Comodo Firewall w/ Defense+ vs. ThreatFire [Merged Threads]

I’m starting to agree with ganda. I don’t really like D+, it’s just too much prompting for me. And when I use my USB stick (lots of portable apps) the popups are never ending since I have scripts to autorun a lot of things.

So I’ve got BOClean and ThreatFire as an active defense instead of D+. However it seems as though Comodo cut the balls of V3 if you disable D+. It failed tests 1 & 3 from the CPILSuite (I couldn’t get test 2 to run. Firefox process started, then ended with no browser windows).

I hate to go back to the V2 product that is no longer being developed, but unless V3 is going to be changed to provide the same protection as V2 WITHOUT having to run D+, I’m not sure what to do. After running CPILSuite I feel really vulnerable. And again, D+ really isn’t an option.

Are there plans to harden the V3 firewall with the same protection as V2? Or is it going to be necessary to run D+ now to get that protection?

Don’t get me wrong, I love Defense+ more than I love my sisters ;D
Maybe Comodo shouldn’t give the choice to install the basic firewall only. I think Defense+ is like V2’s application monitor. Removing Defense+ isn’t an option.

Based on my reading, I had intended to install PC Tools ThreatFire v3 and Comodo Firewall. However, I was presented with Comodo Firewall’s Defense+. From what I’ve read, it was suggested that since ThreatFire is less taxing on resources and faster, I should use that instead of Defense+.

I uninstalled and re-installed (rebooting when prompted) Comodo Firewall. This time, I opted out of Defense+, but did opt in with Firewall Leak Protection. After rebooting, lo and behold Defense+ was still installed and running in Clean PC Mode.

I read in the forums that disabling Defense+ altogether also disables Firewall Leak Protection.

Question: Is Firewall Leak Protection = Defense+ in Clean PC Mode?

Question: With Defense+ in Clean PC Mode, do I still need ThreatFire?

Question: Will Defense+ slow my computer more than ThreatFire?

Thank you for your help.

Steve

The fast answers are:

  1. Defense+ is your HIPS (Host Intrusion Prevention System) protection - protecting from unwanted behavior and thus adding leak protection.
  2. Naw, I’d do one or the other (assuming that your system is clean right now) but would consider raising the D+ level until paranoia abated.
  3. Depends on your OS, system, set-up, configuration… but no, it won’t.

You don’t need TF if you have D+ enabled. Two HIPS is overkill. If you want, use Sandboxie.

In anti-leak mode, Defense+ is still used, but just a subset of full Defense+.

I installed ThreatFire a few days ago, and have been using Comodo Firewall 3 with full Defense+ for about 2 months. Some of the following comments are only for people who use full Defense+.

Here are the benefits I see of using ThreatFire even if you have Comodo Firewall 3:
a) ThreatFire can protect you if you misconfigure Comodo Firewall to be too permissive. The downside to having a lot of choices is that you can make the wrong choices.
b) If you temporarily disable Defense+, as I do when installing Windows Updates, you might forget to turn it back on, since the tray icon doesn’t change its appearance. ThreatFire is still there if Defense+ is off.
c) If you use ‘Installer or updater’ mode on an installer program that is malicious, ThreatFire is there for you.
d) If a malicious program takes down Comodo Firewall but not ThreatFire, ThreatFire is there for you.
e) ThreatFire’s advanced rules allow some rules you can’t specify in Comodo Firewall.
f) If rogue code from a buffer overflow exploit is executing within a process, ThreatFire may spot the bad behavior the rogue code performs. For example, if the rogue code from a buffer overflow exploit in your media player is keylogging code, and if Defense+ trains for the media player, then Defense+ will train to allow low-level keyboard access for the media player, but ThreatFire might warn of the keylogging. Note that if the rogue code does things such as download a file, or start another process, then Comodo Firewall may alert you also, depending on the Defense+ security policy for the given program.
g) If you’re not using full Defense+ (you mentioned you’re using a subset of Defense+ that is targeted towards anti-leaking), then you’re not using a full HIPS anyway, and thus ThreatFire is even more important to use, to monitor the things that are turned off in Defense+ in anti-leak mode.

I can’t answer that, but I have both running, and my not so new computer seems fine with both in terms of speed and stability, so far; it’s just been a few days I’ve used both together though. Both seem pretty lightweight. I am using v3.0.14.276 of Comodo Firewall, and v3.0.14.16 of ThreatFire. Some users have said newer versions of Comodo Firewall appear to use more processor time than earlier v3 versions, although I don’t recall if they said it was noticeable.

If there’s no issue with lagging or freezing using both then it should be fine. You’d need to find a detailed analysis of both in order to compare features. There’s probably detailed info over at Wilders or a similar forum. I tried an early version of ThreatFire and suffered horrible slowdown, but evidently it’s improved now. I run CFP with D+ and Prevx together with no problems at all, although Prevx isn’t a typical HIPS; it has some HIPS features.

Here are some more reasons to use ThreatFire, in addition to those listed in my previous post:
h) ThreatFire can detect some buffer overflows. Comodo Firewall cannot currently. Comodo does have a separate free product called Comodo Memory Firewall designed to handle buffer overflows.
i) When device drivers are being loaded, Comodo Firewall will in some cases give an alert about accessing the service control manager. Unfortunately, this same alert often appears for reasons other than loading a driver. ThreatFire, on the other hand, clearly alerts that a driver is about to be loaded.
j) ThreatFire can warn if a process is about to be hidden, indicating possible rootkit activity. Comodo Firewall cannot do this.
k) ThreatFire can warn if exact copies of an executable file, possibly with a different name, are being made in the file system. This is a possible sign of a virus. Comodo Firewall can warn about executables being created, modified, and deleted in general, but no special mention is made that an exact copy is being created.
l) If Comodo Firewall has bugs that prevent full defense, ThreatFire is still there for you.

To be fair, if you’re a ThreatFire user, there are a number of reasons to also use Comodo Firewall, but that’s for another list…
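As an added illustration of point (k), not code from ThreatFire, Comodo or anyone in this thread: a Python scan that hashes the executables under a directory and reports byte-identical files that exist under more than one name. The extension list and the sample directory tree are constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Assumed set of extensions worth watching; not a list from either product.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_renamed_copies(root):
    """Return {digest: [paths]} for executables whose bytes are identical
    but which exist under more than one file name. Copies that keep the
    same name (e.g. a backup folder) are ignored to cut noise."""
    by_digest = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                path = os.path.join(dirpath, name)
                by_digest[sha256_of(path)].append(path)
    return {d: sorted(paths) for d, paths in by_digest.items()
            if len({os.path.basename(p) for p in paths}) > 1}


def build_sample_tree():
    """Constructed fixture: one binary copied under three names, plus decoys."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "lib"))
    payload = b"MZ" + b"\x90" * 64                 # constructed stand-in for a PE file
    for rel in ("app.exe", "lib/updater.exe", "lib/cache.dll"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "other.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64)              # different bytes: not a copy
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(payload)                           # same bytes, but not an executable
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for digest, paths in find_renamed_copies(root).items():
        print(f"identical executable under {len(paths)} names ({digest[:12]}...)")
        for p in paths:
            print("  ", os.path.relpath(p, root))
```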

I’ve had CPF with Defense+ and Threatfire installed for a couple of weeks without any apparent conflicts. As long as they don’t interfere with each other or overload my system, I like the idea of having layered protection.

Another reason to use ThreatFire, in addition to those listed in my previous posts:
m) ThreatFire can warn about a process sending email. Comodo Firewall also includes the port used, but the user could fail to notice it’s email-related if not looking closely or not knowledgeable enough to know. Also, the user in Comodo Firewall may have given general Internet access permission upon first Internet access by the process, and therefore not know that the process is sending emails.

Unfortunately, I found a problem between ThreatFire and Comodo Firewall. See https://forums.comodo.com/bug_reports/some_keylogging_methods_are_not_detected_when_threatfire_installed_v3018_x32-t20301.0.html.

The best practice for e-mail is to allow only mail server addresses to be reached through mail ports (POP3 etc.).
All other requests for “mail ports” should be blocked within the e-mail client Predefined Firewall Policies.

What I had intended to convey was a scenario such as this: Suppose you have your Comodo Firewall alert frequency level set to the default, Low or Very Low (I forget which). Suppose an application auto-updates, and therefore does need Internet access. Suppose that the first time the program asks for Internet access, it is for the auto update, and therefore the user chooses to allow Internet access permanently for the program. Under this scenario, you would never know if the program were secretly sending out emails, since you already allowed the program Internet access. However, ThreatFire could alert you specifically that the program is sending out emails.

Defense+ gave me too much hassle. So, I turned it off. I think my system is locked down pretty good. Here is what I am running.

Comodo newest firewall with Defense+ off
Comodo BOClean
Winpatrol
Threatfire
Avira premium edition
Spybot S&D with immunize
Spywareblaster
Linksys befsr41 v4.0 router with newest firmware
Firefox with no script and Adblock Plus
SUPERAntiSpyware for system scanning once in a while

I believe that’s about it. While nothing is foolproof, I think it’s a lot harder for things to get through with this stuff than without it.

I also have both installed, due to ignorance of not being a security expert. However, point f is a good enough reason for me to keep both. It is actually a worrying hole.

Similarly worrying (but on another topic) is that if I set my home LAN as a trusted zone, then plug into another LAN while on business that uses the same network IP (198.168.1.**), then the guest LAN also becomes trusted. Not sure if Comodo or other firewalls can get around such an issue, but at least having TF will help spot any nasties.

:-\