Hater's scream

Hi All.

Being Comodo user and fan since a very long time (I think it was 2006 or 2007 when I moved here from Kaspersky? cannot remember) I think I can make this post as a scream of hater.

Yes, indeed - I am going to become a Comodo hater from some time.

I always loved this piece of code because there is no really free product with similar features. You really cannot find AV+FW+HIPS free of charge. You can? - OK tell me.

Also I loved it because it is not the product for “home-keepers” - actually it can be set to work in this mode, but also CIS has a number of advanced features that make it really interesting for advanced users.

Everything I have mentioned is in Past Indefinite. Because latest CIS is going to be a nightmare…

  1. Network Zone detection with Global Rules. Host Name is not resolved for ages - and still it is not. OK, I can live with it.
  2. OpenVPN client when connected makes HIPS freeze sometimes. I have reported about that years ago. Every new version - still the problem exists. OK I will switch off HIPS when using VPN.
  3. WSL settings for FW/HIPS. Why I cannot put into exclusions a group of files or folder with files? Why I need to put a policy for every file inside WSL? OK, it’s good - but every update in WSL makes me to create policies again and again. Any idea? No. And let’s be honest: do you want to restrict permissions in Linux running in WSL for security reasons? Haha, good luck.
  4. WSL 2 does not work when CIS is installed. Never. You can switch it off - no help. Just a full uninstall.
  5. Windows 10 global updates can fail with CIS. Why? I don’t know, but I could move to 2004 only when CIS was uninstalled.
  6. False positives will never be proceeded when you hit “False positive” in AV warning message. Believe me - it’s better to add exclusion from the very beginning.
  7. ???..

What else I should “live with it” in future? Every year and every CIS update brings me new surprises. Yes, I remember - it’s free so no warranties, but I think it’s better to make it either a fully automotive for “home-keepers” - or put more efforts to support advanced users with advanced usage. Because this “advanced features” make advanced problems with non-expected behavior. Or it simply does not work - maybe it’s even better.

Initially Comodo was positioned as a best protection for almost everything - even modern threats. Now it becomes a threat.

Too bad and what a pity for a good old times…

P.S. Please do not forward me to bug reporting. I did it several times in past. And I’m tired of that. This post was just a scream of new hater - nothing more, nothing less…

It is always recommended to uninstall CIS when you install a new version of the OS.

OK, you’ve got me! But why it is not recommended by all AV vendors? For instance: when KES made it impossible to update Win10 - MS released an update to make it possible: https://support.kaspersky.ru/12628
CIS just recommends to uninstall itself. Good product, nice support.

You’ve got me on one point - so here is my answer, also one point: WSL2 Converstion Failed with Error: 0x80041002 · Issue #5329 · microsoft/WSL · GitHub

I can give you more - but for what? If you are experienced in Comodo - you will already know what I mean. If not - OK, you will understand in some time of using.

I would suggest this is because Comodo has a more strict approach to controlling systems calls and such opposed to most AV products.

Yeah the approach is so strict that some applications, standard features and system itself fails to work normally.

Anyway, the nonworking system is very secure - because it’s nonworking.

Directed by Robert B. Weide.

1. Network Zone detection with Global Rules. Host Name is not resolved for ages - and still it is not. OK, I can live with it.
Care to elaborate on this? Host name does get resolved so I'm not sure what you mean here.
2. OpenVPN client when connected makes HIPS freeze sometimes. I have reported about that years ago. Every new version - still the problem exists. OK I will switch off HIPS when using VPN.
Something that Comodo and no one else has been able to replicate, and I have a hard time believing using OpenVPN would somehow interfere with HIPS, if anything I would expect a firewall issue but the firewall driver works with OpenVPN afaik.
3. WSL settings for FW/HIPS. Why I cannot put into exclusions a group of files or folder with files? Why I need to put a policy for every file inside WSL? OK, it's good - but every update in WSL makes me to create policies again and again. Any idea? No. And let's be honest: do you want to restrict permissions in Linux running in WSL for security reasons? Haha, good luck.
You can and it's called using file groups (https://help.comodo.com/topic-72-1-766-9180-File-Groups.html) but even then you won't need to as WSL binaries should always have the same file path, so again can you explain the issue further?
4. WSL 2 does not work when CIS is installed. Never. You can switch it off - no help. Just a full uninstall.
I'm guessing using the latest 12.2 version you are experiencing this reported issue (https://forums.comodo.com/bug-reports-cis/ethernet-adapter-vethernet-wsl-cant-create-with-installed-comodo-t125940.0.html) which they are working on and does not affect the 6882 build.
5. Windows 10 global updates can fail with CIS. Why? I don't know, but I could move to 2004 only when CIS was uninstalled.
Interesting as many people had no problems performing upgrades with CIS, maybe has to do the method of which the upgrade happens, I know I had no issue when I used the upgrade assistant. But as ReeceN said, the best way to upgrade to newer Windows versions is to uninstall CIS prior the updating, then install after update completes.
6. False positives will never be proceeded when you hit "False positive" in AV warning message. Believe me - it's better to add exclusion from the very beginning.
Is this from the cloud scanner or actual AV real-time alert? If from cloud file rating yes I know what you mean but it doesn't always happen so it may be hard for them to fix.

in my case:
Cis not exact incompatible with windows updates (only windows update), but PCs olds are outdated about crash computers olds like (laptops olds or news, too to present that behavior or crash…);

NOTE: Windows update there is not authenticity check effective, often files windows update are corrupted. :-\

sorry my english!

Easy. Create something like that:

https://i.ibb.co/872TjhS/1.png

In my case www.blahblah.com is not always blocked - especially if IP of host was changed.

In my case working OpenVPN client causes HIPS to hang. FW works well. Yes I know the issue is very hard to replicate because even in my case it happens not always from the very beginning of VPN connection. Whatever - I was ready to give all logs and even remote access to my PC to show. But certainly it was not interesting for Support.

I want to add a folder to be excluded from control. Totally. In this case of WSL I have to add new policy rules for apt, for curl, for every binary used in WSL environment - and I don’t want it.

So are you telling me to roll back to old version rather than update to new one?

I am using a built-in Windows update mechanism. Why other similar products does not require uninstall prior update?

It’s a ■■■■ named ApplicUnwnt[at]0, Malware[at]0 etc. By the way cloud file rating is disabled - and I don’t want it. I want a simple scanner, no heuristics, no cloud. But CIS thinks in its own way…

In my case www.blahblah.com is not always blocked - especially if IP of host was changed.
IP addresses that get resolved when you set a host name are static, so of course it won't work if the IP address changes, which is why making rules based on host names is pointless.
I want to add a folder to be excluded from control. Totally. In this case of WSL I have to add new policy rules for apt, for curl, for every binary used in WSL environment - and I don't want it.
You are expecting CIS to do something that no other security suite does and that is to disable firewall and HIPS monitoring on a per application basis. Again you need to use rules as that is what rules are made for, you don't need to make one for each individual binary, as you can define a whole folder as a file group. Please read the help section on file groups.
So are you telling me to roll back to old version rather than update to new one?
If you want to specifically use WSL2 then yes, 12.1 should be avoided due to many issues that are fixed in 12.2. But if 12.2 prevents you from using WSL2, then you need to use 12.0.0.6882 until they release a new version that fixes the issue which they said they are working on it.
I am using a built-in Windows update mechanism. Why other similar products does not require uninstall prior update?
Because they aren't as advanced as CIS? Don't know why it is such an issue for people to uninstall then re-install for major Windows updates if they don't want to face issues with CIS. Then again many people don't have any problems updating while keeping CIS installed so it is better to take the safer approach.
It's a ■■■■ named ApplicUnwnt[at]0, Malware[at]0 etc. By the way cloud file rating is disabled - and I don't want it. I want a simple scanner, no heuristics, no cloud. But CIS thinks in its own way...
Sounds like you're talking about the real-time AV alerts which if you click Ignore and Report as a False Alert, it will set the file rating to trusted in the file list and you won't get AV detection alerts again.

As for the OpenVPN issue, I believe it has to do with CIS having connection problems performing certificate revocation checks on digitally signed applications when those applications get executed, it is something that currently can not be disabled even if cloud rating is turned off. CIS most likely can not reach OCSP servers when you are connected with OpenVPN thus causing delays with using such signed applications.

There are mutually exclusive statements in your reply.

So Comodo is too advanced in comparison with other similar products (Kaspersky for instance) so that’s why it requires full uninstall prior Windows update? OK.

But in the same time Comodo cannot dynamically resolve host names like good old Outpost could. But Comodo is more advanced. OK.

Also Comodo way of FW/HIPS working does not allow to work with WSL because of numerous alerts for linux binaries/scripts inside WSL. Also you need to revert back to old versions to work with latest WSL 2. But still Comodo is very advanced. OK.

OpenVPN freeze cannot be fixed by design - but Comodo is ADVANCED! REMEMBER THAT AND LIVE WITH IT!

OK, what I have to say…

So Comodo is too advanced in comparison with other similar products (Kaspersky for instance) so that's why it requires full uninstall prior Windows update? OK.
Never said it is required, just that it is the recommended safe way of avoiding issues but good job ignoring that other people don't have issues doing Windows upgrades with CIS installed.
But in the same time Comodo cannot dynamically resolve host names like good old Outpost could. But Comodo is more advanced. OK.
And how did it keep the IP addresses updated? Did it perform name resolution every second? Every time an application made network requests? On every boot up? And how do you know it did? For all you know it behaved the same way and the IP never changed.
Also Comodo way of FW/HIPS working does not allow to work with WSL because of numerous alerts for linux binaries/scripts inside WSL
Why are you so keen on ignoring the solution that I gave you with using file groups? It is so simple and easy to create a file group and add the folder of the linux distro directory to the file group and use that for HIPS and firewall rules.
Also you need to revert back to old versions to work with latest WSL 2.
That happens with any software when they get updated, new versions add unexpected bugs that require using the previous version until a fixed version is released. Even MS releases updates that they have to pull because of issues it causes, which then requires people to do a system restore, but yes make a big deal about it when it happens with CIS.

And by advanced I was referring to what ReeceN said about how CIS hooks into and controls the system and the fact that CIS is designed with default-deny while other security suites are default-allow.

Are you performing statistics counting? Because in my case I have a lot of similar issues with Windows update. Yeah I can accept a general statistics - but in this case it is a really bad luck for all the people I know.

I don’t know. Ask ex-Agnitum coders. I think it’s better to perform on every application request or add a setting about using cached DNS reply or not. Yes, I know numerous request will affect performance - but why it is not possible to add the setting on per rule basis?

Because I simply don’t understand: from one side it is not possible to add folders in HIPS/FW rules - but I can add them to file groups and THEN in HIPS/FW rules. Why it’s not possible to simply add folders - it would be user-friendly rather than double action.

The issue has been reported a month ago. A month, Carl!

Please be more detailed. Are you going to say that all other similar products allows actions by default - and CIS doesn’t? Even in full automatic mode? Even for Trusted Installers? Interesting…

Also - regarding ApplicUnwnt[at]0, Malware[at]0. Do you know that when I press “Add to Exclusions” these alerts will popup again and again? And really - only “Report as False Alert” helps in this case. What does “exclusion” mean? Why “exclusion” is not stored?

And what does ApplicUnwnt[at]0, Malware[at]0 mean? Just remind you: heuristics and cloud are disabled. Very interesting detect.

For example:
https://forums.comodo.com/bug-reports-cis/hostname-in-fw-rules-works-wrong-t70877.0.html
https://forums.comodo.com/format-verified-issue-reports-cis/blocked-zones-doesnt-work-normally-with-a-certain-host-name-t86614.0.html
Hostname rules never worked right, it’s bug “by design” and devs never want to fix it. Hostname rule works with IP range but not hostname by the fact.

Are you performing statistics counting? Because in my case I have a lot of similar issues with Windows update. Yeah I can accept a general statistics - but in this case it is a really bad luck for all the people I know.
For every 1 person who has issues and make posts about it, there is probably 2 or more who don't face any issues and thus won't say anything, so no I do not have any statistics but I can infer from the many users of CIS and use Windows 10, only a few are vocal about having issues. Also the majority of times it is caused by using incorrect CIS settings like disabling cloud lookup, so CIS doesn't get the chance to rate the new files as trusted thus they become unrecognized. In those cases it is the user's fault for bricking their own system because they use settings that they don't understand what that does to overall system stability. Never mind all the complaints you can find of people not being able to upgrade no matter what security software they have because the update themselves are broken.
I don't know. Ask ex-Agnitum coders. I think it's better to perform on every application request or add a setting about using cached DNS reply or not. Yes, I know numerous request will affect performance - but why it is not possible to add the setting on per rule b
I don't know either but maybe make a wish request for it. I guess not many use host name feature so they really didn't put much thought into it.
Because I simply don't understand: from one side it is not possible to add folders in HIPS/FW rules - but I can add them to file groups and THEN in HIPS/FW rules. Why it's not possible to simply add folders - it would be user-friendly rather than double action.
Technically you can but it requires you to either type out the folder path and making sure you add the wildcard character at the end, or use browse > application then edit the path so it only contains the folder part and again add the wildcard character. But like I said it is better to use the file group because then you don't need to re-do the manual way of using a folder for each component for av/firewall/hips/auto-containment rule.
The issue has been reported a month ago. A month, Carl!
Since Umesh left development has taken a dramatic slowdown which many of us users and moderators are frustrated with.
Please be more detailed. Are you going to say that all other similar products allows actions by default - and CIS doesn't? Even in full automatic mode? Even for Trusted Installers? Interesting...
For the most part yes if other products don't detect something as malware but is not known or trusted it is allowed to run, whereas CIS will block depending on which modules are being used. Trusted installers works better with trust files installed by trusted installers setting being enabled, but there are times when the parent process is a trusted installer that terminates and then the child process lose their installer status.
Also - regarding ApplicUnwnt[at]0, Malware[at]0. Do you know that when I press "Add to Exclusions" these alerts will popup again and again? And really - only "Report as False Alert" helps in this case. What does "exclusion" mean? Why "exclusion" is not stored?
Did you check the scan exclusions (https://help.comodo.com/topic-72-1-766-9162-Scan-Exclusions.html) to see if they do get added? I haven't had that type of issue unless I selected ignore once in the AV alert, once I used add to exclusions it did not alert again.
And what does ApplicUnwnt[at]0, Malware[at]0 mean? Just remind you: heuristics and cloud are disabled. Very interesting detect.
Those are local signature detection names and for application unwanted you can disable it with Detect potentially unwanted applications in file rating settings.

@futuretech

Xeno reported about issues dd 2011 and 2012.
Umesh worked in that time.
Nothing changed.
I have reported about OpenVPN issue a year ago: https://forums.comodo.com/bug-reports-cis/hips-hangs-when-openvpn-is-connected-m2409-t124050.0.html
Nothing changed except I am over to repeat it again and again that the issue exists.

And yes: I don’t want any cloud because of my own development - and I don’t want to send any files somewhere. Comodo cannot work normally without it? OK, noted.

And thank you for File Rating Settings - for some reason I forgot to close that hole. Did it already, hope no strange detects in future.

2. OpenVPN client when connected makes HIPS freeze sometimes. I have reported about that years ago. Every new version - still the problem exists. OK I will switch off HIPS when using VPN.
I love HIPS. For me, if I get issues like that, I would put "HIPS" in "Training mode" before using the VPN. Then when in "Training Mode" start up VPN and use it for a couple of minutes, then put it back to "Safe Mode". That should be good until next update. Also for new VPN updates or installation, I also put it in "Training mode" first before starting; after that it goes right back to "Safe Mode".

Also when your VPN or anything that HIPS keeps popping up on for whatever reason when is running, run “Rating Scan”. Change the ones that say “unrecognized” to “Trusted”. I generally run any new program before using “Rating Scan”.

It prevents lot of potential issues with HIPS.

For some reason, Most computers work fine with a (Few to No) issues. There’s a few computers that seem to run into issues for some reason. I don’t know why. Luckily its only a very small percentage.

6. False positives will never be proceeded when you hit "False positive" in AV warning message. Believe me - it's better to add exclusion from the very beginning.
I agree, although some programs like legit (non-infected) keygens, patches, and piracy stuff or certain adware. It might be fine for consumers, it won't do anything malicious (except for the laws that prohibit it, like no bad effects even though it gets flagged). But for business computers that is a big issue and that's why certain "False Flags" won't get removed.

Then again, there are some false positives that haven’t been fixed for whatever reason it may be.

7. ?????.........
LOL.. >:-D

Thanks for getting my point.

There are different ways to make HIPS working with VPN issue - but it certainly should be fixed by design, but not by “ways”.
As for detects - I know about Themida, stolen certificates and others - but it should be definitely marked not like “ApplicUnwnt[at]0”, “Malware[at]0”, or “Unknown”. Why other vendors use a strict terms for that - but not Comodo? Why I cannot add an exclusion for those detects using a strict name of threat?