Comodo Internet Security Premium Firewall

Comodo’s Firewall is far too strong for my PCs. I have to disable it and enable Windows Firewall, which makes my PCs run faster. Why is that? Is it because there is too much security in CISP Firewall?

What security level is the firewall set to? My guess is that the trouble is related to your security configuration; probably you’re creating automatic allow rules. Every time an allow rule is created the entire configuration is updated to the registry. That takes time. Other than that there’s no real processing intensive activity that occurs with CIS.

Check to see if the Firewall security-level is either set to training or safe. Your best mileage will be with it set to custom policy at the expense of alerts that need to be responded to.

It is true that initially there is a lot of ‘learning’ CIS does, but over time this diminishes. Most alerts occur when an app is initially implemented. What I’ve found works best is to allow any alerts for any arbitrary new application until it’s fully functional, and then glom onto all the entries for that application in the log and create the rules by hand en masse and update all the rules for the app in one fell swoop.

Windows Firewall is actually not bad technology. However, what it will not protect you against is unsolicited outbound activity; all network connection attempts initiated by your computer will be allowed. So if NOTEPAD.exe, or CALC.exe wants to phone home to Bulgaria Windows Firewall will allow that.

Comodo’s Firewall was set at the default state—Safe Mode. You told me to set it to Custom Ruleset and that is what I did. Shall I keep it at the Custom Ruleset option? I have the Comodo Firewall enabled and I turned off the Windows Firewall. Anything else I need to do? My OS is Windows 10. I have Product Version 8.2.0.5005 and Database Version 24834.

Antone

I am noticing a big difference when you told me to set the Firewall to the Custom Ruleset. My computer is faster. Now is it completely safe to leave it on the Custom Ruleset? Let me know your thoughts.

Antone

Custom policy is the default security configuration; the others are designed for neophytes for least alerts at expense of performance hit.

In Firewall Behavior configuration ‘create rules for safe applications’ should not be ticked.

I have all alerts ticked - it’s going to alert for anything that happens - and I have disabled protect ARP cache (I’m not on a network where foreign elements can hijack peripherals) and block fragmented IP datagrams. I have protocol analysis and NDIS monitoring enabled.

I have an explicit network security policy for DNS lookups. It uses the file-group DNS which is maintained in Defense+ HIPS:

Allow UDP out from in [NIC] to [DNS] source port ANY destination port 53

ANY application that needs to perform DNS lookup, i.e., UDP on port 53 to DNS servers - entered in the DNS network zone - are put in there. If it wants on the internets it has to do DNS lookup unless it uses explicit IP address. If it’s NOT in the DNS filegroup there’ll be an alert.

That is my second rule immediately after Windows Operating System. All other rules follow in order of decreasing use. He goes through the rules top to bottom for every IP access attempt until he finds a match. The same is true for all D+ rules too. So you want your most used apps at the top in both Firewall & D+. Works good - like butter - last long time.

I have an explicit network security policy for my browser, i.e., IceDragon:

Allow TCP out from in [local_0] to in [local_127] source port ANY destination port ANY
Allow TCP out from in [NIC] to ANY source port ANY destination port in [HTTP ports]
Allow TCP out from in [NIC] to ANY source port ANY destination port in [Adobe RTMP ports]
Allow TCP out from in [NIC] to in [webcs.yahoo] source port ANY destination port in [5050 / 843]
Allow TCP out from in [NIC] to in [174_129_amazonaws - firefox] source port ANY destination port 6667
block IP out from in [NIC] to in [67.192.0.0/255.255.0.0] where protocol is ANY
block IP out from in [NIC] to in [199.115.119.0/255.255.255.0] where protocol is ANY

Obviously the browser will be in the DNS filegroup - it’s always doing DNS lookups - but unless it wants to connect on a weird port I NEVER get an alert from the browser.

FYI webcs.yahoo are the web-mail eMail servers I need to connect to to get eMail. 174_129_amazonaws is the network zone to allow me access to Amazon web-site.

HTTP Ports is a port set defined as: 80, 81, 443, 8080
Adobe RTMP is a port set defined as: 843, 1935

I also have port set called ‘80 / 443’ defined as: 80, 443; I make the distinction; I assume all ‘normal’ HTTP is on port 80. If the same IP shares port 80 & 443, then I make a rule using that port set. Otherwise all IP connection attempts are by default to port 80 explicitly.

As you use it you find out what ports particular applications want to connect to correlated to particular IP address. Sometimes it wants to access a particular IP address(s) to both port 80 & 443, but ALL of the other IP addresses it connects to are ALWAYS port 80. I make rules defining that explicitly.

I get alerted for anything specifically not explicitly allowed, and everything is neat and tidy.

Capiche? Or is that sound of jets going overhead?

NOTE: with the above scheme implemented, I almost NEVER get alerts from the browser except for weird ports. I allow but not remember for weird port access attempts by the browser. Now if I find I go to a web-site a lot that has a weird port requirement, I make a rule for THAT web-site IP address and THAT specific port(s). And the browser goes away and stops bothering me. Until the next weird port. Weird ports are used by web-sites for content delivery, e.g., Flash and stuff. But most often they’ll access port 80 and 443 (SSL).
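The post above describes the evaluation model in prose: per-application rules, network zones and port sets, checked top to bottom for every connection attempt until the first match, with anything unmatched producing an alert. The following is an added example (not the poster’s code and not Comodo’s implementation) that models that ruleset in Python so the behaviour can be checked offline. The zone addresses, the members of the DNS file group, the Windows Operating System rule and the sample connection attempts are constructed assumptions; the port sets and the IceDragon rule order are taken from the post. The `rules_checked` count returned alongside the verdict shows why the poster puts the most used entries at the top, and the sample attempts also show a first-match side effect worth knowing: the two block rules at the bottom of the browser policy only see traffic that the allow-to-ANY rules above them did not already accept.

```python
"""
First-match firewall evaluator modelled on the ruleset described in the post.
Added example; not Comodo code. Zone addresses, group membership, the
Windows Operating System rule and the attempts below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ANY = None

# Network zones. Names follow the post; addresses are assumed (the post does
# not list them), and webcs.yahoo uses a documentation range as a placeholder.
ZONES = {
    "NIC": ["192.168.1.0/24"],                  # the LAN adapter's subnet
    "DNS": ["192.168.1.1/32"],                  # resolver(s) reachable on UDP/53
    "local_0": ["0.0.0.0/8", "127.0.0.0/8"],    # unspecified + loopback sources
    "local_127": ["127.0.0.0/8"],               # loopback destinations
    "webcs.yahoo": ["198.51.100.0/24"],         # placeholder for the webmail hosts
    "174_129_amazonaws - firefox": ["174.129.0.0/16"],
}

# Port sets exactly as the post defines them.
PORT_SETS = {
    "HTTP ports": {80, 81, 443, 8080},
    "Adobe RTMP ports": {843, 1935},
    "5050 / 843": {5050, 843},
    "80 / 443": {80, 443},
}


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "block"
    proto: Optional[str]                     # "tcp"/"udp"/"icmp", or ANY ("IP ... protocol is ANY")
    src: Optional[str]                       # zone name, CIDR literal, or ANY
    dst: Optional[str]
    dst_ports: Union[None, str, frozenset]   # ANY, a port-set name, or explicit ports


@dataclass(frozen=True)
class Attempt:
    app: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def in_zone(ip: str, zone: Optional[str]) -> bool:
    if zone is ANY:
        return True
    nets = ZONES.get(zone, [zone])   # unknown name -> treat it as a CIDR literal
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def port_allowed(spec, port: int) -> bool:
    if spec is ANY:
        return True
    return port in (PORT_SETS[spec] if isinstance(spec, str) else spec)


# Ordered application policy: (entry name, applications it covers, rules).
# Entries and rules are walked top to bottom; the first match decides.
POLICY = [
    ("Windows Operating System", {"System"},                      # assumed rule
     [Rule("allow", ANY, "NIC", "NIC", ANY)]),
    ("DNS", {"System", "svchost.exe", "icedragon.exe"},           # the DNS file group
     [Rule("allow", "udp", "NIC", "DNS", frozenset({53}))]),
    ("icedragon.exe", {"icedragon.exe"}, [                        # order as in the post
        Rule("allow", "tcp", "local_0", "local_127", ANY),
        Rule("allow", "tcp", "NIC", ANY, "HTTP ports"),
        Rule("allow", "tcp", "NIC", ANY, "Adobe RTMP ports"),
        Rule("allow", "tcp", "NIC", "webcs.yahoo", "5050 / 843"),
        Rule("allow", "tcp", "NIC", "174_129_amazonaws - firefox", frozenset({6667})),
        Rule("block", ANY, "NIC", "67.192.0.0/16", ANY),
        Rule("block", ANY, "NIC", "199.115.119.0/24", ANY),
    ]),
]


def evaluate(a: Attempt):
    """Return (verdict, rules_checked); an unmatched attempt becomes an alert."""
    checked = 0
    for _name, apps, rules in POLICY:
        if a.app not in apps:
            continue
        for r in rules:
            checked += 1
            if r.proto is not ANY and r.proto != a.proto:
                continue
            if not (in_zone(a.src_ip, r.src) and in_zone(a.dst_ip, r.dst)):
                continue
            if not port_allowed(r.dst_ports, a.dst_port):
                continue
            return r.action, checked
    return "alert", checked


if __name__ == "__main__":
    for a in [Attempt("icedragon.exe", "udp", "192.168.1.10", "192.168.1.1", 53),
              Attempt("icedragon.exe", "tcp", "192.168.1.10", "67.192.5.5", 80),
              Attempt("icedragon.exe", "tcp", "192.168.1.10", "67.192.5.5", 25),
              Attempt("notepad.exe", "tcp", "192.168.1.10", "203.0.113.7", 80)]:
        print(a.app, a.proto, f"{a.dst_ip}:{a.dst_port}", "->", evaluate(a))
```

Running it shows the browser’s DNS lookup allowed after one rule, a port 80 connection to 67.192.5.5 allowed by the HTTP ports rule before the block rule is ever reached, the same host on port 25 blocked, and NOTEPAD.exe alerted without any rule being checked because it appears in no entry.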

You just went way over my head. Ok… when I downloaded CISP, the firewall was set at Safe Mode not custom ruleset; so I assumed that this was the default state. I just changed it to custom ruleset because you advised me to in the first message. Since my PCs are running faster, is it Ok to keep the Firewall at custom ruleset or no? This is all I need to know. I appreciate all the information you gave me and I will keep it in my Comodo Forum account for future reference.

Antone

To add; my default browser is Microsoft Edge. It runs very well on my PCs and it is more secure than the other browsers. I had to uninstall Google Chrome because there were all kinds of spyware detections leaking privacy information. I feel very comfortable and safe using Microsoft Edge.

Antone

Custom policy should be the default way to run; you don’t get less security, you have more control.

I don’t know what your configuration is - right click the CIS icon and look in configuration - and if you’re using all CIS components you should be employing Proactive configuration. Then you can ensure that your Firewall security level is custom policy. For D+ HIPS you have similar security levels. The highest level of security will be Paranoid. As far as A/V there are two of note: stateful and on access. The latter will scan ANY file against the A/V defs EVERY time it’s accessed. Obviously there’s some overhead. The former will only do that if the file hasn’t been accessed since the A/V defs were updated last. After that it only checks to see if the file has changed since then, and if not it uses the file immediately.

If you like MS Edge as your browser, the rules I described will work for it too 99% of the time w/ out alert. I make use of network zones and port sets - keeps things nice and tidy - and have fixed IP addresses on my network. Using DHCP to get assigned IP addresses makes things a bit more fluid, but the principle remains the same. Those rules I defined work 99% of the time w/ out alerts.

Yes, I have changed the Firewall to Custom Ruleset. I believe I said that in one of the other messages. So I must be all set then if my computers are faster than before. Thanks!

If you’re only using Comodo Firewall then configuration is moot. If you’ve implemented the entire CIS security suite, i.e., A/V & Firewall & Defense+ (HIPS) then the particular configuration implemented will also come into play.

Each component I cited above has a security policy; for Firewall it is custom, safe or training policy, for A/V it is the type of inspection policy, i.e., stateful or on-access, and for D+ it’s either paranoid, safe, clean & training policy.

The particular configuration that you use bundles them together in various schemes of user intrusiveness. The less user intrusive the configuration (or policy) is, the more risk there is of adverse performance hits. These performance hits happen because rules get created automagically transparent to the user.

In my 6 years’ experience using CIS since v3.x, in virtually every single case performance degradation was due to fundamental CIS function security policy auto-update, i.e., rule making or queued alerts. There may be a whole bevy of alerts stacked up - one behind the other - awaiting user approval. The default behavior of CIS is to implicitly block anything unless explicitly allowed. There could plausibly be 20 alerts stacked in the queue spread between A/V, Firewall, and D+; ALL of them are blocked until you answer in the affirmative to allow (or deny explicitly).

The reason this occurs is because of the multi-processor platformed multi-threaded environment within which fish-tank all applications live happily ever after. Quite a large number of apps do not respond kindly to not being granted their desires exactly when they ask. The better ones ask multiple times and then gracefully crash. The not-so-graceful ones keep askin’, generating more alerts which by default are denied, generating more app asks. Eventually the System - hanging on the cross - how much longer?

Your logs are your friend. Check your logs if things are wonky. Make sure that you get alerted to anything and everything; that’ll make you create rules just to get rid of the alerts. And then check your logs often, and most especially when things have been working right and not getting alerts.

Wait, wait, wait, what are these ICMP or UDP in from this IP? China is trying to access my system? o.k., we’re going to have to take steps.

BTW, you could always just PM me just to pick my brain. We could always decide, later, that our discussion may be useful to the community at large, and then we could make a string out of our PM discussion. Dunno. That would be pretty weird. :o

Oh, and lest I forget, in every single element of the CIS GUI there is a link “what does this do” and that opens a fairly comprehensive web-doc about the specific panel you are on. If you don’t understand what the on-line manual is telling you, that’s one thing. But if you haven’t even read the manual about what confuses you, God help you; I won’t; I have no sympathy for you whatsoever and I never have. Ever. I will never, ever, post that somebody should read the manual; I will cite the page in the manual there-upon can be found that which they desire; if I can post RTFM, I can cite chapter and verse in the manual.

I like CIS and I like helping people with using it. It is so close to enterprise grade security it’ll take your breath away if you ever see enterprise grade security applications. The only thing missing is the granularity. In the security field nobody’ll even look at you without a master degree in InfoSec and 10 years in the IT field. With CIS you have 98% of that, just not the salary. >:(