Settings: Block nearly all

Hello all together,

My old firewall made a lot of problems working with WinXP, so I decided to check Comodo. Sounds good overall when reading all the comments and tests :slight_smile:

but …

I need an extremely closed PC. I’m a developer and want to block Windows (system, modules, …) and all applications from contacting (or being contacted from) the internet.

After installing Comodo, I found out that there is a list of “scanned applications” which are all set to “allowed”!! - SHOCK!

I made the following changes after the installation:

  • Application Monitor: Deleted everything but “System”, which is now set to “Block”, Mode is “Turn On”
  • Component Monitor: Deleted everything, Mode is “Learning mode”
  • Network Monitor:

    Removed “TCP/UDP ALL out” - why is this rule defined and on?? Everything can be sent!?
    Removed “ICMP In”
    Blocked “IP Out” - What is the GRP protocol for??

  • Comodo settings:

    Alert Frequency level => High
    Program settings: Only Protect own registry is checked now
    Adv. Attack Detection: Checked “Block all … while booting” and “Monitor other NDIS …”

What else can I do?

The only applications that should connect to the www are Mozilla (Browser) and Thunderbird (E-Mail) - that’s all. No updates, no Windows, no firewall updates, no Explorer … nothing else.

Looking forward to your help.

BTW: I’m from Germany and wish (if I use Comodo in future) to help translate the GUI to German. I saw some discussions while skimming the forum :slight_smile:

Regards,
Malte

Hello malte and welcome to the Comodo Forum, joining Comodo’s big family. :wink:

You might also want to disable the rule which silently allows safe applications:
Uncheck in Miscellaneous: “Do not show alerts for applications certified by Comodo”.
You can look at the topic Share Your Settings, where you can get or give some ideas.

malte,

CPF has a layered, rules-based approach to firewall security that is very different; it’s part of what makes it so strong. (Check out the two links in Melih’s post here, for independent professional testing results): https://forums.comodo.com/index.php/topic,4232.msg31793.html#msg31793

What this approach does is this:

The Network Rules establish how all inbound/outbound communication is allowed to occur.

The Application Rules establish what applications are allowed to communicate, within the context of the Network Rules.

The Component Monitor shows all the individual components/modules that make up all the applications, that are involved in that application’s ability to communicate.

As TheTOM_SK pointed out, if you go to Security/Advanced/Miscellaneous, and uncheck the “Do not show alerts for applications certified by Comodo” that will take away the default allow to scanned applications. Remove all applications that you do not wish to allow from the Application Monitor. You can further remove or block Components, if you wish. Then reboot your computer. If you find that applications are trying to connect, simply check the “remember” box in CPF’s alert popup, and choose “deny;” this will create a rule blocking that application.

The default Network Rules are in place because they have been found to be needed in order to allow the majority of users to be able to operate without impediment. There are no weaknesses inherent there. The Matousec test results from the link above are based on these default rules; the “Highest” security level they mention is accomplished by unchecking the “Do not show alerts…” as already mentioned. CPF is the most leak-proof software firewall to date.

If you do not need all of those rules for the way your computer needs to communicate, and you’re not on a network, you can remove them and replace them with only two:

Rule 0: to allow your authorized communication outbound
Rule 1: to stop communication inbound.
(This type of setting is what I use, as I don’t need the others for my purposes)

They need to be in that order, as CPF reads the rules from the top down.

Hope that helps.

LM

PS: Please remember that both Mozilla and Thunderbird use explorer.exe as a Parent application; it’s just the way they work.
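
A simplified model of the layered evaluation described in the reply above (network rules read top-down, application rules applied inside what the network rules permit). It is an added illustration, not Comodo's code and not part of the original posts; the executable names, the "ask" outcome for applications without a rule, first-match-wins and block-on-no-match are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NetRule:
    action: str     # "allow" or "block"
    direction: str  # "in", "out" or "any"
    protocol: str   # "tcp", "udp", "icmp" or "any"

def network_verdict(rules, direction, protocol):
    """Read rules top-down; the first matching rule decides (model assumption).
    If nothing matches, the packet is blocked (also an assumption)."""
    for index, rule in enumerate(rules):
        if rule.direction in (direction, "any") and rule.protocol in (protocol, "any"):
            return rule.action, f"network rule {index}"
    return "block", "no matching network rule"

def decide(net_rules, app_rules, app, direction, protocol):
    """Network layer first, then the application layer inside what it permits."""
    action, reason = network_verdict(net_rules, direction, protocol)
    if action == "block":
        return f"block ({reason})"
    # An application without a rule would raise an alert; modelled as "ask".
    return app_rules.get(app, "ask")

# Constructed policy: the two network rules from the reply, plus the
# application list the original poster asked for (names are placeholders).
NET_RULES = [
    NetRule("allow", "out", "any"),  # Rule 0
    NetRule("block", "in", "any"),   # Rule 1
]
APP_RULES = {"firefox.exe": "allow", "thunderbird.exe": "allow", "System": "block"}

# Overlapping rules in the wrong order: the catch-all block is read first,
# so the allow rule beneath it is never reached.
SHADOWED = [NetRule("block", "any", "any"), NetRule("allow", "out", "any")]

if __name__ == "__main__":
    samples = [("firefox.exe", "out", "tcp"), ("System", "out", "udp"),
               ("updater.exe", "out", "tcp"), ("firefox.exe", "in", "tcp")]
    for app, direction, protocol in samples:
        print(app, direction, protocol, "->",
              decide(NET_RULES, APP_RULES, app, direction, protocol))
    print("shadowed ->", decide(SHADOWED, APP_RULES, "firefox.exe", "out", "tcp"))
```
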

If you have scanned for known apps, there will be a lot of DLLs that are put automatically in the Component Monitor.

You don’t have to worry about the out rule, because it’s only if you start it yourself.
You can go extreme with network monitor, but that’s gonna cost you a lot of time.
Before deleting the default rules, you should just block them and check the log box.
Now you can check the log, what you are blocking, and then put in new rules for apps that need a connection.

Since it only takes a few minutes to reinstall, I would do that if I were you.
The link Tom_SK gave you will give you some useful tips.

If you decide to reinstall, you can go with auto, because you can change the settings later, and those rules are there to get most things working with a normal PC.
Now, DON’T scan for known applications.
First go in to security/advanced/misc and uncheck “do not show alerts…” and raise the “alert freq…” slider to the top.
Uncheck auto updates.
If you are using the latest beta, go to security/advanced/Advanced Attack Detection and Prevention and put “buffer overflow detection” on high. Do set other settings in there to your taste.
Put Component Monitor to ON. That is, if you are extremely paranoid… :wink: Read within quotes what it means to have it set to ON: “This mode forces the firewall to check for the applications’ components in memory before granting them internet access.
If any application connects to outside, firewall checks all the loaded components and checks each against the list of components already allowed or blocked, if a component is found to be blocked, application is disallowed and if there are found components which are not there in the listing the pop-up shows a button “Show Libraries…” on clicking you can review the components and allow or block.”

A normal user should not do it like this, because it will drive you nuts… :wink:

Now, to lower the amount of popups, you can go to security/tasks and add the apps you are sure that they don’t need internet access, with the wizard “define a new banned application”, and do not set a parent.
Good luck. ;D

Edit: now you were faster than me again LM… :frowning:
Posting anyway… ;D

;D

You have good info, AOwl

LM