Re: How good is Comodo Internet Security?
- From: VanguardLH <V@xxxxxxxxx>
- Date: Tue, 23 Dec 2008 14:35:33 -0600
nik wrote:
> Hello ppl,
> I recently installed Comodo Internet Security and I would like to know your
> opinion on this application and how trustworthy it is.
> Will it keep my computer safe from online attacks and viruses given I don't
> download vicious apps myself and not visiting porn sites?

Comodo Firewall Pro is excellent. The included HIPS (Defense+) is
excellent.

The antivirus component sucks. It never got out of its beta status for
around 2 years to deliberately keep it out of independent testing to
prove/disprove its pest coverage. I've used Comodo's firewall (both in
v2 without HIPS and v3 with HIPS) and it is a top free firewall with
only one or two commercial firewalls being better. Typically it and
Tall Emu's Online Armor (OA) are at the 2nd and 3rd position for
firewalls (free and paid). HIPS takes getting used to due to all the
prompts and why both CPF and OA include whitelists of known good apps to
reduce the prompt count although some users are more paranoid and want
prompting on all applications.

There are arguments (some very good by some highly educated network
experts) as to why a software firewall won't really protect you from
nasties (once they get deposited and become active on your host). The
Windows firewall or the one in your router are sufficient for outside
attacks (except you can still get DoS'ed) while they and better software
firewalls are really only good to keep the good apps obeying your wants
and the feeble malware constrained. HIPS can become daunting to many
users, especially non-experts because the prompts require knowledge of
the apps or OS that the typical user may not have. They make the wrong
choices, either clicking OK to every prompt which obviates the point of
the firewall and/or HIPS or constraining the actions allowed for a
process so that the app won't function correctly or can even cause OS
problems. Threatfire attempts to be a HIPS that is transparent to the
user (it is a behavioral analyzer) but it misses too much malware, has
false positives, and really doesn't work well with other security
products, like Avast's WebShield or GeSWall, causing problems of it
always stuck in "initializing" mode to s-e-v-e-r-e-l-y slowing your host
to where you believe it is hung. Nice idea but Threatfire doesn't work
well with other security products, and Threatfire isn't a total
solution. Of course, the user can decide to disable Defense+ (HIPS) in
CFP to eliminate all those prompts and having to investigate all those
choices.

I wouldn't bother with the antivirus component. Alas, Comodo has
decided to drop distribution of just their firewall and now is
distributing their Internet suite product but hopefully the CIS install
lets you NOT include their antivirus component. For antivirus, and for
something free, use Avast or Avira (but with Avira you'll need to find
the tricks to get rid of the splash screen and their adware nag on
updates). I like Avast better versus Avira that has had me waste too
much time on false positives. The paid versions of both include
additional protection features but I feel comfortable enough with the
free versions. Plus I use GeSWall Free to isolate the web browser using
stronger policies than just running under a LUA (limited user account)
token which simply removes some privileges from the browser's process.
GeSWall Free isolates *all* instances of the web browser no matter if it
was started directly or as a child process, like when clicking on a URL
link in an e-mail. DropMyRights, Sysinternals' PsExec, and other
similar utilities can run the web browser using a LUA token but only for
that particular instance of the web browser, not when started as a child
process of some other program. Online Armor has its Run Safer mode (and
the author of DropMyRights has his RunSafer utility to set restricted
policies on the web browser) that you can enable for an allowed
application to run under an LUA token but to turn it off means having to
wade through OA or rerun the policy utility to disable that option on
that program, which is way too much hassle for me. Windows
Update, Adobe Flash update, and many other update or install sites will
not function with the browser under reduced rights or under GeSWall
under its isolated environment and severely reduced rights. I want the
web browser protected nearly most of the time but have an easy way to
switch to an unprotected mode, and GeSWall gives me that. I already
have virtual machines for more protection when trialing unknown or
untrusted software and didn't need another level of protection
granularity between restricting the web browser under my production
environment to running it unfettered but within a VM, so sandboxing was
needed by me and GeSWall fit the need to restrict my browser.

Exploits, like the recent one with IE that could deliver a small payload
due to a buffer overrun, are isolated within GeSWall or a sandbox so
this protects you until the browser gets updated. However, there is
also Comodo Memory Firewall (not a firewall but a memory protection
utility to guard against buffer overruns) which is better than the
software DEP in Windows XP or Vista (which only protects against one
specific type of SEH chain corruption). CMF covers what DEP covers and
more. Instead of trapping the payload that got through an exploit
through the browser, CMF would detect the overrun and prompt to have you
terminate the process. CMF is called SafeSurf in CPF; that is, CPF v3
now includes CMF renamed as SafeSurf (however, it also included the Ask
Toolbar garbage which you should uninstall using Add/Remove Programs
after completing the CPF + SafeSurf install).

Their web site has you downloading their CIS product when you try to
download just their CPF product. During the install, I'd suggest NOT
including their antivirus product. Use a better free antivirus program.
Do include the SafeSurf component (but follow with an uninstall of the
Ask Toolbar), or separately get CMF.

CIS all components: No.
CIS with all but antivirus: Yes.
Add a good antivirus program (Avast, Avira).
Log on under a limited Windows account, or run Internet-facing apps, like
the web browser, under an LUA token, in an isolated environment, under
tighter policies, or sandboxed.

Note that you can add something like HIPS to the Windows firewall by
using software restriction policies. Use the group policy editor
(gpedit.msc) and go under Computer Config -> Windows Settings ->
Security Settings -> Software Restrictions -> Additional Rules. Add a
path to identify the program that you don't want to block from loading.
This can even be done for Microsoft's own wgatray.exe program. I use it
for some others that I never want to allow to load.

After trialing many security products (all free for those that I
considered keeping for myself), my suite boiled down to:

VirtualPC 2007 (or VMware Server)
- Test unknown or untrusted software.
- OS is clean (no security software). Prevents interference with good
  programs. Lets bad programs exhibit their behavior since many will
  quiesce when they detect security software (although a few also
  quiesce when they notice they are running inside a VM).
- VirtualPC is easier to use than VMware but VMware has some nice
  additional features.

Windows Firewall
- Decided not to use HIPS anymore. Got tired of all the investigations
  to make intelligent choices regarding the prompts.
- With the router's firewall, have double-layered inbound-only
  protection.
- Other reasons not necessary to get into here but basically to simplify
  my setup and for compatibility.

Avast Antivirus
- Standard, Network, and Web shields enabled.
- Other shields are disabled as they are not applicable (don't use the
  apps covered by those shields) or don't want them (like e-mail scanning
  which is superfluous and often causes timing or mail session problems).

GeSWall
- Provides isolated environment for web browsers.
- Enforces severe privilege restrictions on web browsers beyond just
  using an LUA token.
- Isolates ALL instances of web browsers no matter if opened directly or
  started as a child process.
- Allows easy switch to non-protected browser using a titlebar button.
  Needed for Windows Updates and several other trusted sites.
- No noticed impact on browsing speed.
- Less interference than using a sandbox (most of which are no longer
  available for free or no longer supported, and Sandboxie turns into
  once-a-day nagware after its 30-day trial).
- Free whereas Bufferzone and Defensewall are not; however, free version
  of GeSWall only isolates web browsers but which is the primary infection
  vector into a host with e-mail coming in 2nd place.

Returnil
- Saves changes to a differencing [virtual] disk. You can discard them
  through a reboot.
- Enabling the protection does not require a reboot.
- Can test unknown or untrusted software in my production environment
  but restore the drive back to its prior state to completely erase the
  new software from the drive (and not even have to bother uninstalling
  it).
- Similar products are Microsoft's SteadyState (free) and ShadowSurfer
  (was free but no more).

All this stuff is free. It all works together, too, with no conflict
and no noticeable slowdowns (except when testing software inside a VM).
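
An added example, not part of the original post: after creating software restriction path rules in gpedit.msc as described above, one way to check what was actually configured is to export the policy key and list every path rule with its security level. It assumes the computer policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with per-level Paths subkeys; the sample export, the GUIDs and the wgatray.exe location are constructed for illustration.

```python
import re

# Level subkeys under ...\Safer\CodeIdentifiers are decimal security levels.
LEVELS = {0: "Disallowed", 131072: "Basic User", 262144: "Unrestricted"}
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows'
                    r'\\Safer\\CodeIdentifiers(?:\\(\d+)\\Paths\\\{[^}]+\})?\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample of a `reg export` of that key; GUIDs and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-aaaa-4bbb-8ccc-000000000001}]
"ItemData"="C:\\Windows\\System32\\wgatray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{11111111-aaaa-4bbb-8ccc-000000000002}]
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,\
  69,00,72,00,25,00,00,00
'''

def decode_value(raw):
    """Decode the .reg value forms seen here: REG_SZ, REG_EXPAND_SZ, dword."""
    if raw.startswith('"'):                    # REG_SZ, with \\ and \" escapes
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('hex(2):'):              # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw

def audit_srp(reg_text):
    """Return (default level name, [(level name, path), ...]) for path rules."""
    text = re.sub(r'\\\r?\n\s*', '', reg_text)  # join wrapped hex lines
    default, rules, scope = None, [], None
    for line in (l.strip() for l in text.splitlines()):
        key, val = KEY_RE.match(line), VAL_RE.match(line)
        if line.startswith('['):  # scope: 'root', numeric level, or None (other key)
            scope = key and (int(key.group(1)) if key.group(1) else 'root')
        elif val and scope == 'root' and val.group(1) == 'DefaultLevel':
            level = decode_value(val.group(2))
            default = LEVELS.get(level, str(level))
        elif val and isinstance(scope, int) and val.group(1) == 'ItemData':
            rules.append((LEVELS.get(scope, str(scope)), decode_value(val.group(2))))
    return default, rules

def blocked_paths(reg_text):
    """Paths that SRP path rules explicitly set to Disallowed."""
    return [path for level, path in audit_srp(reg_text)[1] if level == "Disallowed"]
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `audit_srp`.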