Comodo Firewall 10

The firewall component in modern versions of Windows is quite effective, so the market for third-party personal firewall utilities is shrinking. Paying for a personal firewall seems especially silly when Windows has one built in.

Comodo Firewall 10 is free, and it does a lot more than the basics.
In addition to protecting your PC against attacks from the Internet and controlling how programs utilize your Internet connection, it includes a secure browser, sandbox-style virtualization, a Host Intrusion Protection System, and more.
It performs all expected personal firewall tasks, but not all of the bonus features worked

Comodo's main competition is Check Point ZoneAlarm Free Firewall 2017, and there are quite a few similarities between the two.

Both companies also offer a free antivirus, for starters.

And you can also get a combined firewall and antivirus from both. With ZoneAlarm, you can convert either the antivirus or firewall to the combined product with just a click. With Comodo, you upgrade to the free edition of Comodo Internet Security.

Shared with Antivirus

The majority of Comodo Firewall's features are also found in Comodo Antivirus 10.
I'll refer you to my review of the antivirus for full details on these features. Here's a summary.

Both Comodo products offer a new, attractive user interface with two similar themes named Lycia and Arcadia.

These two feature a big status panel at left and four button panels at right; they just use slightly different colors and icons.

Those who prefer the previous edition's look can choose the Modern theme.
If you're nostalgic for really old editions of Comodo, the Classic theme gets you that look.
In addition, the main window for both products can display either a Basic View or an Advanced View; the latter puts more statistics and action items in easy reach.

While both Comodo products are free, they also both push you to pay in one way or another. Unless you carefully read all screens and popups, you'll find that without realizing it you've agreed to change all of your browsers to use Yahoo as home page, new tab, and default search engine. You'll see messages offering help from the GeekBuddy tech support system, and indeed a GeekBuddy agent will happily chat with you. However, if you want the tech to perform any kind of remote repair or remediation, you'll have to pay.

Comodo Firewall does not in itself include an antivirus component, but its File Rating component checks files against Comodo's cloud database when you access them.
If the database identifies a process as malware, or as a potentially unwanted program, Comodo terminates the process and pops up a notification. You also get a popup offering GeekBuddy services.

File Rating is also a feature of the antivirus, but in testing I found that other protection layers always kicked in before File Rating had a chance.

Both the firewall and the antivirus can automatically sandbox programs that aren't recognized by the database. However, this feature is enabled by default in the antivirus, disabled in the firewall.

A sandboxed program runs in a virtual environment, unable to permanently change important system areas. When you empty the sandbox, all virtualized changes vanish. You can actively launch any program in the sandbox, or open a fully virtualized desktop, isolated from the regular desktop.
It's similar to the SafePay desktop in Bitdefender Antivirus Plus 2017.

The main feature of the virtualized desktop is the Comodo Dragon browser.

By virtualizing your online transactions, you protect them from manipulation by other processes.

The Dragon browser includes a useful collection of bonus apps, among them a media downloader, a price-comparison tool, and a tool for quickly sharing or searching text from Web pages.

Both Comodo products include a Host Intrusion Prevention System (HIPS), but it's disabled by default in the antivirus, enabled in the firewall.

This is not a tool for foiling attempts to exploit vulnerabilities in the operating system and popular programs. Rather, when it detects suspicious behavior by a program, it asks you what to do. You can allow the behavior, block it, or choose to treat the program in question as an installer.
I tested it with a collection of utilities that share certain behaviors with malware.

Comodo only blocked the installer for one, and when I opted to treat it as an installer, I had no further problem.

The HIPS quite reasonably cast suspicion on a test utility that launches Internet Explorer and forces it to open malware-hosting URLs.

It's worth noting that ZoneAlarm's OSFirewall feature functions in much the same way. When I fully enabled the OSFirewall feature, ZoneAlarm flagged behaviors by both good and bad programs.

While Comodo Firewall isn't an antivirus itself, it includes the option to create an antivirus rescue disk, and the process of creating this disk is quite easy. You can also use it to launch Comodo's cleanup-only tool to wipe out persistent malware.

Firewall Features

As you can see, this product has a lot in common with Comodo Antivirus, but don't worry; there are plenty of firewall-specific functions too.

Each time you connect to a new network, it asks whether it's a home, work, or public network. When you're connected to a public network, Comodo puts all the system's ports in stealth mode, meaning they can't be seen from outside.
It's true that Windows Firewall also accomplishes this feat, but Comodo does it just as well. Unlike Windows Firewall, Comodo lets enthusiasts get an alert on each unsolicited connection attempt.

As noted earlier, Comodo's HIPS feature does not try to block attacks that exploit vulnerabilities in the OS or critical files.

The same is true of ZoneAlarm.
Symantec Norton Security Premium is the champ in this area.
In testing, it blocked more exploits than any other recent product, and it did so at the network level, before the exploit even reached the test system.

When the firewall detects an attempted network connection by a new program, it asks you what to do about it. You can choose to allow the attempt, block it, or treat the suspect program as a browser or FTP client.
If you choose to block access, you can also terminate the program, or terminate it and reverse its actions.

Testing Comodo with my hand-coded browser, I found the firewall query appeared only after three distinct warnings from the HIPS.
I also tried a few leak tests, programs that attempt to evade firewall control by manipulating or masquerading as trusted programs.

These triggered plenty of HIPS warnings, as well as firewall warnings.
I had to turn off the File Rating component for this test, because it terminated them as potentially unwanted programs.

While Comodo's HIPS and firewall popups aren't as overwhelming as they were a few versions ago, they still give the user a lot to consider. Most users really won't know whether a program should be allowed to access the DNS/RPC Client service, or access a protected COM interface.

The firewall components in Norton and Kaspersky Internet Security track suspicious behaviors, but perform their own internal analysis rather than expecting the user to make complex security decisions.

ZoneAlarm pioneered the concept that a personal firewall must defend itself against attack.
If malware can disable firewall protection programmatically, the protection isn't worth much, right? I couldn't find any Registry entry that would serve as an off switch for Comodo Firewall, and when I tried to terminate its process I got an Access Denied message.

Security products typically rely on one or more Windows services as well—Comodo has four.
I found that I could stop three of them, but not the fourth, the most essential one. However, I managed to set its startup mode to Disabled. On reboot, Comodo offered to fix the problem, after which it was fine.
Still, I'm happier with a product like ZoneAlarm or Norton that simply prevents all modification of its Windows services.

Website Filtering

Many antivirus products include a browser-protection component that helps steer users away from malicious or fraudulent URLs.

Comodo Antivirus does not. However, the firewall adds a component called Website Filtering. My contact at the company explained that Website Filtering blocks access to URLs found in Comodo's malicious URL database, but does not attempt to block phishing sites.

To evaluate this component's efficacy, I launched the malicious URL blocking test that I apply to each antivirus.

This test uses a feed of very new malware-hosting URLs supplied by MRG-Effitas.
I use URLs discovered in the last day or two, so they're very new.
I launch each one and note whether the product blocked access to the dangerous URL, wiped out the malicious payload, or completely ignored the danger.

Normally I keep at this test until I have data for 100 malware-hosting URLs. However, after processing 50 without any response from Comodo, I quit.
I suspect that Comodo's blacklist database of malicious URLs isn't updated frequently enough to detect the most recent dangers.

By contrast, Avira Antivirus blocked 93 percent of the URLs in this test.

Does the Job

Comodo Firewall 10 does everything a personal firewall should do, stealthing ports against outside attack and preventing betrayal from within by programs misusing your Internet connection.
In addition, it offers sandboxing, a secure browser, HIPS, reputation-based file rating, and more. However, some of these bonus features are too techie for the average user, and they don't all contribute to the task of a personal firewall.

Our Editors' Choice in the dwindling collection of free personal firewalls is Check Point ZoneAlarm Free Firewall 2017.
It, too, handles all the basic tasks, and it resists direct attack better than Comodo.
It does offer a collection of bonus features as well, but most are easier for the average user to comprehend.

For the tech expert, Comodo can be great, make no mistake.

But ZoneAlarm is better suited for the average user.
