Comodo's inbound protection is only BASIC (for Melih and Egemen, also)

Here is what I read on Wilders Security forums by Stem and MasterTB:
The whole thread is only 2 pages long:

Basically it says:
the Intrusion Detection on Comodo is very basic compared to ESS. If I read the help correctly, ESS checks the content of every packet sent or received from the internet, which assures that it is safe; Comodo does not, COMODO JUST CHECKS FOR INCONSISTENCIES ON THE PROTOCOLS AND STUFF LIKE THAT, BUT NOT THE ACTUAL PACKETS BEING TRANSMITTED.
On the other hand ESS won’t pass any leak tests because it does not have a HIPS like Comodo V3 will have or like, in some measure, Comodo V2.4 has. That being said, ESS’s approach is not to let you download or run anything that compromises your security, so that you don’t need a HIPS because everything on your machine is safe.

What do you think about that???

Checksum check (IMHO) should be done by any SPI firewall.
Malware can have a verified checksum. This in itself is not protection.
The firewall Engine in Eset checks the content of every packet not the packet checksum those are two different things.
http://www.winplanet.com/article/3847-.htm

And also personally I’d rather have ThreatFire than Comodo, since identifying malicious software by comprehensive analysis of all behaviors is a better solution than just watching for isolated actions. I personally think this is what Comodo should do, too.

Here is the entire review of ThreatFire 3:
http://www.pcmag.com/article2/0,2704,2191333,00.asp

For inbound protection, in my opinion every firewall should have the following:

Fully-featured SPI (Stateful Packet Inspection) implementation firewall for the network layer as well as the program, behavior and kernel level (if it doesn’t match specific rulesets it should be blocked)

Fully-featured DPI (Deep Packet Inspection) for all layers as well (network layer, program behavior and etc…)

Fully-featured HIPS specifically designed for the network layer

Fully-featured NIPS (Network Intrusion Prevention System) for the network layer + A-VSMART technology

Identifying malicious software by comprehensive analysis of all behaviors, deeply down into the core of any/every malicious software

Personally, I think that when it comes to inbound protection, compared to the newest versions of ZoneAlarm Pro, Outpost Firewall Pro, Jetico 2.0.1.2, InJoy Firewall and Kerio Winroute Firewall (this is not the Sunbelt version, it has nothing in common with Sunbelt Kerio Personal Firewall), Comodo is truly weak when it comes to inbound protection against hackers’ attacks.

Melih, Egemen, moderators and all other firewall experts, could you tell me what exactly COMODO uses for inbound protection besides A-VSMART technology, and what do you think about the thread above about inbound protection?

  1. Big thank you if you can explain to me how Comodo protects from hackers’ attacks and all other threats when it comes to strictly INBOUND protection, since I have a 100% clean PC and that’s why inbound protection is so extremely important to me!

  2. What do you think about SPI, DPI and all other proposals that I made in my list to have an excellent inbound protection against all forms of Internet threats?

Big thank you to everyone (especially, to firewall experts) who can answer me this as well as participate in this thread!!!

Thanks a lot!!!

re: intrusion detection and Checksum

It’s difficult to argue this way or the other without having some proof of weaknesses. It’s like saying my car is faster than yours… Unless you show me by racing that your car is faster, it will be difficult to know. Hence it would be great for people who are making these statements to give us PoC code to show us how our protection can be overcome. Then we can improve it. As everyone knows, we respond very quickly.

re: Identifying malicious software:
we can, according to our internal tests, identify around 60% of unknown malware and alert the user. How many % of the unknown malware do others identify as malware? Also, we are shortly going to be launching a service (TC) that will make it even easier for the end users. We believe in preventing, then giving as much information as possible to the user as to why we have prevented it. Behaviour analysis only prevents what it recognises, hence might let through some unknown malware because it doesn’t recognise its behaviour.

Again, we would love to see how we are “not protecting” our users by showing us a test code (PoC code etc). Do people who made these statements have any test code to bypass our protection? If so we would love to see it so that we can improve. If not, how can they make this statement?

thanks
Melih

Hi Ultrabot,

It would be too naive to claim that having a network based packet inspection can prevent malware from being downloaded and run.

Network Intrusion Detection and Prevention is conceptually similar to anti-virus scanning, in that packets are scanned for known signatures or patterns. It adds an additional layer of security but is far from being able to stop most of the known threats, never mind the unknown ones.

Malware can be transmitted over encrypted traffic, e.g., SSL, VPN or SSL-based Jabber (IM) protocols. And even over unencrypted traffic, malware detection is not 100% guaranteed. When you compress some files and transfer them, are those packet inspections going to build the whole archive, decompress it, and then scan? So they are very limited and can’t be assumed to be the main line of defense.

You can run every type of virus sample you can find from one of the virus bulletin sites and see that, unlike other HIPS products, CFP heuristics detect a high number of them before they are executed.

And after being executed, it can’t breathe without an authorization. But behavior analysis is an important concept too. CFP is going to have another feature that is going to make the users happier and hassle free. We are currently working on it and it should be available in future releases. It is more than a behavior analysis and will come with possibly a couple of patents…

I have told my opinions about deep packet inspection or intrusion detection above. For desktop users, it is just an additional security layer which cannot be considered the main line of defense. For server protection, it can help to protect against hackers and automated tools. No one considers this the main line of defense, even for server computers.

You have a 100% clean PC:

1 - Let’s assume you have an AV software. If AV signatures did not detect a threat, after some signature updates you will be able to detect the virus later, possibly after all the harm is done. Nonetheless, let’s assume this is acceptable. This would generally be the only way you would be infected.

2 - Let’s assume you don’t have an AV but an intrusion detection system which scans network packets against some signatures:

Let’s assume a known malware is going to be transferred:

  • If the malware is transferred over an encrypted channel, you are vulnerable
  • If the malware is transferred over an unencrypted channel, but with an uncommon protocol that your IDS does not know, you are vulnerable
  • If the malware is transferred over an unencrypted channel, but with an infected setup file, you are vulnerable, especially if the file is large.
  • If the malware comes from another source than the network, you are vulnerable

At the network layer, you are quite limited in terms of detection capabilities (you have a couple of packets and that’s all). Consider that AV programs having everything (emulation, unpacking, heuristics, etc.) still fail to detect malware. Never mind a fragment of malware inside a packet.

If your IDS does not know the malware, it cannot detect it, and even after the signature updates, unlike an AV, it can do nothing.

So an N-IDS is a nice additional layer of security. But it is not comparable to an H-IPS and cannot be trusted as the main line of defense. Would you trust a firewall only as your main line of defense?
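As an added illustration of the packet-level limitation Egemen describes above (this is not code from the thread or from any Comodo product), the constructed Python scanner below matches a placeholder signature per segment, after stream reassembly, and after decompression. The marker byte string, the sample transfer and the MSS values are all made up for the demonstration.

```python
import gzip
import re
from typing import List

# Constructed signature: the byte pattern a hypothetical N-IDS rule looks for.
# It is a placeholder marker, not a real malware signature.
SIGNATURE = re.compile(rb"EICAR-LIKE-TEST-MARKER")


def segment(data: bytes, mss: int) -> List[bytes]:
    """Split a transfer into MSS-sized TCP segment payloads (constructed traffic)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def scan_per_packet(payloads: List[bytes]) -> List[int]:
    """Match the signature against each segment on its own and return the
    indices that hit. This is the 'you have a couple of packets and that is
    all' view: a pattern split across a segment boundary is never seen."""
    return [i for i, p in enumerate(payloads) if SIGNATURE.search(p)]


def scan_reassembled(payloads: List[bytes]) -> bool:
    """Match after TCP stream reassembly: concatenate the segments in order."""
    return SIGNATURE.search(b"".join(payloads)) is not None


def scan_decompressed(payloads: List[bytes]) -> bool:
    """Reassemble, then gunzip before matching: the 'build the whole archive,
    decompress it, and then scan' step the post says inspection rarely does."""
    data = b"".join(payloads)
    try:
        data = gzip.decompress(data)
    except (OSError, EOFError):
        pass  # not a gzip stream; scan the raw bytes as they are
    return SIGNATURE.search(data) is not None


# Constructed sample transfer: 100 filler bytes, the marker, 100 more bytes.
PLAIN = b"A" * 100 + b"EICAR-LIKE-TEST-MARKER" + b"B" * 100
COMPRESSED = gzip.compress(PLAIN, mtime=0)


def demo() -> dict:
    """Run the three scanners over the same transfer under different conditions."""
    return {
        # MSS 64: the marker happens to sit inside segment 1, so per-packet works.
        "per_packet_mss64": scan_per_packet(segment(PLAIN, 64)),
        # MSS 110: the marker straddles segments 0 and 1; per-packet misses it.
        "per_packet_mss110": scan_per_packet(segment(PLAIN, 110)),
        "reassembled_mss110": scan_reassembled(segment(PLAIN, 110)),
        # Same file sent gzip-compressed: no raw-byte match without decompression.
        "compressed_raw": scan_reassembled(segment(COMPRESSED, 64)),
        "compressed_inflated": scan_decompressed(segment(COMPRESSED, 64)),
    }
```

Running `demo()` shows that the same transfer is caught or missed depending only on where segment boundaries fall and whether the inspector reassembles and decompresses, which is why a signature-based N-IDS cannot be the main line of defense.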

Hi, Melih and Egemen!
It’s nice to see you both.
I deeply respect both of you and all other Comodo creators. You care about security and usability for your customers and you answer questions every time you can. If CFP ever becomes shareware, it really doesn’t matter. I trust you more than any other company so far.

Too bad the 3 of us can’t meet. I would even buy you a drink, but since I live in the eastern part of the world it’s quite an unrealistic scenario.

Basically the description I gave was made by Stem, a firewall expert (Egemen, you were debating with him in the CFP Beta forum), but I wanted to hear your view of this.
I again thank you for being patient and for the answer.

Perhaps you want to join Wilders Security forums to discuss it with Stem; it’s your choice, but I believe you’re extremely busy, both you and Melih:

The thing is my PC is 100% clean, and that’s why inbound protection is so important to me.
Also, where can I download Comodo Memory Firewall?
Is Comodo Memory Firewall compatible with CFP 3.0?

I mean I thought it’s impossible to have 2 firewalls on the same computer.

Again thank you for your time and patience and I also want to ask you about the fake mouse clicks attack that wasn’t passed in the latest review by PC Magazine (however it got nearly perfect rating).

Here is what Neil Rubenking said and described why CFP 3.0 failed fake mouse clicks attack:
“My wacky attempt to turn off protection using simulated mouse clicks did succeed, but just barely. The little program I wrote can fake a click in any location, but I didn’t give it a way to move slider controls. Setting the firewall to Disabled using fake clicks required pixel-perfect accuracy—there’s no way a malicious program could automate the process. CFP is fully armor-plated against attacks by the bad guys.”

If you don’t mind, could you explain how in the world he disabled CFP 3.0?

But how did Comodo 2.4 pass the fake mouse clicks attack when CFP 3.0 doesn’t?

Again thank you.

Few more things:

  1. Could I ask you for a favor?
    For example, how do you both configure the protection of your CFP 3.0 at home?
    Could you give me any guide?
    But so far, I’ve been configuring the easier parts of Comodo and everything went smoothly, although I’m kind of paranoid and that’s why I frequently use Paranoid mode despite my PC being 100% clean.

This comes from my previous experiences when my hard disk was almost crashed by the quantity of malware I’ve received. Most likely I had over 800 real malware samples and tested some of the anti-spyware and anti-virus products.

  2. I again have to apologize for the following question; here is why. Basically I asked a guy named Nicola to test Comodo’s HIPS in the same way he did with Online Armor and especially Dynamic Security Agent in about 80 tests.
    The main problem is that I sent Nicola several posts to ask him to test Comodo’s HIPS in all of these 80 tests of all kinds of malware, but even though I sent it to him, and most likely a poster named Burito also sent it, I didn’t see any review of Comodo’s HIPS. I apologize if I insist too much on this, but this guy is dealing with the closest you can get to today’s modern malware techniques to bypass and terminate HIPS; this is why I consider it so important.
    Here is the website:
    http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

Here is the entire review of Dynamic Security Agent:
http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm

Is there any other way how to ask Nicola to test Comodo’s HIPS?

Big thank you for your time and patience. I only hope I wasn’t too intrusive.

Few more questions: For how long will Comodo support Windows XP systems, since Windows 2000 systems support only CFP 2.4?
Will CFP 3.0 eventually support even Windows 2000 and Windows 2003 systems?
Thanks.

I think that in terms of inbound protection Comodo is no better or worse than most firewalls (CPF’s fame is built on leak testing), while ESS does indeed have an edge on paper.

My views on NIDS and DPI are close to those of Egemen: it’s nice to have but not so critical.

I would rather have behavior-blocking-like functions - this new TC…

Hi, Luketan!
I was hoping that you will answer.

  1. But how do you know a firewall is better than the other when it comes to the level of inbound protection?

  2. Let’s take ZoneAlarm Pro and Agnitum Outpost Firewall Pro (ZoneAlarm Pro still has a small advantage)

  3. I consider these 2 firewalls the best/most powerful when it comes to inbound protection.
    What do you think about them?

Also, could you explain why you consider ESS to be more powerful than the current CFP when it comes to inbound protection?

Also, in the reviews of PC Magazine the inbound protection of ZoneAlarm Internet Security Suite and Kaspersky versions 7.0 were tested against the installation of 20 samples of known malware and 20 samples of unknown malware, too.
They basically prevented the installation of almost every known and unknown malware sample; how is this possible?

Cheers and thanks!

Hi, Melih!
I’m fully aware of your approach, but how does CFP 3.0 protect against UNKNOWN malware (installation, execution and etc…)?

Basically, it was Stem, a firewall expert, who said that SPI and DPI should be integrated into any firewall, not me. But I wanted to hear your and Egemen’s opinion and I respect that you have answered me.
I’d also like to ask you something:
We all know PC Magazine rated CFP 3.0 as Editors’ Choice, but my question is:
Will Comodo’s techies in a future version empower CFP’s self-protection by at least resisting the fake mouse clicks attack? What do you think about it?
And I would also like to know whether you will make CFP 3.0 compatible with Windows 2000 and 2003 systems?

Thanks for everything.

CFP protects by not allowing any unknown application to run, so it works by only allowing trusted applications. Any new malware will not be in our safelist, hence it won’t be allowed to run.

Fake mouse click attack: we will evaluate the risk to end users and if we think it’s a real and practical threat then we will protect against it.

v3 will not be win2k compatible.
thanks
Melih

Hi, Egemen!
Someone saw my post here and posted link in Wilders Security forums:

Here it is what Stem responded:
“A checksum of a packet could be seen as a checksum of a downloaded application. So, you download an application, download the checksum to verify, the result of this check, if it is correct or not will not tell you if that application is good or bad, only a fact if it is corrupted or not.”

Here is the entire thread:

basic, advanced or super duper,
the question is:
Which malware we don’t protect from?

If we can be shown from which practical attack we don’t protect, we will be more than happy to improve our firewall to cover that angle immediately.

thanks
Melih

I understand, thanks. However, I’d like to ask you what are future projects regarding Comodo Firewall besides identifying 60% of unknown malware?

TC is a big one
plus a few other innovations we are patenting… that will make CFP even less noisy… :)

Melih

and when TC, CAVS 3, and all the other projects are out… It’s going to be extremely powerful.

Especially when CAVS 3, Comodo Memory Guardian, Comodo BOCean and TC are all integrated into CFP… It will be very very very VERY good… I am looking forward to it.

Once again… Melih, Egemen, Comodo Staff… Keep up the superb work!

Josh.

What would be the point of securing a machine while paying a relevant performance hit?

Everyone has the right to choose how relevant a performance hit is to him.

I never enabled Packet checksum verification before. I only did when I had a NIC that handled such a feature in hardware.
Although I guess that an optional Deep SPI could become useful a few times, I prefer an approach that provides a good outcome using the least resources.

IMO security always involves a tradeoff with a certain number of resources (knowledge, costs, user friendliness and so on)