I took a random web app that was not recognized as any valid program and launched it once,
which opened a dialog where I gave approval.
Next, I modified the file in an editor, changing random bytes.
Finally, I reran the app, and Comodo gave it web access without notifying me it had changed.
This seems like a crucial missing feature that Zone Alarm has had for a long time.
Fixed in CIS 2011; the current BETA should already be hash-based instead of path-based.
How do I download the beta?
The beta can be found here.
I just installed the beta. Firewall 5.0.157302.1066 on Windows 7 64-bit.
I reran my test, and it still fails. (Create foo.exe, make a rule to give it access, check that it has unprompted access, modify it, rerun it.) So it’s still not using a hash.
(I’m only talking about net access here, not Defense+.)
Very sad. I need to make a decision soon and had hoped the beta would work right.
Is it too late to get that feature into the final release?
I think this release will only have it for D+
Unfortunately, it’s not practical to configure D+ to capture all the ways
an executable registered with the firewall can change. In its stock configuration,
D+ caught me trying to overwrite one executable with another, but it didn’t catch
me renaming a bad executable to use the name of a registered app. (I.e., say we
have good.exe and bad.exe, and good.exe has an approved firewall rule. Rename
good.exe=>other.exe, bad.exe=>good.exe, then when the new good.exe tries
to access the web, it gets through with no prompt.)
It’s the equivalent of trying to tail a suspect around town all day to see whether he
picks up contraband rather than just searching him once at a checkpoint.
Your competition, ZA, has offered that feature for something like 10 years.
Comodo is still not perfect, as no security software is.
One of the main cons is that it only achieves a high security level with custom settings, whereas a lot of people, maybe including Comodo themselves, try to make people believe that any security software can be both highly secure and user friendly.
Some people have, in these same forums, advocated, along with Comodo or alone, for expert security tools, but those are also very user unfriendly.
The question is therefore whether Comodo is enough for Mr. Smith when facing whatever theoretical threats, including the ones you made yourselves.
But one sure thing is that comparing to ZA is not fair, not according to me but to, e.g., Matousec: ZA has stayed “for something like ten years” among the worst security software ever:
http://www.matousec.com/projects/proactive-security-challenge/results.php
You can’t dissociate a pure firewall from a HIPS either: facing today’s threats, there’s no future for standalone firewalls unless operated with their own or a third-party HIPS, and under these conditions, saying that Comodo fails because the threat is intercepted not by the firewall but by Defense+ does not seem to be a valid argument.
But that’s the point, Defense+ didn’t intercept the attack. I renamed the executables and
the bad one got web access with impunity.
I even put all executables in the protected file list in Defense+ when I checked this, and still
no detection. I’d be willing to use Defense+ and not complain if it solved the problem.
Seems like it would be easy to add a hash to the firewall program list as an option; it doesn’t
even have to be on by default. Configurability makes for great software.
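As an added illustration of the two experiments described in this thread (the in-place byte modification from the first post and the good.exe/bad.exe rename swap, plus the "add a hash to the program list" proposal just above), here is a small simulation. It is not Comodo's or ZoneAlarm's code; the `RuleStore` class and the `simulate` helper are hypothetical, and the two "executables" are constructed byte strings written to a temporary directory. It shows why a path-keyed rule table lets both tricks through while a rule that also records a SHA-256 of the binary falls back to prompting.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class RuleStore:
    """Hypothetical per-application firewall rule table (not Comodo's code).

    verify_hash=False models a purely path-keyed table.
    verify_hash=True records a SHA-256 of the binary when the rule is created
    and re-checks it on every decision, as the thread proposes.
    """

    def __init__(self, verify_hash):
        self.verify_hash = verify_hash
        self.rules = {}  # absolute path -> {"allow": bool, "sha256": str or None}

    def approve(self, path):
        self.rules[os.path.abspath(path)] = {
            "allow": True,
            "sha256": sha256_file(path) if self.verify_hash else None,
        }

    def decide(self, path):
        """Return 'allow', 'deny' or 'prompt' (no rule, or the binary changed)."""
        rule = self.rules.get(os.path.abspath(path))
        if rule is None:
            return "prompt"
        if self.verify_hash and sha256_file(path) != rule["sha256"]:
            return "prompt"  # hash mismatch: treat as an unknown program again
        return "allow" if rule["allow"] else "deny"


def simulate(verify_hash):
    """Run both experiments from the thread and return the decision after each."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.exe")
        bad = os.path.join(d, "bad.exe")
        with open(good, "wb") as f:
            f.write(b"GOOD" * 256)  # constructed stand-in for an approved binary
        with open(bad, "wb") as f:
            f.write(b"BAD!" * 256)  # constructed stand-in for an unapproved binary

        store = RuleStore(verify_hash)
        store.approve(good)
        results = {"fresh": store.decide(good)}

        # Experiment 1 (first post): modify a few bytes of the approved file in place.
        with open(good, "r+b") as f:
            f.seek(10)
            f.write(b"\xff\xfe")
        results["modified"] = store.decide(good)

        # Experiment 2 (rename swap): good.exe => other.exe, bad.exe => good.exe.
        os.rename(good, os.path.join(d, "other.exe"))
        os.rename(bad, good)
        results["renamed"] = store.decide(good)
        return results


if __name__ == "__main__":
    print("path-based:", simulate(False))
    print("hash-based:", simulate(True))
```

Two design notes on the hash-based variant, stated here as the assumptions the example makes rather than as anything the thread confirms about a real product: hashing the whole binary on every connection attempt is expensive, so a real implementation would hash at process launch or cache by path, size and mtime; and a check performed at decision time is still only a check of the file on disk, so it does not by itself cover code injected into an already-running approved process, which is the part a HIPS is meant to handle.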
This is a user-initiated “rename”; if real malware would use this trick, how would it have entered the system in the first place? It should have been detected before it’s able to “rename” whatever file happens to be in the rulebase.
I agree that having this verified by hash and alerted again if changed would be better, but Comodo also likes to keep the number of alerts as low as possible and has protection against normal browser hijacking.
But as they are changing D+ already and are preparing for IPv6 support on the firewall, I suppose it will see the light of day in some v5 version…