Firewall instead of Avast 6

Hello.

I have been using Avast (Pro) for years, since 2004. I have been thinking of changing to Comodo Firewall, and I want to know what you think. I used Comodo 4 years ago, but having a firewall together with an AV was too much and I didn’t really need it.

I have never been infected in the last 3 or 4 years, and I am only using Avast to:
1. Block malware on web pages; I use Opera (blocking malicious scripts etc.).
2. Run insecure and suspicious files in the sandbox (good sandboxing from malware).

Updated questions: [b]1.[/b] How well does it block malicious stuff on the websites, if it does so? [b]2.[/b] Is the sandbox totally 100% safe to run malicious apps in? [b]3.[/b] How good is the self-defense of comodo?

I’d like to know if it’s any good to change to a firewall instead, because I only work with safe files and have taken all the security precautions the system (W7U-64) can allow. What I basically need is to block malware on web pages and a good sandbox where I can run everything suspicious. I do not need any AV protection.

What do you think? In case I change, will I get a good level of protection in the areas I need?
Thanks.

PS: I have recently been trying CIS on a VM, and noticed that there is no “Launch in sandbox” button if you right-click on a shortcut. Any way to fix it?

Hi and welcome. I can’t comment about Avast pro, but I can say CF is a worthy product.
I personally use Comodo’s AV as well, but CF is a very safe firewall; with Comodo’s firewall the sandbox comes along with Defense+. For more information the link below might be worth a read.
Right-click “Run in Sandbox” only works with executables. Hope this helps.

http://help.comodo.com/topic-72-1-170-1633-Defense+-Tasks---Introduction.htm

Thanks for your reply, but some of my questions are still unanswered.

1. How well does it block malicious stuff on the websites, if it does so?
2. Is the sandbox totally 100% safe to run malicious apps in? (Seems like a stupid question already after the SSTS tests.)
3. How good is the self-defense of comodo?

Apart from that, I’ve tested CF with D+ against SSTS on the settings I’d use on my real machine, and it worked nicely, but Comodo failed some kill and system shutdown tests :frowning: (the application does not seem to be defending itself on default settings; how do I keep the default settings and make Comodo defend itself?)

If CF fulfils all of the above requirements, I am changing ASAP. The one and only way I can possibly get infected is if the firewall does not block malicious scripts on web pages when I am using different browsers.

To b851029. Sorry I am not much help, and I do hope someone else with more knowledge about this replies to you soon. Good luck and all the best.

CIS does not have a web site filter. Comodo does not believe in an abundance of shields, they only make a computer needlessly slow. When a malware hits the HD or memory it is still early enough for detection.

[b]2.[/b] Is the sandbox totally 100% safe to run malicious apps in? (Seems like a stupid question already after the SSTS tests).
There is no such thing as 100% security. Only a con artist will try to sell you 100% security. To give you an idea of the protective capabilities of CIS: during testing of v5, egemen, the head developer, told us that they tested the sandbox against 15,000 pieces of malware and none of them managed to infect the system.
[b]3.[/b] How good is the self-defense of comodo?
Very good. Only when the user allows a program to run a driver (read: kernel access) is it the end of the exercise for every security program.
Apart from that, I’ve tested CF with D+ against SSTS on the settings I’d use on my real machine, and it worked nicely, [b]but[/b] Comodo failed some kill and system shutdown tests:
Shut down is not seen as a security problem by Comodo.
(the application does not seem to be defending itself on default settings; how do I keep the default settings and make Comodo defend itself?)
How do you mean? Under what circumstances and which process is getting killed?

If CF fulfils all of the above requirements, I am changing ASAP. The one and only way I can possibly get infected is if the firewall does not block malicious scripts on web pages when I am using different browsers.

There were some websites that tried to crash my browser, and that could be a problem sometimes. Some websites also managed to plant DLL and EXE files in my temp directories; however, they failed at launching them for some reason, even though Avast’s shields were off. The same script was blocked if I turned the shields on.
So, as I understand it, CF will block any malware that gets onto my PC this way?

This was just a figure of speech. If a malware that is not designed to break out of the sandbox does not infect the system, my question is answered.

On default settings, a tool from Level 2 in this set kills cfp.exe.

Description: Kill3 checks whether the tested product can be terminated by an untrusted process through sending it a shutdown message.
And unfortunately, almost every other self-defense test tool from this set manages to kill cfp.exe using different techniques. I can password-protect my settings in order to make a few of the tools useless, but the process can still be killed by others. When cfp.exe is killed, the other tools keep the ability to do what they are supposed to, unless I set the setting "[i]Block all unknown requests if the application is closed[/i]". D+ does not ask when the tool is trying to access its process. This worries me.

That’s when the buffer overflow detection may protect.

Some websites also managed to plant DLL and EXE files in my temp directories; however, they failed at launching them for some reason, even though Avast’s shields were off. The same script was blocked if I turned the shields on.
So, as I understand it, CF will block any malware that gets onto my PC this way?
Indeed, assuming it has signatures to detect them. Since the malicious scripts or files are not known, they will be sandboxed. That should prevent damage from being done to the computer.

This was just a figure of speech. If a malware that is not designed to break out of the sandbox does not infect the system, my question is answered.
On default settings, a tool from Level 2 in [url=http://www.matousec.com/projects/security-software-testing-suite/]this[/url] set kills [b]cfp.exe[/b]. And unfortunately, almost every other self-defense test tool from this set manages to kill cfp.exe using different techniques. I can password-protect my settings in order to make a few of the tools useless, but the process can still be killed by others. When cfp.exe is killed, the other tools keep the ability to do what they are supposed to, unless I set the setting "[i]Block all unknown requests if the application is closed[/i]". D+ does not ask when the tool is trying to access its process. This worries me.
I never tried the Matousec test kit so I cannot comment on the reason why cfp.exe got terminated.

When cfp.exe is not running, cmdagent.exe will still do the job of filtering. When an unknown file is being run, cmdagent.exe cannot talk to cfp.exe to show an alert and will therefore deny the file to run; the Default Deny principle. This can be easily tested.

I think the “Block all unknown requests if the application is closed” setting is meant for the boot time situation. Be careful with this setting though.

Are you completely sure about this? Because on default settings, some files from the test kit managed to do their job, like purging Comodo’s folder (that of course killed it) after cfp.exe was killed (the tool was giving a warning when cfp.exe wasn’t closed).

I will test this once more tomorrow :), but I think Avast’s self-defense looks better. It prevents known malware from running if the user interface is terminated, and it still protects itself.
CF is not an AV, but it should at least block all unknown applications when cfp.exe is down; it did not when I was doing my first tests. And when cfp.exe was down, one of the other test apps purged Comodo’s folder with success.

All the files were being sandboxed, so I had to turn that feature off. I think that made the difference, but if an app you trust is infected, it can do what it wants by deleting any file in case you decide to run the app outside the sandbox, and it terminates cfp.exe first…

I am 100% sure of this as I tested it before I wrote my reply.

Because on default settings, some files from the test kit managed to do their job, like purging Comodo’s folder (that of course killed it) after cfp.exe was killed (the tool was giving a warning when cfp.exe wasn’t closed).
I am not familiar with the Matousec test kit. Either you gave the Matousec test kernel access by allowing it to load a driver, or there is a problem. Giving kernel access is basically the end of the exercise, as the program then has the same rights as CIS or any other security program.

I will test this once more tomorrow :), but I think Avast's self-defense looks better. It prevents known malware from running if the user interface is terminated, and it still protects itself.
That's what one would expect: that an AV protects itself against malware it knows.
CF is not an AV, but it should at least block all unknown applications when cfp.exe is down,
It does, unless kernel access was allowed or you found a bug.
it did not when I was doing my first tests. And when cfp.exe was down, one of the other test apps purged Comodo's folder with success.
Again, did you give kernel access or not?
All the files were being sandboxed, so I had to turn that feature off. I think that made the difference, but if an app you trust is infected, it can do what it wants by deleting any file in case you decide to run the app outside the sandbox, and it terminates cfp.exe first...
When you trust a file and give it all the rights it wants, then you are at the mercy of detection and its heuristics.

When you disable the sandbox and start to use D+, then when the user makes a mistake there is no AV to save you. A mistake would be to allow a driver or service to be installed where you don’t fully trust the program.

A HIPS like D+ is not for the faint-hearted. That’s why the sandbox and whitelisting were introduced: to protect the majority of users who do not want to go in depth.

Can the Matousec test programs you used take down cfp.exe and erase the installation folders when they are run in the sandbox?

When you disabled the sandbox for further testing, did you allow the Matousec test programs to install a driver (or service) or not? Installing a driver or service is the end of the exercise, as the program then has the same rights as CIS and any other security program.

“SSTS is based on the idea of independent programs that attempt to bypass various features of the security software. Each test of SSTS is directed against a single feature or against a few closely connected features of the security software”.

I did not give any special rights to the program; I just double-clicked it like any other application. I was logged into the enabled administrator’s account.

I am pretty sure the mistake wasn’t on my side.
Let’s imagine a real situation: you need to launch an application which you think is safe. But it is infected, so when you launch it outside the sandbox, D+ should react to an attempt to close cfp.exe. It does not.

Please view this video I recorded. (29 MB, direct link) It’s only 6 minutes long but shows what I did.
This test was made on a clean system (sorry, forgot the English LPK), W7-64 with a created account (the built-in administrator account was disabled and not used).
I did not install any drivers, or anything to kill CF on purpose.

The applications from the test kit are using similar methods to those malware would/could use.

No, but let’s imagine a real situation where you have to run an infected application that you think is safe.
D+ should react to everything that tries to access or terminate its process. I am worried, because Avast has proper defense here: it will not allow any software to kill its files, services, or anything else. The system can still get damaged, because system files are not protected, but I didn’t test CF on this (if it does not protect the system when the UI is down, it equals Avast, so it can’t be worse than Avast :slight_smile:)

So to sum up, CF seems very nice, but one thing worries me. If something launches outside the sandbox, it can terminate cfp.exe and then will successfully do its bad purpose… So if you can help me fix that one (except setting D+ to Paranoid mode), I will gladly change!

My answer may be a bit off topic because you’re asking about CIS.
But considering the two points quoted above:

1. You can use http://noscript.net/ (Firefox only)
2. There’s probably no better sandbox than http://www.sandboxie.com/

You can, as well, use http://www.mywot.com/ as another browser add-on, and it doesn’t hurt to have Avast in the background.

After my recent tests, I think I will be changing to CF.
But can anyone please comment on the video and tell me why we can delete the files after cfp.exe is closed?

Yes, the comment is easy, you started with a simple question and ended up with…

As to the video, why should anyone download a file from a member with 5 (6) posts?

If his purpose was to disseminate a virus through a video he did not take a very efficient route. :wink: He comes across as a genuinely interested and concerned user.

Thanks for the video b851029 that was very helpful in getting to understand what is going on.

First of all. Using the shutdown mechanism and then stopping the shutdown sequence that is a truly cunning and shrewd idea. Is that yours or do the props go to somebody else?

Using the shutdown mechanism can shut down both cfp.exe (the client) and cmdagent.exe (which does the actual filtering work). With cmdagent.exe shut down, the self-protection of CIS is down. With only cfp.exe terminated, the self-protection would still be working because of Default Deny, I would think. Did you check with Task Manager to see if cmdagent.exe was running or not?

I did some testing to see for myself how things are working as it is a good thing to go back to the source. I made a batch file that tries to delete the 7za.dll in the CIS installation folder and ran it in various scenarios. I disabled the sandbox and cloud look up and had D+ set to safe mode.

In scenario 1 where I shut down the client (cfp.exe) the batch file could delete the 7za.dll. You have to wait several seconds for cfp.exe to close here.

In scenario 2 where I shut down the client (cfp.exe) and enabled Block all unknown requests if the application is closed the batch file was not able to delete the 7za.dll.

In one of my previous posts I mentioned I had tested what CIS would do with the client closed. I did that with the firewall part assuming that would cover D+ as well. In this I set the Firewall to Custom Policy and let a known program, NOS Teletekstbrowser, with no rule in Application Rules connect to the web. It was not able to connect as I had expected as a result of Default Deny.

In scenario 1 I would have expected the batch file to be blocked from deleting because it is an unknown file and Default Deny would deny its actions. That did not happen.

This goes against what I believe about how D+ works.

I dropped egemen, the head developer, a message to see if my logic is flawed or not.

It’s a part of the SSTS testing kit; the props go to Matousec.

Yes, I checked it; cmdagent could not be killed using any of the tools up to level 4. I will continue the test again later with the settings you mentioned.

This is what worries me: without “Block all unknown requests if the application is closed”, any 3rd-party app is able to delete Comodo’s files (and system files too; I will test that again later).
I don’t know if it was intended this way, but good that you contacted a dev.

Thanks for your help here :slight_smile: I will check this thread once in a while so please post if anything on-topic comes up, or if devs have anything to say!

I thought the stopping of the shutdown sequence was done by you. Is the stopping of the shutdown sequence done by the test file or by you?

Yes, I checked it; cmdagent could not be killed using any of the tools up to level 4. I will continue the test again later with the settings you mentioned. This is what worries me: without "Block all unknown requests if the application is closed", any 3rd-party app is able to delete Comodo's files (and system files too; I will test that again later). I don't know if it was intended this way, but good that you contacted a dev.

Thanks for your help here :slight_smile: I will check this thread once in a while so please post if anything on-topic comes up, or if devs have anything to say!

I got word from egemen. He said:
Yes, if cfp.exe is closed by the user, this will be the case. However, if it is somehow terminated by an attacker, it will block all the unknown requests.
That was new to me. Termination by the user gets treated differently than hostile termination.
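As an added example (not from the thread or from Comodo), here is a small PowerShell check for the state the posts above discuss: the client (cfp.exe) gone while the filtering service (cmdagent.exe) is still up, which is the state in which alerts cannot be shown and, per egemen, the handling of unknown requests depends on whether the client was closed by the user or terminated. The two process names come from the thread; the function name, the polling loop and the wording of the warnings are this example's own. It only reports; it does not change any CIS setting.

```powershell
# Added example: report whether the CIS client and agent processes are running.
# cfp.exe and cmdagent.exe are the process names named in the thread; everything
# else here (function name, messages, -Watch loop) is an assumption of this example.

function Get-CisProcessState {
    # Get-Process takes the image name without ".exe"; a missing process is not an error here.
    $client = Get-Process -Name 'cfp'      -ErrorAction SilentlyContinue
    $agent  = Get-Process -Name 'cmdagent' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Checked       = Get-Date
        ClientRunning = [bool]$client   # cfp.exe: the user interface / alert client
        AgentRunning  = [bool]$agent    # cmdagent.exe: the service doing the filtering
    }
}

function Write-CisStateReport {
    param([Parameter(Mandatory)] $State)

    if (-not $State.AgentRunning) {
        Write-Warning "cmdagent.exe is not running: filtering and self-protection are down."
    }
    elseif (-not $State.ClientRunning) {
        # The situation from the thread: no client to show alerts. Whether unknown
        # requests are blocked depends on how the client went away (user vs. attacker)
        # and on the "Block all unknown requests if the application is closed" setting.
        Write-Warning "cmdagent.exe is running but cfp.exe is not: alerts cannot be shown; verify the client was closed intentionally."
    }
    else {
        Write-Output "$($State.Checked.ToString('s')) both cfp.exe and cmdagent.exe are running."
    }
}

# Usage: run once, or pass -Watch to poll every 30 seconds (Ctrl+C to stop).
param([switch] $Watch)

do {
    Write-CisStateReport -State (Get-CisProcessState)
    if ($Watch) { Start-Sleep -Seconds 30 }
} while ($Watch)
```

Note that the `param([switch] $Watch)` line must be the first statement of the script file when saved as a .ps1; it is placed after the functions here only for reading order, so move it to the top before running the file as a script.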

Everything you saw on the video is done by the program. It also tried to terminate explorer.exe, and I forgot to remove that from its config file, but as the description on Matousec’s site says:

Kill3 checks whether the tested product can be terminated by an untrusted process through sending it a shutdown message.
I don’t know what exactly this tool does, but you can always see the source code.

So I wonder how CF distinguishes user termination from hostile termination. You can try it yourself anytime: install CF on a clean system and try to run the application without the sandbox; don’t forget to configure the test kit (edit the config file first, then run distribute.bat, and then you can start testing).
Maybe that’s too much to do just for a single worried user, but that’s just an option.

I have changed to CF today, as it seems a lot better, though I am worried about any possible ways harmful software can shut down cfp.exe. I just want to know why an unknown application was able to do what it did.

There are test apps from the test kit that can shut down the process (and then the files can be deleted), and malware could possibly use this. But malware comes with other malicious code which will possibly get detected.
Can some developers comment on my thread :smiley: ? Or is it unnecessary? :smiley:

I have the best opinion of CF. It has improved greatly over these years!
I have a question: how do I suggest features? I have tried in several topics but I can’t post there nor create threads :frowning:

You can post suggestions in the CIS wishlist topic - Comodo Forum

You will need to be logged in to post. Click the NEW TOPIC button above the top of the topics list.

I think you will be pleasantly surprised at how effective CIS is when properly configured.

One starting point: change the configuration to PROACTIVE, instead of the default INTERNET. To change this, right-click on the system tray icon for CIS, select CONFIGURATION and then select COMODO PROACTIVE SECURITY.

This adds a few extra monitoring vectors in Defense+.

HTH
Ewen :slight_smile:

P.S> Welcome to the forums. :wink:

What are the exact differences between the Firewall and Proactive configurations, except the small ones I see in the D+ Monitoring Settings tab?