I am not so certain that COMODO can detect a rootkit calling out to the net. (Depending on the rootkit, i.e. kernel level, TCP/IP stack interference, etc.)
This is why installing COMODO or any product as Administrator and then using the computer as a Limited User makes it 99.99% impossible for this problem to occur.
If you run as a limited user and catch a rootkit, a lot of them will just not install. Some will try and exploit the OS to gain Administrator rights (PATCH WINDOWS to avoid this). If a User Mode rootkit installs, it will run under the Limited user rights (can’t access your system files AT ALL, can’t load drivers or services as the Administrator account).
Passwording your administrator accounts with a simple but strong password is worth doing too.
When you install it, the Firewall has the Administrator user rights, which trump the rootkit running under limited user rights.
Comodo can stop any type of program that tries to modify, or report back to a source online, if the program is not in the allow list or safe applications list. Since a rootkit would not be in either of those, I am assuming that since a rootkit is nothing more than an application (that hides deeply in your system) it would have to go through the same steps with Comodo Personal Firewall. And even if the rootkit were to try and hide by making itself look like a regular system process, Comodo would detect the changes made and still ask you to Allow or Deny it. But this is all in theory. Egemen or one of the other Comodo staff would be able to answer this better.
P.S. I have split these posts from the original article by Mike so we do not pollute his topic.
Personally, the only sure way is to stop a rootkit from installing at the same rights level as your security software. This is the best solution.
Windows Vista will make this a lot easier of a task. On the topic of Windows Vista, third-party security software will not be needed as they are including an outbound/inbound firewall; the only need will be antivirus.
To use Vista properly, turn the outbound protection on
Create an administrative account in vista
Edit Local Security Policy Settings.
It is more of a workaround than other ways, but it is free and effective.
Personally I would never trust the built-in Windows Firewall, even with Windows Vista; it is not as configurable as Comodo is as well, so overall I would rather pay a few MB of space for a much better firewall.
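The three steps above (turn outbound protection on, use a separate administrative account, adjust policy) are easier to trust when you can verify them from a prompt. The following PowerShell script is an added example, not code from the thread or from Comodo: it reports whether the current session actually holds Administrator rights, shows the Windows Firewall default policy for each profile, and, only when run elevated with the assumed `-EnforceOutbound` / `-EnableLogging` switches, sets the Vista-and-later firewall to block outbound by default and turns on connection logging. It uses `netsh advfirewall`, which is the firewall interface available on Vista; the switch names and the output parsing are this example's own.

```powershell
# Added example (not from the forum thread or Comodo): check rights level and
# Windows Firewall (Vista and later) default policy, optionally enforce a
# block-outbound policy and enable logging.  Read-only unless a switch is given.
# Switch names -EnforceOutbound and -EnableLogging are assumptions for this example.
param(
    [switch]$EnforceOutbound,
    [switch]$EnableLogging
)

function Test-IsElevated {
    # True only if this process runs with Administrator rights (UAC-elevated),
    # i.e. the rights level at which security software is installed.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FirewallPolicy {
    # Parse the "Firewall Policy" line of each profile from
    # 'netsh advfirewall show allprofiles', e.g. BlockInbound,AllowOutbound.
    $lines = netsh advfirewall show allprofiles
    $profileName = $null
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings') {
            $profileName = $Matches[1]
        } elseif ($line -match '^Firewall Policy\s+(\S+)') {
            New-Object PSObject -Property @{ Profile = $profileName; Policy = $Matches[1] }
        }
    }
}

$elevated = Test-IsElevated
Write-Host ("Running with Administrator rights: {0}" -f $elevated)
Write-Host "Current firewall default policy per profile:"
Get-FirewallPolicy | Format-Table Profile, Policy -AutoSize

if ($EnforceOutbound) {
    if (-not $elevated) {
        Write-Warning "Changing firewall policy needs an elevated (Administrator) session."
        return
    }
    # Block unsolicited inbound and, unlike the shipped default, block outbound
    # connections unless an explicit allow rule exists.  Legitimate programs
    # will then need allow rules, which is the point of outbound protection.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    Write-Host "Policy after change:"
    Get-FirewallPolicy | Format-Table Profile, Policy -AutoSize
}

if ($EnableLogging) {
    if (-not $elevated) {
        Write-Warning "Enabling firewall logging needs an elevated (Administrator) session."
        return
    }
    # Record dropped and allowed connections so that unexpected outbound
    # attempts (the behaviour the thread worries about) leave a trace.
    netsh advfirewall set allprofiles logging droppedconnections enable
    netsh advfirewall set allprofiles logging allowedconnections enable
    Write-Host 'Connections are logged to %systemroot%\system32\LogFiles\Firewall\pfirewall.log (the default log path).'
}
```

Run it without switches from the limited account you use day to day: the first line should say `False`, which confirms that anything you launch from that account (a dropped rootkit included) does not get Administrator rights. Run it again from an elevated prompt with `-EnforceOutbound -EnableLogging` to apply the changes; the policy table printed afterwards should read `BlockInbound,BlockOutbound` for every profile.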
I personally think it will be a very strong firewall. The reason Linux is such a strong operating system is because it is a no-brainer to run as a “Safe” or “Limited” user and not the “Root” account. Microsoft have achieved this; the implementation they now have will be VERY secure, and the Windows firewall will serve just fine in Vista because of the ability and ease running as a limited user has in Vista.
Third-party firewalls are going to have to offer more protection, i.e. better traffic analysis (stats recording) (I would love this) and other nifty features to separate themselves from Microsoft’s significant improvement. Rootkits will be a thing of the past if you do not run as the Administrator!, and antivirus programs will be able to be installed as the root account; the user then logs off that and uses the limited account. Since the antivirus has “SYSTEM” level access and the virus is only able to install and run under silly “Limited user” rights, the antivirus can boot the virus a lot easier.
What protection does the Vista Firewall offer that Comodo doesn’t? The Vista Firewall is fine for the simple user who doesn’t know much about security, but for those who do know more and would like to protect themselves (imo) the Vista Firewall is not for them. I know how the Vista firewall works; in fact, at this very moment I am typing from Windows Vista with the Windows Firewall enabled. Comodo offers the same protection and much more than the Vista firewall probably ever will.
Let’s just say it is basically the same thing as the XP firewall, except it somewhat protects you from outbound threats. It doesn’t show current connections or log anything, it does not show internet traffic, and there is no indication that there is even a firewall on; the only indicator you get is the little popup asking you to block or unblock some applications. However, you can go to the Control Panel and add blocked or allowed programs. In all honesty I wouldn’t trust it more than I trust the current XP firewall. I will post some screenshots of it later.
It may be good, it may not. But I feel more confident personally in a third-party firewall. I don’t care what anyone says, but Security through Obscurity is a valid line of defence (among others). Having an exploit in one product that will affect 90% of computer users is just too tempting for a hacker wanting to gain fame.