How good is Comodo Internet Security?

Since none of my Windows systems got infected in the past 10 years: pretty good I'd say. Provided you know what you're doing.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

On Mon, 29 Dec 2008 13:35:45 +0200, Nik Gr wrote:

You are much too pessimistic, but then again paranoia can be a healthy approach to computing safely :) We can talk about this issue till the cows come home. There is no perfect operating system on the market. It is up to you to make it safe and secure to suit your personal computing/browsing habits. And there is no silver bullet; but running a LUA is one of the best ways of running an OS safely. A fully patched Windows (NT) system is more secure (has fewer vulnerabilities) than a fully patched Windows system with a 3rd party firewall (PFW) added to it. Even updating the OS is not enough. You have to make sure all other applications are patched as well to mitigate vulnerabilities. Security cannot be guaranteed. It's all about balancing risk. But I would at any time prefer a LUA approach to any security product which requires you to run as Administrator. You're already a big step ahead for understanding that the claim made by most makers of PFWs that outbound traffic control is a vital part of Internet security is misleading, outrageous and false! You have received some good links authored by well-respected Internet experts for you to read and excellent advice, especially from A50c-W; it's now up to you to implement accordingly. After you have got used to your 'secured' operating system and browse responsibly, you may even find that you can get by without an AV application and utilize monitoring tools such as AutoRuns and ProcessExplorer instead. Also, ensure you back up regularly; develop a contingency plan; be prepared! Consider "What if..." Familiarize yourself with crash recovery tools and re-installing your operating system; don't get caught flat-footed. (As a side note, I can flatten and rebuild my OS in about 3 hours; this beats scanning/updating with 'sophisticated/complex' AV apps.)

Most computer magazines and/or (computer) specialized websites are *biased*, i.e. heavily weighted towards the (advertisement) dollar almighty! Make it a habit to check the credentials of authors writing articles/messages in advertisement-sponsored publications, and take commercial messages with a ton of salt. How Security Companies Sucker Us With Lemons.

formatting link
Good luck :)

Reply to
Kayman

No, it can't. Paranoia is by definition irrational fear. That does not help with computer security at all. In order to gain security you have to identify threats, break them down into manageable scenarios, and then find countermeasures to mitigate the risks the threats pose (or decide that you'll live with the risk). Paranoia will only get in the way, because it will prevent you from analyzing the situation in a rational way.

Be cautious. Be defensive. Do not be paranoid.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Uh... what? Filtering traffic with a firewall means that you're not accepting connections to your service. If you don't want to accept connections to your service: why are you running it in the first place? If you do want to accept connections to your service: how would the firewall be protecting the service if it's passing on the packets anyway?

Besides, services are configured by the administrator, not by the user.

It isn't reliable. Plus, it can only detect malware *after* it already was executed. In which case you're already screwed.

It usually takes something from a couple of hours to a couple of days for new signatures to become available. Also, like I said before, virus scanners can only detect the *presence* of malware. They can *never* detect the *absence* of malware. Anything that doesn't raise an alarm could still contain malware that isn't yet known. [...]

What for? Which attack scenarios do you see and how would a firewall protect you from them?

What for? Which attack scenarios do you see and how would a virus scanner protect you from them?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
"Ansgar -59cobalt- Wiechers" wrote in message news: snipped-for-privacy@news.in-ulm.de...

I thought that firewalls can block malicious per-application traffic (TCP/UDP packets) so as to "filter" the valid stuff from the bad stuff. Doesn't filter mean distinguish?! Does it instead mean block?

If I say I filter traffic with Comodo on port 80, you mean it means blocking all incoming traffic to port 80? Not sorting it out?!

What is your point by that argument?

Maybe it can detect them when they are trying to run in the first place, by analyzing them and asking us if we allow them or not. Not all of them, but some of them.

So even if AV vendors fall back 2 hours before updating their sig databases, what good will it be since we will already be infected?

As you said, firewalls can reliably protect our inbound traffic; that's reason 1. And maybe they can help limit the infection by blocking suspicious outbound traffic of not-so-clever malware attempts. Correct?

It can't protect me from 0-day expl0its, BUT it can still help me remove known types of infections using its sig database. Correct?

Sorry for repeating myself, but I need to make myself very clear on whether I MUST or MUST NOT use FW and AVs. I am laying out to you my way of thinking so you can give the green or red light respectively, along with reasons I can understand.

Thank you for the help you have provided up until now and the future help (hopefully in another thread, since this one has to end sometime ;)

Reply to
Nik Gr

Packet level filters can't do that. You need application level filters for every protocol in question to do that kind of thing. Apache running as a reverse proxy with mod_security is an example for a setup to filter HTTP traffic in that way.

For personal firewalls it usually means block, yes. There may be exceptions, but I have yet to see one.

You are the one using Comodo, so you tell me. It's what I would expect, though.

It's merely a correction to your statement.

That's what virus scanners are for. Personal firewalls try to restrict a program after it actually got executed. Did I mention that you're already screwed at that point?

You are able to sort out already known malware. Should (in addition to that) the scanner detect an infection later on (because the signatures were updated and the malware didn't f*ck up the scanner), you'll know that you're screwed and need to reinstall your system. Or re-create your profile in case only a normal user account was affected.

As explained above, packet level filtering can't do what you seem to expect. Application level filtering probably can, but it has other disadvantages:

a) It increases the latency of all connections, because packet reassembly and inspection take up time.

b) Additional code means additional, possibly exploitable bugs. I already mentioned the case of W32/Witty.worm before.

c) The additional configuration required for this kind of filtering will significantly increase your administrative workload.

Maybe, maybe not. I already explained that this is not reliable, and thus not a security measure. I also explained before, that the additional code needed for inspecting/blocking the traffic may *lead* to an infection.

No. It can help you detect infections. As for removing an infection, there are only two reliable ways to achieve that:

a) Determine exactly when the infection occurred and what was altered on the system afterwards (files and registry), and then take back those alterations.

b) Reinstall the system from known-good media and restore your data from the latest backup.

formatting link

It's neither "must" nor "must not". From what you have written up to now I don't see a necessity for you to run either of them, but the decision whether you want to use any of these is up to you. I can only point out what advantages or disadvantages I see with using them.

Sorry, but I know way too little of your actual setup and requirements to give that kind of advice. And I'd have to charge you if you wanted me to look into this matter that deeply.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
"Ansgar -59cobalt- Wiechers" wrote in message news: snipped-for-privacy@news.in-ulm.de...

When on LUA one gets infected, does that mean that the only damage that can take place is to the files within the user account?

Other user accounts on the same PC and system files remain intact?

So if we are infected on LUA, we just delete this user account for good and create another one with the same name under our admin account?

How? You can get infected without knowing you are at the time, so it would be even more difficult to actually find alterations to files and the registry? That can only happen, in my opinion, if you can compare the current state of your OS to an actual clean one. If this can happen, I want to know how.

Okay, it can't detect zero exploits, I agree with you.

Also, you are saying that an AV can't successfully remove an infection by deleting infected files? And the reason is because you believe that if the system was infected by unknown malware, one that AVs can't detect at the time, the malware, besides damaging Windows itself, will damage the AV mechanism as well?

If this is true then ALL AVs are futile to use, because they can't help protect our PC and can't clean it either.

Why do people buy antivirus apps?

Reply to
Nik Gr

All files that user has write access to. However, since users normally shouldn't have write access to executables, libraries and configurations outside their profile it's basically their profile, yes.

Yes. That is the main reason for using LUA.

You don't even have to delete the account. Just delete the profile (or rename it, so you can recover non-infected data from it, do forensic examinations, etc.).

Well, that's the tricky part. You need to have a baseline to compare against, e.g. checksums for all files and dumps of the relevant parts of the registry, so you can compare. You can't simply compare checksums of the files the registry is stored in, because Windows stores a lot of dynamic stuff in it, so it's constantly changing.

See above. Yes, that means a *lot* of maintenance.

You can't be sure of that (unless you have a known-good baseline to compare against). Read the link I provided for an explanation as to why that is.

Again it's "may", not "will". However, the problem is that you can never be sure that the malware hasn't tampered with the AV software (in case the malware was run with admin privileges, that is). And that's only one of the reasons.

Because the vendors spend a lot of money on talking people into buying their stuff?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
"Ansgar -59cobalt- Wiechers" wrote in message news: snipped-for-privacy@news.in-ulm.de...

Currently I am logged in on Windows Vista as standard user "nik", but I'm a member of the admin group. Where can I see my profile so as to alter it or delete it?

What is the difference between a user account and a user profile?

Where are profiles stored?

Will I be safe if every time I get infected I delete my user profile?

Isn't there some Windows application or console command that will compare my current system files to the clean ones on my DVD and overwrite the tampered files with their initial clean versions?

I leave the registry dump part alone, since the user installed programs and there is no way the current registry size will be the same as the after-format registry.

baseline = a measure of comparison? checksum = comparison of sizes between 2 files?

And last, I think I'll just leave my router's hardware firewall enabled to filter (sort out) connections, but an application-level software firewall with stateful packet inspection would help as well, yes? I'm talking only about inbound protection.

Reply to
Nik Gr

Here are some more good-quality articles authored by Jesper M. Johansson for you to read during the holidays :)

Security Watch Revisiting the 10 Immutable Laws of Security, Part 1

formatting link
Security Watch Revisiting the 10 Immutable Laws of Security, Part 2
formatting link
Security Watch Revisiting the 10 Immutable Laws of Security, Part 3
formatting link
Happy New Year :)

Reply to
Kayman

"Kayman" wrote in message news: snipped-for-privacy@40tude.net...

Thank you very much for the additional links you provided me. (Are there the same articles in Greek, perhaps?)

And a Happy New and Fruitful Year to you too, my friend!

Reply to
Nik Gr

The profile is your user's directory in the "Documents and Settings" folder. Open Explorer, click in the address bar, type %USERPROFILE% and press Enter.

The profile is the directory where all of a user's configuration and data is stored. The account is the information Windows maintains for managing the user (username, password, location of the profile, etc.).

"%SystemDrive%\Documents and Settings"

Normally you will. Provided your account didn't have elevated privileges.

However, since right now your account does have admin privileges, you have to take something else into consideration. Until Windows 2000 objects created by members of the group "Administrators" were owned by the group rather than the individual user. This was changed in XP and I presume also in Vista. Since your user "nik" has admin privileges, this user is the owner of all files/folders he created (e.g. when installing a program). Because of this ownership, that user will still have full access to those files/folders, even if you remove the user from the group "Administrators". If you don't change this, malware run by the user "nik" may still be able to compromise stuff outside the user's profile because of that.

You can:

- delete that user entirely and create a new limited user from the administrator account

- use that account as your admin account and create a new limited user

- change the ownership of files/folders under %Program Files% and %SystemRoot% to the group "Administrators"

In any case you should change the default ownership of objects created by members of the group "Administrators" to that group (there's a security option for that, which you can change with gpedit.msc).

Also I'd strongly recommend to change the default permissions on %SystemDrive% to full access for administrators and SYSTEM and read-only access for normal users or authenticated users. See the link below for an explanation of the reason why.

formatting link

No. Windows' system files are digitally signed, and you can verify the signature with sigverif.exe, but you need to do that from a known-good system, and it won't check the registry and any other file except for Windows system files.

baseline = a set of checksums

formatting link
Normally you'd use a cryptographic hash function for this kind of checksum:

formatting link

If the router does stateful packet inspection, you don't need a software firewall to do it again. Make sure, though, that you disable UPnP on your router, and set a good password.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
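The baseline-and-compare approach Ansgar describes (checksums of all files taken on a known-good system, compared against the current state later), as an added example that is not code from the thread: SHA-256 every file below a directory, store the baseline away from the machine, then diff the current state against it to list added, removed and modified files. The directory tree and the "infection" are constructed in a temporary folder; the registry is left out, for the reason given above.

```python
import hashlib, json, tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file below root (relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): sha256_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline. Keep this copy on read-only or offline media:
    malware with write access to the system could rewrite it along with the files."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(k for k in common if baseline[k] != current[k])}


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, then diff it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "svc.exe").write_bytes(b"original service binary")
        (Path(root) / "etc.ini").write_text("setting=1\n")
        save_baseline(build_baseline(root), f"{store}/baseline.json")
        # Simulated infection: one binary patched, one library dropped, one file gone.
        (Path(root) / "bin" / "svc.exe").write_bytes(b"patched service binary")
        (Path(root) / "bin" / "helper.dll").write_bytes(b"unexpected new library")
        (Path(root) / "etc.ini").unlink()
        with open(f"{store}/baseline.json") as f:
            return compare(json.load(f), build_baseline(root))
```

Run `demo()` to see the three categories reported; on a real system you would take the baseline right after installation and patching, and run `compare` from known-good media, since a scanner running on a compromised system can itself be tampered with.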
