Comodo Firewall

Anyone have any experience with this one?

It looks OK even if it takes up even more memory than ZA,
and it gives some more nice info (traffic monitor etc)

But one thing I noticed is that is stores all the configuration in the
registry (for programs, accesses, network rules etc). Can that be safe
(isn't that all to easy to hack then)?

ZA at least had it's own database...
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

B. Nice wrote:

> As any personal firewall it runs in the same environment as it is
> supposed to protect. What else do you need to know?

Why does many programs use the registry for mass storage.
I mean storing config data - yes. Storing 1000+ keys - no.
This got to slow down the registry, why is it so common.
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Sebastian Gottschalk wrote:

> Anyway, ZA isn't any serious comparison, as it's totally broken, insecure
> and utterly useless. Comodo Firewall is just stupid by adding application
> control to an otherwise good packet filter.

It's the application control I llok for. I have a hardware firewall in
my router so I don't need that bit. But I want to "keep an eye" on
what programs is doing what (who is asking for server right, who is
sending things etc etc). So I'd like a program that just did that.
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Lars-Erik Østerud wrote:


> It's the application control I llok for. I have a hardware firewall in
> my router so I don't need that bit. But I want to "keep an eye" on
> what programs is doing what (who is asking for server right, who is
> sending things etc etc). So I'd like a program that just did that.

No Personal Firewall can do it, all only claim that they can do it. Personal
Firewalls are snakeoil, forget them, they are useless, you don't need them
and can't trust them.

Wolfgang

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Wolfgang Kueter wrote:

> No Personal Firewall can do it, all only claim that they can do it. Personal
> Firewalls are snakeoil, forget them, they are useless, you don't need them

I know "bad" programs can find ways round the application monitoring.
But I guess my AV software will take care of those applications.

I just want to monitor the normal everyday applications, to see what
they are doing, when they are sending/listening, and block the ones I
really don't like talking to the net.

This works for "nice" programs (both on ZA and Comodo), but to get
this I need to install all the stuff I don't need (firewall etc)
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Sebastian Gottschalk wrote:

> What about 'netstat'? What about TCPView? In contrary to such "personal
> firewall", they do not employ any packet filter or hooking to try actually
> limiting programs, but only do what's actually achievable: monitoring.

Well, I stil like the possibility to stop "nice" programs from doing
stuff (like calling home). For most "nice" programs the application
monitoring in both ZA and Comodo can do this (for "bad" programs I
have avast! AV that will take care of that). But I donæt need the
firwall, packet analyzer, blockers etc etc). Just APPs monitoring.

> Anyway, why would one need such a thing? You should know what your programs
> are doing!

Like to stay informed. Like to know "who" is talking to other behind
my back (like: why does Word connect to Internet and send stuff) and
to be able to stop that for "nice/normal" programs as well...
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Lars-Erik Østerud <.@.> wrote:
> Wolfgang Kueter wrote:
>> No Personal Firewall can do it, all only claim that they can do it.
>> Personal Firewalls are snakeoil, forget them, they are useless, you
>> don't need them
>
> I know "bad" programs can find ways round the application monitoring.
> But I guess my AV software will take care of those applications.
>
> I just want to monitor the normal everyday applications, to see what
> they are doing, when they are sending/listening, and block the ones I
> really don't like talking to the net.
>
> This works for "nice" programs (both on ZA and Comodo), but to get
> this I need to install all the stuff I don't need (firewall etc)

Try Port Reporter [1].

[1] http://support.microsoft.com/kb/837243

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Comodo Firewall

Lars-Erik =D8sterud schrieb:

> Wolfgang Kueter wrote:
>
> > No Personal Firewall can do it, all only claim that they can do it. Per=
sonal
> > Firewalls are snakeoil, forget them, they are useless, you don't need t=
hem
>
> I know "bad" programs can find ways round the application monitoring.
> But I guess my AV software will take care of those applications.

If these bad programs are running on your machine, your AV software has
very obviously not taken appropriate care of them. And your machine is
no longer your machine - be it with or without ZA or Comodo.

Regards
Thomas

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Thomas Hertel wrote:

> If these bad programs are running on your machine, your AV software has
> very obviously not taken appropriate care of them. And your machine is

Why do you assume I have "bad" programs. I don't. Nothing at all :-)

I just want to "keep an eye" on the normal programs, and possibly stop
them from sending stuff (like Word, other MS programs, callbacks etc)
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

In article , .@. says...
> Anyone have any experience with this one?
>
> It looks OK even if it takes up even more memory than ZA,
> and it gives some more nice info (traffic monitor etc)
>
> But one thing I noticed is that is stores all the configuration in the
> registry (for programs, accesses, network rules etc). Can that be safe
> (isn't that all to easy to hack then)?
>
> ZA at least had it's own database...
>
Very wise to have an application firewall.Layered security is always
better than nothing at all.Commodo firewall has some HIPS elements in
it,application component control,application behavior checking ,and also
self protection which monitors registry keys.The firewall keys/files are
protected and commodo also has protection against process termination.If
it runs well for you and your happy with it then i would say its a good
choice.

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Sebastian Gottschalk wrote:

> > I know "bad" programs can find ways round the application monitoring.
> > But I guess my AV software will take care of those applications.
>
> Yeah, your guesses...

You can do any better that the programs that are available. Of course
I have never gotten any viruses anyway. Just using common sense, not
opening suspicious mails. Not download suspicious software. Etc etc.

> Reality doesn't care for what you want.

I really didn't post here to get into a "religious" discussion :-)
But to hear if anyone had any programs to recommend to do this.

But it seems like all the posts in "comp.security.firewalls" are about
how "useless" ANY firewall is. Why not discuss the firwalls we do have

> It doesn't work, and I don't how you want to judge the actual abilities in
> a real-world scenario where custom-written malware simply shut's 'em down,

I'm NOT talkning about malware here. I'm talking about normal
programs. And it DOES work for those. I can see that when I stop a
program that asks for access - the programs is actually stopped (I can
see it on the activity, in the logs). So it DOES work for some
programs (the ones I use). I know it wonæt stop viruses, but that is
not what I'm out for either. I wish to control normal applications.
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Sebastian Gottschalk wrote:

> 1. "nice" programs don't call home.

So you would then classify lots of "normal" programs from "normal"
vendors as viruses/trojans or somthing like that then. Even if they
stop calling home if I stop that in ZA (that "nice" anyway isn't it)

> 2. There isn't even one example of a "nice" program phoning home as you
> claim. This is a big vapor threat.

So the alerts about those program wanting to access the net, what are
they? I don't really think ZA or Comodo would alert if they did not
try? Do you? And if I stop them (the programs on my system anyway)
they don't send anything (no network activity), so it does work...
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Sebastian Gottschalk wrote:

> What about configuring the programs instead, as any reasonable person would
> do?

For those where that is possible - of course. For the rest. Well :-)
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

In article <4p4ni4Ff82bfU1@news.dfncis.de>, seppi@seppig.de says...
> bassbag wrote:
>
> > Very wise to have an application firewall.
>
> That's exactly the contrary of wisdum.
>
> > Layered security is always better than nothing at all.
>
> Layered security is a buzzword spilled out by clueless people.
Why dont you advocate it then?
> > and also self protection which monitors registry keys.
>
> Yeah... and for what reason? It's trivial to circumvent.
Not as trivial as the rubbish you spout
>
> > The firewall keys/files are protected and commodo also has protection
> > against process termination.
>
> And that's the usual highlight of the bullshit. You really don't know much
> about the Windows NT kernel, d you?
As much as you know about application firewalls
>
> > If it runs well for you and your happy with it then i would say its a good
> > choice.
>
> And what about security? After all, that's the topic.
Im sure the poster knows enough about security to make his own mind up.
>
> Anyway, why should he listen so someone who is even too stupid to add a
> valid email address to the From: header?
He doesnt have to ,he may choose a fool like you instead.
>
me

Re: Comodo Firewall

In article , .@. says...
> Anyone have any experience with this one?
>
> It looks OK even if it takes up even more memory than ZA,
> and it gives some more nice info (traffic monitor etc)
>
> But one thing I noticed is that is stores all the configuration in the
> registry (for programs, accesses, network rules etc). Can that be safe
> (isn't that all to easy to hack then)?
>
> ZA at least had it's own database...
>
I guess you already know about layered scurity.Theres a nice write up
here from those "clueless" people at the NSA.Perhaps they should employ
Mr Gottschalk for thier security needs instead.
http://66.102.9.104/search?
q=cache:Ey9MYav_X80J:www.nsa.gov/snac/support/WORMPAPER.pdf+ unknown+virus
es+that+have+been+detected+using+HIPS&hl=en&gl=uk&ct=clnk&cd =1
&client=firefox-a

me

Re: Comodo Firewall

Lars-Erik Østerud wrote:
> B. Nice wrote:
>
>> As any personal firewall it runs in the same environment as it is
>> supposed to protect. What else do you need to know?
>
> Why does many programs use the registry for mass storage.
> I mean storing config data - yes. Storing 1000+ keys - no.
> This got to slow down the registry, why is it so common.

it's the windows way of doing things -- also the achilles heal !
I always hated the registry; totally non-portable solution.

B. Nice wrote:
>As any personal firewall it runs in the same environment as it is
>supposed to protect. What else do you need to know?

true if you're careless enough to login as admin and then run IE.
the LUA concept runs users at limited access rights and thus only the
registry for the current user can be attacked -- and the PF is protected.

--
try a random act of kindness today -- you just might surprise even
yourself :)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

In article <4p4ts4Fh6l1dU1@news.dfncis.de>, seppi@seppig.de says...
> bassbag wrote:
>
> >>> Layered security is always better than nothing at all.
> >> Layered security is a buzzword spilled out by clueless people.
> > Why dont you advocate it then?
>
> Because the term "defense in depth" describes the real non-misunderstood
> concept without any buzz.
Ahh i see....a bit like half a dozen of one and six of the other.
>
> >>> and also self protection which monitors registry keys.
> >>
> >> Yeah... and for what reason? It's trivial to circumvent.
> > Not as trivial as the rubbish you spout
>
> I'd say it's even more trivial. For spouting rubbish, you need to be
> creative - restoring an API hook (either usermode or kernelmode) is a
> trivial thing of some few codelines that simply do the obvious (e.g.
> documented!) thing.

I guess your much more creative than i gave you credit for.
> >>> The firewall keys/files are protected and commodo also has protection
> >>> against process termination.
> >>
> >> And that's the usual highlight of the bullshit. You really don't know much
> >> about the Windows NT kernel, do you?
> > As much as you know about application firewalls
>
> Then you should be able to spot the obvious flaw.
>
Ohh i do ..i do.
me

Re: Comodo Firewall

Sebastian Gottschalk wrote:
>
>
>
> No. This is a place to discuss about real firewalls, VPN and network
> communication as well as serious host-based packet filters (whereas
> 'serious' excludes the common 'personal firewall' shit and strange ideas
> about non-working application control).

I must've missed the charter for this newsgroup.

Care to repost it?

Notan

Re: Comodo Firewall

Sebastian Gottschalk wrote:

> Are you talking about an empty set of programs? You could at least try to
> name an example which we will easily deconstruct.

Have mentioned several programs that send without I asking for it.

Even MS MediaPlayer send thing even if the checkbox not to send
anything is checked. Word does. I have disk defraggers that insist on
connecting to the net (why on earth do they need that) etc etc etc.

But all of these ARE stopped by ZA (and probalbly Comodo, haven't
testet with that one yet). So if you can't stop ALL communication you
can stop some (from programs that don't use "back-ways" to send stuff)

So again. This is NOT a discussion of security holes. This is a
question on what programs I can use to do the same thing as ZA and
Comodo to check/stop appplications that try to send/act as servers
using the "normal" way (no fancy programming to use advanced ways).

So in that context: What programs will give me that functionality
without using 30MB of my memory and adding FW and other stuff that I
allready have in my router. That is as simple as it is :-)
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Lars-Erik ?sterud <.@.> wrote:
> B. Nice wrote:
> > As any personal firewall it runs in the same environment as it is
> > supposed to protect. What else do you need to know?
> Why does many programs use the registry for mass storage.
> I mean storing config data - yes. Storing 1000+ keys - no.
> This got to slow down the registry, why is it so common.

I agree. The registry is implemented terribly incompetent.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Lars-Erik ?sterud <.@.> wrote:
> I just want to monitor the normal everyday applications, to see what
> they are doing, when they are sending/listening, and block the ones I
> really don't like talking to the net.

Why don't you configure these applications not to communicate?

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> 1. "nice" programs don't call home.

They do. This often is called "online software update", and is an
important feature.

The misunderstanding is, that nice programs of course can be configured
wether to communicate or not. And not-so-nice programs cannot be
configured and cannot be prevented from communicating.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Lars-Erik ?sterud <.@.> wrote:
> Even MS MediaPlayer send thing even if the checkbox not to send
> anything is checked.

Really? Being correctly configured not to do so? Could you describe
an example?

> Word does.

I doubt that.

> But all of these ARE stopped by ZA

I doubt that. Zone Alarm claims to do so, but this is just wrong. If
you're talking about programs, where the author has no doubtful
intentions, then configuring will be enough. If the author has such
intentions, then she/he will ignore Zone Alarm.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Volker Birk wrote:

> Why don't you configure these applications not to communicate?

Have done that were possible. But some of them still cause a "trying
to connect to internet" :-/
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Lars-Erik ?sterud <.@.> wrote:
> Volker Birk wrote:
> > Why don't you configure these applications not to communicate?
> Have done that were possible. But some of them still cause a "trying
> to connect to internet" :-/

Please give an example.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Volker Birk wrote:
> Sebastian Gottschalk wrote:
>> 1. "nice" programs don't call home.
>
> They do. This often is called "online software update", and is an
> important feature.
>
> The misunderstanding is, that nice programs of course can be
> configured wether to communicate or not. And not-so-nice programs
> cannot be configured and cannot be prevented from communicating.

Well, they can, provided the programmer was stupid enough. However,
depending on the incompetence of malware-developers doesn't have
anything to do with security. Not in my book at least.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Comodo Firewall

Lars-Erik Østerud wrote:

>But it seems like all the posts in "comp.security.firewalls" are about
>how "useless" ANY firewall is. Why not discuss the firwalls we do have

All groups change over time. This one used to have a wealth of advice
and good discussion about software FWs. Now it doesn't.
You're being very patient whilst being mercilessly trolled.

Re: Comodo Firewall

On 12 Oct 2006 12:52:22 +0200, Volker Birk wrote:


>
> Please give an example.
>
> Yours,
> VB.

The PC game HOMM5, just one of many.

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

In article <4p7gadFhlu57U1@news.dfncis.de>, seppi@seppig.de says...
> Garrot wrote:
>
> > On 12 Oct 2006 12:52:22 +0200, Volker Birk wrote:
> >
> >>
> >> Please give an example.
> >>
> >> Yours,
> >> VB.
> >
> > The PC game HOMM5, just one of many.
>
> According to Wikipedia, Heroes Of Might And Magic V contains the copy
> protection SecuROM 7.x, which is well-known to be a (real, not just
> potential) privilege escalation vulnerability. Therefore I and any informed
> reasonable person considers it as malicious software, but not legitimate.
>
> In other words: If you wanna play your games on a Windoze box, get a
> separate non-connected computer. Those common computer games and a serious
> workspace are mutually exclusive.
>
Why not just use an application firewall?
me

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> > I agree. The registry is implemented terribly incompetent.
> It's a simple database with B+ tree architecture and a hash table to
> address the individual nodes.

It's terribly slow, so it's terribly incompetent.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

In article <452e8d8f@news.uni-ulm.de>, bumens@dingens.org says...
> Sebastian Gottschalk wrote:
> > > I agree. The registry is implemented terribly incompetent.
> > It's a simple database with B+ tree architecture and a hash table to
> > address the individual nodes.
>
> It's terribly slow, so it's terribly incompetent.
>
> Yours,
> VB.
>
Perhaps you need a modern computer...no slowdowns for me.
me

Re: Comodo Firewall

Garrot wrote:
> On 12 Oct 2006 12:52:22 +0200, Volker Birk wrote:
>> Please give an example.
>
> The PC game HOMM5, just one of many.

I have never played nor installed Heroes of Might and Magic. Could you
provide any details on how and what it's phoning home (Wireshark trace
or something)?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Comodo Firewall

Garrot wrote:
> On 12 Oct 2006 12:52:22 +0200, Volker Birk wrote:
> > Please give an example.
> The PC game HOMM5, just one of many.

Aha. And you cannot configure? Why not unplugging the net while gaming?
If it's a network game, you have to communicate anyways.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Sebastian Gottschalk wrote:
[Registry]
> Just to say that it's not slow. :-)

IBTD. Just open Registry Editor, and search for a key.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> Volker Birk wrote:
> > Sebastian Gottschalk wrote:
> > [Registry]
> >> Just to say that it's not slow. :-)
> > IBTD. Just open Registry Editor, and search for a key.
> You may understand that searching for an entry is not the common operation
> this database was optimized to, because this doesn't match with usual
> programs' requirements. Rather try looking up with known names/paths or
> enumerating small lists of values in one key, programmatically!

And why must it be so slow? It is very common to use it, at least I'm
using it so commonly.

It's just because they're incompetent.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> > And why must it be so slow?
> Because you cannot optimize for every scenario?

With databases, this is not true. There is exactly no single reason, why
it has to be so slow.

Please try to understand indexing.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> Volker Birk wrote:
> > Sebastian Gottschalk wrote:
> > [Registry]
> >> Just to say that it's not slow. :-)
> > IBTD. Just open Registry Editor, and search for a key.
> You may understand that searching for an entry is not the common operation
> this database was optimized to

I'm really not interested in this. There is a functionality to search.
It's slllllowwww. This is dumb, because this is completely unneccesary.

The implementation is incompetent.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> Why should one add indexing to a specialized database that doesn't require
> fast searching? Just makes it more complex.

Just makes it usable. If you don't want to offer a feature, don't offer
it in UI.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> With your argumentation, you should also say that debuggers are useless,
> because it's a big hassle to debug programs.

It is very easy to create an appropriate index, so searching the
registry is very fast.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

On Thu, 12 Oct 2006 20:36:05 +0200, Sebastian Gottschalk wrote:


> According to Wikipedia, Heroes Of Might And Magic V contains the copy
> protection SecuROM 7.x, which is well-known to be a (real, not just
> potential) privilege escalation vulnerability. Therefore I and any informed
> reasonable person considers it as malicious software, but not legitimate.
>
> In other words: If you wanna play your games on a Windoze box, get a
> separate non-connected computer. Those common computer games and a serious
> workspace are mutually exclusive.

That's not what I'm talking about. It also phones home to see how often the
customer plays the game.

Re: Comodo Firewall

On 12 Oct 2006 21:16:06 +0200, Volker Birk wrote:


> Aha. And you cannot configure? Why not unplugging the net while gaming?
> If it's a network game, you have to communicate anyways.
>
> Yours,
> VB.

I don't even onw the game. just know about it's "behavoir". Personally, I
do disco from the interent when playing games, except MP games, but most
people don't and most people don't even know it is phoning home. Anyway, my
point is that you can stop it from phoning home with a firewall with app
control. I don't use such a firewall myself though.

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

On Fri, 13 Oct 2006 21:27:02 +0200, Sebastian Gottschalk wrote:


>
> It's malware. We're talking about legitimate applications.

It's a game, the publisher says it is legitimate. I say otherwise.

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Garrot wrote:
> Anyway, my
> point is that you can stop it from phoning home with a firewall with app
> control.


Maybe. And maybe not. If they're phoning home for malicous reasons, you
cannot be sure that the "Personal Firewall" can prevent this.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Sebastian Gottschalk wrote:
> > It is very easy to create an appropriate index, so searching the
> > registry is very fast.
> And it would be a waste of memory and CPU cycles in normal mode of
> operation.

And it would be not relevant.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Talking about Comodo. After starting "application behaviour"
monitoring I get a lot of strange messages about programs (that are
clean and "good") modifying memory, adding libraries to each other
etc. Very annoying. Especially since there is nothing wrong :-(

Posted this to the Comodo forum. No answeres. What do you make of
these messages. Seems very strange to me. Very strange indeed:


After surfing a while (giving both WebWasher and Internet Explorer
"Allow" I suddenly get a new request for Internet access from sevarel
programs (among them "trillian" ICQ/MSN agent, WebWasher ad-filter and
Avast! web-scanner). I can see why the two latter has to do with
Internet Explorer, but not what IE used Trillian for. And why do I get
this alarming message in the lower part of the alert:

"C:\Program Files\Internet Explorer\iexplore.exe has loaded
C:\WINDOWS\SYSTEM32\shell32.dll into c:\program
files\Trillian\trillian.exe using a global hook which could be used by
keyloggers to steal private information." (the message is equal for
"wwasher.exe" and "ashWebSv.exe", same warning about "iexplore.exe"
and "shell32.dll", but shouldn't they be "safe" applications).

Also got some similar message involving "expolrer.exe" and
"iexplore.exe when surfing on some newspaper web-site :-(

Ohhh BTW: If I deny these request all h**l is loose. Then I'm no
longer able to access any web-pages using any browsers. Even if all
applications still have "allow" inside Comodo. Have to restart the
system to get things back to working again (ok, actually it works if I
stop the "application monitor", but that is not really a safe and good
solution :-)

This is getting very annoying. Anyone know what is happening (I'm
almost ready to go back to ZA now :-)

Here are some messages from the log if that can say anything that will
give a solution:

Date/Time :2006-10-13 00:05:43
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (trillian.exe)
Application: c:\program files\Trillian\trillian.exe
Parent: C:\Program Files\Oppstart\Oppstart.exe
Protocol: TCP Out
Destination: 207.46.106.41:1863
Details: C:\Program Files\Internet Explorer\iexplore.exe has loaded
C:\WINDOWS\SYSTEM32\shell32.dll into c:\program
files\Trillian\trillian.exe using a global hook which could be used by
keyloggers to steal private information.

Date/Time :2006-10-13 00:06:45
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (wwasher.exe)
Application: C:\Program Files\WebWasher\wwasher.exe
Parent: C:\WINDOWS\explorer.exeProtocol: UDP Out
Destination: 129.240.2.3:dns(53)
Details: C:\Program Files\Internet Explorer\iexplore.exe has loaded
C:\WINDOWS\SYSTEM32\shell32.dll into C:\Program
Files\WebWasher\wwasher.exe using a global hook which could be used by
keyloggers to steal private information.

Date/Time :2006-10-13 00:06:46
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (ashWebSv.exe)
Application: C:\Program Files\Alwil avast!\ashWebSv.exe
Parent: C:\WINDOWS\SYSTEM32\services.exe
Protocol: TCP Out
Destination: 195.92.253.137:http(80)
Details: C:\Program Files\Internet Explorer\iexplore.exe has loaded
C:\WINDOWS\SYSTEM32\shell32.dll into C:\Program Files\Alwil
avast!\ashWebSv.exe using a global hook which could be used by
keyloggers to steal private information.

Date/Time :2006-10-13 00:07:01
Severity :High
Reporter :Application Monitor
Description: Application Access Denied
(wwasher.exe:129.240.2.3:dns(53))
Application: C:\Program Files\WebWasher\wwasher.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 129.240.2.3:dns(53)

Date/Time :2006-10-13 00:07:04
Severity :High
Reporter :Application Monitor
Description: Application Access Denied
(ashWebSv.exe:195.92.253.137:http(80))
Application: C:\Program Files\Alwil avast!\ashWebSv.exe
Parent: C:\WINDOWS\SYSTEM32\services.exe
Protocol: TCP Out
Destination: 195.92.253.137:http(80)
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Lars-Erik Østerud wrote:
> [snip]
> This is getting very annoying. Anyone know what is happening (I'm
> almost ready to go back to ZA now :-)

Honestly, Lars, why do you torture yourself with this stuff?

I worried about things like that when I got a cable connection 4 years
ago. I tried some firewalls programs and followed this newsgroup, but
there was always some new piece of information that disturbed my newly
acquired understanding of computer security.

Then I began to notice the advice of our German friends here. So I used
netstat and Ethereal and similar programs that helped me understand
what was actually going on. And then I learned how to stop services and
setups that made my machine vulnerable. Nothing but peace and quiet
since then, WITHOUT any sort of firewall.
--
Tore

Re: Comodo Firewall

Tore Lund wrote:

> Honestly, Lars, why do you torture yourself with this stuff?

Well, I like testing things :-) And I hoped that someone here had the
tech knowledge to know what those strange warning really are about. I
don't belive that normal programs would load their code into other
applications. So there's gotta be somethig strange here, right?
--
Lars-Erik - http://home.chello.no/~larse/ - ICQ 7297605

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

In article ,=20
b__nice@hotmail.com says...
> On Sat, 14 Oct 2006 11:17:08 +0200, Lars-Erik =D8sterud <.@.> wrote:
>=20
> >Talking about Comodo. After starting "application behaviour"
> >monitoring I get a lot of strange messages about programs (that are
> >clean and "good") modifying memory, adding libraries to each other
> >etc. Very annoying.
>=20
> Of course.
>=20
> >Especially since there is nothing wrong :-(
>=20
> Of course.
>=20
> >Posted this to the Comodo forum. No answeres.
>=20
> Of course.
>=20
> >What do you make of these messages. Seems very strange to me. Very stran=
ge indeed:
>=20
> I made a similar post about this on July 29th. Those messages are
> completely useless for anyone but programmers.
>=20
> >After surfing a while (giving both WebWasher and Internet Explorer
> >"Allow" I suddenly get a new request for Internet access from sevarel
> >programs (among them "trillian" ICQ/MSN agent, WebWasher ad-filter and
> >Avast! web-scanner). I can see why the two latter has to do with
> >Internet Explorer, but not what IE used Trillian for. And why do I get
> >this alarming message in the lower part of the alert:
> >
> >"C:\Program Files\Internet Explorer\iexplore.exe has loaded
> >C:\WINDOWS\SYSTEM32\shell32.dll into c:\program
> >files\Trillian\trillian.exe using a global hook which could be used by
> >keyloggers to steal private information." (the message is equal for
> >"wwasher.exe" and "ashWebSv.exe", same warning about "iexplore.exe"
> >and "shell32.dll", but shouldn't they be "safe" applications).
> >
> >Also got some similar message involving "expolrer.exe" and
> >"iexplore.exe when surfing on some newspaper web-site :-(
> >
> >Ohhh BTW: If I deny these request all h**l is loose. Then I'm no
> >longer able to access any web-pages using any browsers. Even if all
> >applications still have "allow" inside Comodo. Have to restart the
> >system to get things back to working again (ok, actually it works if I
> >stop the "application monitor", but that is not really a safe and good
> >solution :-)
>=20
> Why not? According to your own words, it makes no difference for you
> in terms of security. It only leads to "denial of service".
>=20
> >This is getting very annoying. Anyone know what is happening=20
>=20
> You installed the software. You should know :-)
>=20
> >(I'm almost ready to go back to ZA now :-)
>=20
> Oh yes. Go ahead and dump a silly security concept in favour of
> another one.
>=20
> >Here are some messages from the log if that can say anything that will
> >give a solution:
> >
> >Date/Time :2006-10-13 00:05:43
> >Severity :High
> >Reporter :Application Behavior Analysis
> >Description: Suspicious Behaviour (trillian.exe)
> >Application: c:\program files\Trillian\trillian.exe
> >Parent: C:\Program Files\Oppstart\Oppstart.exe
> >Protocol: TCP Out
> >Destination: 207.46.106.41:1863
> >Details: C:\Program Files\Internet Explorer\iexplore.exe has loaded
> >C:\WINDOWS\SYSTEM32\shell32.dll into c:\program
> >files\Trillian\trillian.exe using a global hook which could be used by
> >keyloggers to steal private information.=20
> >
> >Date/Time :2006-10-13 00:06:45
> >Severity :High
> >Reporter :Application Behavior Analysis
> >Description: Suspicious Behaviour (wwasher.exe)
> >Application: C:\Program Files\WebWasher\wwasher.exe
> >Parent: C:\WINDOWS\explorer.exeProtocol: UDP Out
> >Destination: 129.240.2.3:dns(53)
> >Details: C:\Program Files\Internet Explorer\iexplore.exe has loaded
> >C:\WINDOWS\SYSTEM32\shell32.dll into C:\Program
> >Files\WebWasher\wwasher.exe using a global hook which could be used by
> >keyloggers to steal private information.
> >
> >Date/Time :2006-10-13 00:06:46
> >Severity :High
> >Reporter :Application Behavior Analysis
> >Description: Suspicious Behaviour (ashWebSv.exe)
> >Application: C:\Program Files\Alwil avast!\ashWebSv.exe
> >Parent: C:\WINDOWS\SYSTEM32\services.exe
> >Protocol: TCP Out
> >Destination: 195.92.253.137:http(80)
> >Details: C:\Program Files\Internet Explorer\iexplore.exe has loaded
> >C:\WINDOWS\SYSTEM32\shell32.dll into C:\Program Files\Alwil
> >avast!\ashWebSv.exe using a global hook which could be used by
> >keyloggers to steal private information.
> >
> >Date/Time :2006-10-13 00:07:01
> >Severity :High
> >Reporter :Application Monitor
> >Description: Application Access Denied
> >(wwasher.exe:129.240.2.3:dns(53))
> >Application: C:\Program Files\WebWasher\wwasher.exe
> >Parent: C:\WINDOWS\explorer.exe
> >Protocol: UDP Out
> >Destination: 129.240.2.3:dns(53)
> >
> >Date/Time :2006-10-13 00:07:04
> >Severity :High
> >Reporter :Application Monitor
> >Description: Application Access Denied
> >(ashWebSv.exe:195.92.253.137:http(80))
> >Application: C:\Program Files\Alwil avast!\ashWebSv.exe
> >Parent: C:\WINDOWS\SYSTEM32\services.exe
> >Protocol: TCP Out
> >Destination: 195.92.253.137:http(80)
>=20
> As I told you already in my first reply, those messages come up
> because the Commodo firewall is monitoring what is going on - but has
> no clue whatsoever about what is good and what is bad and therefore
> has to ask the just as clueless user.
Of course it doesnt have a clue.It just reports.Its a tool.Maybe you are=20
clueless but many others are not.
>=20
> To me that has nothing to do with security unless you are a programmer
> who can make a reasonable guess about what is actually happening.
It has plenty to do with security,and you dont have to be a programmer to=
=20
understand it...hence its popularity...its just you are unable /unwilling=
=20
to understand what its reporting to you.
>=20

me

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

In article ,
b__nice@hotmail.com says...
> On Sat, 14 Oct 2006 18:00:04 +0100, bassbag
> wrote:
>
>
>
> >> To me that has nothing to do with security unless you are a programmer
> >> who can make a reasonable guess about what is actually happening.
> >It has plenty to do with security,and you dont have to be a programmer to
> >understand it...hence its popularity...its just you are unable /unwilling
> >to understand what its reporting to you.
>
> If you honestly believe that the average user understands what it
> means and can act accordingly the clueless one here obviously is you.
>
> /B. Nice
>
>
Its quite easy to understand .Why do you assume everyone is as cluless as
yourself?
me

Re: Comodo Firewall

In article <4pckuhFi6r36U1@news.dfncis.de>, seppi@seppig.de says...
> B. Nice wrote:
>
> > On Sat, 14 Oct 2006 18:00:04 +0100, bassbag
> > wrote:
> >
> >
> >
> >>> To me that has nothing to do with security unless you are a programmer
> >>> who can make a reasonable guess about what is actually happening.
> >>It has plenty to do with security,and you dont have to be a programmer to
> >>understand it...hence its popularity...its just you are unable /unwilling
> >>to understand what its reporting to you.
> >
> > If you honestly believe that the average user understands what it
> > means and can act accordingly the clueless one here obviously is you.
>
> Beside that, these information even don't give a programmer any idea if
> they're legitimate or not.
>
Of course the information reports are legetimate.Please provide proof
that they are not.
me

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

On Sat, 14 Oct 2006 11:37:05 +0200, Tore Lund wrote:


> Then I began to notice the advice of our German friends here. So I used
> netstat and Ethereal and similar programs that helped me understand
> what was actually going on. And then I learned how to stop services and
> setups that made my machine vulnerable. Nothing but peace and quiet
> since then, WITHOUT any sort of firewall.

Those same people will tell you stopping services isn't going to make you
more secure either.

Re: Comodo Firewall

On 14 Oct 2006 09:14:02 +0200, Volker Birk wrote:


>
> Maybe. And maybe not. If they're phoning home for malicous reasons, you
> cannot be sure that the "Personal Firewall" can prevent this.
>
> Yours,
> VB.

I can never be sure I am virus free just because an AV program reports I am
either. May as well drop all security on my PC and let it flap in the wind.

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

On Sat, 14 Oct 2006 20:40:30 +0200, Sebastian Gottschalk wrote:


> What does "drop all security" mean in your content? A normal PC carefully
> "flapping in the wind" shouldn't be initially compromisable in first place.

But they are compromised every day.

Drop all security would mean. Turn off the XP software firewall, uninstall
AV software, anti-spyware/adware software, HOSTS file IP address
filtering, never scan for rootkits, don't bother with a port monitor, stop
running under a limited user account too. I would still keep the router
though.

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

On Sun, 15 Oct 2006 02:56:44 +0200, Sebastian Gottschalk wrote:


> What's your problem with understanding that keeping up with patches and
> otherwise acting carefully (e.g. knowing what you do) does not pose any
> security problem, and that your additional shit hardly provides any new,
> real or user-understandable measures?

Because I've been bitten by adware before and know you have to take
precautions against malware besides what you say. Unless, of course, you
are willing to run a web browser with all scripting turned off.

Re: Comodo Firewall

Garrot wrote:
> I can never be sure I am virus free just because an AV program reports I am
> either. May as well drop all security on my PC and let it flap in the wind.

This is not true. Because this is a common argument, please feel free to
read <43228b5a@news.uni-ulm.de>

If you're missing this in your News archive now, you can find it here
i.e.:

http://news.hping.org/comp.security.firewalls.archive/3395.h tml

BTW: you should not depend on your Virus Scanner for security against
malware. You should have a better concept. The Virus Scanner can help
to filter out incoming already known viruses (like a Spam Filter for
viruses), it will not prevent you from getting arbitrary viruses.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Garrot wrote:
> Because I've been bitten by adware before

Maybe you should be careful, which browser you're using and what you're
downloading.

Yours,
VB.
--
Viel schlimmer als die Implementation von PHP ist jedoch das Design.

Rudolf Polzer in de.comp.security.misc

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

In article , yoyyassin@gmail.com=20
says...
> Wolfgang Kueter wrote in
> news:egii3n$vkt$1@news.shlink.de:=20
>=20
> > Lars-Erik =D8sterud wrote:
> >=20
> >=20
> >> It's the application control I llok for. I have a hardware firewall
> >> in my router so I don't need that bit. But I want to "keep an eye" on
> >> what programs is doing what (who is asking for server right, who is
> >> sending things etc etc). So I'd like a program that just did that.
> >=20
> > No Personal Firewall can do it, all only claim that they can do it.
> > Personal Firewalls are snakeoil, forget them, they are useless, you
> > don't need them and can't trust them.
> >=20
> > Wolfgang
> >=20
> >=20
> >=20
> >=20
>=20
> Yes Wolfgang, that is correct indeed!
>=20
> Read this: http://www.samspade.org/d/firewalls.html
>=20
> Yo!
>=20
A 6 year old article is a very good example of the current state of=20
application firewalls.Perhaps you should mention to readers not to use=20
innoculate it AV anymore either.
me

Re: Comodo Firewall

Post removed (X-No-Archive: yes)

Re: Comodo Firewall

In article <4531eb1d@news.uni-ulm.de>, bumens@dingens.org says...
> Garrot wrote:
> > Because I've been bitten by adware before
>
> Maybe you should be careful, which browser you're using and what you're
> downloading.
>
> Yours,
> VB.
>
Yes...IE and firefox are out......
http://netsecurity.about.com/gi/dynamic/offsite.htm?zi=
1/XJ&sdn=netsecurity&zu=http%3A%2F%2Fsecunia.com%2Fadvisorie s%2F21906%2F

I guess you use kidsplorer Volker?
http://www.devicode.com/kidsplorer/

me

Re: Comodo Firewall

On 15 Oct 2006 10:02:37 +0200, Volker Birk wrote:


> Maybe you should be careful, which browser you're using and what you're
> downloading.
>
> Yours,
> VB.

Yes, I agree. I've learnt my lesson now. That was in the early days of XP
and using IE. I now use Firefox with the noscript extension so only the
websites I define can run java script. I like Opera better but the noscript
extension is why I use Firefox.

Re: Comodo Firewall

On 15 Oct 2006 10:01:20 +0200, Volker Birk wrote:


> BTW: you should not depend on your Virus Scanner for security against
> malware. You should have a better concept. The Virus Scanner can help
> to filter out incoming already known viruses (like a Spam Filter for
> viruses), it will not prevent you from getting arbitrary viruses.
>
> Yours,
> VB.

I don't. I don't even have my AV software running in the background. I just
use it to scan files I download and maybe once a month I will do a full
system scan.

Re: Comodo Firewall

Garrot wrote:
> On Sat, 14 Oct 2006 11:37:05 +0200, Tore Lund wrote:
>> Then I began to notice the advice of our German friends here. So I
>> used netstat and Ethereal and similar programs that helped me
>> understand what was actually going on. And then I learned how to
>> stop services and setups that made my machine vulnerable. Nothing
>> but peace and quiet since then, WITHOUT any sort of firewall.
>
> Those same people will tell you stopping services isn't going to make
> you more secure either.

They will? o_O

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich