Comodo Firewall Pro 3.0 User Guide
Table of Contents
Comodo Firewall Pro Introduction
What's New in Comodo Firewall Pro
Installation
System Requirements
Starting Comodo Firewall Pro
General Navigation and Firewall Summary
Understanding Alerts
Firewall Task Center
Network Security Policy
Pre-defined Firewall Policies
Attack Detection Settings
Firewall Behavior Settings
View Firewall Events
Define a New Trusted Application
Define a New Blocked Application
Stealth Ports Wizard
View Active Connections
My Port Sets
My Network Zones
My Blocked Network Zones
Defense+ Tasks Overview
View Defense+ Events
My Protected Files
My Quarantined Files
My Pending Files
My Own Safe Files
View Active Process List
My Trusted Software Vendors
Scan My System
My Protected Registry Keys
My Protected COM Interfaces
Computer Security Policy
Image Execution Control Settings
Predefined Security Policies
Defense+ Settings
Miscellaneous Overview
Manage My Configurations
Diagnostics
Check for Updates
Submit Suspicious Files
Browse Support Forums
Help
About
About Comodo
Introduction
- What's New In Comodo Firewall Pro
- Installing Comodo Firewall Pro
- System Requirements
- Starting Comodo Firewall
- General Navigation and Firewall Summary
- Understanding Alerts

The remaining three sections of the guide cover every aspect of the configuration of Comodo Firewall Pro. Advanced users interested in configuring their own security policies and rules may want to make 'Network Security Policy' and 'Computer Security Policy' their starting points.

Common Tasks
- View Firewall Events
- Define a New Trusted Application
- Define a New Blocked Application
- Stealth Ports Wizard
- View Active Connections
- My Port Sets
- My Network Zones
- My Blocked Network Zones

Advanced
- Network Security Policy
- Predefined Firewall Policies
- Attack Detection Settings
- Firewall Behavior Settings

Common Tasks
- View Defense+ Events
- My Protected Files
- My Quarantined Files
- My Pending Files
- My Own Safe Files
- View Active Process List
- My Trusted Software Vendors

Advanced
- Computer Security Policy
- Predefined Security Policies
- Image Execution Control Settings
- Defense+ Settings

Miscellaneous
- Overview of Miscellaneous Tasks
- Interface Settings
- Manage My Configurations
- Diagnostics
- Check For Updates
- Submit Suspicious Files
- Browse Support Forums
- Help
- About
Comodo Firewall Pro has always offered the highest levels of perimeter security against inbound and outbound threats - meaning you get the strongest possible protection against hackers, malware and identity thieves. Now we've improved it again by adding new features such as Stealth Mode to make your PC completely invisible to opportunistic port scans; Wizard based auto-detection of trusted zones; Password protection of firewall settings; Diagnostics to analyze your system for potential conflicts with the firewall and much more.

NEW! Intuitive Graphical User Interface
Summary screen gives an at-a-glance snapshot of your security settings. Easy and quick navigation between each module of the firewall. Simple point and click configuration - no steep learning curves. New completely redesigned security rules interface - you can quickly set granular access rights and privileges on a global or per application basis. The firewall also contains pre-set policies and wizards that help simplify the rule setting process.

IMPROVED! Security rules interface
Version 3.0 offers more control over security settings than ever before. Users can quickly set granular internet access rights and privileges on a global or per application basis using the flexible and easy to understand GUI. This version also sees the introduction of pre-set security policies which allow you to deploy a sophisticated hierarchy of firewall rules with a couple of mouse clicks.

IMPROVED! Application Behavior Analysis
CFP 3.0 features advanced protocol driver level protection - essential for the defense of your PC against Trojans that run their own protocol drivers.

IMPROVED! Event logging
Version 3.0 features a vastly improved log management module - allowing users to export records of firewall activity according to several user-defined filters. Beginners and advanced users alike will greatly benefit from this essential troubleshooting feature.

NEW! Added new 'Training Mode' and 'Clean PC' Mode
This mode enables the firewall and host intrusion prevention systems to automatically create 'allow' rules for new components of applications you have decided to trust, so you won't receive pointless alerts for those programs you trust - the firewall will learn how they work and only warn you when it detects truly suspicious behavior.

NEW! Windows Security Center Integration
Comodo Firewall Pro 3.0 is fully recognized by Windows Vista/XP Security Center as a trusted firewall.

IMPROVED! Application Recognition Database (Extensive and proprietary application safe list)
Comodo Firewall Pro includes an extensive white-list of safe executables called the 'Comodo Safe-List Database'. This database checks the integrity of every executable and Firewall Pro will alert you of potentially damaging applications before they are installed. This level of protection is new because traditionally firewalls only detect harmful applications from a blacklist of known malware - often missing new forms of malware as might be launched in day zero attacks. Firewall Pro is continually updated and currently over 1,000,000 applications are in Comodo Safe list, representing virtually one of the largest safe lists within the security industry.

NEW! Self Protection against Critical Process Termination
Viruses and Trojans often try to disable your computer's security applications so that they can operate without detection. Comodo Firewall Pro protects its own registry entries, system files and processes so malware can never shut it down or sabotage the installation.

IMPROVED! Submit Suspicious Files to Comodo
Are you the first victim of a brand new type of spyware? Users can help combat zero-hour threats by using the built in submit feature to send files to Comodo for analysis. Comodo will then analyze the files for any potential threats and update our database for all users.
Installation
Before you install Comodo Firewall Pro, read the installation instructions carefully and also review the system requirements listed in this chapter.
Installation Process
To install, download the Comodo Firewall Pro setup files to your local hard drive. (setup.exe can be downloaded from http://www.personalfirewall.comodo.com )

STEP 1: Uninstall Other Firewall Programs
Before you install Comodo Firewall Pro, you must uninstall any third party Firewall programs installed in your PC. This is necessary as other firewall programs may interfere with the installation of Comodo Firewall Pro and reduce the protection offered by it. Click Yes.

STEP 2: Welcome dialog box
The set up program starts automatically and the Welcome wizard is displayed. At this time, you may cancel the install process or continue with the Comodo Firewall Pro Setup program. Click Next to continue.
STEP 3: License Agreement
When Comodo Firewall Pro is installed for the first time, you must complete the initialization phase by reading and accepting the license agreement. After you read the End-User License Agreement, click Yes to continue installation. If you decline, you cannot continue with the installation.
STEP 4: Location Destination Folder
On the Destination Wizard page, confirm the location of the Firewall installation files. To install the program in the default destination location, click Next. The default destination directory is C:\Program Files\Comodo\Firewall.

If you do not wish to install the Firewall files in the default location, click BROWSE and select another folder. Click OK to continue with the installation process.
STEP 5: Set Up Status Box
A setup status dialog box is displayed. You will see a progress bar indicating that files are being installed.

STEP 6: Welcome Screen
A configuration wizard dialog box will open. Click "Next" to continue with installation.
STEP 7: Install Defense+
Next you choose which type of installation (and protection level) you would prefer:
The choices explained:

Firewall with Defense+ (Recommended) - This is the most complete option and offers the greatest level of security. Choosing this will install Comodo Firewall Pro's Host Intrusion Prevention System - "Defense+" - in addition to the packet filtering firewall. Defense+ can stop malware, viruses, trojans and worms before they ever get a chance to install themselves by blocking their ability to make changes to your operating system, applications, registry, running processes and important system files. This extra layer of protection represents a significant increase in security and is recommended for the vast majority of users.

Firewall ('Leak Protection' option NOT checked) - This option is only recommended for experienced firewall users that have alternative Host Intrusion Prevention software installed on their systems. Choosing this option will install ONLY the packet filtering network firewall and will not offer leak protection - essential for blocking malicious software (like worms and trojans) from making outgoing connection attempts. This isn't to say this option is an unwise choice (the network firewall is one of the strongest available - offering highly effective and configurable inbound and outbound protection) but it is important to realise that, on its own, it does not offer the leak protection afforded by Defense+. If you do not wish to install the full Defense+ option but still want leak protection then we advise you choose:

Firewall (with 'Leak Protection' option checked) - This option installs the packet filtering firewall as above and some, but not all, Defense+ functionality to provide effective leak protection against malware. Simplistically speaking, this option will monitor the activities of suspicious executables and will alert the user when an internet connection leak could occur. Certain monitoring and file/folder protection is, however, disabled under this configuration. This option will create a protection level that is similar to, but slightly more secure than, the protection offered by Comodo Firewall Pro 2.4.
STEP 8: Install Comodo SafeSurf Browser Toolbar
The Comodo SafeSurf Toolbar protects against data theft, computer crashes and system damage by preventing most types of Buffer Overflow attacks. This type of attack occurs when a malicious program or script deliberately sends more data to a target application's memory buffer than the buffer can handle - which can be exploited to create a back door to the system through which a hacker can gain access. Comodo developed the SafeSurf Toolbar explicitly to protect end-users from these kinds of attacks whilst they browse the Internet. After installation, the program will monitor and protect the memory space of all applications that are running on your system and immediately block any buffer overflow attacks. Apart from providing another essential layer of protection, the toolbar also provides one-click access to news, search and shopping; has a built in pop-up blocker; is compatible with all major browsers and can be separately uninstalled or disabled at any time after installation.

After reviewing the EULA and installation options, click 'Next' to continue.

STEP 9: Starting configuration
Next, the installer will begin configuring your system and copying the application signature database to your computer.
STEP 10: Malware Scanning Setup
Next, Comodo Firewall Pro will scan your computer's fixed drives for the presence of known malware and viruses. It is strongly recommended that you run the scan as it will help ensure that your computer enjoys the maximum protection levels right from the first installation of the firewall. Click Next to begin the scan. If you don't wish to scan at this time then un-check the 'Scan My System for Malware' box and click 'Finish'.
STEP 11: Scanning Progress and Results
Comodo Firewall Pro will now scan your fixed drives for the presence of known viruses and trojans.
The example above shows a typical list of discovered malware. By default, all discovered malware is selected (checkmarked). If you click "Save As", the detected malware can be saved in your system. Clicking 'Delete All' will instruct Comodo Firewall Pro to attempt to delete the selected malware. (This is the recommended option). If you click 'Exit' WITHOUT deleting the listed malware, you will be given the following reminder:

Click 'No' to skip malware deletion and proceed to the last stage - Restarting Your System. Click 'Yes' to return to the scan results screen to delete the discovered malware.

STEP 12: Restart your system
Your system must be restarted in order to finalise the installation. Please save any unsaved data and click Finish to reboot. Uncheck the 'Restart Now' option if you would rather reboot at a later time.

STEP 13: After you restart your machine
After restarting, if your computer is connected to a home or work network, then you will be prompted to configure it at the 'New Private Network Detected!' dialog:
Step 1: Even home users with a single computer will have to configure a home network in order to connect to the internet (this is usually displayed in the Step 1 text field as your network card). Most users should accept this name.

Step 2: If you wish your computer to accept connections from other PCs in this network or for printer sharing, then also select this option (e.g. a work or home network). This will then become a trusted network. Users that only have a single home computer connecting to the internet should avoid this setting.

Select 'Do not automatically detect new networks' if you are an experienced user that wishes to manually set up their own trusted networks (this can be done in 'My Network Zones' and through the 'Stealth Ports Wizard').

You must select OK to confirm your choice. If you click on the 'Close' button, all the network connections will be blocked.

After first rebooting, all users are offered the opportunity to upgrade to Comodo Firewall Pro Plus. Comodo Firewall Pro Plus is a virus protection and removal service that delivers security and peace of mind above and beyond traditional anti-virus solutions. From just $39 per year, Comodo experts will remotely diagnose then cleanse your system of malware and viruses if your machine should become infected. After totally eradicating the malicious software using a range of specialist security tools, our experts will then reconfigure your firewall to set your computer up for maximum security. Comodo Firewall Pro Plus is available in two service offerings:

- Comodo Pro Plus - Warranty Only - $39 per year. Virus removal and system remediation in the event your PC becomes infected by malware. 2 incidents per year.
- Comodo Pro Plus - Warranty + Installation - $O9 per year. Same incident based remediation service as above PLUS expert installation and configuration of your firewall.

Users that take advantage of the Pro Plus warranty will enjoy the peace of mind afforded by having security experts on call 24 hours a day to help out in case of emergency.

Scenario One: If no malware remains on your system after the earlier scan then you will see the following information dialog after Windows startup:
Select 'Yes, I'm Interested...' then 'Next >' to be directed to the Comodo website where you can find more details about the warranty and to complete the registration process. Select 'No, thanks' then 'Next >' if you are not interested in upgrading to Comodo Firewall Pro Plus. The Comodo Firewall Pro interface will then open.

Scenario Two: If any malware could not be automatically deleted (because doing so would be harmful to important files or to your computer) then you will see the following dialog box:

I have an A-VSMART subscription and would like to use it - For existing warranty holders only. Selecting this option (and clicking OK) will connect to the Comodo servers so you can begin placing a request to remove the malware on your machine. Comodo Firewall Pro will automatically link the malware scan results to your account. After professionally removing the malware, our experts will also configure your firewall for optimal security.

I do not have an A-VSMART subscription but would like to subscribe - Register for an A-VSMART warranty and get Comodo experts to remove the malware for you before professionally installing and configuring your firewall for optimal security. If you select this option Comodo Firewall Pro will open your internet browser and connect to the Comodo website to complete the ordering process.

Keep them quarantined and close this window - Clicking 'No' at this dialog will skip the application/service engagement process and restart your computer. The identified malware will automatically be rendered harmless and can be manually reviewed and/or removed at a later time by visiting the quarantine section of Comodo Firewall Pro.

Click OK to continue onto the Comodo Firewall Pro Management interface.

Comodo Firewall Pro management interface
After installation, the Comodo Firewall Pro shortcut will be displayed on the Windows desktop. To start Comodo Firewall Pro, double-click on the shortcut (or the tray icon) and the management interface will open.

Your computer is automatically protected by the firewall every time you start it. You do not have to explicitly start the firewall to protect your computer.
Closing this window will exit the Comodo Firewall Pro management interface. The firewall will remain active, protecting your computer, in the background. To completely shut the program down, right-click on the Comodo Firewall Pro icon and select 'Exit'. If you choose to exit, you will see a dialog box confirming whether you want to exit or not.

If you choose to exit, the Firewall will be disabled and will not protect your PC.
System Requirements

To ensure optimal performance of Comodo Firewall Pro, please ensure that your PC complies with the minimum system requirements as stated below:
- Windows Vista (Both 32-bit and 64-bit versions)
- Windows XP (Both 32-bit and 64-bit versions)
- Internet Explorer Version 5.1 or above
- 64 MB available RAM
- 60 MB hard disk space for 32-bit versions and R0 MB for 64-bit versions

Just double click the shield icon to start the main firewall interface. (By right-clicking on the tray icon, you can access short cuts to other firewall settings).

2. Windows Desktop

Just double click the shield icon in the desktop to start Comodo Firewall Pro.

3. Start Menu
You can also access Comodo Firewall Pro via the Windows Start Menu.

Using any of the methods outlined above will lead you to the main interface as shown below:
Persistent Navigation
Comodo Firewall Pro is divided into four main areas indicated by the icons at the top right hand corner of the interface. Each of these areas contains several sub-sections that allow you total control over configuration of the firewall and Defense+ settings.

- Summary - contains at-a-glance details of firewall settings, activity and news. See the 'Summary' section for more details.
- Firewall - clicking this icon will take you to the 'Firewall Tasks' configuration area. Advanced users are advised to first visit the Network Security Policy area for an introduction to firewall policies and rule creation.
- Defense+ - clicking this icon will take you to the 'Defense+' configuration area. Advanced users are advised to first visit the Computer Security Policy area for an introduction to Defense+ policies and rule creation.
- Miscellaneous - clicking this icon will take you to the 'Miscellaneous' options section which contains several areas relating to overall configuration.

Firewall Summary

By default, the management interface displays the 'Summary' area information. You can access this area at any time by selecting the 'Summary' tab as shown above.
1. Summary:

System Status - shows system activity and recommendations on actions you need to perform.

Network Defense - The 'Network Defense' area contains:

- The total number of intrusion attempts that the firewall has blocked since installation.
- Your current Firewall Security Level (or 'Firewall Behaviour Setting'), shown in blue, underlined font. 'Safe Mode' is the Firewall security setting in the example shown above. Comodo Firewall Pro allows you to quickly customize firewall security by using the Firewall Security Level slider to move between preset security levels. Clicking on this blue text opens the firewall behavior settings panel and allows you to adjust the security level to your own preferences. This section also allows you to configure the frequency of alerts. For a complete explanation of this part of the firewall, please see 'Firewall Behavior Settings'.
- Inbound/Outbound Connections. A numerical summary of currently active inbound and outbound connections to and from your computer. More details on active connections can be found in the 'View Active Connections' section of 'Firewall Tasks' and the 'Traffic' section on the summary screen.
- 'Stop All Activities' / 'Restore All Activities' - Allows you to toggle network activity on or off. Specifically, clicking 'Stop All Activities' will instantly block all incoming and outgoing network connections - placing the firewall in the 'Block All Mode' of 'Firewall Security Settings'. Similarly, clicking 'Restore All Activities' will re-implement your previous Firewall Security Level.

- The total number of suspicious activities that Defense+ has blocked since installation.
- Your current Defense+ Security Level - shown in blue, underlined font. 'Safe Mode' is the Defense+ security setting in the example shown above. Comodo Firewall Pro allows you to quickly customize the Defense+ security level using a convenient slider to move between preset security levels. Clicking on this blue text opens the Defense+ Settings panel and allows you to quickly access this slider to adjust this security level to your own preferences. This section also allows you to configure the frequency of alerts. For a complete explanation of this section, please see 'Defense+ Settings'.
- Number of Currently Active Processes - A quick summary of all processes/applications that are running on your computer. You can see in-depth details of all running processes in the 'View Active Processes' module of Defense+ Tasks.
- Number of files waiting for your review - The number of files currently in the 'My Pending Files' section. See the 'My Pending Files' section of this help guide for more details.
- 'Switch to Installation Mode' / 'Switch to Previous Mode' - Allows you to quickly toggle between 'Defense+ Installation mode' and your most recent Defense+ Security Level. 'Installation Mode' allows you to quickly install or run an application that you trust which is, as yet, unknown to Comodo Firewall Pro. For more details, see Defense+ Settings.

2. Highlights - The Highlights section displays information about Security Alerts and News related to Comodo Firewall Pro & latest Critical security updates. Clicking on the text in the Highlights box takes you to the Comodo website to read more details.

3. Traffic - The summary screen of Comodo Firewall Pro displays a bar graph showing the applications that are currently connected to the internet and are sending or receiving data. The summary also displays the % of total traffic each application is responsible for and the filename of the executable. Clicking on any application leads to the more detailed 'View Active Connections' interface.

4. Tip of the Day - This section helps you to use Comodo Firewall Pro to its maximum potential by displaying information about features you may have missed.
Understanding Alerts

After first installing Comodo Firewall Pro, it is likely that you will see a number of pop-up alerts. This is perfectly normal and indicates that the firewall is learning the behavior of your applications and establishing which programs need Internet access. Each alert provides information and options to allow or block any request and to instruct the firewall how to behave in future.

Alerts Overview
Comodo Firewall Pro alerts come in two varieties, Firewall Alerts and Defense+ Alerts. Broadly speaking, Firewall alerts inform you about network connection attempts, whereas Defense+ alerts tell you about the behavior of applications on your system. In both cases, the alert can contain very important security warnings or may simply occur because you are running an application for the first time. Your reaction should depend on the information that is presented at the alert.
Severity Level
The upper strip of both Defense+ and Firewall alerts is color coded according to risk level. This provides a fast, at-a-glance indicator of the severity of the alert. However, it cannot be stressed enough that you should still read the 'Security Considerations' section in order to reach an informed decision on allowing or blocking the activity.

- Yellow Alerts - Low Severity - In most cases, you can safely approve these connection requests or activities. The 'Remember my answer for this application' option is automatically pre-selected for safe requests.
- Orange Alerts - Medium Severity - Carefully read the 'Security Considerations' section before making a decision. These alerts could be the result of a harmless process or activity by a trusted program or an indication of an attack by malware. If you know the application to be safe, then it is usually okay to allow the request. If you do not recognize the application performing the activity or connection request then you should block it.
- Red Alerts - High Severity - These alerts indicate highly suspicious behavior that is consistent with the activity of a trojan horse, virus or other malware program. Carefully read the information provided when deciding whether to allow it to proceed.

Now that we've outlined the basic construction of an alert, let's look at how you should react to them:

How Should I answer the Firewall Alerts?
Points to consider:

1. Carefully read the 'Security Considerations' section. Comodo Firewall Pro can recognize thousands of safe applications. (For example, Internet Explorer and Outlook are safe applications). If the application is known to be safe - it is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized you will be informed of this. If it is one of your everyday applications that you want to grant internet access to then you should 'Allow This Request' (it may be the case that the application has not yet been added to the safe application database). If you don't recognize the application then we recommend you select 'Block This Request' but don't select the 'Remember My Answer' checkbox. In all cases, clicking on the name of the application will open a properties window that can help you determine whether or not to proceed:
2. If you are sure that it is one of your everyday applications, try to use the 'Treat This Application As' option as much as possible. This will deploy a predefined firewall policy on the target application category. For example, you may choose to apply the policy 'Web Browser' to the known and trusted applications 'Internet Explorer', 'FireFox' and 'Opera'. Each predefined policy has been specifically designed by Comodo to optimize the security level of a certain type of application.
If you do not see the 'Treat this Application As' option, you should click 'More Options'. Remember to check the box 'Remember My Answer'.
3. If Comodo Firewall Pro reports behavior consistent with that of malware in the security considerations section then you should block the request AND click 'Remember My Answer' to make the setting permanent.

How Should I answer the Defense+ Alerts?
Points to consider:
1. As with Firewall Alerts, carefully read the 'Security Considerations' section. Comodo Firewall Pro can recognize thousands of safe applications. If the application is known to be safe - it is written directly in the security considerations section along with advice that it is safe to proceed. Similarly, if the application is unknown and cannot be recognized you will be informed of this. If it is one of your everyday applications that you want to grant execution rights to then you should 'Allow This Request'. If you don't recognize the application then we recommend you select 'Block This Request' but don't select the 'Remember My Answer' checkbox.
2. Avoid using the 'Installer or Updater' policy if you are not installing an application. This is because treating an application as an 'Installer or Updater' grants the maximum possible privileges to an application - something that is not required by most 'already installed' applications. If you select 'Installer or Updater', you may consider using it temporarily with 'Remember My Answer' left unchecked.
3. Pay special attention to 'Device Driver Installation' and 'Physical Memory Access' alerts. Again, not many legitimate applications would cause such an alert and this is usually a good indicator of malware/rootkit-like behavior. Unless you know for a fact that the application performing the activity is legitimate, Comodo recommends blocking these requests.
4. Protected Registry Key Alerts usually occur when you install a new application. If you haven't been installing a new program and do not recognize the application requesting the access, then a 'Protected Registry Key Alert' should be a cause for concern.
5. 'Protected File Alerts' usually occur when you try to download or copy files or when you update an already installed application. Were you installing new software or trying to download an application from the internet? If you are downloading a file from the 'net, try to use the 'Allow without Remembering' option to cut down on the creation of unnecessary rules within the firewall. If an application is trying to create an executable file in the Windows directory (or any of its subdirectories) then pay special attention. The Windows directory is a favorite target of malware applications. If you are not installing any new applications or updating Windows then make sure you recognize the application in question. If you don't then 'Block This Request' without checking the 'Remember My Answer' box. If an application is trying to create a new file with a random filename e.g. "hughbasd.dll" then it is probably a virus and you should block it permanently by selecting 'Treat As' 'Isolated Application' (third down in the graphic below).
6. If Comodo Firewall Pro reports malware behavior in the security considerations section then you should block the request permanently by also selecting the 'Remember My Answer' option. As this is probably a virus, you should also submit the application in question to Comodo for analysis.
7. Unrecognized applications are not always bad. Your best loved applications may very well be safe but not yet included in the Comodo certified application database. If the security considerations section says "If xxx is one of your everyday applications, you can allow this request", you may allow the request permanently if you are sure it is not a virus. You may report it to Comodo for further analysis and inclusion in the certified application database.
8. If Defense+ is in Clean PC Mode, you will probably be seeing the alerts for any new applications introduced to the system - but not for the ones you have already installed. You may review the 'My Pending Files' section for your newly installed applications and remove them from the list for them to be considered as clean.
9. Avoid using "Trusted Application" or "Windows System Application" policies for your email clients, web browsers, IM or P2P applications. These applications do not need such powerful access rights.
10. In 'Paranoid Mode', 'Safe mode' and 'Clean PC' mode, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage 'Installation Mode'. If you are installing a new, unknown application, Defense+ will alert you with a pop-up notification and, as you want to allow this application to continue installing, you should select 'Treat this application as an Installer or Updater'. You will subsequently see the following:
Common Tasks
'Common Tasks' allow you to create rules for applications and network connections through a series of shortcuts and wizards. Click on the links below to see detailed explanations of each area in this section.
- View Firewall Events
- Define a New Trusted Application
- Define a New Blocked Application
- Stealth Ports Wizard
- View Active Connections
- My Port Sets
- My Network Zones
- My Blocked Network Zones
Advanced Tasks
'Advanced Tasks' enables more experienced users to define firewall policy and settings at an in-depth, granular level. Click on the links below to see detailed explanations of each area in this section.
- Network Security Policy
- Predefined Firewall Policies
- Attack Detection Settings
- Firewall Behavior Settings
Both application rules and global rules are consulted when the firewall is determining whether or not to allow or block a connection attempt. For Outgoing connection attempts, the application rules are consulted first then the global rules. For Incoming connection attempts, the global rules are consulted first then application specific rules.
See General Navigation for a summary of the navigational options available from the main Network Security Policy interface.
See the section 'Application Rules' for help to configure application rules and policies.
See the section 'Global Rules' for help to configure global rules and to understand the interaction between global and application rules.
General Navigation:
Add... - On the 'Application Rules' tab this button allows the user to Add a new Application to the list then create its policy. On the 'Global Rules' tab it enables you to add and configure a new global rule using the Network Control Rule interface.
Edit... - Allows the user to modify the selected rule or application policy. See Overview of Policies and Rules, Creating and Modifying Network Policy and Understanding Network Control Rules.
Remove... - Deletes the currently selected policy or rule.
Move Up - Raises the currently selected rule or policy up one row in the priority list. Users can also re-prioritize policies or re-assign individual rules to another application's policy by dragging and dropping.
Move Down - Lowers the currently selected rule or policy down one row in the priority list. Users can also re-prioritize policies or re-assign individual rules to another application's policy by dragging and dropping.
Purge - Runs a system check to verify that all the applications for which policies are listed are actually installed on the host machine at the path specified. If not, the policy is removed, or 'purged', from the list.
Users can re-order the priority of policies by simply dragging and dropping the rule in question. Alternatively, select the rule you wish to re-prioritize and click either the 'Move Up' or 'Move Down' button.

Application Rules
See Overview of Policies and Rules for an explanation of rule and policy structure and how these are represented in the main Application Rules interface.
See Application Network Access Control interface for an introduction to the rule setting interface.
See Creating and Modifying Network Policies to learn how to create and edit network policies.
See Understanding Network Control Rules for an overview of the meaning, construction and importance of individual rules.
See Adding and Editing a Network Control Rule for an explanation of individual rule configuration.
Overview of Policies and Rules
Whenever an application makes a request for internet or network access, Comodo Firewall Pro will allow or deny this request based upon the Firewall Policy that has been specified for that application. Firewall Policies are, in turn, made up from one or more individual network access rules. Each individual network access rule contains instructions that determine whether the application should be allowed or blocked, which protocols it is allowed to use, which ports it is allowed to use and so forth.
If you wish to modify the firewall policy for an application:
- Double click on the application name to begin 'Creating or Modifying Network Policy'
- Select the application name, right-click and choose 'Edit' to begin 'Creating or Modifying Network Policy'
- Select the application name and click the 'Edit...' button on the right to begin 'Creating or Modifying Network Policy'
If you wish to modify an individual rule within the policy:
- Double click on the specific rule to begin 'Adding and Editing a Network Control Rule'
- Select the specific rule, right-click then choose 'Edit' to begin 'Adding and Editing a Network Control Rule'
- Select the specific rule and click the 'Edit...' button on the right to begin 'Adding and Editing a Network Control Rule'
Users can also re-prioritize policies or re-assign individual rules to another application's policy by dragging and dropping.
Although each policy can be defined from the ground up by individually configuring its constituent rules, this practice would be time consuming if it had to be performed for every single program on your system. For this reason, Comodo Firewall Pro contains a selection of predefined policies according to broad application category. For example, you may choose to apply the policy 'Web Browser' to the applications 'Internet Explorer', 'FireFox' and 'Opera'. Each predefined policy has been specifically designed by Comodo to optimize the security level of a certain type of application. Users can, of course, modify these predefined policies to suit their environment and requirements. For more details, see Predefined Firewall Policies.

Application Network Access Control interface
Network control rules can be added/modified/removed and re-ordered through the Application Network Access Control interface. Any rules created using Adding and Editing a Network Control Rule will be displayed in this list.
Comodo Firewall Pro applies rules on a per packet basis and applies the first rule that matches that packet type to be filtered (see Understanding Network Control Rules for more information). If there are a number of rules in the list relating to a packet type then the one nearer the top of the list will be applied. Users can re-order the priority of rules by simply dragging and dropping the rule in question. Alternatively, select the rule you wish to re-prioritize and click either the 'Move Up' or 'Move Down' button.
To begin creating network policies, first read 'Overview of Policies and Rules' then 'Creating and Modifying Network Policies'.

Creating and Modifying Network Policies
To begin defining an application's network policy, you need to take two basic steps.
(1) Select the application that you wish the policy to apply to.
(2) Configure the rules for this application's policy.

(1) Select the application that you wish the policy to apply to
If you wish to define a policy for a new application (i.e. one that is not already listed) then click the 'Add...' button in the main application rules interface. This will bring up the 'Application Network Access Control' interface shown below:
Because this is a new application, you will notice that the 'Application Path' field is blank. (If you are modifying an existing policy, then this interface will show the individual rules for that application's policy). Click the 'Select' button.
You now have 3 methods available to choose the application for which you wish to create a policy - File Groups, Running Processes and Browse... (to application)
(i) File Groups - choosing this option allows you to create firewall policy for a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create a firewall policy for any file that attempts to connect to the internet with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl. Other such categories available include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc - each of which provides a fast and convenient way to apply a generic policy to important files and folders. To view the file types and folders that will be affected by choosing one of these options, you need to visit the Defense+ area of Comodo Firewall Pro by navigating to: Defense+ > My Protected Files > Groups... More details on Files and File Groupings are available in this help guide in the My Protected Files and My Quarantined Files sections.
(ii) Running Processes - as the name suggests, this option allows you to create and deploy firewall policy for any process that is currently running on your PC.
You can choose an individual process (shown above) or the parent process of a set of running processes. Click 'Select' to confirm your choice. (Note - A more detailed and powerful 'View Active Process List' is available in the Defense+ Task Center)
(iii) Browse... (to application) - this option is the easiest for most users and simply allows you to browse to the location of the application for which you want to deploy the firewall policy. In the example below, we have decided to create a firewall policy for the Opera web browser.
Having selected the individual application, running process or file group, the next stage is to Configure the rules for this application's policy.

(2) Configure the rules for this application's policy
There are two broad options available for creating a policy that will apply to an application - Use a Pre-defined Policy or Use a Custom Policy.
(i) Use a Predefined Policy - Selecting this option allows the user to quickly deploy an existing policy on to the target application. Choose the policy you wish to use from the drop down menu. In the example below, we have chosen 'Web Browser' because we are creating a policy for the 'Opera' browser. The name of the predefined policy you choose will be displayed in the 'Treat As' column for that application in the Application Rules interface. (Note: Predefined Policies, once chosen, cannot be modified directly from this interface - they can only be modified and defined using the Predefined Firewall Policies interface. If you require the ability to add or modify rules for an application then you are effectively creating a new, custom policy and should choose the more flexible Use Custom Policy option instead.)
(ii) Use a Custom Policy - designed for more experienced users, the 'Custom Policy' option enables full control over the configuration of firewall policy and the parameters of each rule within that policy.
You can create an entirely new policy or use a predefined policy as a starting point by:
- Clicking the 'Add..' button to add individual network control rules. See 'Adding and Editing a Network Control Rule' for an overview of the process.
- Using the 'Copy From...' button to populate the list with the network control rules of a Predefined Security Policy
- Using the 'Copy From...' button to populate the list with the network control rules of another application's policy
General tips:
If you wish to create a reusable policy for deployment on multiple applications, we advise you add a new Pre-defined Firewall Policy (or modify one of the existing ones to suit your needs) - then come back to this section and use the 'Use Pre-defined Policy' option to roll it out.
If you want to build a bespoke policy for maybe one or two specific applications, then we advise you choose the 'Use a Custom Policy' option and create your policy either from scratch by adding individual rules (click the 'Add..' button) or by using one of the built-in policies as a starting point.

Understanding Network Control Rules
At their core, each network control rule can be thought of as a simple IF THEN trigger - a set of conditions (or attributes) pertaining to a packet of data from a particular application and an action it will enforce if those conditions are met.
As a packet filtering firewall, Comodo Firewall Pro analyses the attributes of every single packet of data that attempts to enter or leave your computer. Attributes of a packet include the application that is sending or receiving the packet, the protocol it is using, the direction in which it is traveling, the source and destination IP addresses and the ports it is attempting to traverse. The firewall will then try to find a network control rule that matches all the conditional attributes of this packet in order to determine whether or not it should be allowed to proceed. If there is no corresponding network control rule, then the connection will be automatically blocked until a rule is created.
The actual conditions (attributes) you will see* on a particular Network Control Rule are determined by the protocol chosen in Adding and Editing a Network Control Rule.
If you chose 'TCP', 'UDP' or 'TCP and UDP', then the rule will have the form: Action | Protocol | Direction | Source Address | Destination Address | Source Port | Destination Port
If you chose 'ICMP', then the rule will have the form: Action | Protocol | Direction | Source Address | Destination Address | ICMP Details
If you chose 'IP', then the rule will have the form: Action | Protocol | Direction | Source Address | Destination Address | IP Details
Action: The action the firewall will take when the conditions of the rule are met. The rule will show 'Allow', 'Block' or 'Ask'.**
Protocol: States the protocol that the target application must be attempting to use when sending or receiving packets of data. The rule will show 'TCP', 'UDP', 'TCP or UDP', 'ICMP' or 'IP'
Direction: States the direction of traffic that the data packet must be attempting to negotiate. The rule will show 'In', 'Out' or 'In/Out'
Source Address: States the source address of the connection attempt. The rule will show 'From' followed by one of the following: IP, IP range, IP Mask, Network Zone, Host Name or Mac Address
Destination Address: States the address of the connection attempt. The rule will show 'To' followed by one of the following: IP, IP range, IP Mask, Network Zone, Host Name or Mac Address
Source Port: States the port(s) that the application must be attempting to send packets of data through. Will show 'Where Source Port Is' followed by one of the following: 'Any', 'Port #', 'Port Range' or 'Port Set'
Destination Port: States the port(s) on the remote entity that the application must be attempting to send to. Will show 'Where Source Port Is' followed by one of the following: 'Any', 'Port #', 'Port Range' or 'Port Set'
ICMP Details: States the ICMP message that must be detected to trigger the action. See Adding and Editing a Network Control Rule for details of available messages that can be displayed.
IP Details: States the type of IP protocol that must be detected to trigger the action. See Adding and Editing a Network Control Rule to see the list of available IP protocols that can be displayed here.
Once a rule is applied, Comodo Firewall Pro will monitor all network traffic relating to the chosen application and take the specified action if the conditions are met. Users should also see the section 'Global Rules' to understand the interaction between Application Rules and Global Rules.
* If you chose to add a descriptive name when creating the rule then this name will be displayed here rather than its full parameters. See the next section, 'Adding and Editing a Network Control Rule', for more details.
** If you selected 'Log as a firewall event if this rule is fired' then the action will be postfixed with '& Log' (e.g. Block & Log)
Adding and Editing a Network Control Rule
The Network Control Rule Interface is used to configure the actions and conditions of an individual network control rule. If you are not an experienced firewall user or are unsure about the settings in this area, we advise you first gain some background knowledge by reading the sections 'Understanding Network Control Rules', 'Overview of Rules and Policies' and 'Creating and Modifying Network Policies'.

General Settings
Action: Define the action the firewall will take when the conditions of the rule are met. Options available via the drop down menu are 'Allow', 'Block' or 'Ask'.
Protocol: Allows the user to specify which protocol the data packet should be using. Options available via the drop down menu are 'TCP', 'UDP', 'TCP or UDP', 'ICMP' or 'IP' (note: your choice here alters the choices available to you in the tab structure on the lower half of the interface)
Direction: Allows the user to define which direction the packets should be traveling. Options available via the drop down menu are 'In', 'Out' or 'In/Out'
Log as a firewall event if this rule is fired: Checking this option will create an entry in the firewall event log viewer whenever this rule is called into operation (i.e. when ALL conditions have been met).
Description: Allows you to type a friendly name for the rule. Some users find it more intuitive to name a rule by its intended purpose ('Allow Outgoing HTTP requests'). If you create a friendly name, then this will be displayed instead of the full actions/conditions in the main Application Rules Interface and the Application Network Access Control interface.

'TCP' or 'UDP' or 'TCP or UDP'
If you select 'TCP' or 'UDP' or 'TCP or UDP' as the Protocol for your network, then you will have to define the source and destination IP addresses and ports receiving and sending the information.
Source Address and Destination Address:
1. You can choose any IP Address by selecting 'Any'. This menu defaults to an IP range of 0.0.0.0-255.255.255.255 to allow connection from all IP addresses.
2. You can choose a Single IP address by selecting 'Single IP' and entering the IP address in the IP address text box, e.g., 192.168.200.113.
3. You can choose an 'IP Range' by selecting IP Range - for example the range in your private network and entering the IP addresses in the Start Range and End Range text boxes.
4. You can choose 'IP Mask' by selecting IP Mask. IP networks can be divided into smaller networks called subnetworks (or subnets). An IP address/Mask is a subnet defined by IP address and mask of the network. Enter the IP address and Mask of the network.
5. You can choose an entire network zone by selecting 'Zone'. This menu defaults to Local Area Network. But you can also define your own zone by first creating a Zone through the 'My Network Zones' area.
6. You can choose a named host by selecting a 'Host Name' which denotes your IP address.
7. You can choose a MAC Address by selecting MAC Address and entering the address in the address text box.
Exclude (i.e. NOT the choice below)
The opposite of what you specify is applicable. For example, if you are creating an 'Allow' rule and you check the 'Exclude' box in the 'Source IP' tab and enter values for the IP range, then that IP range will be excluded. You will have to create a separate 'Allow' rule for the range of IP addresses that you DO want to use.
1. You can choose any port number by selecting 'Any' - set by default, 0-65535.
2. You can choose a Single Port number by selecting 'Single Port' and selecting the single port numbers from the list.
3. You can choose a Port Range by selecting 'Port Range' and selecting the port numbers from the From and To list.
4. You can choose a predefined Port Set by choosing 'A Set of Ports'. If you wish to create a port set then please see the section 'My Port Sets'.
ICMP
When you select ICMP as the protocol in General Settings, you will be shown a list of ICMP message type in the 'ICMP Details' tab alongside the Source Address and Destination Address tabs. The last two tabs are configured identically to the explanation above. You will not see the source and destination port tabs.
ICMP Details
ICMP (Internet Control Message Protocol) packets contain error and control information which is used to announce network errors, network congestion, timeouts, and to assist in troubleshooting. It is used mainly for performing traces and pings. Pinging is frequently used to perform a quick test before attempting to initiate communications. If you are using or have used a peer-to-peer file-sharing program, you might find yourself being pinged a lot. So you can create rules to allow / block specific types of ping requests. With Comodo Firewall Pro you can create rules to allow / deny inbound ICMP packets that provide you with information and minimize security risk.
1. Type in the source / destination IP address. Source IP is the IP address from which the traffic originated and destination IP is the IP address of the computer that is receiving packets of information.
2. Specify ICMP Message, Types and Codes. An ICMP message includes a Message that specifies the type, that is, the format of the ICMP message. When you select a particular ICMP message, the menu defaults to set its code and type as well. If you select the ICMP message type 'Custom' then you will be asked to specify the code and type.
3. If you want to be alerted when this rule is met, check the box 'Create an alert when this rule is fired'.

IP
When you select IP as the protocol in General Settings, you will be shown a list of ICMP message type in the 'ICMP Details' tab alongside the Source Address and Destination Address tabs. The last two tabs are configured identically to the explanation above. You will not see the source and destination port tabs.
IP Details
Select the types of IP protocol that you wish to allow. The IP protocols listed are ICMP (Internet Control Message Protocol), IGMP (Internet Group Management Protocol), GGP (Gateway-to-Gateway Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and PUP (Parc Universal Packet).
Global Rules
Unlike application rules, which are applied to and triggered by traffic relating to a specific application, Global Rules are applied to ALL traffic traveling in and out of your computer.
Comodo Firewall Pro analyses every packet of data in and out of your PC using a combination of Application and Global Rules. For Outgoing connection attempts, the application rules are consulted first and the global rules second. For Incoming connection attempts, the global rules are consulted first and the application rules second.
Therefore, outgoing traffic has to 'pass' both the application rule then any global rules before it is allowed out of your system. Similarly, incoming traffic has to 'pass' any global rules first then application specific rules that may apply to the packet. Global Rules are mainly, but not exclusively, used to filter incoming traffic for protocols other than TCP or UDP.
The configuration of Global Rules is identical to that for application rules. To add a global rule, click the 'Add...' button on the right. To edit an existing global rule, right click and select 'edit'.
See Application Network Access Control interface for an introduction to the rule setting interface.
See Understanding Network Control Rules for an overview of the meaning, construction and importance of individual rules.
See Adding and Editing a Network Control Rule for an explanation of individual rule configuration.
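The evaluation order described above (the first matching rule in a list wins; application rules then global rules for outgoing traffic, the reverse for incoming) can be modelled in a few lines. This is an added example, not Comodo's code: the application names, addresses and rules are constructed, the 'Ask' action is left out, and letting a packet that matches no global rule pass the global stage is an assumption the guide does not state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    app: str                      # application sending or receiving the packet
    protocol: str                 # "TCP", "UDP" or "ICMP"
    direction: str                # "In" or "Out"
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "Allow" or "Block" ("Ask" is not modelled)
    protocol: str                 # "TCP", "UDP", "TCP or UDP" or "ICMP"
    direction: str                # "In", "Out" or "In/Out"
    src_net: str = "0.0.0.0/0"    # default corresponds to 'Any'
    dst_net: str = "0.0.0.0/0"
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = 'Any'

    def matches(self, pkt: Packet) -> bool:
        """IF part of the rule: every condition must hold for the packet."""
        if pkt.protocol not in self.protocol.split(" or "):
            return False
        if pkt.direction not in self.direction.split("/"):
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.dst_ports is not None:
            low, high = self.dst_ports
            if pkt.dst_port is None or not low <= pkt.dst_port <= high:
                return False
        return True


def first_match(rules, pkt):
    """Rules are ordered; the one nearest the top that matches is applied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def decide(pkt, app_policies, global_rules):
    """Return (verdict, stage that decided)."""
    stages = [("application", app_policies.get(pkt.app, ())),
              ("global", global_rules)]
    if pkt.direction == "In":
        stages.reverse()          # incoming: global rules are consulted first
    for stage, rules in stages:
        rule = first_match(rules, pkt)
        if rule is None:
            if stage == "application":
                # Guide: no corresponding rule means the connection is blocked.
                return "Block", "application (no rule)"
            continue              # assumption: no global match passes the stage
        if rule.action == "Block":
            return "Block", stage
    return "Allow", "all stages passed"


# Constructed sample policies (hypothetical applications and networks).
APP_POLICIES = {
    "opera.exe": [
        Rule("Allow", "TCP", "Out", dst_ports=(80, 80)),
        Rule("Allow", "TCP", "Out", dst_ports=(443, 443)),
        Rule("Allow", "UDP", "Out", dst_ports=(53, 53)),
        Rule("Block", "TCP or UDP", "In/Out"),
    ],
    "fileserver.exe": [
        Rule("Allow", "TCP", "In", src_net="192.168.1.0/24", dst_ports=(8080, 8080)),
        Rule("Block", "TCP or UDP", "In/Out"),
    ],
}
GLOBAL_RULES = [
    Rule("Block", "TCP or UDP", "Out", dst_net="203.0.113.0/24"),
    Rule("Block", "ICMP", "In"),
]

if __name__ == "__main__":
    pkt = Packet("opera.exe", "TCP", "Out", "192.168.1.5", "203.0.113.9", 443)
    print(decide(pkt, APP_POLICIES, GLOBAL_RULES))
```

Moving the catch-all 'Block' rule to the top of a policy changes every verdict for that application, which is why the guide stresses rule order.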
To view or edit an existing predefined policy:
- Double click on the Policy Name in the list
- Select the Policy Name in the list, right-click and choose 'Edit'
- Select the Policy Name and click the 'Edit...' button on the right
To add a new predefined policy, click the 'Add...' button. This will launch the policy creation dialog shown below.
As this is a new predefined policy, you will need to name it in the text field at the top. It is advised that you choose a name that accurately describes the category/type of application you wish to define policy for. Next you should add and configure the individual rules for this policy. See 'Adding and Editing a Network Control Rule' for more advice on this. Once created, this policy can be quickly called as a 'Predefined Policy' when creating or modifying a network policy.
TCP Flood / UDP Flood / ICMP Flood
Flood attacks happen when thousands of packets of data are sent from a spoofed IP source address to a victim's machine. The victim's machine automatically sends back a response to these requests (a SYN packet) and waits for an acknowledgment (an ACK packet). But, because they were "sent" from a spoofed IP address, the victim's machine will never receive any responses/acknowledgment packets. This results in a backlog of unanswered requests that begins to fill up the victim's connection table. When the connection table is full, the victim's machine will refuse to accept any new connections - which means your computer will no longer be able to connect to the internet, send email, use FTP services etc. When this is done multiple times from multiple sources it floods the victim machine, which has a limit of unacknowledged responses it can handle, and may cause it to crash.
By default, Comodo Firewall Pro is configured to accept traffic using TCP, UDP and ICMP protocols at a maximum rate of packets per second for a set duration of time. The defaults for all three protocols are set at 20 packets per second for a continuous duration of 20 seconds. The number of packets per second and the maximum duration that the firewall should accept packets at this rate can be reconfigured to the user's preference by altering the appropriate field. If these thresholds are exceeded, a DOS attack is detected and the Firewall goes into emergency mode.
The firewall will stay in emergency mode for the duration set by the user. By default this is set at 120 seconds. Users can alter this time length to their own preference by configuring 'How long should the firewall stay in emergency mode while the host is under DOS attack?' In emergency mode, all inbound traffic is blocked except for previously established and active connections. However, all outbound traffic is still allowed.
Users also have the option to configure how long to block incoming traffic from a host suspected of perpetrating a port scan. The default is 5 minutes. During this time, no traffic will be accepted from the host.

How long should a suspicious host be automatically blocked after it attempts a port scan?
If a port scan is detected, the Firewall identifies the host scanning your system as suspicious and automatically blocks it for a set period of time - by default 5 minutes. During these 5 minutes, the suspicious host cannot access the user's system but the user's system can access it.

How long should the firewall stay in emergency mode whilst the host is under DOS attack?
When a DOS is detected, the Firewall goes into emergency mode for a fixed period of time - set by default to 120 seconds. Users can configure the length of time to their own preferences.
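One reading of the flood thresholds and emergency mode described above, as an added sketch rather than Comodo's implementation. It assumes the rate is measured per whole second of inbound traffic for each protocol and that the caller says which connections are already established; the traffic generated by flood() and simulate() is constructed.

```python
from collections import defaultdict


class FloodGuard:
    """Rate/duration threshold with a timed emergency mode (guide defaults)."""

    def __init__(self, rate=20, duration=20, emergency=120):
        self.rate = rate              # packets per second tolerated
        self.duration = duration      # consecutive seconds above the rate
        self.emergency = emergency    # seconds spent in emergency mode
        self.emergency_until = 0.0
        self.established = set()
        # per protocol: [second being counted, packets in it, hot seconds in a row]
        self._state = defaultdict(lambda: [None, 0, 0])

    def mark_established(self, conn):
        self.established.add(conn)

    def in_emergency(self, now):
        return now < self.emergency_until

    def _count_inbound(self, now, proto):
        st = self._state[proto]
        sec = int(now)
        if st[0] is None:
            st[0] = sec
        if sec != st[0]:
            # The previous one-second bucket is complete: was it over the rate?
            st[2] = st[2] + 1 if st[1] > self.rate else 0
            if sec > st[0] + 1:
                st[2] = 0             # quiet seconds in between break the run
            st[0], st[1] = sec, 0
            if st[2] >= self.duration:
                self.emergency_until = now + self.emergency
                st[2] = 0
        st[1] += 1

    def handle(self, now, proto, direction, conn):
        """Return 'allow' or 'block' for one packet seen at time `now`."""
        if direction == "Out":
            return "allow"            # outbound is still allowed in emergency mode
        self._count_inbound(now, proto)
        if self.in_emergency(now) and conn not in self.established:
            return "block"            # only established connections get through
        return "allow"


def flood(guard, start, seconds, pps=50, proto="TCP"):
    """Feed constructed inbound packets from many sources; return verdicts."""
    verdicts = {}
    for s in range(start, start + seconds):
        for i in range(pps):
            conn = ("203.0.113.%d" % (i % 250 + 1), 1024 + s, 80)
            verdicts[(s, i)] = guard.handle(s + i / pps, proto, "In", conn)
    return verdicts


def simulate():
    guard = FloodGuard()
    legit = ("198.51.100.10", 443, 50000)     # constructed established connection
    guard.mark_established(legit)
    newcomer = ("198.51.100.99", 40000, 80)
    seen = flood(guard, start=1, seconds=30)  # 50 pps for 30 s, above 20 pps
    return {
        "emergency_until": guard.emergency_until,
        "last_before_trigger": seen[(20, 49)],
        "first_after_trigger": seen[(21, 0)],
        "established_inbound": guard.handle(100.0, "TCP", "In", legit),
        "new_inbound": guard.handle(100.5, "TCP", "In", newcomer),
        "outbound": guard.handle(101.0, "TCP", "Out", newcomer),
        "after_expiry": guard.handle(141.0, "TCP", "In", newcomer),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```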
Protect the ARP Cache
Checking this option means Comodo Firewall Pro will start performing stateful inspection of ARP (Address Resolution Protocol) connections. This will block spoof ARP requests and protect your computer from ARP cache poisoning attacks.
The ARP Cache (or ARP Table) is a record of IP addresses stored on your computer that is used to map IP addresses to MAC addresses. Stateful inspection involves the analysis of data within the lowest levels of the protocol stack and comparing the current session to previous ones in order to detect suspicious activity.
Background - Every device on a network has two addresses: a MAC (Media Access Control) address and an IP (Internet Protocol) address. The MAC address is the address of the physical network interface card inside the device, and never changes for the life of the device (in other words, the network card inside your PC has a hardcoded MAC address that it will keep even if you install it in a different machine). On the other hand, the IP address can change if the machine moves to another part of the network or the network uses DHCP to assign dynamic IP addresses. In order to correctly route a packet of data from a host to the destination network card it is essential to maintain a record of the correlation between a device's IP address and its MAC address. The Address Resolution Protocol performs this function by matching an IP address to its appropriate MAC address (and vice versa). The ARP cache is a record of all the IP and MAC addresses that your computer has matched together.
Hackers can potentially alter a computer's ARP cache of matching IP/MAC address pairs to launch a variety of attacks including Denial of Service attacks, Man in the Middle attacks, MAC address flooding and ARP request spoofing. It should be noted that a successful ARP attack is almost always dependent on the hacker having physical access to your network or direct control of a machine on your network - therefore this setting is of more relevance to network administrators than home users.

Block gratuitous ARP frames
A gratuitous ARP frame is an ARP Reply that is broadcast to all machines in a network and is not in response to any ARP Request. When an ARP Reply is broadcast, all hosts are required to update their local ARP caches, whether or not the ARP Reply was in response to an ARP Request they had issued. Gratuitous ARP frames are important as they update your machine's ARP cache whenever there is a change to another machine on the network (for example, if a network card is replaced in a machine on the network, then a gratuitous ARP frame will inform your machine of this change and request to update your ARP cache so that data can be correctly routed). Enabling this setting will block such requests - protecting the ARP cache from potentially malicious updates.

'Miscellaneous' tab
Block fragmented IP Datagrams
When a connection is opened between two computers, they must agree on a Maximum Transmission Unit (MTU). IP Datagram fragmentation occurs when data passes through a router with an MTU less than the MTU you are using, i.e. when a datagram is larger than the MTU of the network over which it must be sent, it is divided into smaller 'fragments' which are each sent separately. Fragmented IP packets can create threats similar to a DOS attack. Moreover, these fragmentations can double the amount of time it takes to send a single packet and slow down your download time. Comodo Firewall Pro is set by default to block fragmented IP datagrams, i.e. the option 'Block Fragmented IP datagrams' is checked by default.
Do Protocol Analysis
Protocol Analysis is key to the detection of fake packets used in denial of service attacks. Checking this option means Comodo Firewall Pro checks that every packet conforms to that protocol's standards. If not, then the packets are blocked.
Do Packet Checksum Verification
Every packet of data sent to your machine has a signature attached. With this option enabled, Comodo Firewall Pro will recalculate the checksum of the incoming packet and compare this against the checksum stated in the signature. If the two do not match then the packet has been altered since transmission and Comodo Firewall Pro will block it. Although this feature has security benefits it is also very resource intensive and your internet connection speed may take a large hit if checksum verification is performed on each packet. This feature is intended for use by advanced users and Comodo advise most home users not to enable this feature.
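The recalculate-and-compare step described above, as an added example that is not Comodo's implementation. It is shown for the IPv4 header checksum and the UDP checksum (RFC 1071, RFC 768); the guide does not say which checksums the firewall verifies, so that choice, the function names and the sample packet are assumptions.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IPv4, UDP, TCP and ICMP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                        # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Value a sender stores in the checksum field (field zeroed while computing)."""
    return ~ones_complement_sum(data) & 0xFFFF


def ipv4_header_ok(packet: bytes) -> bool:
    """A valid header, summed together with its stored checksum, folds to 0xFFFF."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4               # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return False
    return ones_complement_sum(packet[:ihl]) == 0xFFFF


def udp_checksum_ok(packet: bytes, accept_missing: bool = False) -> bool:
    """Verify the UDP checksum, which also covers a pseudo-header of IP fields."""
    if not ipv4_header_ok(packet) or packet[9] != 17:
        return False
    segment = packet[(packet[0] & 0x0F) * 4:]
    if len(segment) < 8:
        return False
    length = struct.unpack("!H", segment[4:6])[0]
    if length < 8 or length > len(segment):    # truncated or inconsistent length
        return False
    segment = segment[:length]
    if segment[6:8] == b"\x00\x00":            # sender did not compute a checksum
        return accept_missing
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 17, length)
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a sample IPv4/UDP packet with correct checksums (test input only)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    length = 8 + len(payload)
    pseudo = s + d + struct.pack("!BBH", 0, 17, length)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = internet_checksum(pseudo + udp) or 0xFFFF   # a computed 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + length, 0, 0x4000, 64, 17, 0, s, d)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + udp


def flip_bit(packet: bytes, index: int) -> bytes:
    """Return a copy with one bit changed, standing in for in-transit alteration."""
    altered = bytearray(packet)
    altered[index] ^= 0x01
    return bytes(altered)
```

These checksums catch corruption and careless modification only; a sender who alters a packet can recompute them, so a match is not evidence of authenticity.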
Monitor other NDIS protocols than TCP/IP
This will force Comodo Firewall Pro to capture the packets belonging to any protocol driver other than TCP/IP. Trojans can potentially use their own protocol driver to send/receive packets. This option is useful to catch such attempts. This option is disabled by default because it can reduce system performance and may be incompatible with some protocol drivers.
Block All Mode: The firewall blocks all traffic in and out of your computer regardless of any user-defined configuration and rules. The firewall will not attempt to learn the behavior of any applications and will not automatically create traffic rules for any applications. Choosing this option will effectively prevent your computer from accessing any networks, including the internet.
Custom Policy Mode: The firewall applies ONLY the custom security configurations and network traffic policies specified by the user. New users may want to think of this as the 'Do Not Learn' setting because the firewall will not attempt to learn the behavior of any applications. Nor will it automatically create network traffic rules for those applications. You will receive alerts every time there is a connection attempt by an application - even for applications on the Comodo Safe list (unless, of course, you have specified rules and policies that instruct the firewall to trust the application's connection attempt). If an application tries to make a connection to the outside, the firewall audits all the loaded components and checks each against the list of components already allowed or blocked. If a component is found to be blocked, the entire application is denied internet access and an alert is generated. This setting is advised for experienced firewall users that wish to maximize the visibility and control over traffic in and out of their computer.
Safe mode: While filtering network traffic, the firewall will automatically create rules that allow all traffic for the components of applications certified as 'Safe' by Comodo. For non-certified new applications, you will receive an alert whenever that application attempts to access the network. Should you choose, you can grant that application internet access by choosing 'Treat this application as a Trusted Application' at the alert. This will deploy the predefined firewall policy 'Trusted Application' onto the application. 'Safe mode' is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of connection alerts.
Training Mode: The firewall will monitor network traffic and create automatic allow rules for all new applications until the security level is adjusted. You will not receive any alerts in 'Training Mode'. If you choose the 'Training Mode' setting, we advise that you are 100% sure that all applications installed on your computer are assigned the correct network access rights.
Tip: Use this setting temporarily while playing an online game for the first time. This will suppress all alerts while the firewall learns the components of the game that need internet access and automatically creates 'allow' rules for them. Afterwards you can switch back to your previous mode.
Disabled: Disables the firewall and makes it inactive. All incoming and outgoing connections are allowed irrespective of the restrictions set by the user. Comodo strongly advise against this setting unless you are sure that you are not currently connected to any local or wireless networks.

Keep an alert on screen for maximum (n) seconds
Determines how long the Firewall will show an alert for without any user intervention. By default, the timeout is set at 120 seconds. You may adjust this setting to your own preference.

'Alert Settings' tab
Users can configure the amount of alerts that Comodo Firewall Pro generates using the slider on this tab. Raising or lowering the slider will change the amount of alerts accordingly. It should be noted that this does not affect your security, which is determined by the rules you have configured (for example, in 'Network Security Policy'). For the majority of users, the default setting of 'Low' is the perfect level - ensuring you are kept informed of connection attempts and suspicious behaviors whilst not overwhelming you with alert messages. The Alert Frequency settings refer only to connection attempts by applications or from IP addresses that you have not (yet) decided to trust. For example, you could specify a very high alert frequency level, but will not receive any alerts at all if you have chosen to trust the application that is making the connection attempt.
Very High: The firewall will show separate alerts for outgoing and incoming connection requests for both TCP and UDP protocols on specific ports and for specific IP addresses, for an application. This setting provides the highest degree of visibility to inbound and outbound connection attempts but leads to a proliferation of firewall alerts. For example, using a browser to connect to your internet home-page may generate as many as 5 separate alerts for an outgoing TCP connection alone.
High: The firewall will show separate alerts for outgoing and incoming connection requests for both TCP and UDP protocols on specific ports for an application.
Medium: The firewall will show alerts for outgoing and incoming connection requests for both TCP and UDP protocols for an application.
Low: The firewall will show alerts for outgoing and incoming connection requests for an application. This is the setting recommended by Comodo and is suitable for the majority of users.
Very Low: The firewall will show only one alert for an application.
Checkboxes
Enable Alerts for TCP Requests / Enable Alerts for UDP Requests / Enable Alerts for ICMP Requests - In conjunction with the slider, these checkboxes allow you to fine-tune the number of alerts you see according to protocol.
Column Descriptions
1. Application - indicates which application or process propagated the event. If the application has no icon, the default system icon for executable files will be used.
2. Action - indicates how the firewall reacted to the connection attempt.
3. Protocol - represents the protocol the application attempted to use to create the connection. This is usually TCP/IP or UDP - which are the most heavily used networking protocols.
4. Source IP - States the IP address of the host that made the connection attempt.
5. Source Port - States the port number on the host at the source IP which was used to make this connection attempt.
6. Destination IP - States the IP address of the host to which the connection attempt was made. This is usually the IP address of your computer.
7. Destination Port - States the port number on the host at the destination IP to which the connection attempt was made. This usually indicates the port number on your computer.
8. Date/Time - contains precise details of the date and time of the connection attempt.

'Refresh' - reloads and updates the displayed list to include all events generated since the time you first accessed the 'Firewall Events' area.
'More ...' - clicking this button loads the full Comodo Firewall Pro Log Viewer module. See below for more details on this module.

Log Viewer Module
This area contains a full history of logged events for both the Firewall and Defense+ modules. It also allows you to build custom log files based on specific filters and to export log files for archiving or troubleshooting purposes.
The Log Viewer Module is divided into two sections. The left hand panel displays a set of handy, pre-defined time Filters for both the Firewall and Defense+ event log files. The right hand panel displays the actual events that were logged for the time period you selected in the left hand panel (or the events that correspond to the filtering criteria you selected).

Filtering Log Files
Comodo Firewall allows you to create custom views of all logged events according to user defined criteria.

Preset Time Filters:
Clicking on any of the preset filters in the left hand panel will alter the display in the right hand panel in the following ways:
Today - Displays all logged events for today.
This Week - Displays all logged events during the past 7 days.
This Month - Displays all logged events during the past 30 days.
All the Times - Displays every event logged since Comodo Firewall Pro was installed. (If you have cleared the log history since installation, this option shows all logs created since that clearance).
The example below shows an example display when the Defense+ Logs for 'Today' are displayed.
Note: The type of events logged by the 'Firewall' component of Comodo Firewall Pro differ to those logged by Defense+ component. This means the information and the columns displayed in the right hand panel will change depending on which type of log you have selected in the left hand panel. For more details on the data shown in the columns, see either View Firewall Events or View Defense+ Events.

User Defined Filters:
Having chosen a preset time filter from the left hand panel, you can further refine the displayed events according to specific filters. The type of filters available for Firewall logs differ to those available for Defense+ logs. The table below provides a summary of available filters and their meanings:

Firewall Filters
Date - displays only the events between two user defined dates
Application Name - displays only the events propagated by a specific application
Protocol - displays only the events that involved a specific protocol
Source IP address - displays only the events that originated from a specific IP address
Source Port - displays only the events that originated from a specific port number
Destination IP address - displays only the events with a specific target IP address
Destination Port - displays only the events with a specific target port number
Action - displays events according to the response (or action taken) by the firewall. Choices are "Blocked", "Allowed" and "Unknown"

Defense+ Filters
Date - displays only the events between two user defined dates
Application Name - displays only the events propagated by a specific application
Target Name - displays only the events that involved a specified target application
Action - displays events according to the response (or action taken) by the firewall.
You can access the user defined filters in two ways -
(i) Filter Menu - access by clicking 'Filter > Firewall Logs / Defense+ Logs > Filter By...'
(ii) Context Sensitive Menu - right clicking on any event will also allow you to specify the additional filters
Exporting Log Files to HTML
Exporting log files is useful for archiving and troubleshooting purposes. There are two ways to export log files using Log Viewer interface - using the context sensitive menu and via the 'File' menu option. After making your choice, you will be asked to specify a name for the exported html file and the location you wish to save to.
(i) File Menu
Firewall Logs - will export the Firewall log that is currently being displayed in the right hand panel (e.g. if you have selected 'This week' in the Firewall tree then that is the log file that will be exported)
Defense+ Logs - will export the Defense+ log that is currently being displayed in the right hand panel
All - will export ALL logs for ALL TIME for both Defense+ and Firewall as a single html file.
(ii) Context Sensitive Menu - right click in the log display window to export the currently displayed log file to html.
You can export a custom view that you created using the available Filters by right clicking and selecting 'Export To HTML' from the context sensitive menu. Again, you will be asked to provide a filename and save location for the file.
Advanced users can reconfigure the parameters of this rule in the section 'Network Security Policy'.
To begin defining a new trusted application:
1. Click on the 'Define a New Trusted Application' link in Firewall Tasks > Common Tasks.
2. A dialog box will appear asking you to select the application you want to trust.
4. You now have 3 methods available to choose the application that you want to trust - 'File Groups', 'Running Processes' and 'Browse...' (to application).
File Groups - choosing this option allows you to choose your application from a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create an allow rule for any file that attempts to connect to the internet with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl . Other such categories available include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc - each of which provide a fast and convenient way to batch select important files and folders. To view the file types and folders that will be affected by choosing one of these options, you need to visit the Defense+ area of Comodo Firewall Pro by navigating to: Defense+ > My Protected Files > Groups...
Running Processes - as the name suggests, this option allows you to choose the target application from a list of processes that are currently running on your PC.
Browse... (to application) - this option is the easiest for most users and simply allows you to browse to the location of the application which you want to trust.
5. When you have chosen the application using one of the methods above, the application name will appear along with its location:
Click Apply to confirm your choice. The new 'ALLOW ALL REQUESTS' rule for the application takes effect immediately. When this application seeks internet access Comodo Firewall Pro will automatically grant it.
Advanced users can view and edit the parameters of this new rule in 'Network Security Policy' (for example, if you later realize that a program really ought to be allowed some level of internet access).
To begin defining a new blocked application:
1. Click the 'Define a New Blocked Application' link in Firewall Tasks > Common Tasks.
2. A dialog box will appear asking you to select the application that you want to be blocked:
4. You now have 3 methods available to choose the application that you want to block - 'File Groups', 'Running Processes' and 'Browse...' (to application).
File Groups - choosing this option allows you to choose your application from a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create a block rule for any file that attempts to connect to the internet with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl . Other such categories available include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc - each of which provide a fast and convenient way to batch select important files and folders. To view the file types and folders that will be affected by choosing one of these options, you need to visit the Defense+ area of Comodo Firewall Pro by navigating to: Defense+ > My Protected Files > Groups...
Running Processes - as the name suggests, this option allows you to choose the target application from a list of processes that are currently running on your PC.
Browse... (to application) - this option is the easiest for most users and simply allows you to browse to the location of the application which you want to block.
5. When you have chosen the application using one of the methods above, the application name will appear along with its location:
Click Apply to confirm your choice. The new block and log rule for the application takes effect immediately. When this application seeks internet access Comodo Firewall Pro will automatically deny it and record an entry in the View Firewall Events interface.
Click the option you would like more details on:
Define a new trusted network - stealth my ports to EVERYONE else
Alert me to incoming connections - stealth my ports on a per-case basis
Define a new trusted network - stealth my ports to EVERYONE else
Selecting this option means your machine's ports will be stealthed (invisible) to everyone EXCEPT those networks that you specify as trusted. To begin the wizard, click the 'Next' button. A dialog box will appear asking you to choose the new trusted zone:
If you have already configured a network zone then leave the upper option selected and choose your desired network from the 'Zone Name' drop down box and click 'Finish'. If you have not yet defined a zone you wish to trust, you can do so in the 'My Network Zones' area of the firewall.
To manually define and trust a new zone from this dialog box, check the box 'I would like to define a new network'
Enter the IP range for the zone for which you want your computer to be visible - starting from the Start IP to the End IP (or specify a Subnet Mask). Click 'Finish' to create the new Zone rule.
If you wish to add more than one zone, simply repeat this wizard. Using the 'Define a new trusted network - stealth my ports to EVERYONE else' option will create a new trusted zone by adding the following rules in the 'Global Rules' interface:
The specific parameters of the descriptive rule name above are:
Allow | IP | Out | From Any IP Address | To <ZONE> | Where Protocol is ANY
Allow | IP | In | From <ZONE> | To Any IP Address | Where Protocol is ANY
If you would like more information on the meaning and construction of rules, please click here.

Alert me to incoming connections - stealth my ports on a per-case basis
You will see a firewall alert every time there is a request for an incoming connection. The alert will ask your permission on whether or not you wish the connection to proceed. This can be useful for applications such as Peer to Peer networking and Remote desktop applications that require port visibility in order to connect to your machine. Specifically, this option will add the following rule in the 'Global Rules' interface:
Block | ICMP | In | From Any IP Address | To Any IP Address | Where Message is ECHO REQUEST
If you would like more information on the meaning and construction of rules, please click here.

Block all incoming connections - stealth my ports to everyone
Selecting this option means your computer's ports are invisible to all networks, irrespective of whether you trust them or not. The average home user (using a single computer that is not part of a home LAN) will find this option the most convenient and secure. You will not be alerted when the incoming connection is blocked, but the rule will add an entry in the firewall event log file. Specifically, this option will add the following rule in the 'Global Rules' interface:
Block And Log | IP | In | From Any IP Address | To Any IP Address | Where Protocol is Any
If you would like more information on the meaning and construction of rules, please click here.
Column Description:
1. Protocol - Shows the application that is making the connection, the protocol it is using and the direction of the traffic. Each application may have more than one connection at any time.
2. Source (IP : Port) - The source IP Address and source port that the application is connecting through. If the application is waiting for communication and the port is open, it is described as "Listening".
3. Destination (IP : Port) - The destination IP Address and destination port that the application is connecting to. This will be blank if the 'Source' column is 'Listening'.
4. Bytes In - Represents the total bytes of incoming data since this connection was first allowed
5. Bytes Out - Represents the total bytes of outgoing data since this connection was first allowed
Context Sensitive Menu
Right click on items in the list to see the context sensitive menu.
If you wish to view the full path of the application, right click on the application name and select 'Show Full Path'. If you wish to terminate a connection belonging to an application, right click on the specific connection and click 'Terminate Connection'.
The name of the port set is listed above the actual port numbers that belong to that set. The default port sets shipped with Comodo Firewall are:
HTTP Ports: 80 and 443. These are the default ports for http traffic. Your internet browser will use these ports to connect to the internet and other networks.
POP3/SMTP Ports: 110, 25, 143, 995, 465. These are the ports that are typically used by mail clients like Outlook Express and WinMail for communication using the POP3, SMTP and IMAP protocols.
Privileged Ports: 0-1024 - This set can be deployed if you wish to create a rule that allows or blocks access to the privileged port range of 0-1024. Privileged ports are so called because it is usually desirable to prevent users from running services on these ports. Network admins usually reserve or prohibit the use of these ports.
To add a new port set, you need to:
(i) Define a name for the set
(ii) Select the port numbers you want to belong to this named set

Define a name for the set - Click the 'Add...' button on the right hand side and select 'A New Port Set...' from the drop down menu:
Next type a name for the port set. In the example below, we have chosen to name our port set 'A test port set'
Click Apply. The new port set will appear in the main port set list:
Select the port numbers you want to belong to this named set - Right click on the name of the new port set and select 'Add...' from the menu:
Specify 'Any' to choose all ports, specify a single port or define a port range by typing the start and end port numbers. Click Apply to commit your choice. If you wish to add more ports to this set then repeat the process from 'Select the port numbers you want to belong to this named set'
To edit the name of an existing port set - select the name of the set in the list (e.g. HTTP Ports) and click 'Edit...' to bring up the naming dialog.
To add port numbers to an existing port set - right click on the set name and click 'Add...' as shown earlier OR select the port set name, click the 'Add...' button on the right and select 'A new port' from the drop down menu.
To modify or change the existing port numbers in a port set - right click on the port number you wish to change and select 'Edit...' OR select the actual port number (not the port set name) and click the 'Edit...' button on the right.
When defining or modifying a network control rule, any port sets listed in this interface, including any new ones you create, will be available for selection and deployment in the 'Source Port' and 'Destination Port' tabs by selecting 'A set of Ports':
To access the 'My Network Zone' interface (above), click on 'My Network Zones' in Firewall Tasks > Common Tasks
Note 1: Adding a zone to this area does not, in itself, define any permission levels or access rights to the zone. This area allows to define the zones so you can quickly assign such permissions in other areas of the firewall.
Note 2: A network zone can be designated as 'Trusted' and allowed access by using the 'Stealth Ports Wizard' (An example would be your home computer or network)
Note 3: A network zone can be designated as 'Blocked' and denied access by using the 'My Blocked Network Zones' interface. (An example would be a known spyware site)
Note 4: An application can be assigned specific access rights to and from a network zone when defining an Application Rule. Similarly, a custom Global Rule can be assigned to a network zone to all activity from a zone.
Note 5: By default, Comodo Firewall Pro will automatically detect any new networks (LAN, Wireless etc). This can be disabled in the Miscellaneous - Settings area of the firewall.

To add a New Network Zone, you need to
(i) Define a name for the zone
(ii) Select the addresses to be included in this zone.
1. Define a name for the zone - Click the 'Add...' button on the right hand side and select 'A New Network Zone...' from the drop down menu:
2. A dialog box will appear asking you to specify the new zone's name. Choose a name that accurately describes the network you are creating.
3. Click Apply to confirm your zone name. This will add the name of your new zone to the My Network Zones list:
4. Next you have to select the addresses to be included in this zone. Right click on the name of the new zone and select 'Add...' from the menu:
5. The 'Add a New Address' dialog allows you to specify an address by typing an IP address, an IP range, an IP address mask, a host name or a MAC address.
Click 'Apply' to confirm your choice. The new zone will now appear in the main list along with the addresses you assigned to it. Once created, a network zone can be:
Quickly called as 'Zone' when creating or modifying a network policy
Quickly called and designated as a trusted zone from the 'Stealth Ports Wizard' interface
Quickly called and designated as a blocked zone from the 'My Blocked Network Zones' interface
To edit the name of an existing Network Zone - select the name of the zone in the list (e.g. home) and select 'Edit...' to bring up the naming dialog.
To add more addresses to an existing Network Zone - right click on the zone name and click 'Add...' as shown earlier OR select the zone name, click the 'Add...' button on the right and select 'A New Address...' from the drop down menu.
To modify or change the existing address in a zone - right click on the address (not the zone name) and select 'Edit...' OR select the actual address (not the zone name) and click the 'Edit...' button on the right.
'My Blocked Network Zones' can be accessed by navigating to 'Firewall Tasks > Common Tasks > My Blocked Network Zones'.
Note 1 - You must create a zone before you can block it. There are two ways to do this (i) Using 'My Network Zones' to name and specify the network you want to block (ii) Directly from this interface using 'New blocked address...'
Note 2 - You cannot reconfigure pre-existing network zones from this interface (e.g., to add or modify IP addresses). You need to use 'My Network Zones' if you want to change the settings of existing zones.

Deny access to a specific network by selecting a pre-existing network zone and designating it as blocked
Click the 'Add...' button at the top right and select 'Network Zones' then the particular zone you wish to block.
Click 'Apply' to confirm your choice. All traffic intended for and originating from computers or devices in this zone will now be blocked.
Deny access to a specific network by manually defining a new blocked zone
Click the 'Add...' button at the top right and select 'A New Blocked Address'. This will launch the following dialog where you can specify the IP address(es), IP Mask, Host Name or MAC address that you wish to block.
After clicking 'Apply' to confirm your choice, the address(es) you blocked will appear in the main interface. You can modify these addresses at any time by selecting the entry and clicking 'Edit'
Click 'Apply' to confirm your choice. All traffic intended for and originating from computers or devices in this zone will now be blocked.
Special Note: Creating a blocked network zone implements a 'block all' global rule for the zone in question. However, unlike when you create a 'Trusted Zone', this rule is not displayed or editable from the global rules tab of the Network Security Policy interface. This is because whereas you are likely to be trusting only a few zones, there is the potential that you will have to block many. The constant addition of such block rules would make the interface unmanageable for most users.
Advanced
'Advanced Tasks' enables more experienced users to define Defense+ security policy and settings at an in-depth, granular level. Click on the links below to see detailed explanations of each area in this section.
Computer Security Policy
Predefined Security Policies
Image Execution Control Settings
Defense+ Settings
Column Description:
1. Application - indicates which application or process propagated the event. If the application has no icon, the default system icon for executable files will be used.
2. Action - indicates the kind of action.
3. Target - represents the location of the target file.
4. Date/Time - contains precise details of the date and time of the access attempt.

'Refresh' - reloads and updates the displayed list to include all events generated since the time you first accessed the 'Defense+ Events' area.
'More ...' - clicking this button loads the full Comodo Firewall Pro Log Viewer module. See below for more details on this module.
Log Viewer Module
This area contains a full history of logged events for both the Firewall and Defense+ modules. It also allows you to build custom log files based on specific filters and to export log files for archiving or troubleshooting purposes.
The Log Viewer Module is divided into two sections. The left hand panel displays a set of handy, pre-defined time Filters for both the Firewall and Defense+ event log files. The right hand panel displays the actual events that were logged for the time period you selected in the left hand panel (or the events that correspond to the filtering criteria you selected).

Filtering Log Files
Comodo Firewall allows you to create custom views of all logged events according to user defined criteria.

Preset Time Filters:
Clicking on any of the preset filters in the left hand panel will alter the display in the right hand panel in the following ways:
Today - Displays all logged events for today.
This Week - Displays all logged events during the past 7 days.
This Month - Displays all logged events during the past 30 days.
All the Times - Displays every event logged since Comodo Firewall Pro was installed. (If you have cleared the log history since installation, this option shows all logs created since that clearance).
The example below shows an example display when the Defense+ Logs for 'Today' are displayed.
Note: The type of events logged by the 'Firewall' component of Comodo Firewall Pro differ to those logged by Defense+ component. This means the information and the columns displayed in the right hand panel will change depending on which type of log you have selected in the left hand panel. For more details on the data shown in the columns, see either View Firewall Events or View Defense+ Events.
User Defined Filters:
Having chosen a preset time filter from the left hand panel, you can further refine the displayed events according to specific filters. The type of filters available for Firewall logs differ to those available for Defense+ logs. The table below provides a summary of available filters and their meanings:
Firewall Filters
- Date - displays only the events between two user defined dates
- Application Name - displays only the events propagated by a specific application
- Protocol - displays only the events that involved a specific protocol
- Source IP address - displays only the events that originated from a specific IP address
- Source Port - displays only the events that originated from a specific port number
- Destination IP address - displays only the events with a specific target IP address
- Destination Port - displays only the events with a specific target port number
- Action - displays events according to the response (or action taken) by the firewall. Choices are 'Blocked', 'Allowed' and 'Unknown'
Defense+ Filters
- Date - displays only the events between two user defined dates
- Application Name - displays only the events propagated by a specific application
- Target Name - displays only the events that involved a specified target application
- Action - displays events according to the response (or action taken) by the firewall.
You can access the user defined filters in two ways -
(i) Filter Menu - access by clicking 'Filter > Firewall Logs / Defense+ Logs > Filter by...'
(ii) Context Sensitive Menu - right clicking on any event will also allow you to specify the additional filters
Exporting Log Files to HTML
Exporting log files is useful for archiving and troubleshooting purposes. There are two ways to export log files using Log Viewer interface - using the context sensitive menu and via the 'File' menu option. After making your choice, you will be asked to specify a name for the exported html file and the location you wish to save to.
(i) File Menu
- Firewall Logs - will export the Firewall log that is currently being displayed in the right hand panel (e.g. If you have selected 'This week' in the Firewall tree then that is the log file that will be exported)
- Defense+ Logs - will export the Defense+ log that is currently being displayed in the right hand panel
- All - will export ALL logs for ALL TIME for both Defense+ and Firewall as a single html file.
(ii) Context Sensitive Menu - right click in the log display window to export the currently displayed log file to html.
You can export a custom view that you created using the available Filters by right clicking and selecting 'Export To HTML' from the context sensitive menu. Again, you will be asked to provide a filename and save location for the file.
To manually add an individual file, file group or process, click the 'Add' button. Click here for a description of the choices available when selecting a file.
Exceptions
Users can choose to selectively allow another application (or file group) to modify a protected file by affording the appropriate Access Right in 'Computer Security Policy'. A simplistic example would be the imaginary file 'Accounts.xls'. You would want the Excel program to be able to modify this file as you are working on it, but you would not want it to be accessed by a potential malicious program. You would first add the spreadsheet to the 'My Protected Files' area by clicking the 'Add' button then 'Browse...' to 'Accounts.xls'. Once added to 'My Protected Files', you would go into 'Computer Security Policy' and create an exception for Excel so that it alone could modify 'accounts.xls'.
Another example of where protected files should be given selective access is the Windows system directory at 'c:\windows\system32'. Files in this folder should be off-limits to modification by anything except certain, Trusted, applications like Windows Updater Applications. In this case, you would add the directory c:\windows\system32\* to the 'My Protected Files' area (* = all files in this directory). Next go to 'Computer Security Policy', locate the file group 'Windows Updater Applications' in the list and follow the same process outlined above to create an exception for that group of executables.
The 'Groups...' button allows the user to access the 'My File Groups' interface:
File groups are handy, predefined groupings of one or more file types. Creating a file group allows you to quickly deploy a Computer Security Policy across multiple file types and applications. This interface allows you to:
- Create a new File Group by clicking the 'Add' button
- Edit the names of an Existing File Group or File by right-clicking and selecting the 'Edit' button
- Add a file to an existing file group by selecting the File Group name from the list then clicking 'Add > Select From >....'
- Re-assign files to another file group by dragging and dropping
Note: This area is for the creation and modification of file groups only. You will not be able to modify the security policy of any applications or files from here. To do that, you should use the Computer Security Policy interface or the Predefined Security Policy Interface.
To manually add an individual file, file group or process, click the 'Add' button. Click here for a description of the choices available when selecting a file.
Additionally, files can be transferred into the My Quarantined Files module using the 'Move to..' button in the 'My Pending Files' and 'My Own Safe Files' areas.
The 'Groups...' button allows the user to access the 'My File Groups' interface:
File groups are handy, predefined groupings of one or more file types. Creating a file group allows you to deploy a custom or predefined computer security policy across multiple file types and applications. The 'My File Groups' interface allows you to:
- Create a new File Group by clicking the 'Add' button
- Edit the names of an Existing File Group or File by right-clicking and selecting the 'Edit' button
- Add a file to an existing file group by selecting the File Group name from the list then clicking 'Add > Select From >....'
- Re-assign files to another file group by dragging and dropping
Note - This area is for the creation and modification of file groups only. You will not be able to modify the security policy of any applications or files from here. To do that, you should use the Computer Security Policy interface or the Predefined Security Policy Interface.
In order to access pending files, navigate to: Defense+ Tasks > Common Tasks > My Pending Files.
The 'Lookup...' button allows you to check for information on the files by consulting the master Comodo safelist. Select the file(s) you want to check and click the Lookup button. This will contact Comodo servers to conduct a search of Comodo's master safe list database to check if any information is available about the file in question. If no information is available, you are presented with the option to submit them to Comodo for analysis:
Clicking the "Submit" button will automatically begin the file submission process.
After sending the file to us, our developers will determine whether or not it represents a threat to your security. If it is found to be trustworthy, it will be added to the Comodo safelist. (See the section Submit Suspicious Files for more details on this.)
You can manually add files to the Pending Files list by clicking the 'Add..' button and either browsing to their location on your hard drive or selecting a running process:
The 'Move to...' option allows you to transfer the files out of the 'My Pending Files' area and into either the My Own Safe Files or My Quarantined Files areas of Defense+:
Files can also be transferred into this module by clicking the 'Move to...' button in the 'My Own Safe Files' area.
Click the 'Add' button to manually import files or processes into this area:
The 'Move to...' option allows you to transfer the selected files out of the 'My Own Safe Files' area and into either the My Pending Files or My Quarantined Files areas of Defense+:
The 'Lookup...' button allows you to check for information on the selected files by consulting the master Comodo safelist. This will contact Comodo servers to conduct a search of Comodo's master safe list database to check if any information is available about the file in question. If no information is available, you are presented with the option to submit them to Comodo for analysis:
Clicking the "Submit" button will automatically begin the file submission process. This is particularly useful in the case of 'My Own Safe Files' as it will allow the files you know to be safe to be added to the master Comodo safelist. This list will then be distributed to all other installations of the firewall and allow all users to trust these files.
Right click on any process to:
- Show the full path: Displays the location of the executable in addition to its name
- Terminate: Shuts down the currently selected process
- Terminate and quarantine: Shuts down the currently selected process and places the executable into the My Quarantined Files section of Defense+.
Click here to read background information on digitally signing software
Click here to learn how to Add / Define a user-trusted vendor
Background
Many software vendors digitally sign their software with a code signing certificate. This practice helps end-users to verify:
(i) Content Source: The software they are downloading and are about to install really comes from the publisher that signed it.
(ii) Content Integrity: That the software they are downloading and are about to install has not been modified or corrupted since it was signed.
In short, users benefit if software is digitally signed because they know who published the software and that the code hasn't been tampered with - that they are downloading and installing the genuine software.
The 'Vendors' that digitally sign the software to attest to its probity are the 3rd party software developers. These are the company names you see listed in the first column in the graphic above.
However, companies can't just 'sign' their own software and expect it to be trusted. This is why each code signing certificate is counter-signed by an organization called a 'Trusted Certificate Authority'. 'Comodo CA Limited' and 'Verisign' are two examples of Trusted CAs and are authorized to counter-sign 3rd party software. This counter-signature is critical to the trust process and a Trusted CA will only counter-sign a vendor's certificate after it has conducted detailed checks that the vendor is a legitimate company.
All files that are signed by the listed 'vendors' will be automatically trusted by the Defense+ module of Comodo Firewall Pro. (If you would like to read more about code signing certificates, see http://www.instantssl.com/code-signing/).
One way of telling whether an executable file has been digitally signed is checking the properties of the .exe file in question. For example, the main program executable for Comodo Firewall Pro is called 'cfp.exe' and has been digitally signed.
- Browse to the (default) installation directory of C:\Program Files\Comodo\Firewall
- Right click on the file 'cpf.exe'
- Select 'Properties' from the menu
- Click the tab 'Digital Signatures' (if there is no such tab then the software has not been signed)
This will display the name of the CA that signed the software as shown below:
Click the 'Details' button to view digital signature information. Click 'View Certificate' to inspect the actual code signing certificate. (see below)
It should be noted that the example above is a special case in that Comodo, as creator of 'cpf.exe', is both the signer of the software and, as a trusted CA, it is also the counter-signer (see the 'Countersignatures' box). In the vast majority of cases, the signer or the certificate (the vendor) and the counter signer (the Trusted CA) will be different. See this example for more details.
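The same inspection as the 'Digital Signatures' tab can be scripted. The following PowerShell is an added example, not part of the Comodo guide or product; the function names Get-SignerReport and Test-ExpectedPublisher are hypothetical, and the paths at the bottom are samples to replace with the files you want to inspect. It goes one step beyond the dialog by checking a file against the publisher you expect, because a file name alone says nothing about who produced the file.

```powershell
# Added example, not Comodo code. Function names are hypothetical.

function Get-SignerReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Path
    )
    process {
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            Write-Warning "Not found: $Path"
            return
        }

        $sig      = Get-AuthenticodeSignature -LiteralPath $Path
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $null
        $issuers  = @()
        $stamper  = $null

        if ($sig.SignerCertificate) {
            # The vendor named on the code signing certificate.
            $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)

            # Build the chain only to list the CAs above the vendor certificate.
            # Revocation is not checked here so the script also runs offline;
            # the trust decision itself is taken from $sig.Status below.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            [void]$chain.Build($sig.SignerCertificate)
            $issuers = @($chain.ChainElements |
                Select-Object -Skip 1 |
                ForEach-Object { $_.Certificate.GetNameInfo($nameType, $false) })
        }

        if ($sig.TimeStamperCertificate) {
            # This is the entry the Windows dialog lists under 'Countersignatures'.
            $stamper = $sig.TimeStamperCertificate.GetNameInfo($nameType, $false)
        }

        [pscustomobject]@{
            File        = $Path
            Status      = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = $signer
            IssuingCAs  = $issuers -join ' <- '
            TimeStamper = $stamper
        }
    }
}

function Test-ExpectedPublisher {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$ExpectedSigner
    )
    $report = Get-SignerReport -Path $Path

    # 'Valid' means the file is signed, its hash still matches the signature
    # (content integrity) and the certificate chains to a root this machine trusts
    # (content source). Anything else fails, whatever the file is called.
    return (($null -ne $report) -and
            ($report.Status -eq 'Valid') -and
            ($report.Signer -eq $ExpectedSigner))
}

# Sample paths: the first is the default install location named in the guide.
$targets = @(
    "$env:ProgramFiles\Comodo\Firewall\cfp.exe",
    "$env:SystemRoot\System32\notepad.exe"
)
$targets | Get-SignerReport | Format-List
```

Test-ExpectedPublisher returns $false for unsigned files, for files modified after signing (HashMismatch) and for files validly signed by a different publisher than the one passed in.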
Adding and Defining a user-trusted Vendor
A software vendor can be added to the 'Trusted Software Vendors' list in two ways:
- By reading the vendor's signature from an executable file on your local drive
- By reading the vendor's signature from a running process
Click the add button on the right hand side and select 'Read from a signed executable...'. Browse to the location of the executable on your local drive. In the example below, we are adding the executable 'YahooMessenger.exe'.
After clicking 'Open', Comodo Firewall will check that the .exe file is signed by the vendor and counter-signed by a Trusted CA. If so, the vendor (software signer) will be added to the Trusted Vendor list:
In the example above, Comodo Personal Firewall was able to verify and trust the vendor signature on YahooMessenger.exe because it had been counter-signed by the trusted CA 'Verisign'. The software signer 'Yahoo! Inc' is now a trusted vendor and is added to the list. All future software that is signed by the vendor 'Yahoo! Inc' will be automatically added to the Comodo safe list UNLESS you change this setting in Defense+ settings.
Comodo Firewall Pro also allows you to add a trusted vendor by selecting from processes that are currently running on your PC. To do this, click the 'Add...' button and select 'Choose from a running process...':
Select the signed executable that you want to trust and click the 'Select' button. Comodo Firewall Pro will perform the same certificate check as described above. If the firewall cannot verify that the software certificate is signed by a Trusted CA then it will not add the software vendor to the list of 'My Trusted Vendors'. In this case, you will see the following error message:
Note: The 'My Trusted Software Vendors' list displays two types of software vendors:
- User defined trusted software vendors - As the name suggests, these are added by the user via one of the two methods outlined earlier. These vendors can be removed by the user by selecting and clicking the 'Remove' button. All software created by user certified vendors is automatically added to the firewall safelist.
- Comodo defined trusted software vendors - These are the vendors that Comodo, in its capacity as a Trusted CA, has independently validated as a legitimate company. Comodo certified vendors are hardcoded into the firewall and cannot be removed. All software created by Comodo certified vendors is automatically added to the firewall safelist.
Scan progress is displayed at the top of the interface and any suspicious files are displayed in the 'Scan Results' pane. The scan can be paused or stopped at any time by clicking the appropriate buttons at the lower right corner. When the scanner has finished checking your hard drive, you will see the 'Scan Complete' interface which contains details of any malware that was discovered:
- The 'Scan Results' pane displays a list of all suspicious files detected during the scan
- The 'Status' column displays the name of the threat that was discovered. In other words, the name of the malware that has infected the file listed in the 'Location' column
- The 'Location' column displays the location and filename of the infected file or malicious executable.
To delete all the listed files, click the 'Delete' button. Clicking 'Exit' will close the Scan System interface and return the user to the main interface.
Background info: The name of the threat (status column) can often be different to the actual file name stated in the 'Location' column. This is especially true in the case of Trojan horse programs which are specifically re-named to resemble or duplicate the name of recognizable, trusted programs. (For example, a trojan called 'I_steal_your_credit_card_details.exe' may be re-named after the Internet Explorer executable 'iexplore.exe' in an attempt to fool the user into granting it internet access or to allow it to run in the first place.) Comodo Firewall Pro's scanner overcomes this by checking the digital signature of all the files it scans against a 'black list' of the digital signatures of known malicious programs. This means it will detect all infected files - including those that attempt to masquerade as another program.
You can import additional registry keys that you wish to protect by clicking the 'Add' button:
The 'Registry Groups' option allows you to batch select and import predefined groups of important registry keys. Comodo provides a default selection of 'Automatic Startup' (keys), 'Comodo Keys', 'Internet Explorer Keys' and 'Important Keys'.
The 'Registry Entries....' option opens the Windows registry editor within the Comodo Firewall Pro interface and allows you to select individual keys. You can add items manually by browsing the registry tree in the right hand pane. Drag & drop specific registry keys into the 'Selected Items' pane. To add an item manually, enter its name in the field and press the '+' button.
The 'Groups...' button allows the user to access the 'My Registry Groups' interface:
This interface allows you to:
- Create a new registry key Group by clicking the 'Add' button
- Add keys to your new group by selecting the Registry Group name from the list then clicking 'Add > Select From > Registry Key...'
- Add keys to a preexisting group by selecting its name from the list then clicking 'Add > Select From > Registry Key...'
- Edit the names of existing registry key Group or individual key by right-clicking and selecting the 'Edit' button
- Re-assign registry keys to another group by dragging and dropping
You can import additional COM interfaces that you wish to protect by clicking the 'Add' button:
The 'COM Groups' option allows you to batch select and import predefined COM interfaces.
The 'COM Components....' option allows you to add individual COM components. You can add items manually by browsing the components in the right hand pane. Drag & drop specific components into the 'Selected Items' pane. To manually add a component, enter its name in the field and press the '+' button.
COM groups are handy, predefined groupings of COM interfaces. This interface allows you to:
- Create a new COM Group by clicking the 'Add' button
- Add components to your new group by selecting the group name from the list then clicking 'Add > Select From > COM components...'
- Add keys to a pre-existing COM group by selecting its name from the list then clicking 'Add > Select From > COM components...'
- Edit the names of existing COM Group or individual component by right-clicking and selecting the 'Edit' button
- Re-assign COM components to another group by dragging and dropping
General Navigation:
- Add... - Allows the user to Add a new Application to the list then create its policy. See the section 'Creating or Modifying a Defense+ Security Policy'.
- Edit... - Allows the user to modify the Defense+ security policy of the selected application. See the section 'Creating or Modifying a Defense+ Security Policy'.
- Remove - Deletes the current policy. Note - you cannot remove individual applications from a file group using this interface - you must use the 'My File Groups' interface to do this.
- Purge - Runs a system check to verify that all the applications for which policies are listed are actually installed on the host machine at the path specified. If not, the policy is removed, or 'purged', from the list.
Users can re-order the priority of policies by simply dragging and dropping the application name or file group name in question. To alter the priority of applications that belong to a file group, you must use the 'My File Groups' interface.
Creating or Modifying a Defense+ Security Policy
To begin defining an application's Defense+ policy, you need to take two basic steps.
(1) Select the application or file group that you wish the policy to apply to.
(2) Configure the security policy for this application.
(1) Select the application or file group that you wish the policy to apply to
If you wish to define a policy for a new application (i.e. one that is not already listed), click the 'Add...' button in the main Computer Security Policy interface. This will bring up the 'Application System Activity Control' interface shown below:
Because you are defining the Defense+ security settings for a new application, you will notice that the 'Application Path' field is blank. (If you were editing an existing policy instead, then this interface would show that policy's name and path.) Click the 'Select' button to begin.
You now have 3 methods available to choose the application for which you wish to create a policy - File Groups, Running Processes and Browse... (to application)
(i) File Groups - choosing this option allows you to create a Defense+ security policy for a category of pre-set files or folders. For example, selecting 'Executables' would enable you to create a Defense+ policy for all files with the extensions .exe .dll .sys .ocx .bat .pif .scr .cpl . Other such categories available include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc - each of which provide a fast and convenient way to apply a generic policy to important files and folders. To view the file types and folders that will be affected by choosing one of these options, you need to visit the 'My File Groups' interface. The 'My File Groups' interface can be accessed by either of the following methods:
- Navigate to Defense+ > Common Tasks > My Protected Files then click the 'My Groups' button.
- Navigate to Defense+ > Common Tasks > My Quarantined Files then click the 'My Groups' button.
(ii) Running Processes - as the name suggests, this option allows you to create and deploy a Defense+ policy for any process that is currently running on your PC.
You can choose an individual process (shown above) or the parent process of a set of running processes. Click 'Select' to confirm your choice.
(iii) Browse... (to application) - this option is the easiest for most users and simply allows you to browse to the location of the application for which you want to deploy the Defense+ security policy.
In the example below, we have decided to create a security policy for the Opera web browser.
Having selected the individual application, running process or file group, the next stage is to Configure the rules for this application's policy.
There are two broad options available for selecting a policy that will apply to an application - Use a Pre-defined Policy or Use a Custom Policy
(i) Use a Predefined Policy - Selecting this option allows the user to quickly deploy an existing security policy on to the target application. Choose the policy you wish to use from the drop down menu. In the example below, we have chosen 'Limited Application'. The name of the predefined policy you choose will be displayed in the 'Treat As' column for that application in the Computer Security Policy interface.
Note: Predefined Policies, once chosen, cannot be modified directly from this interface - they can only be modified and defined using the 'Predefined Security Policies' interface. If you require the ability to add or modify settings for a specific application then you are effectively creating a new, custom policy and should choose the more flexible Use Custom Policy option instead.
(ii) Use a Custom Policy - designed for more experienced users, the 'Custom Policy' option enables full control over the configuration of the specific security policy and the parameters of each rule within that policy.
The Custom Policy has two main configuration areas - Access Rights and Protection Settings. In simplistic terms 'Access Rights' determine what the application can do to other processes and objects whereas 'Protection Settings' determine what the application can have done to it by other processes.
Access Rights - The Process Access Rights interface allows you to determine what activities the applications in your custom policy are allowed to execute. These activities are called 'Access Names'.
Click here to view a list of definitions of the Action Names listed above and the implications of choosing to Ask, Allow or Block for each setting. Exceptions to your choice of 'Ask', 'Allow' or 'Block' can be specified for the policy by clicking the 'Modify...' button on the right:
Select the 'Allowed Applications' or 'Blocked Applications' tab depending on the type of exception you wish to create.
Clicking 'Add' will allow you to choose which applications or file groups you wish this exception to apply to. (click here for an explanation of available options)
In the example above, the default action for 'Run as an executable' is 'Ask'. This means Defense+ will generate an alert asking your permission if 'Opera.exe' tried to run another program. Clicking 'Modify' then adding 'Outlook.exe' to the 'Allowed Applications' tab creates an exception to this rule. Opera.exe is now allowed to run 'Outlook.exe' but an alert will be generated if it tries to run any other application.
Protection Settings - Protection Settings determine how protected the application or file group in your policy is against activities by other processes. These protections are called 'Protection Types'.
Select 'Yes' to enable monitoring and protect the application or file group against the process listed in the 'Protection Type' column. Select 'No' to disable such protection. Click here to view a list of definitions of the 'Protection Types' listed above and the implications of activating each setting. Exceptions to your choice of 'Yes' or 'No' can be specified in the application's policy by clicking the 'Modify...' button on the right. Click 'Apply' to confirm your setting.
Adjust the slider to your preferred protection level:
- Aggressive - This setting instructs Defense+ to intercept the file types listed in the 'Files to Check' tab before they are loaded into memory and also intercepts prefetching/caching attempts for the executable files.
- Normal - Same as aggressive but does not intercept prefetching/caching attempts. This is the default and recommended setting.
- Disabled - No execution control is applied to the executable files.
Click 'Apply' to implement your settings.
Lists file types that Defense+ will check using the Image Execution Level specified on the 'General' tab.
The default and recommended setting is *.exe. This means every .exe file will be authenticated by Defense+ before it is allowed to run. If Defense+ is unable to authenticate a particular .exe file then you will receive an alert which will ask your permission before the application is allowed to run. Click the 'Add' button to add additional file groups or processes to the 'Files to check' list. Click here for an outline of the options available when adding file types. Click 'Apply' to implement your changes.
To view or edit an existing predefined policy:
- Double click on the Policy Name in the list
- Select the Policy Name in the list, right-click and choose 'Edit'
- Select the Policy Name and click the 'Edit...' button on the right
From here, you can modify a policy's name and, if desired, make changes to its 'Process Access Rights' and 'Protection Settings'. Any changes you make here will be automatically rolled out to all applications currently under that policy.
To create a new predefined policy you should click the 'Add..' button, type a name for the policy then follow the same configuration procedure as outlined for creating a custom, application specific policy. Click here to view. Once created, your policy will be available for deployment onto specific application or file groups via the Computer Security Policy section of Defense+.
Defense+ Settings
The Defense+ component of Comodo Firewall Pro is a host intrusion prevention system that constantly monitors the activities of all executable files on your PC. With Defense+ activated, the user is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat etc) attempts to run. The only executables that are allowed to run are the ones you give permission to. An application can be given such permission to run in a variety of ways including: manually granting them execution rights in Computer Security Policy; by deciding to treat the executable as trusted at a Defense+ alert; or simply because the application is on the Comodo safe list. Defense+ also automatically protects system-critical files and folders such as registry entries to prevent unauthorized modification. Such protection adds another layer of defense to Comodo Firewall Pro by preventing malware from ever running and by preventing any processes from making changes to vital system files.
Note for beginners: This page will often refer to 'executables' (or 'executable files'). An 'executable' is a file that can instruct your computer to perform a task or function. Every program, application and device you run on your computer requires an executable file of some kind to start it. The most recognisable type of executable file is the '.exe' file (e.g., when you start Microsoft Word, the executable file 'winword.exe' instructs your computer to start and run the Word application). Other types of executable files include those with extensions .cpl, .dll, .drv, .inf, .ocx, .pf, .scr, .sys. Unfortunately, not all executables can be trusted. Some executables, broadly categorised as malware, can instruct your computer to delete valuable data; steal your identity; corrupt system files; give control of your PC to a hacker and much more. You may also have heard these referred to as Trojans, scripts and worms. Worse still, these programs are explicitly designed to run without you knowing about them. Defense+ is designed to make sure you DO know about them by blocking all unknown executables and alerting you whenever they try to run.
The Defense+ Settings area allows you to quickly configure the security level and behavior of Defense+ during operation. This settings area can be accessed in the 'Advanced' section of 'Defense+ Tasks' and, more immediately, by clicking on the blue text next to 'Defense+' on the Summary Screen (shown below).
'General Settings' tab
Comodo Firewall Pro allows you to customize the behavior of Defense+ by adjusting a Security Level slider to switch between preset security levels. The choices available are: Paranoid, Safe mode, Clean PC Mode, Training Mode and Disabled. The setting you choose here will also be displayed on the firewall summary screen.
Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any applications - even those applications on the Comodo safe list - and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create 'Allow' rules for any executables - although you still have the option to treat an application as 'Trusted' at the Defense+ alert. Choosing this option will generate the largest number of Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.
Safe mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as 'Safe' by Comodo. It will also automatically create 'Allow' rules for these activities. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing 'Treat this application as a Trusted Application' at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in 'Clean PC Mode' then 'Safe mode' is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.
Clean PC Mode: From the time you set the slider to 'Clean PC Mode', Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats.
From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in 'My Pending Files' are excluded from being considered as clean and are monitored and controlled.
Installation Mode: Installer applications and updaters may need to execute other processes in order to run effectively. These are called 'Child Processes'. In 'Paranoid', 'Safe' and 'Clean PC' modes, Defense+ would raise an alert every time these child processes attempted to execute because they have no access rights. Whilst in one of these 3 modes, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage 'Installation Mode' - which will temporarily bestow these child processes with the same access rights as the parent process - so allowing the installation to proceed without the usual alerts. If you are installing a new, unknown application, Defense+ will alert you with a pop-up notification and, as you want to allow this application to continue installing, you should select 'Treat this application as an Installer or Updater'. You will subsequently see the following:
Clicking 'Yes' will engage 'Installation Mode' and so grant child processes the same access rights as the parent process. This will be followed by the following reminder that you need to switch back to your previous mode:
Training Mode: The firewall will monitor and learn the activity of any and all executables and create automatic 'Allow' rules until the security level is adjusted. You will not receive any Defense+ alerts in 'Training Mode'. If you choose the 'Training Mode' setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.
Tip: This mode can be used as the "Gaming Mode". It is handy to use this setting temporarily when you are running an (unknown but trusted) application or games for the first time. This will suppress all Defense+ alerts while the firewall learns the components of the application that need to run on your machine and automatically creates 'Allow' rules for them. Afterwards, you can switch back to 'Safe mode'.
Disabled: Disables Defense+ protection. All executables and applications are allowed to run irrespective of your configuration settings. Comodo strongly advise against this setting unless you are confident that you have an alternative intrusion defense system installed on your computer.
Keep an alert on screen for maximum (n) seconds - Determines how long the Firewall will show a Defense+ alert without any user intervention. By default, the timeout is set at 120 seconds. You may adjust this setting to your own preference.
Trust applications digitally signed by Trusted Software Vendors - Leaving this option checked means software which is signed by a Trusted Certificate Authority will be automatically added to the safe list. Comodo recommend leaving this option enabled. For more details, see My Trusted Software Vendors.
Block all unknown requests if the application is closed - Checking this box will block all unknown requests (those not included in your Computer Security Policy) if Comodo Firewall Pro is not running/has been shut down.
Deactivate Defense+ permanently (Requires a system restart) - Shuts down the Defense+ Host Intrusion element of Comodo Firewall Pro PERMANENTLY. The firewall is not affected and will continue to protect your computer even if you deactivate Defense+. Comodo do not recommend users close Defense+ unless they are sure they have alternative Intrusion Prevention Systems installed.
'Monitor Settings' tab
The 'Monitor Settings' tab allows you to configure which activities, entities and objects should be monitored by Defense+.
Note: The settings you choose here are universally applied. If you disable monitoring of an activity, entity or object using this interface it will completely switch off monitoring of that activity on a global basis - effectively creating a universal 'Allow' rule for that activity. This 'Allow' setting will over-rule any policy specific 'Block' or 'Ask' setting for that activity that you may have selected using the 'Access Rights' and 'Protection Settings' interface.
Activities To Monitor:
Interprocess Memory Access - Malware programs use memory space modification to inject malicious code for numerous types of attacks, including recording your keyboard strokes; modifying the behavior of the invaded application; stealing confidential data by sending confidential information from one process to another process etc. One of the most serious aspects of memory-space breaches is the ability of the offending malware to take the identity of the invaded process, or 'impersonate' the application under attack. This makes life harder for traditional virus scanning software and intrusion-detection systems. Leave this box checked and Defense+ will alert you when an application attempts to modify the memory space allocated to another application.
Windows/WinEvent Hooks - In the Microsoft Windows operating system, a hook is a mechanism by which a function can intercept events (messages, mouse actions, keystrokes) before they reach an application. The function can act on events and, in some cases, modify or discard them. Originally developed to allow legitimate software developers to develop more powerful and useful applications, hooks have also been exploited by hackers to create more powerful malware. Examples include malware that can record every stroke on your keyboard; record your mouse movements; monitor and modify all messages on your computer; take over control of your mouse and keyboard to remotely administer your computer. Leaving this box checked means that you are warned every time a hook is executed by an untrusted application.
Device Driver Installations - Device drivers are small programs that allow applications and/or operating systems to interact with a hardware device on your computer. Hardware devices include your disk drives, graphics card, wireless and LAN network cards, CPU, mouse, USB devices, monitor, DVD player etc. Even the installation of a perfectly well-intentioned device driver can lead to system instability if it conflicts with other drivers on your system. The installation of a malicious driver could, obviously, cause irreparable damage to your computer or even pass control of that device to a hacker. Leaving this box checked means Defense+ will alert you every time a device driver is installed on your machine by an untrusted application.
Loopback Networking - Loopback connections refer to the internal communications within your PC. Any data transmitted by your computer through a loopback connection is immediately also received by it. This involves no connection outside your computer to the internet or a local network. The IP address of the loopback network is 127.0.0.1, which you may have heard referred to under its domain name of 'http://localhost' i.e. the address of your computer. Loopback channel attacks can be used to flood your computer with TCP and/or UDP requests which can smash your IP stack or crash your computer. Leaving this box checked means Defense+ will alert you every time a process attempts to communicate using the loopback channel.
Process Terminations - A process is a running instance of a program (for example, the Comodo Firewall Pro process is called 'cfp.exe'. Press 'Ctrl+Alt+Delete' and click on 'Processes' to see the full list that are running on your system). Terminating a process will, obviously, terminate the program. Viruses and Trojan horses often try to shut down the processes of any security software you have been running in order to bypass it. With this setting enabled, Defense+ will monitor and alert you to all attempts by an untrusted application to close down another application.
Window Messages - This setting means Comodo Firewall Pro will monitor and detect if one application attempts to send special Windows Messages to modify the behavior of another application (e.g. by using the WM_PASTE command).
DNS Client Service - This setting alerts you if an application attempts to access the 'Windows DNS service' - possibly in order to launch a DNS recursion attack. A DNS recursion attack is a type of Distributed Denial of Service attack whereby a malicious entity sends several thousand spoofed requests to a DNS server. The requests are spoofed in that they appear to come from the target or 'victim' server but in fact come from different sources - often a network of 'zombie' PCs which are sending out these requests without the owners' knowledge. The DNS servers are tricked into sending all their replies to the victim server - overwhelming it with requests and causing it to crash. Leaving this setting enabled will prevent malware from using the DNS Client Service to launch such an attack.
Note for beginners: DNS stands for Domain Name System. It is the part of the Internet infrastructure that translates a familiar domain name, such as 'example.com' to an IP address like 123.456.789.04. This is essential because the Internet routes messages to their destinations on the basis of this destination IP address, not the domain name. Whenever you type a domain name, your internet browser contacts a DNS server and makes a 'DNS Query'. In simplistic terms, this query is 'What is the IP address of example.com?' Once the IP address has been located, the DNS server replies to your computer, telling it to connect to the IP in question.
Entities To Monitor Against Modifications
Check the boxes against the needed options, if you want to enable monitoring of them:
- Protected COM Interfaces enables monitoring of COM interfaces you specified here.
- Protected Registry Keys enables monitoring of Registry keys you specified here.
- Protected Files/Folders enables monitoring of files and folders you specified here.
Objects To Monitor Against Direct Access
Determines whether or not Comodo Firewall Pro should monitor access to system critical objects on your computer. Using direct access methods, malicious applications can obtain data from storage devices, modify or infect other executable software, record keystrokes and more. Comodo advise the average user to leave these settings enabled:
- Physical Memory: Monitors your computer's memory for direct access by any applications and processes. Malicious programs will attempt to access physical memory to run a wide range of exploits - the most famous being the 'Buffer Overflow' exploit. Buffer overruns occur when an interface designed to store a certain amount of data at a specific address in memory allows a malicious process to supply too much data to that address. This overwrites its internal structures and can be used by malware to force the system to execute its code.
- Computer Monitor: Comodo Firewall Pro will raise an alert every time a process tries to directly access your computer monitor. Although legitimate applications will sometimes require this access, there is also an emerging category of spyware programs that use such access to monitor users' activities (for example, to take screenshots of your current desktop; to record your browsing activities etc).
- Disks: Monitors your local disk drives for direct access by running processes. This helps guard against malicious software that needs this access to, for example, obtain data stored on the drives, destroy files on a hard disk, format the drive or corrupt the file system by writing junk data.
- Keyboard: Monitors your keyboard for access attempts. Malicious software, known as 'key loggers', can record every stroke you make on your keyboard and can be used to steal your passwords, credit card numbers and other personal data. With this setting checked, Comodo Firewall Pro will alert you every time an application attempts to establish direct access to your keyboard.
Miscellaneous Overview
The 'Miscellaneous' section contains several areas relating to overall configuration as well as handy utilities and shortcuts to help enhance and improve your firewall experience. You have the following options to choose from:
Settings: Allows the user to configure general firewall settings (password protection, update options, language, theme etc.)
Manage My Configurations: Allows the user to manage, import and export their firewall configuration profile
Diagnostics: Helps identify any problems with your installation
Check For Updates: Launches the Comodo Firewall Pro updater
Submit Suspicious Files: Allows users to send suspicious files to Comodo for analysis and possible inclusion on the Comodo safelist.
Browse Support Forums: Link to Comodo User Forums.
Help: Launches this help guide
About: Displays version and copyright information about the product.
Settings
The 'Settings' dialog box allows you to configure various options related to the operation of Comodo Firewall Pro and can be accessed by clicking the 'Miscellaneous' button followed by 'Settings'.
'General' tab
Automatically start the application with Windows (Recommended) - With this option checked, Comodo Firewall Pro will be automatically loaded every time you start your computer. This is the default and highly recommended setting. Unchecking this box means the application will not load at computer startup and, unless you have an alternative firewall/intrusion detection system running, your computer will not be protected.
Show the balloon messages - These are the notifications that appear in the bottom right hand corner of your screen - just above the tray icons. Usually these messages say 'Comodo Firewall Pro is learning' or 'Defense+ is learning' and are generated when these modules are learning the activity of previously unknown components of trusted applications. Uncheck this option if you do not want to see these messages.
Show the traffic animation in tray - By default, the application's 'Shield' tray icon displays a small animation whenever traffic moves to or from your computer.
If the traffic is outbound, you will see green arrows moving upwards on the right hand side of the shield. Similarly, for inbound traffic you will see red arrows moving down the left hand side. This provides a very useful indicator of the real-time movement of data in and out of your computer. Uncheck this box if you would rather not see this animation.
Automatically Detect New Private Networks - Checking this option means that the firewall will automatically detect any new networks that the computer is connected to. Comodo recommends users to leave this option at its default, enabled setting.
'Parental Control' tab
The parental control tab allows you to configure password protection for Comodo Firewall Pro.
Enable password protection for settings - Checking this box will activate password protection for all important configuration sections and wizards within the interface. If you choose this option, you must first specify and confirm a password by clicking the 'Change Password...' button. You will be asked for this password every time you try to access important configuration areas (for example, all sections in the Defense+ Tasks and Firewall Tasks areas will require this password before allowing you to view or modify their settings).
This setting is of particular value to parents, network administrators and administrators of shared computers to prevent other users from modifying critical firewall settings and exposing the machine to threats.
Suppress Firewall alerts when password protection is enabled - If checked, no Firewall Alerts will be displayed when password protection is enabled. Parents and network admins may want to enable this setting if they do not want users to be made aware when a Firewall alert has been triggered. For example, a trojan horse program may be attempting to download itself or transmit private information to a third party. Usually, the firewall would generate an alert and ask the user how to proceed. If that user is a child or an inexperienced user then they may unwittingly click 'allow' just to 'get rid' of the alert and/or gain access to the website in question - thus exposing the machine to attack. Checking this option will block the connection but will not generate an alert.
Suppress Defense+ alerts when password protection is enabled - If checked, no Defense+ Alerts will be displayed when password protection is enabled. Parents and network admins may want to enable this setting if they do not want users to be made aware when a Defense+ alert has been triggered. For example, a malware program may be attempting to modify, terminate or delete a critical registry key in order to launch an attack on your machine. Usually, the Defense+ intrusion detection system would generate an alert and ask the user how to proceed. If that user is a child or an inexperienced user then they may unwittingly click 'allow' just to 'get rid' of the alert - thus exposing the machine to attack. Checking this option will block the activity of the suspected malware but will not generate an alert.
'Update' tab
The 'Update' tab allows users to configure how Comodo Firewall Pro behaves regarding program updates, automatic lookups of unknown files and auto-submission settings.
Automatically check for program updates - Determines whether or not Comodo Firewall Pro should automatically contact Comodo servers for updates. With this option checked, Comodo Firewall Pro will automatically check for updates every 24 hours AND every time you start your computer. If updates are found they are automatically downloaded and installed. We recommend that users leave this setting enabled to maintain the highest levels of protection. Users that choose to disable automatic updates can download them manually by clicking 'Check for Updates' in the 'Miscellaneous' section.
Automatically perform an online lookup for unrecognized files - Whenever the Defense+ module detects an executable file that is not on the safelist (i.e. it does not yet recognize or trust the file) then it will connect to the Comodo servers and consult the master safelist database to see if we have any information about it. Any information discovered about a file is automatically downloaded to your computer and used to update your safelist. The lookup process is described in greater detail in the 'My Pending Files' area of Defense+ tasks. Comodo recommends leaving this setting enabled.
Automatically submit the files in the submission queue to Comodo - Executable files that are unrecognized by Defense+ (not in the internal safelist) are automatically queued for submission to Comodo Digital Trust for analysis (see 'My Pending Files' for more details on submitting files). Leaving this option checked means that all queued files will be submitted immediately.
'Language' tab
Comodo Firewall Pro is available in multiple languages. You can switch between installed languages by selecting from the drop down menu. In order for your choice to take effect, you must restart the firewall. You can do this by either:
(i) Restarting your computer (recommended)
(ii) Closing then restarting the firewall by right clicking on the firewall tray icon and selecting 'Exit'. To restart the firewall, select Start > Programs > Comodo > Firewall > Comodo Firewall Pro. The firewall will be in your choice of language the next time you restart the application.
'Themes' tab
The themes tab allows you to customize the look and feel of Comodo Firewall Pro according to your preferences. Use the drop down menu to switch between installed themes.
'Logging' tab
A log file is a record of all actions taken by Comodo Firewall Pro during the course of its operation (for example, if the firewall blocks a particular application from connecting to an outside server then you will see a record of this 'block' action in the log files).
This tab allows you to configure the maximum size of the log file and the action that should be taken when the size limit is reached.
If the log file size exceeds n MB - choose the maximum size of the log file before Comodo Firewall implements your choice of action:
o Delete it and create a new file - choosing this option means the firewall will delete the current log file after it reaches the specified size and create a new one. All events recorded in the file at the point it reaches the size limit will be deleted and the logging will start over from scratch in a new file. If you wish to maintain archives of your log files you should either (i) select 'Move it to the specified folder' (explained below) (ii) regularly export your log files to html using the log viewer module.
o Move it to the specified folder - instead of deleting the log file, the firewall will move it to a folder of your choice when the size limit is reached. Click the blue text to choose the location of your folder.
o Disable Firewall Logging - checking this box means NO firewall events will be recorded in the 'View Firewall Events' interface. This setting will over-rule any individual 'Log as a firewall event...' instructions you created when 'Adding and Editing a Network Control Rule'.
o Disable Defense+ Logging - checking this box means NO firewall events will be recorded in the 'View Defense+ Events' interface. This setting will over-rule any individual log instructions that have been created for an application.
For the majority of users, we recommend leaving the maximum log file size at the default 2 MB. This will provide easily enough records for effective troubleshooting. Advanced users may want to specify a larger file size in order to view records stretching further back in time when the log viewer module is accessed. Log files and log file management are discussed in more detail in the sections 'View Firewall Events' and 'View Defense+ Events'.
Click the area on which you would like more information:
o Export my configuration to a file
o Import a saved configuration from a file
o Select a different active configuration setting
o Delete an inactive configuration profile
If this is the first time you have accessed this interface you will see two preset choices -
'COMODO - Optimum Security' (which is the configuration 'Firewall with Defense+ (recommended)')
'COMODO - Network Security' (which is the configuration 'Firewall + Leak Test Protection')
The name of YOUR CURRENTLY ACTIVE CONFIGURATION will have a checkmark next to it. In the example shown above, 'COMODO - Network Security' is the currently active profile.
Important Note: Any changes you have made to the firewall settings since installation are recorded in this, active, profile. You have the opportunity to export your current configuration (including changes made since installation) under the preset name (Optimum or Network Security). However, Comodo advise that you create a new name when you export your custom configuration.
To export your existing configuration, click the export button then your currently active configuration (in the example above, 'COMODO - Network Security'). Type a filename for the profile (e.g. 'My Firewall Profile') and save to the location of your choice.
Import a saved configuration from a file
Importing a configuration profile allows you to store any profile within Comodo Firewall Pro. Any profiles you import do not become active until you select them for use.
To import a profile choose 'Import As...' or 'Import...'. Browse to the location of the saved profile and click 'Open'.
'Import As...' allows you to assign a different name for the profile when you import.
Once imported, the configuration profile is available for deployment by selecting it.
Select and Implement a different configuration profile
To select the imported configuration, click the 'Select' button and choose your profile.
Delete an inactive configuration profile
You can remove any unwanted configuration profiles using the 'Delete' button. You cannot delete the profile that the Firewall is using - only the inactive ones. In the example below, 'My_Firewall_Configuration' is grayed out because it is the currently active profile. You can, however, delete the inactive profile, 'COMODO - Active Security'.
Diagnostics
Comodo Firewall Pro contains its own integrity checker. This checker will scan your system to make sure that the firewall is installed correctly. It will check your computer's:
File System - to check that all of Comodo's system files are present and have been correctly installed
Registry - to check that all of Comodo's registry keys are present and correctly installed
Checks for the presence of software that is known to have compatibility issues with Comodo Firewall Pro.
The results of the scan will be shown in the following pop-up window
To initiate the update process click the Start button (If you want to download and install the updates later, click the 'Abort' button.) After the installation process is completed, click OK. You will then be asked to restart the system. Click Yes to reboot the system now or No to reboot at a later time.
Use the 'Add...' button to manually select and add executables to the list.
The drop down allows you to choose the type of executable you wish to block. After locating the file or files you wish to submit, click the 'Open' button.
Note: You cannot submit files that are already on the Comodo safe list.
You have the option to add an accompanying description to each file you submit and also the option to associate your email ID with the submitted file(s). Our analysts may use this address to contact you should they require further clarifications. Click 'Submit' to send the files to Comodo for analysis.
Please wait for the confirmation to be displayed after clicking the Submit button to ensure that the file is submitted successfully. Comodo will analyze the file you submit. If it is found to be trustworthy, it will be added to the Comodo safelist.
Online Knowledge Base
We also have an online knowledge base and support ticketing system at http://support.comodo.com. Registration is free.
Help
Clicking the 'Help' link in the Miscellaneous section will open this help guide. Each area has its own dedicated page containing detailed descriptions of the application's functionality.
About
Click the 'About' icon in the Miscellaneous Section Summary page to view the 'About' information dialog. From here you can view information about the Version Number of the Firewall that is installed on your computer, the Web site from where you can download the latest version of the Comodo Firewall Pro and the status of your license like Subscription validity and the type of License.
About Comodo
Comodo is a leading global provider of Identity and Trust Assurance services on the Internet, with over 200,000 customers worldwide. Headquartered in Jersey City, NJ with global offices in the UK, Ukraine, and India, the company offers businesses and consumers the intelligent security, authentication and assurance services necessary to ensure trust in online transactions. As a leading Certification Authority, and in combination with the Digital Trust Lab (DTL), Comodo helps enterprises address digital ecommerce and infrastructure needs with reliable, third generation solutions that improve customer relationship, enhance customer trust and create efficiencies across digital ecommerce operations. Comodo's solutions include SSL certificates, integrated Web hosting management solutions, web content authentication, infrastructure services, digital ecommerce services, digital certification, identity assurance, customer privacy and vulnerability management solutions.
Comodo is delivering the highly rated Comodo Firewall Pro free to consumers as part of an initiative to empower consumers to create a safe and trusted online experience whenever they go online. This initiative will make available free to all consumers some of the leading tools that consumers can use to be safe and avoid leading threats such as Phishing attacks.
To download Comodo Firewall Pro and other free security products, visit http://www.Comodogroup.com/products/free_products.html