/!\ firewall does NOT check CRC/MD5 signatures of trusted applications /!\

ok problem is simple :

when a program asks for internet access for the 1st time, if I trust it I can select “allow” and “remember my answer” so that the firewall won’t pop up again the next time it tries to connect

here’s the prob : if I slightly change the exe (so that its cryptographic signature is modified), the modified app can still access the net!
shouldn’t there be an alert saying the [trusted] app was modified?

PS. I have Firewall set to “Safe” and Defense+ set to “Paranoid”

Hi Urizen,

That’s a long time discussion on the board, devs state that they don’t need it because they monitor “who” changes it… If you come from Kerio you will miss this alert yes, and I prefer to get notified also if a hash of an application changes but it’s not there, and based on the devs’ responses it won’t be built in either…

You have to do some searching to find it somewhere on the forums…

CIS only checks the hashes when comparing a file to its white list. But if a malicious program tries to change another file (e.g. that .exe file that is connecting to the internet) then you will get a D+ alert about it. The reason you are not getting an alert when YOU change the file is because CIS is designed to allow YOU (the user) to modify files without triggering D+ alerts but other programs themselves would generate an alert when trying to modify other files.

so what is this white list - is it the list of apps that the user sets to permanently “allow” or is it something else, and can it be modified by the user?

PS. actually I do miss comodo v2.4 (which btw seemed far lighter on resources btw and I didn’t even install the antivirus in the present version), it was good at intercepting unwanted outbound connection attempts (I didn’t need a behaviour monitor because this is reserved for a separate antivirus app or something like ThreatFire, so as not to put all eggs in 1 basket if u get my drift)
the only reason I switched to newer version was because the v2 was no match for recent threats that are capable of terminating the firewall services

The white list is run by COMODO and the user cannot edit it.

"Application Recognition Database (Extensive and proprietary application safe list)

The Firewall includes an extensive white-list of safe executables called the ‘Comodo Safe-List Database’. This database checks the integrity of every executable and the Firewall will alert you of potentially damaging applications before they are installed. This level of protection is new because traditionally firewalls only detect harmful applications from a blacklist of known malware - often-missing new forms of malware as might be launched in day zero attacks.

The Firewall is continually updated and currently over 1,000,000 applications are in Comodo Safe list, representing virtually one of the largest safe lists within the security industry."

ok so I tried enabling Image Execution Protection (figured maybe the “image” part is about memorizing the hash of safe apps) but that didn’t work either

however I did notice that Image Execution Protection keeps giving alerts about apps that are already listed as safe - eg. “explorer.exe is trying to launch winamp.exe”, “explorer.exe is trying to launch winword.exe”, etc (explorer is safe & isn’t being modified in memory, so the fw should warn about the 2nd app only, not the 1st)

couple this with the fact that it does not even check the hash of explorer.exe (or other safe apps), and that makes the feature completely useless, so I disabled it again :confused:

at least that could be useful info for other users : Image Execution Protection can be safely disabled without sacrificing on security, this should save some CPU resources (useful for my rig which ain’t exactly the most recent)

From the helpfile:

Image Execution Control is an integral part of the Defense+ engine. If your Defense+ Security Level is set to 'Train with Safe Mode' or 'Clean PC Mode', then it is responsible for authenticating every executable image that is loaded into the memory.

Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is ‘unrecognized’ and you will receive an alert.

So I would object to the fact that you can safely disable this feature, especially if you are in Training mode or Clean PC Mode…

As it’s only active by default on the extended security profile “ProActive” a normal install will have it disabled by default.
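The two checks this thread keeps contrasting, as an added example that is not part of any post and not Comodo's code: the help file's hash lookup against a safe list, and the re-check of a remembered "allow" rule that the opening post asks for. The function names, the choice of SHA-256 and the sample `player.exe` are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash the bytes that are on disk right now."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def remember_allow(rules, path):
    """'Allow' + 'remember my answer': pin the hash together with the path."""
    rules[os.path.abspath(path)] = sha256_file(path)


def check_path_only(rules, path):
    """Behaviour reported in the thread: the remembered path alone decides."""
    return "allow" if os.path.abspath(path) in rules else "ask"


def check_pinned(rules, safelist, path):
    """Re-hash on every request and compare with the pinned value."""
    key, digest = os.path.abspath(path), sha256_file(path)
    if rules.get(key) == digest:
        return "allow"
    if key in rules:
        return "alert-modified"    # remembered path, different bytes
    if digest in safelist:
        return "allow-safelisted"  # hash lookup, as the help file describes
    return "ask"                   # unrecognized executable


def demo():
    """Constructed sample: a fake player.exe patched after being trusted."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "player.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"original build")
        rules, safelist = {}, {sha256_file(exe)}
        listed = check_pinned(rules, safelist, exe)   # known hash, no rule yet
        remember_allow(rules, exe)
        trusted = check_pinned(rules, safelist, exe)
        with open(exe, "ab") as f:                    # one byte changes the hash
            f.write(b"\x01")
        return listed, trusted, check_path_only(rules, exe), check_pinned(rules, safelist, exe)


if __name__ == "__main__":
    print(demo())
```

After the file is patched, the path-only rule still answers "allow" while the pinned rule raises the modification alert.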

that’s strange…help file says it checks the hashes, yet it does not

I altered the hash of explorer.exe which is listed as safe, and it didn’t react (Image Execution Protection was set to “aggressive”, firewall set to “safe” & defense+ to “paranoid”)

that’s why I disabled it (it’s only a nuisance since it keeps alerting about safe apps :frowning: )

Image Execution has nothing to do with HASH checking, just to let you know.

yeah I figured this out soon enough (hope they correct this in the help file) and that’s why I disabled it - it’s more of an inconvenience & doesn’t really add to security (not against trojans anyway - fw blocks all leaktests with or without it)

It does add extra security. It makes sure that all exe’s are caught before execution.

yeah I know, but question is why does it act the way it does

for instance when I launch winamp : now as someone said above, IEP isn’t supposed to block apps launched by the users themselves (otherwise there’d be popups all the time)

now in this case the user doesn’t launch winamp directly, it is explorer.exe that launches it - ok fine, but explorer.exe is in the safe list, so IEP still shouldn’t intervene - yet it does ???

so basically IEP steps in when a safe app launches an unknown app chosen by the user. not good

Why? Execution is not a malicious action. If you do want that option though - Just turn image execution on like I have.

Old thread I know.

Just want to let you all know of a test I did. Run Firewall only, in Safe Mode. With updates disabled well before Firefox 5 came, I installed Firefox 5 (or let it update itself from within FF4). There was no Comodo pop-up. So apparently Comodo is content with the new Firefox having the same path as the old one. For sure didn’t check MD5 signature/hash.

(Reason for disabling updates: Had to do this since it annoyingly makes media players fall out of full screen, see other threads.)

Update: In the folder C:\Program\COMODO\COMODO Internet Security\database some files, like white.n and white.h, have been updated after I disabled updates. So it seems white list is kept fresh still then. For me, that’s good. I use only the firewall part of CIS, and after its rule set has been set, it really doesn’t need updates, or it is ok to wait years between them. However, even though white.h and white.n have been updated by Comodo after I disabled automatic updates, it did not have the latest info, as I could see when I later asked Comodo to do an update manually…

(I posted this update at the end of this thread but it is not visible here, only if I start editing the thread…!)

You can take a read through this thread if you wish, not that there’s a definitive answer…

FF v5 is a digitally signed executable signed by Mozilla Corporation which is on the Trusted Software Vendors list. When it gets executed CIS won’t give a squeak indeed; it is a safe application. It determines if a file is safe using a SHA hash code look up.

I’m assuming that Comodo does not update its white list when I disabled automatic updating. That’s why I tested like I did. Updates were disabled before FF5 was available.

Possibly this setting controls only program updates, and it might still update the white list. That isn’t clear in the help files.

Probably needs some more testing to be sure how it works. Unless someone here knows the answer. :slight_smile:

Edit: I noted that some files in folder C:\Program\COMODO\COMODO Internet Security\database are updated even with this setting disabled. Including files called white.h and white.n. Awfully small files to hold every white listed program (4+32kB). But otherwise a strong indication that the white list is updated even now.

That’s excellent then. I use Comodo as a “plain” firewall in Safe Mode, and as such, updates aren’t really necessary for security reasons (not at all like for an antivirus or if you use the entire CIS functionality), as long as it’s stable and no one changes the way the internet works. I can’t allow automatic updates since it makes media players jump out of full screen mode which is very annoying on an HTPC…

In the folder C:\Program\COMODO\COMODO Internet Security\database some files, like white.n and white.h, have been updated after I disabled updates. So it seems white list is kept fresh still then. For me, that’s good. I use only the firewall part of CIS, and after its rule set has been set, it really doesn’t need updates, or it is ok to wait years between them.