM, and I have yet to see CPU usage go over 0%. You can’t feel it’s there.

Cons:

The only thing I found wrong with CFP performance was disk usage during log writing. Let’s say I fire up uTorrent and I’m downloading something. With all the new connections being made and unmade, the firewall’s DoS protection starts blocking about 10 connections a second. Ten times a second my hard drive makes short sounds for each logged block attempt. It’s a killer. I had to disable logging. Other firewalls, however, don’t have these issues. I suggest implementing a more effective algorithm for log writing.

Stability

Pros:

Well, it’s beta software… okay, it’s RC1. What can you expect? Well, you can expect a lot from it. As a firewall it hasn’t caused me any major issues. In fact I believe the only issue it’s ever caused to my system was the first time I ran uTorrent. I set it to allow access and explorer froze… I crashed it and started it back up. 5 seconds later, same thing. And every time I tried to bring it back up it did the same. All I had to do was log off and back on and the problem was gone. It has since never caused me any problems or conflict with any application. There is no traffic slowdown. With ZoneAlarm I had to wait about 0.5 seconds longer for my pages to load. CFP doesn’t lag transfers at all. My internet speed is the same. All applications are granted access as has been granted and blocked as has been blocked. It does all you tell it to do well. No internet connection crashes. No blue screens. Nothing. Never had a problem. Bravo!

Cons:

The interface is still buggy. I’ve had the UI crash several times, some related to viewing the active connections, some to shutting down the client while the window was open. The buttons in the Misc tab sometimes remain half-colored after exporting the profile, but nothing really serious. It’s still not finished, and I expect these bugs will be corrected as the final release draws near.

Interface

I really don’t like the colors, and the design is quasi-user friendly. I’m not really that bothered by its complexity and the fact that it’s harder to config as long as it does the job nicely. And thank heavens, that’s what CFP does best, though I must admit a few skins containing less white and more blue, orange, or green would be nice. I’m not one to give importance to the aspect of programs (just look at NOD32); I look at the technical side, and at that it pleases me very much. However, your average Joe will mind, and most computer users are average Joes.

VERSION TWO’S INTERFACE DESIGN WAS PURE GENIUS, WHY DIDN’T YOU KEEP THAT???

Self-defense

The firewall is an excellent traffic and behaviour controller. It will defend the entire system without fail. Now there is only ONE thing it needs to defend with similar tenacity: itself. CFP already has process termination protection which, once configured properly, will not allow malware or hackers to shut it down. But what about vulnerabilities? Holes in the code? Exploits? Self-defense is the final step in maturing a security program, and it’s what separates the men from the boys.

So how is CFP doing? Matousec placed CFP 2 in third place, rating it excellent on anti-leak tests with the highest non-maximum score achievable. In the summary there is only praise coming from the testers about how the firewall keeps traffic under complete control. It may sound like they’d be recommending it, right? Well, no, they’re not. In fact they are warning those who want more serious protection to avoid it. Why is that?! On the CFP review page Matousec reports two highly critical and one critical vulnerability, which malware creators can easily use to bypass or disable the firewall altogether. And on top of that, there are several other highly critical bugs that they have not disclosed yet. They speak of CFP’s simple security design, and how easy it is to get around.

So far I do not know of any existing malware designed to strike at these vulnerabilities, and this would be largely because it is not a widespread firewall. The most targeted firewall would have to be Windows Firewall, followed by ZoneAlarm and then corporate solutions. Forum administrator Melih has stated that version 3, which I am running right now, shouldn’t have a critical bug left in it. Sounds reassuring. Only time will tell if the new design is effective…

I’m relying on Symantec AntiVirus 11 and its proactive protection to pick up on intruders before they can attack the firewall. Vulnerability fixing is perhaps the final step CFP has to make to become a universally-acknowledged high-end firewall solution.

CFP 3 plans to incorporate Memory Guardian some time in the future. With 90%+ of buffer overflow attacks gone some 33% of all existing malware in the world should become obsolete and with it any BO vulnerabilities - the most common of all vulnerabilities. All in all CFP is on the right track to fixing them…

Version 3 final is currently expected to be released within 4 days. I’m looking forward to what is perhaps the best free security solution ever created. Respects for your work thus far!

An excellent and well written review, thank you Searinox.

:SMLR

good writeup…
thanks for taking the time Searinox.

The good thing with Comodo is, now you can take part in our development process to get it developed to your liking :slight_smile:

Melih

Wow somebody actually bothered to read my mile-long rant? Thanks. We ranting geeks write it up that way. :smiley: I haven’t spoken of compatibility because I haven’t tested it on other machines, all I know is it plays nice with Symantec Endpoint Protection.

On what I’ve said about D+ and keylogger/trusted app annoyance: the direct disk access is NOT an annoyance. Only data recovery software triggers it, so I keep it on. If any malware tries to ■■■■■ up my boot record or file table I’ll know. :smiley:

I have to agree that the log-writing technique is not very smart. The file that is by far the most fragmented one on my hard drive is the comodo logfile.
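The log-writing complaint in the original review (about ten blocked connections per second, each causing a separate disk write) and the follow-up about the fragmented logfile both describe the same failure mode: one synchronous write per event. The block below is an added illustration, not code from COMODO or from anyone in this thread, of the usual fix: buffer block events, merge repeats from the same peer and port within a flush window, and write the whole batch in one go. The event fields, the 5-second window and the simulated torrent-style flood are all assumptions constructed for the demo.

```python
import time
from collections import OrderedDict


class CoalescingBlockLogger:
    """Buffer firewall block events and write them to the sink in batches.

    Events with the same (src_ip, dst_port, proto) inside one flush window are
    merged into a single line carrying a hit count, so a flood of rejected
    connections costs one write per window instead of one write per event.
    """

    def __init__(self, sink, window_s=5.0, max_pending=256, clock=time.monotonic):
        self.sink = sink                 # any object with a write(str) method
        self.window_s = window_s         # flush at least this often while events arrive
        self.max_pending = max_pending   # flush early if too many distinct keys pile up
        self.clock = clock               # injectable for deterministic tests
        self.pending = OrderedDict()     # key -> [first_seen, last_seen, count]
        self.last_flush = clock()
        self.writes = 0                  # number of physical writes issued

    def log_block(self, src_ip, dst_port, proto):
        key = (src_ip, dst_port, proto)
        now = self.clock()
        entry = self.pending.get(key)
        if entry is None:
            self.pending[key] = [now, now, 1]
        else:
            entry[1], entry[2] = now, entry[2] + 1
        if len(self.pending) >= self.max_pending or now - self.last_flush >= self.window_s:
            self.flush(now)

    def flush(self, now=None):
        """Write every pending key as one line; returns the number of lines."""
        now = self.clock() if now is None else now
        lines = [f"{first:.1f}-{last:.1f} BLOCK {proto} {ip} -> :{port} x{count}\n"
                 for (ip, port, proto), (first, last, count) in self.pending.items()]
        if lines:
            self.sink.write("".join(lines))   # a single write for the whole batch
            self.writes += 1
        self.pending.clear()
        self.last_flush = now
        return len(lines)


def simulate(n_events=300, rate_hz=10.0, window_s=5.0):
    """Replay a constructed flood (sample data, not a real log) at rate_hz events/s.
    Returns (batched_writes, lines_written, naive_writes) where naive_writes is
    what a one-write-per-event logger would have issued."""
    t = [0.0]
    chunks = []
    sink = type("Sink", (), {"write": lambda self, s: chunks.append(s)})()
    logger = CoalescingBlockLogger(sink, window_s=window_s, clock=lambda: t[0])
    peers = [f"192.0.2.{i}" for i in range(1, 6)]    # TEST-NET-1 addresses, constructed
    for i in range(n_events):
        t[0] = i / rate_hz
        logger.log_block(peers[i % len(peers)], 6881, "TCP")
    logger.flush()                                   # drain whatever is left
    return logger.writes, sum(c.count("\n") for c in chunks), n_events
```

With the defaults, 30 seconds of ten blocks per second from five peers turns into 6 writes of 5 lines each instead of 300 separate writes.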