I have heard some good things about Comodo Internet Security. In fact, everything sounds perfect, except I keep hearing about a “trusted software list” or something along those lines, and that everything on this list is able to do whatever it wants, whenever it wants, which seems to defeat the point of a firewall/HIPS.
I have it downloaded, but before I went to the trouble of uninstalling my old firewall and installing Comodo, I just wanted to check that there was an option to disable the automatic bypass ability of software on Comodo’s trusted list.
Edit: I have also searched the forum, but (especially as I don’t have CIS installed for reference) the threads I have found seem quite ambiguous, some saying it can be disabled, some saying it can’t (or it could in a previous version, but not in the current version), or it can in one part of the program, but not in another.
Firstly, I want to clarify that the Firewall and Defense+ modules are separate and can be configured to treat Comodo-trusted programs differently. It is possible to make one or both ignore the trusted list.
Set the Firewall module to Custom Policy and, if you like, remove any predefined rules. Then any program that wants network access needs your permission, regardless of Comodo’s trusted list. This is how I run, and I find it usable after some training.
Set the Defense+ module to Paranoid and, if you like, remove any predefined rules. You might also need to disable the Defense+ Settings → Execution Control Settings → Treat unrecognized files as X option (this disables automatic sandboxing). Then any program that wants to do practically anything interesting will need your permission. If that doesn’t drive you nuts with frequent prompts for permission (do check the “remember” setting on the dialog), eventually you will teach Defense+ what to allow or block. You might need to manually edit some rules; for example, to allow a program to alter any .log file in a protected directory you can use a *.log pattern rather than clicking allow for every single .log file.
At the moment, I run with Defense+ in Safe mode, using Comodo’s trusted list. Maybe it’s not perfect, but I think I would go insane otherwise. I’m also fairly careful about what I choose to run in the first place. However, I have turned on the “Create rules for safe applications” option so that all programs have rules, and I can change the rules for each program if I want to block certain things. The Defense+ rules apply even to trusted programs, except any “Ask” rules will not result in a popup; these events will be Allowed automatically, i.e. Ask = Allow, but Block really does block even trusted programs in Safe mode. Another advantage to this approach is that I can switch to Paranoid mode at any time and my system will still be usable because the Defense+ rules for all my previously-used programs are already present. Then any new program will be treated as usual in Paranoid mode.
Ah, this sounds like what I was looking for. With regard to this “Custom Policy”, what exactly does the “Custom” refer to, and will it stay in “Custom Policy” mode permanently, or is it a temporary toggle?
“This is how I run, and I find it usable after some training.”
What exactly do you mean by "some training"? (You or the firewall? ;) )
Of course I train the firewall (I use a whip, and we both enjoy it…).
See Firewall → Firewall Behavior Settings. It will stay in that mode unless you change it.
Also consider what I wrote about Defense+. A program can get access to the network by using another program, e.g. a program can call an existing web browser (which you probably allow through the firewall) to access a server, rather than do it directly. Defense+ can block that, depending on the rules you have and how paranoid you are.