Firewall/Defense+ more secure than Win7 tools?

Hi, I have used and recommended the Comodo Firewall for many years now. Since I am switching from XP to Win7, I wonder if the built-in tools of Win7 can be as secure as the Comodo firewall and Defense+.

While Comodo is much easier to use, especially the firewall options, it seems to me that the User Account Control set to maximum and the new internal Windows firewall set to block all in all three domains (with individual exception rules for applications known by the user) offers the same level of protection from key loggers and backdoor connections.

If someone has a link to a study/test that proves the opposite, I would be very thankful.

My hope is that Microsoft finally offers an OS with tools to fully control all network connections, although they might not be easy to use. Please note that I am only talking about network control and not viruses/trojans/malware, since I am sure that third-party software is still needed to keep those from Win7.

PS: I know it is kind of awkward to ask in this forum, since you will obviously want to promote your product, but I think that the strength of Comodo is the ease of use and better performance compared to other third party firewalls, so it is still a highly recommendable product. I am just interested in the current security development of Win7. :slight_smile:
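
The setup described in the post above (UAC at maximum, Windows firewall blocking by default in all three profiles) can be checked from a PowerShell prompt. This is an added example, not part of the original thread; it assumes Windows 7 with PowerShell 2.0 and English-language `netsh` output, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the configuration described in the post above.
# Assumes Windows 7 with PowerShell 2.0 and English-language netsh output.

function Get-FirewallPolicy {
    # Map each profile (Domain/Private/Public) to its "Firewall Policy" value,
    # e.g. "BlockInbound,AllowOutbound" (the Windows 7 default).
    $policy  = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles firewallpolicy)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^Firewall Policy\s+(\S+)') {
            $policy[$current] = $Matches[1]
        }
    }
    return $policy
}

function Test-UacAlwaysNotify {
    # The top position of the UAC slider ("Always notify") corresponds to
    # EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    return ($p.EnableLUA -eq 1) -and
           ($p.ConsentPromptBehaviorAdmin -eq 2) -and
           ($p.PromptOnSecureDesktop -eq 1)
}

$fw = Get-FirewallPolicy
foreach ($name in 'Domain', 'Private', 'Public') {
    # Default-deny in both directions is what "block all" means here;
    # allowed programs then need explicit rules.
    $ok = ($fw[$name] -match 'BlockInbound') -and ($fw[$name] -match 'BlockOutbound')
    '{0,-8} {1,-32} {2}' -f $name, $fw[$name], $(if ($ok) { 'OK' } else { 'NOT default-deny' })
}
'UAC at "Always notify": {0}' -f (Test-UacAlwaysNotify)

# To review the per-application exceptions:
#   netsh advfirewall firewall show rule name=all dir=out
# To switch all profiles to default-deny (elevated prompt):
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
```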

It’s a tricky question. Now that Windows uses a limited user account model by default, you would expect it to be as secure as Linux (in practice; Windows is actually more secure than Linux in theory, but let’s not get to that). Sure, you can run Windows without extra security software, and you would be fine, but people make mistakes. Maybe you’ll run an infected executable with full privileges by accident, or have unknowingly installed software which phones home without your permission. CIS (and other software) is there as a safeguard against those kinds of mistakes.

In theory, practice and theory are the same thing. In practice, however …

interesting…

many official tests have shown that Windows Vista/7 are not really more secure than Windows XP …

the biggest problem of Windows is the weak structure of all components; Windows is a very old system and Microsoft has long recognized that Windows has no future…

in 1-1,5 years comes Windows 8, and after that the Windows system will no longer continue… and must give way to Midori, the completely new Microsoft operating system

for me, at the moment nothing can beat a Linux system :slight_smile: and with SELinux, Linux is unbeatable ;D

I don’t like Linux. (:AGY)

I don’t care about Linux.

Windows with Comodo Internet Security is the best choice for those who want usability (where Linux is weak) with security.

(off topic) Both ends of the Windows-Linux spectrum are bad. On one side you have the “Windows is the best Linux is unusable TOC is high open source sucks” people, and on the other end are the “Windows sucks OMG Linux is free and secure fundamentally totally yeah” people. Both kinds of people need to do some more thinking. Do some kernel-mode programming in Windows to see how advanced the design is; try to modify Linux and see how valuable having source code is. Both platforms have benefits and drawbacks.

Anyway, back to the original topic. CIS really isn’t needed if your system is always up to date and you take security precautions. If you’re talking about a firewall though, I’d go with CIS simply because the UI is so much better than Windows’.

@Linux discussion
I need a Win OS on one partition, since I have to use Win-only software for parts of my work, so my question is only about the networking security of Win7.

@wj32
Your argument about granting access to a “known” application, e.g. filezilla.exe, is a good point, since one might have downloaded it from a corrupted source. So a signature checker is not included in the Win7 tools (AFAIK), but my guess is that the antivirus software would take care of it.

My question is whether an application blocked by the Win7 firewall can still get network access by using some tricks to bypass it, for example as described here for the RC: Windows 7 RC UAC security vulnerability: Auto elevation – 4sysops
In this case, it is the standard setting of UAC, so it might be fixed by using the maximum setting. You guys might have found other issues while improving CIS, e.g. found hooks that Win7 is blind to.

Does “Windows 7” alone have the capacity to avoid “leaks”? ???

If you run as an ordinary user (not admin), use a software restriction policy, use the Windows firewall, keep all your software up to date and turn on DEP, you will be almost immune to malware. The same is true in XP.

Unfortunately, home versions do not have software restriction policy. Microsoft does not appear to think home users need/want to be secure. There is now a way to do it: PGS - Pretty Good Security | Wilders Security Forums

A bit of common sense will also help.

not off topic… look at my smileys :slight_smile: they say I have written this post with fun :wink: that was not exaggerated seriously

it's correct what you say… Windows/Linux both have good and bad aspects (the bad sides of Linux are dramatically fewer with every new release)

but when you see the very high speed of development in Linux with every new version, that is superior :slight_smile:

and Windows? Microsoft needs months/years to fix anything, this is lame and has a touch of incapacity

btw many features of Windows 7 have been integrated in better shape for years in Linux…

sry but UAC is the weakly implemented feature in Windows which is copied from Linux sudo

sry this is not correct, much malware is on a high technical level and can bypass Windows security to get admin rights

Can we please stick to the OP's wishes and discuss the advantages of having CIS on your Windows 7 operating system.
If you wish to discuss Linux v Windows v MacOS v xxxxx please open a topic in General Board.

In my opinion the ease of use and controllability of outgoing connections afforded by CIS easily makes up for the amount of memory it uses.
That and Defense+ for knowing what's doing what!

Thanks all,
Matt

yes we can! :wink:

Linux security is a joke. Do you really think having a limited/full user distinction is a better idea than a privilege/access-based system which Windows was designed for? Linux will fail spectacularly when more people begin to use it and are prone to social engineering attacks. Linux doesn’t have a global object manager with ACLs like Windows has. Linux doesn’t even have filesystem ACLs by default. When MS changes Windows to utilise its privilege system even more, you won’t be seeing many viruses at all.

And speaking of jokes, software restriction policies are also a joke. They are implemented in user-mode by CreateProcess, and can easily be bypassed by some code patching or simply starting processes using the Native API.

I see you have never seen/used a Linux system, plz look for better information

fact is:
Linux security is the strongest of all operating systems…
Linux has a limited/root user & privilege/access-based system :slight_smile:
Linux has ACLs in the filesystem (ext3/ext4)

??? Linux is not Windows… all the Windows-based system calls don't exist in Linux… Linux has a completely different structure of system calls, kernel/user rights and access controls

btw SELinux (SELinux = CIS HIPS³ in Linux) is a Linux kernel feature to make Linux harder and stronger… against attacks/weak access controls

test: Ubuntu 9.10 / Fedora 12 or openSUSE 11.2 to see what I mean

Let’s not go too off-topic.

??? Linux is not Windows… all the Windows-based system calls don't exist in Linux… Linux has a completely different structure of system calls, kernel/user rights and access controls

I wasn’t talking about Linux, I was talking about Windows. Unlike you, I can find problems with both Windows and Linux, not just the platform I dislike.

SRP is a simple windows tweak. It takes up no resources and doesn’t need updating. It’s also a very powerful anti-executable and I’ve yet to see it bypassed by real-world malware. I know there are POCs available out there (created by Didier Stevens I think) that can bypass SRP, but it requires an untrusted/unknown file to be run on the REAL system - something that shouldn’t be done if you want to be “100%” - you should always run these files virtualised with Sandboxie or in a sandboxed VM.

Regardless, LUA + SRP + DEP (or equivalent) is ample security for most people, and will protect you from 99.99999% of real-world malware.

@wj32
stop talking nonsense…

you have no idea about Linux, but post only bull**** about Linux oO that is !ot!

only in Windows are the policies a joke, not in Linux

oO? I can find problems too, wannabe expert… talk nonsense to others like you

What’s that meant to mean? Are you saying software restriction policies are secure simply because you won’t test them? That’s like saying having a ■■■■ password is secure just because you won’t “let” any untrusted/unknown people have your email address. The truth is it is very easy to bypass SRPs simply by using RtlCreateUserProcess or any non-CreateProcess-based method of starting processes. Dismissing that as just a POC is just ridiculous. Have you got any proof that this technique can’t be used easily by malware?

Sure, you can try to make sure you don’t run the wrong executables, but people make mistakes, and SRPs won’t protect you.

But can you explain how you are using SRPs against malware? Are you restricting the places from which programs you (the user) start?

If you control what can be run with LUA and SRP, how can the program using RtlCreateUserProcess run to start the malware?

Who/what are you controlling in the first place? Are you preventing user mistakes or preventing programs from starting other programs? Keep in mind that starting programs isn’t the only way to execute code - SRPs won’t protect you against flaws in network services, and neither will LUA.