Installation guide/tutorial for CFP v3

There are a lot of questions answered or avoided entirely by using the following steps when you initially install and set up CFP v3.

For those users familiar with CFP 2.x, this version of the firewall should be a breath of fresh air. Gone are the days of endless OLE Automation and other Application Behavior Analysis alerts. :wink:

Section 1: Preparing for Installation

1a. Uninstall any previous third-party (non-OEM) firewall; if you have WinXP, turn OFF Windows Firewall. Reboot. In general, I recommend uninstalling in Safe Mode to avoid driver and service conflicts that may otherwise occur.

1b. If you have a dedicated HIPS program running, I recommend turning it off temporarily while you install and set up CFP v3 (I would include registry protection applications in this category as well). It may block some components and not warn you, thus causing conflicts and improper installation. You can reactivate it once you have CFP up and running.

1c. If you have active/real-time antivirus or antispyware applications running, I recommend turning these off (completely disable all real-time functions) temporarily while you install CFP v3. Although they should not conflict directly, the load on the system may result in installation problems.

Section 2: Installing Firewall and Defense+ (HIPS module)

During installation, you have the option to install both FW and HIPS, or just FW. We’re going through a “basic” installation of both. We’re not choosing any “advanced” options such as allowing inbound connections (for p2p, file/print sharing, ICS), custom configurations, etc. There are other tutorials geared toward these things, which can be accomplished later on.

2a. Install CFP. For you visual types, I have captured screenshots for every step of the way. Rather than post 12 screenshots, I’ve attached a PDF file of this tutorial with all screenshots contained therein. So to see the screenies in context, please download and read through that. The first one simply reflects the need for step 1a.

2b. The next picture simply starts the Installer. Obvious, yes? :wink:

2c. The EULA. Read it, run EULALyzer on it, etc. If you don’t agree with it, don’t install the product… By the way, if you click “I Decline” you won’t be able to install. I wouldn’t mention any of this except there have been questions in the past about EULAs. Basically you just need to be aware that if you don’t agree, don’t install. If you install, you’re agreeing to the EULA. A note about Comodo’s EULA – the language in it is chosen to protect Comodo, and does not mean that you cannot install the application on more than one computer. Comodo would appreciate you doing a separate download for each installation, as this helps them track the usage, but Melih has stated more than once that it’s not mandatory; it’s to protect them against people redistributing the software in a manner not approved by Comodo.

2d. Where to install? It’s best to choose the default location. If you go with a custom filepath for the installation, it might cause problems (not saying it will, just that it may).

2e. The start of the Configuration Wizard. This is where our options will start showing up.

2f. Like I said, we’re doing both FW and HIPS, so we’ll take the top option. Just choosing “Basic Firewall” means that the HIPS won’t be installed, and you won’t have protection against trojans, keyloggers, leaktests, etc. (all the things a HIPS module would do). Even though you install HIPS now, you can still disable it later; for those who only want to install the FW, you can still enable the HIPS module later on, as it will be there.

2g. This next option is where we enable the built-in, fully digitally signed and encrypted safelist (or whitelist). This is a list of applications which Comodo has fully analyzed in their labs and which are known to be safe and legitimate. Comodo creates a digital cryptographic signature for each application and places it in their encrypted safelist. When an application on the computer runs, it is matched against this list; if the cryptographic signature is an exact match, the program is allowed to continue; if it doesn’t match, you will be given an alert in accordance with your security settings, so that you can take appropriate action. If the application has been tampered with, or merely has the same name as a known application, it won’t match. As of mid-January 2008, there are more than 1 million signed applications in Comodo’s safelist database, and it continues to grow based on user submissions (please do use the Submission feature to send more apps to Comodo for analysis, even if you consider/know them to be safe).

This safelist is one of the strong features of v3, and is there to make using a powerful HIPS as easy as possible. You may choose not to use the safelist, but you will have 1000 popups a minute (or maybe more…)!

2h. If you use ICS, p2p applications, or file/print sharing (such as on a corporate LAN), you need to allow unsolicited inbound connections. Since we’re doing a “basic” setup here, we’re choosing “No, I don’t”; there are tutorials for ICS, p2p applications, and so on here in the forums to help you set it up later on – don’t worry about not being able to get it going if you skip the step here.

2i. Here’s another place we’re going with “basic” rather than a custom setup. This is the best way to start out, as you can still refine your settings as you go. If you were to choose Custom Settings here you’d be given more options (and it would be quite easy for you to lock the HIPS module down way too tight to be easily used).

2j. Now you’re done, and just need to reboot! Yay!

Section 3: After rebooting, CFP v3 will start with Windows. Firewall will be set to “Train with Safe Mode” which means that the safelist discussed earlier will be used to allow known applications to access the internet as needed (including Windows updates, etc). Defense+ (HIPS) will be set to “Clean PC Mode” which presumes that every application (executable) on your machine is safe (not to be confused with the safelist, which is a different thing). This is fine, since you shouldn’t be installing the FW if your computer isn’t “clean” anyway. :wink: However, this means that if you have proof of concept applications already on your machine (such as leaktests) and run them, they will be allowed! In order to test v3 against such things, you must change to Train with Safe Mode before running them.

3a. Shortly after logging into Windows, you get a popup from CFP saying that it has detected a new network, with options either to be visible to the network (you will need this for corporate LAN and/or file/print sharing) or to not have CFP tell you when new networks are detected. It states that you may close the window to skip it. I will tell you that you have to at least click OK (without choosing anything) or this will reappear every time the FW starts.

You may tell it not to detect networks, but that is actually a security feature – if someone physically added a 2nd network card, or wormed their way into your wireless network and started changing things, attempted to subvert your system by running a virtual network adapter, etc, this will help you be warned. So just a quick explanation about that.

Section 4: Installation Mode. On v3’s Summary page, toward the bottom in the Defense+ section you will see a line that says, “Switch to Installation Mode”, right next to an icon commonly used for installation packages. Before you install any new application, click this to switch modes. This allows v3 to monitor the installation process so that the HIPS won’t interfere with the install, but still protect your machine from other unrelated processes running which shouldn’t be.

When you do this and run the installation package, you will first get an alert that explorer.exe is accessing the installation executable; you may respond with Allow (but not Remember). The next alert will be that the installation executable is attempting to run (and access something); select in the dropdown to “Treat as an Installer” but not Remember (see screenshot). This will allow the installation to occur several levels deep (such as a completion after reboot, as some applications do). But if something new unrelated to the installation attempts to run, v3 will alert you.

Section 5: While following these installation steps will provide you the “out of the box” security that Comodo is already famous for, please be aware that this does not mean you won’t have any problems. This is the case with any and all computers, along with any and all software; there are a lot of variables involved, and some combinations of configurations just don’t play well together. That’s where this Forum, and Comodo’s Support site, are invaluable. Use the Advanced Search feature to narrow your results to the Firewall, to look for similar problems. If you have questions that aren’t answered, or need clarification, just ask; someone will be glad to help (Note: the Moderators are not Comodo employees, but volunteer users). When posting a new topic, please keep the Subject line concise and accurate to describe the problem (for example, “CFP blocks IE7” rather than, “Help! It doesn’t work!”). Also please look, and post, in the v3 section of the firewall boards, as 2.4 is still an actively supported application; if you post in the wrong area, it will confuse the matter and interfere with our ability to answer your question.

Welcome to your new Comodo Firewall Pro v3 ~ Happy Hunting!

LM
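The safelist matching described in step 2g, as an added example that is not part of the original post and not Comodo's code: an application is allowed only when a digest of its contents is in the list, so a tampered file or a look-alike name produces an alert. SHA-256 as the fingerprint, an HMAC tag standing in for the vendor's signature over the list, and all names, keys and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; HMAC stands in for a real asymmetric vendor signature.
LIST_KEY = b"constructed-demo-key"

def digest(data: bytes) -> str:
    """SHA-256 of the file contents; the file name plays no part."""
    return hashlib.sha256(data).hexdigest()

def seal_safelist(entries: dict) -> dict:
    """Serialize the safelist (digest -> name) and attach an integrity tag."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(LIST_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

def open_safelist(sealed: dict) -> dict:
    """Refuse to use a safelist whose tag does not verify."""
    body = sealed["body"].encode()
    expected = hmac.new(LIST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("safelist integrity check failed")
    return json.loads(body)

def check(safelist: dict, name: str, data: bytes) -> str:
    """Return 'allow' on an exact digest match, otherwise an alert reason."""
    if digest(data) in safelist:
        return "allow"
    if name.lower() in {n.lower() for n in safelist.values()}:
        return "alert: name matches a safe application but contents differ"
    return "alert: unknown application"

# Constructed sample "executables" (byte strings stand in for files on disk).
GOOD = b"MZ\x90\x00 constructed browser build 1.0"
TAMPERED = GOOD + b"\x00injected"
OTHER = b"MZ\x90\x00 constructed unrelated tool"

SEALED = seal_safelist({digest(GOOD): "browser.exe"})

if __name__ == "__main__":
    sl = open_safelist(SEALED)
    for name, data in [("browser.exe", GOOD), ("browser.exe", TAMPERED),
                       ("renamed.exe", GOOD), ("tool.exe", OTHER)]:
        print(f"{name:12} {check(sl, name, data)}")
```

Because the decision keys on content, the renamed copy of the known-good file is still allowed, while the file that only borrows a trusted name is not.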


******* Update ********

Effective version 3.0.17.304, step 2f from above needs to be modified as follows.

When you choose to install the Basic firewall, you are now presented with a sub-option that encourages you to enable leak-prevention in the absence of the full HIPS (Defense+) module. Enabling leak protection invokes D+ on a limited basis. You will get HIPS alerts, but not about every process and change on the system; they will only relate to internet-connecting applications and potential hijackings of those applications.

I am not changing it above, as the PDF with screenshots is not being changed to reflect this update (cuz I don’t have the time right now). But since it’s a very minor change, I don’t think it should cause too many problems. :wink: At the moment, I am not sure what steps would need to be taken to turn it into the full HIPS after the fact, since it’s already active. I’ve looked at the settings, and it would appear that this is an internal switch, rather than external. I could be wrong, though…

LM