Defense+ file integrity detection

I was having really high hopes to replace the Tiny Firewall Pro I am using with Comodo (because of switching to Vista), but I guess Comodo is not there yet.

What is a HIPS for if it does not do an INTEGRITY check of the executables against the original that the policy was applied to? You put some policy on an executable and then modify this executable, and Comodo still thinks it's the old executable and applies the same policy without even a warning… and that's how most of the malware comes to your PC… via some trusted system component that got hacked.

I really don't get why you guys don't have that yet, and it seems like some of you don't think it's necessary…
All the serious HIPS have integrity checks…


Well, that's odd, because I can prove you wrong. I just downloaded the GRC leak test and ran it, and it passed. Then I deleted the entries of the leak test in the firewall and D+. Then I renamed the leak test like GRC says to. I renamed it Firefox.exe, which is an already trusted program, and guess what: D+ gave me an alert. Works fine for me.

Here is what I did:
Put a notepad.exe in some folder. Run it. Allow all the activity (it's Notepad…). Downloaded one of the leak tests (the one which changes the desktop: breakout2.exe). Replaced the notepad.exe in that folder with it… it ran using the Notepad security settings (meaning it changed my desktop etc…).

Now, maybe in your case firefox.exe is in “My Protected Files”?

I tried putting that notepad.exe in “My Safe Files”, but there is still no integrity check for them either… what a joke again.

Don't get me wrong, I like Comodo (at least the interface), but this version without an integrity check is unacceptable.

I really, really would suggest the developers take a look at Tiny Firewall Pro 6.5.xxxx. I think that's the best firewall/HIPS. I really, really regret that CA bought them and shelved Tiny - it seems like that, because their firewall is completely different.

I would be interested in which files/group you put your Firefox in. But anyway, the fact is there is no integrity check. You may protect your files with some non-modification policy, but I can do that with NTFS too… Why do I need the Comodo HIPS then?

I do not use protected files. Everything is at default values from install, except I use D+ in Safe Mode. Which option are you using D+ in, I might ask? Do you know what all the different levels of D+ mean?

Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any applications - even those applications on the Comodo safe list - and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create ‘Allow’ rules for any executables - although you still have the option to treat an application as ‘Trusted’ at the Defense+ alert. Choosing this option will generate the most Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.

Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules for these activities. For non-certified, unknown applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing ‘Treat this application as a Trusted Application’ at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats, as in ‘Clean PC Mode’, then ‘Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ will learn the activities of the applications currently installed on the computer, while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled.

Installation Mode: Installer applications and updaters may need to execute other processes in order to run effectively. These are called ‘Child Processes’. In ‘Paranoid’, ‘Safe’ and ‘Clean PC’ modes, Defense+ would raise an alert every time these child processes attempted to execute, because they have no access rights. Whilst in one of these 3 modes, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage ‘Installation Mode’ - which will temporarily bestow these child processes with the same access rights as the parent process - so allowing the installation to proceed without the usual alerts.

Tiny Firewall isn’t even listed in Matousec. Not even at the bottom, so how good can it be?

  1. Tiny is not listed because CA bought them like 1-2 years ago.
  2. I use even Paranoid Mode. Same result. Just do what I did and you will see.

If you search the forums here, there are more posts/complaints/feedback about this missing feature. It's not just me, and I am not trying to bash Comodo… I want them to implement this so I can use it.
Some of the Comodo developers/moderators are trying to explain that I don’t need this (haha, joke) because Comodo does some more file protection or whatever their explanation is. It's a joke explanation, because the user doesn’t always know what happens on the system. For example, you run an install of a product and you don’t know what it modifies - what if it's malware and modifies a setting for which you have rules? Here the integrity check will help - next time you try to run a modified program, you will get a notification.

Well, it seems to me like you're bashing. BTW, I never download and install anything I do not know. I also scan everything before opening it. If I doubt the program I am installing, then I sandbox it.

I ran the SSS utility to test your theory. I treated it as a Trusted application, so everything it does will be allowed. I then renamed the SSS utility to ZZZ, tried to create a registry entry with ZZZ, and D+ popped up.

Vettetech:

  1. Again, if you consider constructive critique bashing, this is your problem.
  2. If you do all these things (sandbox, etc…), then why do you need a HIPS at all? And the usual user doesn’t bother with these things…

Kyle:
Do what I did and let's see… What is the dialog box that popped up? I am testing Comodo 3.0.25.378 x64 on Vista. Maybe there is a bug with it; I would be happy if that's the case. Maybe I am not doing something right. I would be even happier if that's the case.

At this point, you are skipping something:

You manually replacing a file and a virus replacing/infecting a file are 2 different things, and the D+ default policy is aware of this fact. So unless you don't use explorer.exe, D+ will NOT allow any file replacements without authorization. What makes you think that a virus can infect a file without being caught by D+?

To better understand please search this forum first. I have explained this before.

D+ is a sophisticated piece of security software, and you changing something manually will be known by D+ as a non-malicious act; because of its intelligence, manual modifications like what you did will be allowed without disturbing you. Try to do that in a way that malware would and see how D+ will pounce on it! Please give us “some” credit! We have innovated new ways of checking for integrity which are more efficient and don’t disturb the user as often!

Very true, egemen. A virus has to run first, and when it tries to run, D+ will catch it. You are manually doing this, which a virus cannot do invisibly. I sandbox my browser when needed, not my whole PC. If you use Sandboxie, you still need a HIPS, an AV and a firewall.

You are right. Even if you run a sandbox, you will still need to run security apps, as some malware can jump out of a sandbox right into your OS.

Melih

Listen, gpnx. Anyone who makes a thread and calls it “D+ what a joke” is clearly bashing. Why didn’t you go into the Comodo help area and ask why D+ fails this? That would have been a better thing to do.

Feel free to move this thread to whatever is the appropriate forum. I didn't consider “what a joke” bashing… but if it sounded like this, I am sorry. As you see from my message context, I am not bashing, just trying to help improve it.

Why are you still bringing up this “I allowed it”… In this case, yes, I did modify it… but even if I did, a normal HIPS will catch that a file was modified, thus its integrity was compromised.

Let's see this scenario:
Some system component got hacked (there are incidents with this all the time - just check the MS security bulletins). Sooo, a hacker gains access and changes stuff… HERE is where a HIPS should help - notifying me that a previously trusted exe/file got modified.

Let's see this scenario:
I run an install program, I put it as “treat as installer bla bla”, it has all rights etc… so it modifies stuff that I don’t know about. THERE I NEED a HIPS to tell me what/if something gets modified that should not. And it's plain logic to not treat an app which has changed the same…
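The notepad.exe swap described earlier in the thread and the two scenarios just above come down to one question: is a stored policy bound to the file's path or to the file's content? The following added Python sketch (not Comodo code and not any real HIPS) models both lookups on constructed sample bytes; the class names, the rule store and the folder path are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the bytes on disk; a real HIPS would hash the actual files.
NOTEPAD_ORIGINAL = b"MZ notepad.exe (constructed sample, not a real binary)"
BREAKOUT2_LEAKTEST = b"MZ breakout2.exe (constructed sample, not a real binary)"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Rule:
    policy: str  # e.g. "allow-all" or "ask"
    digest: str  # SHA-256 of the executable when the rule was created

class PathBoundHips:
    """Policy looked up by path only: whatever now sits at that path inherits it."""
    def __init__(self) -> None:
        self.rules: dict = {}

    def trust(self, path: str, data: bytes, policy: str) -> None:
        self.rules[path] = Rule(policy, sha256(data))

    def decide(self, path: str, data: bytes) -> str:
        rule = self.rules.get(path)
        return rule.policy if rule else "ask"

class IntegrityBoundHips(PathBoundHips):
    """Same rules, but the stored digest must match the bytes about to execute."""
    def decide(self, path: str, data: bytes) -> str:
        rule = self.rules.get(path)
        if rule is None:
            return "ask"
        if rule.digest != sha256(data):
            # The policy was granted to different bytes: revoke it and alert.
            del self.rules[path]
            return "alert: modified since trusted"
        return rule.policy

def run_experiment(hips_cls) -> tuple:
    """Replay the thread's test: trust notepad.exe, then swap in the leaktest at the same path."""
    hips = hips_cls()
    path = r"C:\test\notepad.exe"  # hypothetical folder standing in for "some folder"
    hips.trust(path, NOTEPAD_ORIGINAL, "allow-all")
    before_swap = hips.decide(path, NOTEPAD_ORIGINAL)
    after_swap = hips.decide(path, BREAKOUT2_LEAKTEST)  # same path, different bytes
    return before_swap, after_swap
```

With the path-bound store the swapped-in leaktest inherits "allow-all", which is the behaviour the thread reports; with the digest check it is refused the old policy and the rule is revoked, so the next run falls back to asking.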

A hacker just can't gain access to your PC that easily. This is also why hardware firewalls are a must. My 2Wire Gateway DSL modem has a built-in hardware firewall which keeps me plenty safe. There is a big difference between what a hacker can do and what malware can do. When you treat something as an installer, all that means is that the exe installer package you just double-clicked on is being allowed to run. After you're done installing and want to use that program you just installed, D+ will give you alerts. And like I said, why are you installing something you do not trust? Common sense about what you're installing and knowing what you're installing is the best and first line of defense.

OK, you have a sandbox, you have a hardware firewall, etc… GOOD FOR YOU. But guess what??? When I am on the road with my laptop using a wireless connection, I don't have that. I have to rely on my software firewall. Please stop with your sandbox, hardware etc…

I really don’t get something. You have a feature you call “HIPS”… and it does not work as a HIPS is intended, and instead of taking note and implementing what I and other people suggested, you keep bringing up this: don’t trust, be careful etc… Well, that's why I installed Comodo - because I don’t trust, and I expect something that is supposed to do “HIPS” to do it right. Now, if you don’t want to implement this, then it's OK, but don’t call your product a “HIPS”… because it does not really protect.

If most of the competitors' products - Agnitum, ProSecurity etc. - do that (and they work pretty much the same way Comodo does), then maybe this feature is good.

Again, I am not bashing, I like Comodo, and if it provides me this it will be my favorite firewall.

If you think about it a little more, from the common Joe's perspective, you will see that the integrity check is a really, really good thing. The usual person installs and uninstalls often, does not like to tweak stuff too much, and takes action (clicking allow/block etc.) most of the time only when he sees a red message saying his IEXPLORER, NOTEPAD etc. got modified when he didn't expect it (e.g. after installing something, installing some ActiveX control from a “bad” site, etc…).


As far as a normal HIPS catching it, egemen did say that Comodo created new and innovative ways to not bother the user and allow Defense+ to do its job of protecting you. Perhaps this is one of those. Just asking you to consider the idea is all. As far as hackers getting into your system, while I have never been hacked (to my knowledge, and would rather not be), I’m inclined to think that other aspects of the Defense+ and firewall combo would prevent the hacker from getting in in the first place, should you have the proper rules, permissions, etc. set.

Perhaps, in your case, modifying an executable from what really is an outside source acting inside your computer (hello, hacker) would set off a Defense+ alert, while you modifying an executable already on your system from within the system will not set it off.

Did you happen to try the suggestion of modifying an executable like malware actually would? I’m curious to see what would have happened.

Let's see this scenario: I run an install program, I put it as "treat as installer bla bla", it has all rights etc... so it modifies stuff that I don't know about. THERE I NEED a HIPS to tell me what/if something gets modified that should not. And it's plain logic to not treat an app which has changed the same...

Here you confuse me. If you tell Defense+ that it is safe to install, then Defense+ will let it install. If you want to be alerted to every single registry key that is changed and file that is created, then don’t tell Defense+ it is safe to install, and it will create a pop-up every time something like that happens. That’s if you care. How is any HIPS or Defense+ equivalent going to tell you what is modified that shouldn’t be? Those instructions are coded into the executable itself, and without Defense+, for lack of a better word, having a copy of the original, that’s impossible. It should tell you what is modified, and it does. Unless you tell it not to. If you’re downloading something that you don’t trust, you have no business on the internet, in my opinion. As far as telling you what has changed in the program after install, it will do that too.

I’d really like to understand this issue some more, I appreciate you going through this with us. But please, do take our suggestions as well.

Dave

I believe that one of the firewall developers just about told you straight that Comodo already had this “integrity check” implemented, just not in the way you (and maybe some others) would like. Personally, I’m inclined to believe the person that builds the product.

Dave