ePlaice / For the Best Software on the Net


Latest news

07 Jun 2008: Comodo Firewall Pro 3.0 version 25.378 has been released to fix a number of problems. I have now been using Comodo for two weeks and my impression has become more favourable all the time. It has been a fairly steep learning curve, but worth the effort.

Comodo Firewall Pro

The following provides an indication of some of the settings that I have found useful. For further details it is recommended that you look directly at the User Forum. When you have a configuration that you feel comfortable with, it is advisable to make only one change at a time and check it out; otherwise you may have difficulty in reversing an error, or even in recalling what has been changed. The firewall vendors will claim that their firewall provides 100% security and the attackers will claim that they can always find a way to break into a system. Perhaps both are correct, because most users will invalidate the supplier's claim by badly configuring the firewall. In addition, there are so many break-ins which are actually inside jobs - in other words someone has got to your machine from behind the firewall. If you add to this faults in the firewall software (witness the number of new versions), which the end user is expected to find and report back, using a firewall is not the panacea it is cracked up to be. However, by making sure your firewall is configured properly and by checking the logs, you can improve matters.

I decided not to renew my licence for the new Outpost Firewall Pro 2008 after having had some bad experiences with performance, compatibility with other applications and unease with the general design. It became obvious that products were being released without adequate testing and that too much use was being made of the User Forum to make up for these shortcomings. It may be that things have changed and that later products are of a higher standard - if this is so, unfortunately it is too late for me, because I have moved to Comodo Firewall Pro 3, which is free. I waited a bit until the new version 3 was well bedded in, and so far this has been a rewarding exercise. I have quite a few years as an Outpost Firewall user behind me, which allows me to make some comparisons as to how well Comodo fills the firewall role.

Comodo Installation

When installing a different firewall you need to make absolutely sure that all traces of the previous firewall have been removed. For Outpost there are some notes posted on how to get rid of it, and I followed these as best I could. Because installing a new firewall is a major change to your system, it is as well to have your system and data backed up in case you hit major problems. The installation routine worked well, with no problems, apart from my being suckered into installing SafeSurf. Against my better judgement I decided to install the SafeSurf toolbar, even though I have a real aversion to all browser toolbars. This just confirmed my expectations when Firefox and IE7 started falling over for no apparent reason. Mozilla and Microsoft must have received many failure reports caused by this badly implemented piece of software. I suspect most of the problems were due to multiple timeouts, but I don't really want to go any further, because I should have known better after trying out Comodo Verification Engine, which caused very similar problems. Anyway, I reinstalled Comodo just to make sure all traces of SafeSurf were gone. I really believe that this sort of well-intentioned software is best left to the builders of the browsers. I decided to install Defense+, which is proving to be a much better piece of judgement, and I really find myself liking this approach more and more. For the moment I have stuck with the installation Security Settings, particularly as I had a bit of a meltdown when changing to a different mode.

Comodo Updating and Comodo Internet Security

Towards the end of October 2008 I noticed that there was a Comodo Internet Security 3.5 version available and I thought about installing this, but decided not to (although if you read on you will find I actually did end up installing it). I looked at the forum and found that there was confusing advice on how to upgrade to version 3.5, so decided to hold off. I was very wary about anything that was integrated after my experiences with Outpost, and that was the main reason I passed. The next day I found Comodo ready to apply updates, so I went ahead and discovered that I was now running Comodo Firewall 3.5 - so far so good. Then I looked at Process Explorer after a reboot, to see that I was now running Comodo Internet Security 3.5. OK, I'm not particularly bothered, as the update seems to have gone well; all it means is that I am just using the Firewall element of CIS and not the virus checker. As I don't want the virus checker at the moment I shall leave the Firewall running and see what develops. I can see why Comodo has done this - they ultimately want you to upgrade to the paid version of CIS, and having a free Firewall Pro did not make for good advertising. I understand that some people, on seeing the CIS 3.5 version available, uninstalled Comodo Firewall Pro 3.0 (after saving their configuration using the export command) and then installed CIS 3.5, taking only the Firewall component. This seems to have been problematic in some cases, so based on my experience I would definitely advocate using the Comodo built-in updater. What I am more upset about are the confusing messages that appeared on the forum and the seeming lack of communication skills shown by the developers. In spite of this I remain very satisfied with the product (it is still free at the moment, and where else would you get such a highly rated firewall?). By the way, I am still a bit in the dark as to what version 3.5 has fixed.

Comodo Firewall Configuration

I am certainly not an expert in this area, so for now I will give my experiences together with any comparisons, favourable or unfavourable, regarding Outpost Pro Firewall. I have decided not to make any special allowances for the fact that Comodo is a free product whereas Outpost Pro requires payment of an annual licence fee - so if Comodo is to be worthwhile running, it has to do the basics well, even if it does not have all the bells and whistles of its paid-for competitors.

Firewall Security Level

When I installed Comodo the Firewall Security Level was set to 'Safe' mode. At the moment I intend to keep it at 'Safe' mode for the foreseeable future. All of my findings below therefore refer to running the Firewall in 'Safe' mode unless explicitly detailed otherwise. So looking at what 'Safe' mode means, I see:-

  • Network rules are applied - I take this to mean that any Global Rule or Application Rule in the Network Security Policy is used when checking what applications can or can't do. If there is no allow rule then the application is blocked.
  • Outgoing application traffic initiated by safe applications is learnt - so if you have an application on the safe list (either Comodo's or your own), Comodo will generate a new application rule to cover the outgoing traffic. I don't think you will get an alert when the new rule is created. It's also a sure thing that you will get an alert when there is incoming traffic to your application on the safe list. In fact I have seen something like '...exe is on your safe list but is trying to ...'.
  • Application traffic initiated by unknown applications is alerted to the user - so I guess this means inbound or outbound traffic for an application that is not on the safe list will receive an alert.

Setting Firewall Rules

On the Comodo Firewall page this is called 'Network Security Policy', so I had a look here to see what had been pre-configured. I was a little taken aback when I found this very much a 'do it yourself' effort; it reminded me of my first look at the old Comodo 2.4 application. This is no reason to reject the firewall, but it does mean that less experienced users will have a hard time setting the firewall to give the best protection. In the Comodo help system this is described as the nerve centre of the firewall, with which I fully concur. Comparing with Outpost, this reminds me of the early days where the forum published an ideal configuration which one could edit; later they changed to a set of preset rules which made life much easier for most users. With Comodo you do have Predefined Firewall Policies, but when Comodo searches your applications it does not automatically attach the appropriate Policy. Also, when you inspect the Predefined Policies, they are incomplete and not fully functional. So, for example, the policy for an email client does not include any rule to connect to the internet - instead there is an 'ask' rule, which means you have to answer an alert whenever you start up, say, Thunderbird. In my opinion the most productive improvement to the Firewall would be the addition of a comprehensive set of predefined policies and rules for the most common applications. This should not be particularly difficult, given Comodo's extensive listing of trusted applications. On the plus side, it does seem that Comodo takes note of these rule set changes when it releases new versions of the firewall. I used the supplied Browser ruleset for Firefox and IE7 and so far have not experienced any problems.

OK, I took another look at the help file and am just beginning to comprehend that if I use the recommended 'Safe' mode, then I don't need to use the advanced features for setting Firewall rules. For example, when I run an application that accesses the net it automatically generates a set of firewall rules that normally look like 'Allow IP Out From IP Any To IP Any Where Protocol Is Any'. I guess this just about allows an application to do anything on the net as long as it is outbound. I then found I could improve on some of these generated rules: for example, the Ad-Aware Update Manager only needs outgoing access, so its generated rule could be replaced by the 'Outgoing Only' policy. There are still further changes that could be made, like restricting it to TCP only and to certain ports. Somehow, I don't believe Comodo's learning mode is going to make these changes for you - it gives you a reasonably safe rule (but allowing more than necessary) and it is up to you to hone the rule. Let's hope at some stage Comodo will have more appropriate rules for commonly used applications, without the need to build each rule manually.

Time for Setting Up a Rule Example

In my work I use some database applications that use MySQL, where the database is held on the local PC. When I ran these applications for the first time in 'Safe' mode, Comodo immediately set up an application rule for me that looked like this:-

  • Allow IP Out From IP Any To IP Any Where Protocol is Any

This was defined as a custom rule and everything worked.

So I set up a new Predefined Firewall Policy and called it 'MySQL Application'.
For MySQL applications I need a rule 'Allow outbound TCP to remote host 127.0.0.1, remote port 3306'.
In Comodo speak, this looks like:-
  • Allow TCP Out From IP Any To IP 127.0.0.1 Where Source Port Is Any And Destination Port Is 3306

After saving this, I went into Network Security Policy, Application Rules and changed 'Use Custom Policy' to my Predefined Policy 'MySQL Application'.
So this is a fairly trivial example, but it illustrates how rules can be tightened up and some of the advantages of using Predefined Policies: now all I have to do is change my Predefined Policy in one place and the rule(s) get updated for every application that uses it.
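To make the learning-versus-tightening story concrete, here is an example added for this page (it is not Comodo code and not code from the original article, and it does not read Comodo's configuration) that models Safe-mode rule evaluation in Python: per-application rules matched first-match-first, a safe application's unmatched outbound traffic learnt as the loose 'Allow IP Out' rule quoted above, everything else alerted, and named port sets of the kind the Port Sets section further down describes. The application names dbapp.exe and unknown.exe, the addresses and the port-set membership are assumptions. The tightened policy ends with explicit block rules on purpose: in this model a packet that matches nothing falls through to Safe-mode learning, and whether the real product does the same with a Predefined Policy is something to check rather than assume.

```python
"""Model of Comodo-style application rules evaluated in 'Safe' mode.

Added example for this page, not Comodo code: it does not read or write the
Network Security Policy, and the application names, port-set membership and
sample traffic are assumptions. First matching rule wins; a safe
application's unmatched outbound traffic is learnt as the loose rule the
page quotes; anything else unmatched raises an alert.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

ANY = "Any"
PortSpec = Union[int, str]   # a port number, a port-set name, or ANY

# Named port sets in the style of Comodo's predefined sets (membership assumed).
PORT_SETS: Dict[str, Set[int]] = {
    "POP3/SMTP": {110, 25, 143, 993, 995, 465, 587},
    "DNS": {53},
    "MySQL Ports": {3306},
}

@dataclass(frozen=True)
class Packet:
    app: str          # image name of the process
    direction: str    # "In" or "Out"
    protocol: str     # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def port_matches(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, int):
        return spec == port
    return port in PORT_SETS[spec]   # named port set

@dataclass(frozen=True)
class Rule:
    action: str                 # "Allow" or "Block"
    direction: str              # "In" or "Out"
    protocol: str               # "TCP", "UDP" or "IP" (IP matches any protocol)
    src_ip: str = ANY
    dst_ip: str = ANY
    src_port: PortSpec = ANY
    dst_port: PortSpec = ANY

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.protocol in ("IP", pkt.protocol)
                and self.src_ip in (ANY, pkt.src_ip)
                and self.dst_ip in (ANY, pkt.dst_ip)
                and port_matches(self.src_port, pkt.src_port)
                and port_matches(self.dst_port, pkt.dst_port))

class SafeModeFirewall:
    """Per-application rule lists, with Safe-mode handling of unmatched traffic."""

    def __init__(self, safe_apps: Set[str]) -> None:
        self.safe_apps = set(safe_apps)
        self.rules: Dict[str, List[Rule]] = {}

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules.get(pkt.app, []):   # first match wins
            if rule.matches(pkt):
                return rule.action
        if pkt.app in self.safe_apps and pkt.direction == "Out":
            # Learnt rule: Allow IP Out From IP Any To IP Any Where Protocol Is Any
            self.rules.setdefault(pkt.app, []).append(Rule("Allow", "Out", "IP"))
            return "Allow (learnt)"
        return "Alert"   # unknown application, or inbound to a safe one

def mysql_application_policy() -> List[Rule]:
    """Tightened policy: local MySQL only, then explicit blocks so nothing falls through."""
    return [
        Rule("Allow", "Out", "TCP", dst_ip="127.0.0.1", dst_port="MySQL Ports"),
        Rule("Block", "Out", "IP"),
        Rule("Block", "In", "IP"),
    ]

def run_scenario() -> Tuple[List[str], List[str]]:
    fw = SafeModeFirewall(safe_apps={"dbapp.exe"})   # hypothetical safe-listed client
    local_db = Packet("dbapp.exe", "Out", "TCP", "127.0.0.1", "127.0.0.1", 49152, 3306)
    web = Packet("dbapp.exe", "Out", "TCP", "192.168.1.10", "203.0.113.5", 49153, 80)
    unknown = Packet("unknown.exe", "Out", "TCP", "192.168.1.10", "203.0.113.5", 49154, 80)
    inbound = Packet("dbapp.exe", "In", "TCP", "203.0.113.5", "192.168.1.10", 4444, 3306)

    # The first connection creates the loose learnt rule, which then also passes
    # the web connection; the unknown application and the inbound packet alert.
    learnt = [fw.decide(local_db), fw.decide(web), fw.decide(unknown), fw.decide(inbound)]

    # Replace the learnt custom rule with the predefined policy, as the page does.
    fw.rules["dbapp.exe"] = mysql_application_policy()
    tightened = [fw.decide(local_db), fw.decide(web), fw.decide(inbound)]
    return learnt, tightened

if __name__ == "__main__":
    print(run_scenario())   # (['Allow (learnt)', 'Allow', 'Alert', 'Alert'], ['Allow', 'Block', 'Block'])
```

The first list shows why the learnt rule is worth replacing: once it exists, the same application can talk to any address on any port, which is far more than a local database client needs.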

Firewall Events

This screen is an easy way to view the logs, both Firewall and Defense+. By mistake I managed to block the Comodo cfp.exe application, which amongst other things does lookups on your safe files to see if they are recognised. Because it was blocked I received some events in the Firewall log, which provide all the information necessary to create very tight Firewall rules. The event log tells me that the protocol is UDP, the destination port is 53 (DNS) and the destination IPs for Comodo are 77.92.68.124 and 74.52.245.98. Usually, when constructing a rule I don't use the destination IPs, because these can change fairly rapidly depending on the company involved.
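The events above contain exactly the fields needed to derive a rule. As an added example (not Comodo code; Comodo's event viewer is a GUI and its export format is not given on this page, so the line format below is a constructed one), this Python script parses a few event lines, groups the blocked events by application, protocol, direction and destination port, lists the destination addresses seen for each group, and proposes a rule with the destination IP left as Any, following the practice described above. The cfp.exe values are the ones reported on this page; the updater.exe lines and the log layout are invented for the illustration.

```python
"""Turn firewall event log lines into candidate rules.

Added example for this page, not Comodo code. The line format is constructed
(Comodo's export format is not documented here); the cfp.exe values are the
ones the page reports, the updater.exe lines are invented to show a second
group. Proposed rules pin protocol, direction and destination port and leave
the destination address as Any, as the page recommends.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed format: date time action app proto direction src:port -> dst:port
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<app>\S+) (?P<proto>TCP|UDP) "
    r"(?P<dir>In|Out) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample events (the last line is deliberately not an event).
EVENTS = """\
2008-06-07 10:12:01 Blocked cfp.exe UDP Out 192.168.1.10:1045 -> 77.92.68.124:53
2008-06-07 10:12:01 Blocked cfp.exe UDP Out 192.168.1.10:1046 -> 74.52.245.98:53
2008-06-07 10:15:22 Blocked updater.exe TCP Out 192.168.1.10:1050 -> 203.0.113.10:80
2008-06-07 10:15:40 Blocked updater.exe TCP Out 192.168.1.10:1051 -> 203.0.113.77:80
this line is not an event and is skipped
"""

Key = Tuple[str, str, str, int]   # app, protocol, direction, destination port

def parse(text: str) -> List[dict]:
    """Return the fields of every line that matches the event format."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:               # tolerate non-event lines rather than aborting
            events.append(m.groupdict())
    return events

def group_blocked(events: List[dict]) -> Dict[Key, Set[str]]:
    """Collect the destination addresses seen for each app/proto/dir/port."""
    seen: Dict[Key, Set[str]] = defaultdict(set)
    for e in events:
        if e["action"] != "Blocked":
            continue
        seen[(e["app"], e["proto"], e["dir"], int(e["dport"]))].add(e["dst"])
    return dict(seen)

def propose_rules(seen: Dict[Key, Set[str]]) -> Dict[str, List[str]]:
    """One Comodo-phrased allow rule per group, destination IP left as Any."""
    rules: Dict[str, List[str]] = defaultdict(list)
    for (app, proto, direction, dport), _dsts in sorted(seen.items()):
        rules[app].append(
            f"Allow {proto} {direction} From IP Any To IP Any "
            f"Where Source Port Is Any And Destination Port Is {dport}"
        )
    return dict(rules)

if __name__ == "__main__":
    seen = group_blocked(parse(EVENTS))
    for key, dsts in seen.items():
        print(key, "destinations seen:", sorted(dsts))
    for app, rules in propose_rules(seen).items():
        print(app)
        for r in rules:
            print("   ", r)
```

The destination sets printed for each group show why pinning the rule to an address is fragile: two events from the same application on the same port already went to two different servers.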

Trusted Applications

The Firewall page allows you to create a trusted application which means that you are allowing the application uncontrolled access to the internet both for inbound and outbound traffic. I have to say that in all the years I used Outpost Firewall, I never used Trusted application status and I don't intend to start now with Comodo. At the end of the day it is a matter of personal choice, but my choice is not to trust any application unless it is absolutely necessary because of the opportunities this can give unscrupulous vendors.

Blocking an Application

Sometimes, there may be no good reason why an application should need internet access, and so for safety reasons it may be worthwhile blocking the application. Comodo provides several ways of doing this :-

  • Use the 'Define a New Blocked Application' shortcut on the Firewall tab
  • Set up a block rule for the application using Network Security Policy
  • Use the Predefined Firewall Policy 'Blocked Application'
Whichever method you adopt, the blocked application will not be allowed to communicate with the internet. As an example, I found that Sysinternals Process Explorer had been granted outbound access by Comodo's automatic rule creation. The only reason I could think of for it needing to go on the internet would be maybe to validate a digital signature for running software - there is no automatic update facility. I am a great fan of the Sysinternals software, but in this case I decided to block it, simply because I was not sure what was going on.

Port Sets

Comodo provides a common list of Port Sets, so that when setting up Firewall Rules the user can just specify the destination port as 'POP3/SMTP' instead of having to specify the numeric values (i.e. 110, 25, 143, 993, 995, 465 and 587). This makes for greater ease in specifying the rule and also more clarity in understanding it. The Comodo system is very flexible, so in the MySQL rule example you could create a new port set called 'MySQL Ports' with just 3306 as a member. In this case, as there is only one member, there is probably not much point. Sometimes it can be useful to define other ports such as DNS, which is port 53. I find it quite useful just having this feature as a lookup for the common TCP ports.

Comodo Logging

There is some logging within Comodo, but it is well tucked away - either go to the Firewall page, View Events or Defense+ page, View Defense+ Events and click on the 'More' button and there you will find logging for the Firewall and the Defense+ module. However, this is not detailed logging, just a summary of what Comodo regards as significant events such as when an application is blocked. This is an area that could be greatly expanded and does not allow a detailed analysis of what has been happening. However, it may well be that most users will find this type of logging sufficient to manage their system.

Firewall Behavior Settings

  • General Settings tab - this is used to determine the operational mode of the firewall. The Comodo default and recommended mode for most users is to have this set to Safe Mode and having had a look at the other settings I can see no good reasons to change this at the moment.
  • Alert Settings tab - Changing this will alter the number of alerts you receive. The Comodo default is low which seems to work fine for me and I also left all boxes ticked as per default.

Attack Detection Settings

Defense+ Configuration

I have decided to treat this as a separate section, since this embodies all that's called Application Control in the Outpost Firewall and a lot more - maybe this is where the plus sign comes in. I know it's possible to run just the firewall without Defense+, but then this only provides half a solution, particularly as the network rules for the Firewall are quite difficult to configure and require quite a bit of expert knowledge to set up. The bad news is that using Defense+ is not for the faint-hearted, because of the steep learning curve involved in using it properly.

System Scan

When you install Comodo, and also at user request via 'Scan My System' on the Defense+ page, Comodo will run a scan of your system looking for any malware, viruses or spyware. I have run this a few times and so far have not come across any threats, so I am curious to know how well this scan compares to, say, AVG 8. From looking at the forums it appears that this performs very well, with detection rates as good as the best. It does not check in real time, so it is as well to keep your regular anti-virus program. Also, if you are running a scan, try running with your regular anti-spyware disabled to see how well this performs in terms of speed - it's very fast!

The Comodo Safelist

Apparently there are over 1 million files on the Comodo safelist as of mid January 2008, so maintaining this safelist is no mean feat. Comodo rely on their users to submit files that are not on the safelist for checking, to see whether they can be added to the database and distributed to all users in updates and future releases.

  • sigsdb.db - This is the signature database for the safelist (look in Documents and Settings\All Users\Application Data\Comodo\db).
  • custom.db - This contains your own safe files.

Comodo Finds a File or Application Not on the Safelist

It looks like Comodo treats all your applications and files as safe on installation, which is probably why it does a scan across your system looking for viruses and trojans. However, once you install a new program, or even a new version of a program, and this is not on the safelist, then it will be flagged in your pending files. In order to save work and alerts it might be better not to be too hasty in installing new versions of common programs. In fact from a security point of view this is no bad thing, since hopefully other users will discover the problems first while you maintain a stable system. So as an example, I installed the latest Dell Support Center software because I wanted to diagnose a problem. This was not on the database, so I now have a mass of files sitting in 'My Own Safe Files', which I guess are now held in custom.db.

Defense+ Security Settings

When I installed Comodo the Defense+ Security Level was set to 'Clean PC' mode. Apart from a very brief flirtation with 'Safe' mode, I intend to keep it at 'Clean PC' mode for the foreseeable future. All of my findings below therefore refer to running Defense+ in 'Clean PC' mode unless explicitly detailed otherwise. In 'Clean PC' mode all the applications that were installed prior to the installation of Comodo are considered to be clean. However, any new executable or application that is not found on the Comodo Safe List will raise an alert, and the new files will end up in My Pending Files waiting for review. Until you have determined that they are safe, Comodo will not let you run them (an executable could be a .exe, .dll, .sys, .bat etc.).

Pending Files

My understanding is that Pending Files will be created by Defense+ if files are created on your system after Comodo install and which do not appear on the Comodo Safe List under the following circumstances :-

  • Install of a new application
  • Install of an updated version of an existing application
  • Run of an existing application that creates new file(s)

If you are running Defense+ in 'Clean PC' mode then Comodo will stop you taking any action on the pending files until you have reviewed them. You can either:-
Assess whether they are OK and if so 'Move to' 'My Own Safe Files' - in which case you get an entry in the custom.db database allowing these files. If you believe they are unsafe then you can 'Move to' the Quarantine area.
The function of the 'Remove' button seems unclear and is not described in either the User Manual or the on-line help. By trial and error it looks like this command can be used to remove selected files from your own Safe List, e.g. when the file(s) no longer exist on your system.
The 'Lookup' function performs a check to see if the file is known to Comodo. I guess it could happen that if you leave the pending files list long enough, some of the files could end up on the Comodo safelist.
The 'Submit' button lets you send the file to Comodo for checking, so that eventually it may end up on the safe list.
The 'Purge' button seems to delete all the Pending files on your system; it literally purges the entire Safe List. This is quite different, in fact, from what the on-line help and the User Manual say. My advice is to use this with caution.

Installing New Applications - Beware!!!

Comodo has a setting for new installations that will help you overcome some of the numerous alerts that Defense+ puts out. Note that this covers not only new applications but new versions of applications. From some bitter experiences I have learnt that it is not always best to be the first to try a new application or a new beta version. If you really want to play it safe, then let others do the testing and look at the forum to see what the general level of response is like. A case in point is Comodo Firewall version 3.0, where early releases seemed to have quite significant problems which looked like they were causing a lot of pain to users. However, by waiting a bit you can now be confident that the later versions stand up well and are reasonably robust, provided you don't attempt anything outside normal usage. I am now confident enough that Comodo will provide an extremely good basis for long term Firewall protection, and above all I am most impressed by the features of Defense+. I hasten to add that I have no affiliation with Comodo, its forum or any other organisation linked to Comodo.

What Happens to Your Safe List?

This is not in any user manual that I can see, but in fact the features in Comodo work quite well when you know what's going on. Suppose you have a file that has been moved to your own Safe List. Then as time goes by the Comodo Safe List gets updated and subsequently your unknown file is regarded as safe by Comodo. So periodically you do lookups on your safe list, and then Comodo will tell you that your file is safe and give you a dialogue to remove it from your Safe List. Once this is done the files are now on the Comodo safe list and are removed from your safe list. Fairly neat. However, some files will probably sit for ever on your safe list, because they may be a niche piece of software (e.g. SharpDevelop, a C# IDE) or Comodo just may not want to recognise items like 'Dell Support Center', which is digitally signed. For whatever reason, your Safe List is bound to get bigger. Also, what happens to the AVG .bin files which are downloaded each day - clearly Comodo will not want to update the Safe List to cater for a file name that changes each day. In this case I would just delete the old .bin files in AVG and also remove them from your Safe List.
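Putting the Safelist, Pending Files and Safe List reconciliation described above together, here is an example added for this page (not Comodo code; it does not read sigsdb.db or custom.db, and SHA-256 as the hash and the file names and contents are assumptions) that models the Clean PC workflow in Python: files present at install are treated as clean, a new or updated executable unknown to the vendor list lands in pending and is refused until reviewed, a reviewed file goes onto the user's own list or into quarantine, and a later lookup removes from the own list anything the vendor list has since learnt.

```python
"""Model of a Defense+-style safelist in 'Clean PC' mode.

Added example for this page, not Comodo code: it does not read sigsdb.db or
custom.db, and the hash function (SHA-256), the paths and the file contents
are assumptions. It walks through the workflow the page describes: files
present at install are clean, a new or updated executable unknown to the
vendor list goes to pending and cannot run until reviewed, a reviewed file
joins the user's own safe list or quarantine, and a later lookup drops it
from the own list once the vendor list has caught up.
"""
import hashlib
from typing import Dict, Set

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class SafeLists:
    def __init__(self, vendor_hashes: Set[str]) -> None:
        self.vendor = set(vendor_hashes)     # sigsdb.db analogue: Comodo's safelist
        self.custom: Set[str] = set()        # custom.db analogue: 'My Own Safe Files'
        self.clean: Set[str] = set()         # present when Clean PC mode started
        self.pending: Dict[str, str] = {}    # path -> hash awaiting review
        self.quarantined: Set[str] = set()

    def baseline(self, files: Dict[str, bytes]) -> None:
        """Clean PC mode: everything installed before the firewall is considered clean."""
        self.clean = {digest(d) for d in files.values()}

    def may_execute(self, path: str, data: bytes) -> bool:
        h = digest(data)
        if h in self.quarantined:
            return False
        if h in self.vendor or h in self.custom or h in self.clean:
            return True
        self.pending[path] = h         # unknown: park it and refuse to run it
        return False

    def move_to_safe(self, path: str) -> None:
        self.custom.add(self.pending.pop(path))

    def move_to_quarantine(self, path: str) -> None:
        self.quarantined.add(self.pending.pop(path))

    def lookup(self) -> Set[str]:
        """Re-check own safe files against the vendor list; drop the ones it now knows."""
        now_known = self.custom & self.vendor
        self.custom -= now_known
        return now_known

    def vendor_update(self, new_hashes: Set[str]) -> None:
        self.vendor |= new_hashes

def run_scenario() -> Dict[str, object]:
    # Constructed 'disk' contents: two programs installed before the firewall.
    editor = r"C:\Program Files\Editor\editor.exe"
    notepad = r"C:\Windows\system32\notepad.exe"
    lists = SafeLists(vendor_hashes={digest(b"notepad")})   # vendor knows notepad only
    lists.baseline({editor: b"editor v1", notepad: b"notepad"})
    result: Dict[str, object] = {}

    # 1. The pre-installed editor runs: it is in the clean baseline.
    result["v1_runs"] = lists.may_execute(editor, b"editor v1")
    # 2. An updated editor is on no list: it goes to pending and is blocked.
    result["v2_first_run"] = lists.may_execute(editor, b"editor v2")
    result["pending_after_v2"] = sorted(lists.pending)
    # 3. After review it is moved to My Own Safe Files and runs.
    lists.move_to_safe(editor)
    result["v2_after_review"] = lists.may_execute(editor, b"editor v2")
    # 4. A dropped tool is judged unsafe and quarantined: it stays blocked.
    tool = r"C:\temp\tool.exe"
    lists.may_execute(tool, b"tool")
    lists.move_to_quarantine(tool)
    result["quarantined_runs"] = lists.may_execute(tool, b"tool")
    # 5. The vendor list later learns the new editor; lookup drops it from the own list.
    lists.vendor_update({digest(b"editor v2")})
    result["lookup_moved"] = len(lists.lookup())
    result["custom_left"] = len(lists.custom)
    result["v2_after_lookup"] = lists.may_execute(editor, b"editor v2")
    return result

if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The lookup step is the behaviour the section above describes: nothing is lost, the file simply stops needing an entry in the own list once the vendor list catches up, which is why that list only grows for niche or unrecognised software.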

Quarantined Files

As detailed above, if you decide that a file looks unsafe you can quarantine it, which means that you will be unable to access it at all. I don't like to admit that I ended up with all of my C: drive quarantined - all I can remember is that I wanted to block a file and was asked to remember my decision, and I had just moved to 'Safe' mode. With that my whole PC was unusable, apart from being able to look at the Explorer tree. The Comodo application cfp.exe froze, and so when I rebooted I found that cmdagent.exe was running, which I could not terminate due to having no access permissions. At this stage I came close to reinstalling Windows XP, but after carefully considering the options I found the only way out was to start up the PC in XP Safe Mode with the Administrator logon and then kill the cmdagent.exe process. To be on the safe side I decided to reinstall Comodo, even though I considered totally ending my short relationship with Comodo. The moral of the story is that I am very wary about going into 'Safe' mode (I shall stick with 'Clean PC' mode until I get my confidence back) and I don't like asking Comodo to remember a decision. I have since discovered that Comodo are working on a solution to this problem, which makes me very nervous for any future releases if they make the situation worse. This experience is also my main reason for saying this software is not for inexperienced users - in all my mishaps with Outpost I never came close to an incident such as this. Firewalls are supposed to help you ward off attackers, and not by making your PC unusable to both you and the attacker.

My Own Safe Files

Comodo provides a means of looking at files that you have added to your own safe database, but the only means of checking a Comodo safe file is by using the 'lookup' method - looking at a million records would be a bit time consuming!!

Active Process List

The Active Process List is actually a tree view of the running processes on the PC, giving a very clear view of what is going on. This is much clearer than the process list in the XP Task Manager, but is not as comprehensive as Sysinternals Process Explorer. Whichever you prefer, it is nearly always revealing to see how many processes an average XP installation has even before doing real work. You just have to be a bit careful how you go about terminating processes, which often involves running services.msc to change Automatic services to Manual for those you don't want. The Active Process List is a step in the right direction by making it clear what you are running, and with this information you can decide if a process is absolutely necessary (note that most of the Microsoft processes are essential).

Protected Files

It is quite common for a Firewall to protect vital files and folders from change and Comodo is no exception. However, apart from giving default protection to Windows start up folders and executables it also allows you to specify your own files and folders that you may wish to protect. I have not tried this feature other than by using the default installation settings, but it looks like this could be useful under certain circumstances.

Protected Registry Keys

I have come across the idea of protecting certain registry keys against change in several other applications, such as Outpost and Spybot (with its resident TeaTimer), and it is certainly a good idea to be warned whenever an application is attempting to modify one of the critical registry areas. Comodo uses this idea as part of Defense+ and takes it a step further by showing you which registry keys are currently protected; by default these comprise Automatic Startup, Comodo keys, Internet Explorer keys and other Important keys. It takes the idea further still by allowing you to select and add keys you want protected. At the moment I am going along with the default, but when Firefox 3 is released I may consider adding its keys to the list. In terms of usage it has not been too intrusive, so when an application is being installed which wants to be part of automatic startup there is always the choice of refusing the changed or new keys.

Trusted Software Vendors

It probably comes as no surprise that Comodo and Microsoft are regarded as trusted vendors in the default configuration; in fact, if you read the help file, these vendors are hard-coded into the application so that you cannot change or remove them. They are distinguished from trusted vendors you create yourself by being nominated 'Comodo defined trusted software vendors'. Whichever way it happens, the end result is that any software installed from one of these trusted vendors goes on the Safe List, provided that the files distributed bear the vendor's digital signature and have been digitally countersigned by a trusted authority. So, armed with this knowledge, I had a look at the Dell Support Center software and examined sprtsvc.exe by right-clicking and looking at Properties. Sure enough there was a Digital Signatures tab - Dell Inc. - which, when I clicked on it, showed me that VeriSign had signed it. So I duly added Dell Inc. to the list of Trusted Software Vendors. I am intrigued to know what happens next time I install some software digitally signed by Dell. The first time round, without Dell as a trusted vendor, all the Dell Support Center software got dumped into pending files, which I then had to move to My Safe List. Should I keep them on the Safe List, or should I re-install Dell Support Center and find out what happens? I like the idea of Trusted Software Vendors but find it a pity that Comodo by default hasn't added to the hard-coded list of Trusted Vendors. At the moment I am unsure what benefits having Trusted Vendor status has over non-trusted, particularly when I find software from Dell Support Center not even having made the safelist. From what I have read on the subject, I now expect that the next time I download software that is digitally signed by one of my trusted vendors, it will not raise an alert (even if the software is not on the Comodo safe list) and the software will not be stored in pending files for review. Instead I expect it to be stored directly on my Safe List. I am interested to see what happens!

Comodo Miscellaneous Settings

The Miscellaneous page contains quite a few features that are essential for the smooth running of the Firewall. As I make use of these I will be updating this section.

Manage Configurations

As you make changes to your configuration, such as adding new application rules, creating trusted vendors and generally altering some of the default settings, it will become a real headache to remember exactly what your configuration looked like. Unfortunately, it is a fact of life (particularly with relatively new software) that either you or Comodo will screw up badly and there will be a need to get back to a stable configuration or even re-install the Firewall. So how much easier if you have exported your known and trusted configuration to a backup file. It would be nice to be able to read what's on the exported file but then I guess there would be too much temptation to tweak the exported file. So when there is a need to get back your trusted configuration, Comodo has an import function that will retrieve all your settings. I like this feature and it seems better than Outpost Firewall, where you had to do a manual save of the config file. Here's hoping Comodo exports and imports work when needed - so far I have not had to use the import facility, but it's nice to know I have my configuration safely backed up. Most people will be confused by what the labels mean when Exporting - what is the difference between 'COMODO - Optimum Security' and 'COMODO - Network Security'? I think (although I have not tested this) Optimum Security means your current settings and Network Security means the default settings. Quite a difference, at some stage I will check this out.

Check for Updates

From reading the forum I can see there were many problems with the automatic update function. Hopefully these were fixed before Comodo 3.0.25.378; my experience is that the update to this version worked perfectly. It is something that Outpost Firewall struggled with right from the start - normally I had to re-install the whole application because the server was always busy. Also, it is no mean feat to get an automatic update to a firewall working, so Comodo should be congratulated, even if there were teething problems. There are also some comments about the frequency of software updates - normally, if there are a lot of updates this means the software has not been fully tested, but then testing software of this size is not easy. So I believe it's good that problems are corrected promptly, rather than leaving a large user base running flaky software.

Settings

I noticed that the log file size was set to 0 MB in the default settings, but even with this setting events were still being logged, so I upped it to 2 MB as recommended, to see what happens (if anything!