Installation and configuration of Comodo Firewall. Optimal settings for Comodo Internet Security. What does it mean to hide connections in Comodo Firewall?


The main firewall modes in the advanced settings window are “Custom Rule Set”, in which every program that has no network rule triggers an alert, and “Safe Mode”, in which trusted programs are allowed outgoing connections by default. The procedure by which rules are applied is described in detail below (“How to apply firewall rules”). The additional, rarely used modes are “Complete Blocking”, in which all network activity is stopped regardless of the rules, and “Training Mode”, in which all connections are allowed and allowing rules are created automatically.

The “Create rules for safe applications” option causes the firewall in “Safe Mode” not only to allow network activity of trusted programs but also to create rules for them automatically. I don’t recommend turning it on, just like . This option has no effect in the “Custom Rule Set” mode.

If the “Do not show alerts” option is checked, the selected action will be applied instead of the alert: allow or block. No new rules will be created. I recommend setting the “Do not show alerts: Block requests” mode after creating all the necessary rules.

If, when responding to an alert, you check the “Remember my choice” option, a corresponding rule will be created. The “Alert Frequency Level” option determines how specific this rule will be. If, for example, you set the level to “Very Low”, the rule will allow or block any network activity of the program outright. I recommend the “Very High” level: the rule will then include the IP address and port.

If the “Automatically detect private networks” option is enabled on the “Network Zones” tab, then when you connect to a new network a prompt will appear asking you to indicate its status. This creates a new entry in the list of network zones, and if you select the “home” or “work” network status, allowing rules will also be created for it. If, in addition to this option, the “Do not show alerts, assuming that the location of the Internet connection...” option is enabled, new network zone entries and allowing rules for them will be created automatically, without alerts. I recommend disabling both options: the connection will then be made without notification and without creating new rules, i.e. the network will be silently treated as “public”.

When connecting to an unsecured Wi-Fi network, notifications appear asking you to use the paid Trustconnect service. The display of these alerts can be disabled using the corresponding option.

To control connections within the computer (for example, to prohibit certain programs from accessing the Internet through a local proxy server), you will need to check the “Enable loopback traffic filtering” option (I recommend enabling it).

To control connections not only over IPv4 but also over IPv6, you should check the “Enable IPv6 traffic filtering” option (I recommend enabling it).

The “Block fragmented IP traffic” option protects against an attack that sends a TCP packet split into such small IP fragments that its TCP header, and hence the session it belongs to, cannot be determined. I recommend turning it on.

The “Analyze protocol” option causes every packet to be checked for compliance with the protocol standards; packets that do not conform are blocked. I recommend turning it on.

Finally, the “Enable ARP Spoofing Protection” option protects the ARP table from being modified by an attacker who sends a gratuitous ARP reply (a reply sent without a request). I recommend turning it on.

Creating firewall rules

Application Rules

The usual procedure for creating a rule for an application is:

  • open the “Application Rules” tab, click “Add”;
  • specify the application, which can be done in several ways:
    • press Browse → Files and select the file;
    • press Browse → Running Processes and select the application;
    • press Browse → File Groups and select a group of files;
    • directly in the “Name” field, enter the path (or a template using the wildcard characters * and ? and environment variables);
  • set rules:
    • or click “Use rule set” and select the desired set from the list;
    • or click “Use your own set of rules” and add your own rules (you can copy any set);
  • Click "Ok" and organize the rules for applications using the "Up"/"Down" buttons.

When adding your own rule, you will need to specify:

  • action: “Allow”, “Block”, or “Ask”;
  • direction: incoming (i.e. initiated remotely), outgoing (i.e. initiated on a given computer) or any;
  • description: text representing this rule; if not specified, a detailed description will be displayed in the list of rules;
  • source address and destination address;
  • protocol:
    • IP, in this case it will be possible to specify the protocol on the “IP Details” tab;
    • ICMP, in this case, on the “ICMP Details” tab you can specify the ICMP message type;
    • TCP and/or UDP, in this case it will be possible to specify the source port and destination port;
  • option whether to log network activity in the log.

Note that the source/destination address can be not only a single IP address but also a network zone and many other objects, and the selection can be inverted with the “Exclude” option. Likewise, source/destination ports can be sets of ports, including inverted ones. Keep in mind that for an outgoing connection the remote address is the “Destination Address”, whereas for an incoming connection it is the “Source Address”; the same applies to ports. Therefore, generally speaking, allowing both incoming and outgoing connections with a particular remote host requires two rules:

  • one rule allows incoming traffic from the remote host to any address;
  • the other allows outgoing traffic from any address to that remote host.

When specifying a set of several rules, you should order them so that the rule located above has priority.

Global rules

Global rules determine the network activity of the computer as a whole; their restrictions take precedence over application rules, so a restriction set in a global rule is more robust than the same restriction in an application rule. In particular, global port hiding makes the computer invisible to port scans.

There are predefined sets of global rules. The interface for switching between them is presented as a choice of the computer’s visibility mode on the network: “Block incoming connections” or “Notify about incoming connections” ( Main window → Tasks → Firewall tasks → Hide ports).

Selecting the “Notify about incoming connections” mode removes the global ban on incoming connections and leaves further control to the application rules. However, it is safer to allow incoming traffic only on certain ports and/or from certain networks, and to block the rest. For example, the screenshot shows a sample set of global rules with the minimum permissions for incoming connections, needed only to respond to ping requests from the local network, to share files on it, to see the names of the network neighbourhood, and for a torrent client to work. There are approaches for .

Creating your own global rules is done in a similar way, the only difference being the absence of the “Ask” action.

File groups, network zones, port sets, and rule sets

You can reduce the number of repetitive operations and make the rules easier to read by creating your own file groups, network zones, port sets and rule sets.

File groups are created on the File rating → File groups tab; they are named sets of path templates using the wildcard characters * and ? and environment variables. For example, they make it possible to create rules for the operation and auto-update of Flash Player or Java, since these processes change file names and use temporarily created loaders. You can specify name templates without using file groups, but groups are preferable because of their clarity, compactness, and the ability to apply certain kinds of restrictions simultaneously in different protection components. For example, you can create a “NoInternet” group that is simultaneously prohibited from making direct Internet connections, making DNS queries, using the BITS service, launching the browser, and accessing its memory.

On the Rule Sets tab, you can see which rules are contained in predefined firewall policies, and you can change these policies or create your own. In the future, you can assign these policies to applications: through the “Application Rules” tab or through firewall alerts. I note that the alert will only offer those policies that specify an unambiguous action for a given network activity: allow or deny. For example, if an application tries to access a web server on port 80, the “Mail client” policy will not be offered in the alert, but the “Web browser”, “FTP client”, etc. policies will be offered.

On the Port Sets tab, you can group any combination of ports into a named set, which you can then use in rules as an origin or destination port. When creating sets, you can combine single ports, ranges of ports, and their inversions.

The “Network Zones” tab has a special feature: on it you can not only group addresses into named “zones” for later use in rules (as a source or destination address), but also set the status of these zones. For example, if you create a zone and then add it to the “Blocked Zones” tab, all connections to it will be blocked, regardless of the rules. In addition, a network zone can be marked with the “Shared Network” status.

How to apply firewall rules

When network activity is detected, the firewall first checks whether the remote address belongs to any blocked zone. If it does, the connection is blocked. If not, the global rules are checked.

Global rules are checked from top to bottom. If the first rule matching the requested type of connection has the action “block”, the connection is prohibited. If no matching rule is found, or an allowing rule is found first, the application rules are checked.

When a program tries to establish a connection (one that the global rules have let through), the list of applications and their rules is scanned from top to bottom. At the first match (i.e. when an entry for this program, or for a group of programs containing it, with a rule for the requested type of connection is encountered), the action specified in the rule is performed: allow, block or show an alert (if the “Do not show alerts” option is enabled in the settings, the action specified in that option, allow or block, is performed instead of the alert).

If there is no suitable firewall rule in the list, the connection will be automatically allowed in the following cases:

  • when the firewall is running in “Learning Mode” (in this case, an allowing rule will be created);
  • when the option “Do not show alerts: Allow requests” is enabled;
  • when the firewall is running in “Safe Mode”, the “Do not show alerts” option is disabled, and the program is trusted and runs in a real environment;
  • when the firewall is running in “Safe Mode”, the program is trusted and running in the real environment, and the requested connection is outgoing.

In other cases, an alert appears or, if the “Do not show alerts: Block requests” option is enabled, the connection is denied.

In particular, note that programs running in the virtual environment are controlled by the firewall regardless of their rating. Therefore, even if the firewall is running in Safe Mode, you will need to create allowing rules in order to use browsers.

You may notice that in “Safe Mode” the firewall handles incoming connections of trusted programs somewhat illogically. This is probably a bug.

Access to local network resources

By default, the firewall rules do not grant permission to obtain information about the network neighbourhood, to share files on the local network, etc. These permissions are not needed if the network is used only for Internet access.

Trusted network status

Permissions for a local network are most easily created by assigning it the “trusted” status. This can be done in different ways.

If the “Automatically discover new private networks” option is enabled on the “Network zones” tab, then when you connect to a new network, an alert appears in which you need to indicate your location. The “trusted” status is assigned by selecting the “at home” or “at work” options. This will create a pair of global rules allowing any outgoing and any incoming connections to this network, and a pair of similar rules for the System process. Selecting the “in a public place” option does not create new rules.

If discovery of new networks is disabled or the network was previously assigned the “public” status, you should open the “Manage Networks” window ( Main window → Tasks → Firewall tasks), select the “Trust networks” option and click “Ok”. The result will be similar to the previous one.

To return the network to neutral status, the easiest way is to check the “Block network” option in the “Network Management” window, and then open the tab in the settings window Network zones → Blocked zones and remove this network from there.

There is a bug: when a network zone has not been created for an active network and in fact this network is treated as “public”, then in the “Network Management” window the “trusted” status will be indicated for this network.

Attention! If you click the “Ok” button in such a window, the active network will indeed become “trusted”, i.e. a corresponding entry will appear in the list of network zones and firewall rules allowing connections on this network will be created. If trusting the network is not required, close the “Manage Networks” window with the “Cancel” button.

Example of permissions for accessing a local network

You can trust a local network only if it is completely secure. Therefore, it is recommended to give the network neutral status (“public place”), enable , and then add the necessary permissions. Typically, to access network resources, in addition to the initially existing rules, the System process must be allowed the following incoming connections (in all cases the “source address” is the local network):

  • UDP connections with source port 137 and destination port 137: so that you can access computers by NetBIOS names;
  • UDP connections with source port 138 and destination port 138: to see the network environment;
  • TCP connections to destination port 445: to open file sharing.

To specify “System” as the application when creating rules, you need to select it from the running processes.

All these permissions must be duplicated in the global rules. The global rules should also allow incoming ICMPv4 traffic from the local network with the “echo request” message; this is necessary not only to be able to respond to ping requests, but also for file sharing to work. An example of a set of global rules.
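The decision order described under “How to apply firewall rules” (blocked zones, then global rules, then application rules, then the mode default), run over the local-network permissions listed above, as an added example written for this page and not Comodo’s code. The zone 192.168.1.0/24, the program names and the port numbers other than 137/138/445 are constructed sample values; “Training Mode” and “Complete Blocking” are modelled only as far as the text describes them.

```python
"""Model of the firewall's documented decision order (added example, not Comodo
code): blocked zones -> global rules -> application rules -> mode default.
Network zone, program names and ephemeral ports are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")  # constructed "local network" zone


@dataclass(frozen=True)
class Conn:
    """One requested connection. For an incoming connection the remote side is
    the article's "source address"/"source port"; for outgoing, the destination."""
    app: str
    direction: str  # "in" or "out"
    proto: str  # "TCP", "UDP" or "ICMP"
    remote: str  # remote IP address
    remote_port: int = 0
    local_port: int = 0
    icmp_type: Optional[int] = None  # 8 = echo request


@dataclass(frozen=True)
class Rule:
    action: str  # "allow", "block" or "ask" ("ask" exists only in application rules)
    direction: str = "any"
    proto: str = "any"
    remote_zone: Optional[IPv4Network] = None  # None = any remote address
    remote_port: Optional[int] = None
    local_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, c: Conn) -> bool:
        return (self.direction in ("any", c.direction)
                and self.proto in ("any", c.proto)
                and (self.remote_zone is None or ip_address(c.remote) in self.remote_zone)
                and self.remote_port in (None, c.remote_port)
                and self.local_port in (None, c.local_port)
                and self.icmp_type in (None, c.icmp_type))


def decide(c: Conn, *, blocked_zones=(), global_rules=(), app_rules=(),
           mode="custom", trusted=frozenset(), no_alerts=None) -> str:
    """Return "allow", "block" or "ask" following the order the article gives.
    app_rules is an ordered list of (program name, [rules]); no_alerts is None
    or the action chosen for "Do not show alerts" ("allow" or "block")."""
    if mode == "block_all":  # Complete Blocking: rules are not consulted at all
        return "block"
    # 1. A remote address in a blocked zone is refused regardless of any rule.
    if any(ip_address(c.remote) in z for z in blocked_zones):
        return "block"
    # 2. Global rules, top to bottom: a first-matching "block" ends the check;
    #    a first-matching "allow" (or no match at all) only hands over to step 3.
    for r in global_rules:
        if r.matches(c):
            if r.action == "block":
                return "block"
            break
    # 3. Application rules, top to bottom; the first matching rule decides.
    for app, rules in app_rules:
        if app != c.app:
            continue
        for r in rules:
            if r.matches(c):
                return (no_alerts or "ask") if r.action == "ask" else r.action
    # 4. No rule matched: the outcome depends on the firewall mode.
    if mode == "training" or no_alerts == "allow":
        return "allow"
    if mode == "safe" and c.app in trusted and (no_alerts is None or c.direction == "out"):
        return "allow"
    return no_alerts or "ask"


# The article's local-network permissions for the System process.
LAN_SYSTEM_RULES = [
    Rule("allow", "in", "UDP", LAN, remote_port=137, local_port=137),  # NetBIOS names
    Rule("allow", "in", "UDP", LAN, remote_port=138, local_port=138),  # network neighbourhood
    Rule("allow", "in", "TCP", LAN, local_port=445),                   # file sharing
]
PING_FROM_LAN = Rule("allow", "in", "ICMP", LAN, icmp_type=8)
# Duplicated in the global rules, plus ping and the "Block incoming connections" rule.
GLOBAL_RULES = [PING_FROM_LAN, *LAN_SYSTEM_RULES, Rule("block", "in")]
APP_RULES = [
    ("System", [PING_FROM_LAN, *LAN_SYSTEM_RULES]),  # ICMP is per-application since CIS 10
    ("browser.exe", [Rule("allow", "out", "TCP", remote_port=443),   # constructed
                     Rule("allow", "out", "TCP", remote_port=80)]),
]


def check(c: Conn, **kw) -> str:
    """Evaluate c against the sample rule sets (Custom Rule Set unless overridden)."""
    return decide(c, global_rules=GLOBAL_RULES, app_rules=APP_RULES, **kw)


if __name__ == "__main__":
    lan_smb = Conn("System", "in", "TCP", "192.168.1.20", remote_port=50123, local_port=445)
    wan_smb = Conn("System", "in", "TCP", "203.0.113.5", remote_port=50123, local_port=445)
    print(check(lan_smb), check(wan_smb))  # allow block
```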

Firewall Features

The Comodo firewall does not control incoming loopback connections (but does control outgoing ones). So, when using a local proxy, it is enough to allow only outgoing connections to the Internet for the proxy server and outgoing connections to “localhost” for the browser (whereas many other firewalls would also require allowing incoming connections from “localhost” for the proxy server).

Domain names in rules are handled in a peculiar way: if you specify a domain name as an address in a rule, CIS finds the minimum and maximum IP addresses for that name and then treats all intermediate IP addresses as belonging to it as well.

A feature of CIS version 10, which can be considered an advantage, is that ICMP traffic is now attributed to individual applications. Previous versions of CIS (as well as, for example, Windows Firewall) treated this traffic as belonging to the System process.

Content filter

The Content Filter component restricts access to websites based on their addresses. Comodo's updated lists are used to determine the security of addresses, and custom lists can also be defined. When trying to open a prohibited site, the user will see a page with a message about blocking, and also, depending on the settings, with a proposal to temporarily ignore the ban or add this site to exceptions.

Categories. Importing custom lists

Lists of addresses or address templates (using the wildcard characters * and ?) are called categories. Comodo’s own categories are “Safe Sites”, “Phishing Sites” and “Malicious Sites”. They are updated automatically and cannot be viewed or changed. The remaining categories, which the user can modify, are defined on the “Content Filter” > “Categories” tab. Initially the “Exceptions” category is located there; sites excluded from blocking through browser notifications are placed into it.

It makes sense to add categories with lists of malicious sites from other sources. Lists and Symantec WebSecurity are recommended. To obtain the latter, go to the MalwarePatrol website.

To use an additional list, you should create a new empty category on the “Categories” tab through the context menu, and then import the list from a file. When selecting a file, you must specify the list format, otherwise the content filter will not work correctly (a typical user error).

Entry format in content filter categories

A template entry covers the addresses that match the template in full. For example, the entry *.example.com matches the address http://test.example.com, but not http://test.example.com/404 or http://example.com.

An entry without wildcards is equivalent to the template obtained by appending the * character to its end. For example, the entries https://example.com and https://example.com* are identical; they match the addresses https://example.com, https://example.com/404, and any other address that begins with https://example.com. Thus, an entry in the form of a site’s domain name also covers its directories, but not its subdomains.

In the content filter, the HTTP protocol is denoted by the absence of a protocol. For example, the entry example.com matches the address http://example.com, but not https://example.com. The entry example.com/* matches the address http://example.com/404. Attention! The address http://example.com does not match the entries http*example.com* and */example.com*, i.e. entries containing at least part of the protocol designation.

The HTTPS protocol is designated either explicitly or using wildcards. For example, the entry https://example.com matches the addresses https://example.com, https://example.com/404, etc. The entry *//example.com matches the address https://example.com, but not http://example.com or https://example.com/404.

It should be said that the content filter blocks HTTPS pages without notifications or offers to cancel the ban. Moreover, blocking HTTPS pages may not work, depending on the browser you are using.

So suppose it is required to block the site example.com for both HTTP and HTTPS, with its directories but without its subdomains. To do this in the most targeted way, add 4 entries to the blocked category:

  • example.co?
  • example.com/*
  • https://example.co?
  • https://example.com/*

(Using the ? sign in place of the last letter prevents the implicit * from being appended to the end of the entry.)

Alternatively, you can get by with the single entry *example.com*, but then not only the required addresses will be blocked, but also https://www.example.com/404 and any other address in which example.com appears merely as part of a longer name or path.
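The entry-matching rules described in this section, implemented as an added example for this page (my own model of the behaviour the text describes, not Comodo’s code): HTTP is the absence of a protocol, an entry without wildcards gets an implicit trailing *, and the whole address must match. The sample addresses are the ones the text uses plus a few constructed ones.

```python
"""Matching model of the content filter's category entries, as the article
describes them (added example, not Comodo code)."""
import re


def normalize_address(url: str) -> str:
    """HTTP is denoted by the absence of a protocol, so "http://" is dropped
    before matching; "https://" remains part of the address."""
    return url[len("http://"):] if url.startswith("http://") else url


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Compile a category entry: * matches any run of characters, ? exactly one
    character, and an entry with no wildcard gets an implicit trailing *."""
    if "*" not in entry and "?" not in entry:
        entry += "*"
    pattern = re.escape(entry).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"\A{pattern}\Z")  # the whole address must match


def entry_matches(entry: str, url: str) -> bool:
    """True when the normalized address matches the entry in full."""
    return entry_to_regex(entry).match(normalize_address(url)) is not None


def category_blocks(entries, url: str) -> bool:
    """A blocking category applies to an address if any of its entries matches."""
    return any(entry_matches(e, url) for e in entries)


# The article's four entries: example.com over HTTP and HTTPS, with directories
# but without subdomains. The ? in place of the last letter keeps the implicit *
# from being appended, so example.common is not caught.
TARGETED = ["example.co?", "example.com/*", "https://example.co?", "https://example.com/*"]
# The single-entry alternative, which also catches subdomains and longer names.
BROAD = ["*example.com*"]

if __name__ == "__main__":
    for url in ("http://example.com", "http://example.com/404", "https://example.com",
                "http://test.example.com", "https://www.example.com/404", "http://example.common"):
        print(f"{url:32} targeted={category_blocks(TARGETED, url)!s:5} broad={category_blocks(BROAD, url)}")
```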

Content filter rules

Each content filter rule contains a list of categories to which it applies and a list of users or user groups with their restrictions. The interface for changing the list of categories is obvious.

Users and their groups are added through the context menu in the “Restrictions” field: “Add” > “Advanced...” > “Object types” > check all > “Ok” > “Search” > select the desired entry > “Ok”.

Typically the user group is Everyone. If you need to set different restrictions for different users, you should be sure to indicate restrictions for each of them. Otherwise, it is possible that a user not specified in the rule will gain access to sites from the listed categories, even if there is another prohibiting rule.

According to, for Windows 8 and higher, in each rule, the entry “ALL APPLICATION PACKAGES” should be added to the list of users with the same restrictions as the users. Otherwise, the blocking will not work for Internet Explorer 11.

To work correctly with exceptions from blocking, the “Allowed sites” rule must be located above the “Blocked sites” rule.

Comodo Internet Security, an antivirus with advanced network protection, is loved by many advanced users but is traditionally considered complex and inconvenient to set up initially. And the number of alerts that demand an immediate decision far exceeds that of automatic security packages such as Norton Security or Bitdefender. But if you spend a little time on the initial fine-tuning of Comodo, even ordinary users who do not want to delve into the intricacies of network protocols or anti-virus technologies will be able to work with it. This is what we will try to figure out today.

After Comodo is finalized, ordinary users will be able to work with it

What to pay attention to when installing

  1. Check the box “I want to use cloud-based application behavior analysis...”. Thus, you will delegate routine decisions about allowing/prohibiting many operations to the user community. This will somewhat reduce the level of safety, but will make the work much more comfortable.
  2. Whether or not to send statistics about the use of the application depends on your desire. But many users prefer to do without it.
  3. On the screen for selecting components to install, check the boxes for “Comodo Antivirus” and “Comodo Firewall”. The rest can be safely turned off.
  4. Be sure to disable the option “If possible, do not show alerts that require the user to make a security decision.”

What to do immediately after installation

  1. Update your anti-virus databases (the “Update” icon at the bottom of the main screen).
  2. Select the “InternetSecurity” configuration (“Basic settings” - “Configuration”), then click the “Enable” button in the lower pop-up panel.
  3. There, click the “Export” button and save the settings in a safe place.
  4. After that, click "Import", select the settings you just saved and give a name to your own option. Then select it in the list and click “Enable”. This is necessary so that the original configuration from the manufacturer remains intact.

After updates, restart your computer

  1. Disable the desktop widget that is of little use (right-click on the tray icon, select “Widget”, uncheck “Show”).
  2. Reboot your computer.

"Security Settings", section "Antivirus"

Leave the heuristic analysis level at “Low”

  • Selecting the “Do not show notifications” option will help inexperienced users quickly get used to the program settings, but it is better not to use it constantly.
  • Leave the heuristic analysis level at “Low”, otherwise you risk drowning in a heap of messages and warnings.
  • Add the folder that contains files downloaded from the Internet, the working directory of the torrent client, and the section with installation packages as an exception. To do this, in the lower pop-up panel, select “Add”, “Folders”, select the desired directory and click “OK”. This will significantly increase the comfort of work during an active online life.

Excluding the desired directory will make work more comfortable

“Security Settings”, section “Protection+”

  • "HIPS Settings". Recommended operating mode is “Safe”. It is better to leave the “Create rules for secure applications” checkbox enabled.
  • "Sandbox Settings". If you are confident in the security of certain executable files, you can add them to the exception (click the line “Do not virtualize access to the specified files and folders”). It is better not to touch the remaining settings.

If you are sure that your files are safe, add them to exceptions

  • Viruscope. A useful and necessary system for dynamic analysis of the behavior of running programs. Sometimes it may not work entirely correctly, then until the reasons for the failure are determined, it is better to disable it (uncheck “Use Viruscope”).

Useful dynamic analysis system

“Security Settings”, section “Firewall”, block “Firewall Settings”

This point should be given maximum attention, since one incorrectly set option can lead to serious consequences.

  • A custom set of rules for filtering traffic provides maximum protection, but at the initial setup stage it requires increased attention from the user. "Safe Mode" provides a slightly lower level of protection, but displays far fewer warnings.
  • The “Create rules for safe applications” checkbox turns Comodo into a fully automatic machine, so if you are not ready to read every warning carefully, you can check it. In all other cases, the box should be left unchecked.
  • Activated advanced settings (“Enable IPv6 traffic filtering”, “Block fragmented IP traffic”, “Analyze protocol” and “Enable ARP spoofing protection”) provide additional security, but sometimes lead to problems. Use at your own risk.

Pay maximum attention to setting up this option

“Security Settings”, section “File Reputation”

  • Block “File reputation settings”. Here it is better to trust the default settings, and if you want to get rid of some requests, check the “Do not show alerts” checkbox.

Leave the settings as default

Additional settings

They are not necessary, therefore they should be used with some caution, and in case of unstable operation, everything should be returned to its original state.

“HIPS” tab, “HIPS Settings” section:

  • We increase the notification time to a maximum of 999 s.
  • Activating the item “Adapt operating mode when system resources are low” increases stability, but negatively affects the speed of the program.
  • The item “Enable enhanced protection mode” makes sense only for 64-bit OSes.
  • If you use software emulators (Daemontools, VMware, Alcohol), add the corresponding directories to exceptions: the “Detect shell code injection” item.

“Security Settings”, “Protection+”, “Auto-Sandbox”:

The efficiency of the virtualization technologies implemented in Comodo is quite high, but due to the high resource intensity, problems are possible on weak computers. In this case, we do the following:

  • For all objects with the “Unidentified” reputation, select the “edit” item in the pop-up panel, and in the “Action” line select “Block”.

Using a torrent client

For its normal operation, it is necessary not only to give the executable file full access, but also to add a special global rule. We select sequentially “Security Settings”, “Firewall”, “Global Rules”, then click “Add” on the pop-up bottom panel and assign a policy:

  • Action: “Allow”, the “Register trigger in the log” checkbox should remain unselected.
  • Protocol: check the “TCP or UDP” box.
  • Direction: “Outgoing and Incoming”.
  • Description: not important.
  • Destination Port tab. Specify the number specified in the uTorrent settings.
  • When everything is ready, move the newly created rule to the very top of the list.

Attention! If, as a result of erroneous actions, the program has stopped functioning normally, select “General Settings”, “Configuration”, check the “COMODO–Internet Security” item and click “Enable”.

Since version 3.5, Comodo Firewall has been part of the free comprehensive protection suite Comodo Internet Security, and it can also be installed as a separate component.

Comodo Firewall is designed to protect users of PCs running Windows OS; its capabilities are practically not inferior to similar products, including some commercial developments.

The interface is extremely simplified, but at the same time provides all the necessary features and functions.

Main components of Comodo Firewall

Key features of Comodo Firewall

Multifunctional firewall

Comodo Firewall provides a high level of protection against incoming and outgoing threats. This way, you get the most effective protection against hackers, malware, and identity theft. Now the firewall has been improved by adding new features:

  • Stealth Mode to make your computer completely invisible to port scanning;
  • Automatic detection of trusted zones based on a wizard;
  • Predefined firewall policies allow you to quickly apply the necessary security rules;
  • Diagnostics to analyze the system for possible conflicts with the firewall and much more.

Behavior blocker

  • Checks the integrity of each program before allowing it to be loaded into the computer's memory;
  • Performs cloud-based behavior analysis for immediate detection of malware;
  • Warns you every time unknown or untrusted applications try to launch or install;
  • Blocks viruses, Trojans and spyware before they can gain access to your system;
  • Prevents unauthorized modification of critical system files and Windows registry entries;
  • Includes an automatic sandboxing feature that completely isolates untrusted files from the rest of the computer

HIPS Intrusion Prevention System

  • Virtually impenetrable protection against rootkits, process injection, keyloggers and other zero-day threats.
  • Comodo's free firewall monitors the activity of all applications and processes on your computer and allows files and processes to run if they comply with prevailing security rules.
  • Blocks malware activity by stopping any activity that could damage the operating system, system memory, registry, or personal data.
  • Enables advanced users to enhance their security controls by quickly creating custom policies and rule sets using an easy-to-use and powerful rules interface.

Virtual kiosk

  • A virtual sandbox environment for running programs and surfing the Internet, isolated from your real computer. Applications and web browsers run inside the kiosk without leaving cookies or history on the real system, making it a secure environment for online banking and online shopping.
  • Prevents viruses, rootkits and spyware from being installed on your computer from malicious websites and provides protection against hacking.
  • Includes a virtual keyboard that allows the user to securely enter credit card numbers and passwords without fear of keyloggers.
  • The virtual kiosk in Comodo Firewall allows advanced users to run beta programs in an isolated environment that will not disrupt the stability or file structure of the real system.

Viruscope

This is a system that allows you to dynamically analyze the behavior of running processes and record their activity. Viruscope monitors the activities of processes running on your computer and alerts you if they try to perform suspicious activities.

Internet Security Essentials

The SSL certificate verification tool protects against fake (phishing) sites that try to steal sensitive information.

optimally, with a minimum of pop-up notification windows, quickly and configure it yourself. The author’s version of the program’s advanced settings largely coincides with that recommended in the Russian part of the International COMODO Forums (thread “CIS/CFP for beginners in firewalls”). These forums can be visited by opening the “Miscellaneous” tab and clicking “Visit Support Forum”. The only thing is that you will be taken to the main English page, so, to save you searching, here is the direct link to the forum “In Russian / Russian”. There is a lot of useful information on the topic there; those who wish can, of course, “dig into it”. And for convenience, point by point, I will proceed to what I promised.


Setting up Comodo Firewall

1. To begin with, I suggest changing the default grey and gloomy “face” of Comodo Firewall to something more interesting. To do this, in the same “Miscellaneous” tab, click “Settings” > “Appearance” > “Theme” and change the grey COMODO Default Normal theme to, say, COMODO Blue Normal, and, having dressed up, move on.

Summary of previous articles: an example of setting up and using Comodo Internet Security 8

Attention! The article is addressed to users who have experience with the Comodo Internet Security suite and have read the previous articles about it. “Beginners” are advised to study this product first. For familiarization and relatively effective use, the following setup procedure is suggested:

  1. disconnect your computer from the Internet and/or local network;
  2. install CIS;
  3. open “Main window” > “Tasks” > “Advanced tasks” > “Advanced settings”;
  4. on the “General Settings” > “Configuration” tab, double-click on the “Proactive Security” line;
  5. on the “Protection+” tab > “Sandbox” > “Auto-Sandbox”, disable the “Use Auto-Sandbox” option;
  6. on the “HIPS” tab > “Protected objects” > “Protected files”, add any file through the context menu;
  7. via the context menu, replace the added line with ?:\*;
  8. Click “Ok” to close the settings window;
  9. open “Main window” > “Tasks” > “Firewall tasks” > “Hide ports”;
  10. select the “Block incoming connections” option;
  11. perform a reboot;
  12. connect your computer to the network.

Preliminary remarks

This setup procedure is given in abbreviated form. The purpose of the article is to give readers a guide to the variety of configuration options in Comodo Internet Security. It is assumed that readers are familiar with the previous articles and understand the reasons for particular recommendations. Only the most general setup details are given here. Additional measures, for example against firewall bypass (through inter-process memory access, DNS queries and BITS), against ransomware or against keyloggers, are described in the article on using proactive protection; access to the local network is covered in the article about the firewall, and so on.

I would like to emphasize that this configuration is not “maximum”, but more or less balanced in terms of protection and ease of use. Unidentified programs are automatically virtualized without notification. HIPS alerts are possible, but they will occur very rarely.

The proposed option is intended for personal use by an experienced user, but it is easy to adapt it for “newbies” or users with limited rights. You can, for example, disable all notifications, or replace the automatic virtualization of unidentified programs by blocking them, or switch the firewall to “Safe Mode,” etc.

If following these instructions leads to any problems, I ask readers to report in the comments. Messages supported by configuration export files, file lists and every CIS log for the entire period, as well as video recording and/or remote access for diagnostics are welcome.

Installation and configuration

Installation

It is advisable to install CIS on a system that is guaranteed to be free of malware. Let me remind you that you need to update the system and make a backup copy of it. It makes sense to first disable Windows Firewall through the Control Panel.

If the system is clean of malware, it is advisable to “familiarize” CIS with the files on it. To avoid conflicts, you can disable the protection components at this time: antivirus, Auto-Sandbox, HIPS, firewall and Viruscope. First, perform a “Reputation Scan” (“Main Window” > “Tasks” > “General Tasks” > “Scan”) and, after it is completed, mark all found files as trusted. Then launch the various installed programs and their components, and reboot. In the advanced settings window, on the “File Reputation” > “List of Files” tab, select all files and use the context menu to set them to a trusted rating.

Basic setup

After installation, open the “General Settings” > “Configuration” tab in the advanced settings window and enable the “Proactive Security” configuration. When prompted to reboot, we’ll respond “Postpone.”

If you have previously configured CIS, import the initial “Proactive Security” configuration from the program catalog under a different name and activate it.

If a notification appears about choosing a network status, select the “Public place” option.

On the “Content Filter” > “Rules” tab, make sure that the “Blocked Sites” rule is located at the bottom, and change it: add the categories “MVPS Hosts list” and “Symantec WebSecurity” and set the type of restriction not to “Block” but to “Ask”.

Context Menu Extensions

To copy files blocked by the antivirus, we will add the corresponding context menu item. All materials necessary for this with instructions are given in the archive.

Usage

If an unidentified program is detected, we make no concessions in protection until we have made sure that it is safe. The easiest way to check a program is through the context menu. Note that the absence of antivirus detections is not an absolute guarantee of safety. But you can judge the safety of a file with reasonable confidence if it has been known for a long time and the leading antiviruses do not recognize it as malicious.

As an additional test, you can run an unknown program in the virtual environment and then send the contents of the VTRoot directory to VirusTotal. You can examine the behavior of the program in the virtual environment yourself by enabling Viruscope with the option “Apply Viruscope action only to applications in Sandbox” and opening the activity report. Viruscope also sometimes automatically classifies program behavior as malicious.

To install a new safe program, call up the context menu on its installer while holding down the Shift key and select the “Run as installer” item. If a HIPS alert occurs during installation, disable the “Remember selection” option in it and select the “Install or update” policy. After installing the program, we perform its first test run through the context menu item “Run as installer without elevation of rights” and close the program. Then, on the “File Reputation” > “List of Files” tab, we transfer the unidentified files of this program to trusted ones. We also add the directory with the new program to the trusted ones.

To update an installed program, launch it using the context menu item “Run as installer”, carry out the update procedure and similarly transfer new files from unidentified to trusted.

It is possible that a program still runs in isolation even after it has been added to the trusted list. Typically this happens when the program's size exceeds 40 MB. The solution is to add the path to such a program to the “AllowedProgs” group.

If you need to temporarily run a program without restrictions, open the context menu on it while holding Shift and select “Run as installer without elevation of rights.” It is important to remember that such a program and its child processes will be able to run any unidentified file without interference.

When any unidentified file is isolated for the first time through Auto-Sandbox, a pop-up notification appears. I remind you that it is dangerous to press the “Don’t isolate anymore” button in it.

If any data needs to be carefully protected from damage, for example by encryption viruses, we add the word “WriteProtected” to the end of the name of the directory containing it. The contents of directories such as “C:\Docs\My Projects - WriteProtected” will be protected from modification by any program except Explorer. When the data needs to be changed, we either temporarily rename the directory or move the data to another directory, and after finishing the work we return it to protection.

You should look at the event log from time to time, especially the firewall and proactive protection (“Protection+”). There you may find that a certain program requires additional permissions, for example, to carry out an update. Then you will need to adjust the configuration accordingly.

When a program is blocked by an antivirus, first of all we send it to VirusTotal through the context menu. If we are completely confident in its security, we add this program to the trusted ones. If, despite doubts, the program must be used, copy it to the exceptions directory. To do this, open the context menu on it while holding Shift, select the item “Copy infected file...” and save it to the C:\Exclusions directory. From this directory the program will be launched as a normal unidentified program in a virtual environment.

If you are concerned that the program you are running will block the OS interface and prevent you from clearing the sandbox, you can limit its execution time. A convenient way to do this is the context menu item “Run in Comodo sandbox as restricted”, suggested in the article about the virtual environment.

If you need to run a dubious program in the real environment, we do this through the extended context menu item “Run without Auto-Sandbox restrictions”. We monitor the program's activity through HIPS alerts. To avoid a large number of them, you can immediately select the “Restricted application” or “Isolated” policy in the notification (with the “Remember selection” option enabled). Attention! A malicious program can launch a trusted one, and HIPS will no longer monitor the activity of the child process, which can cause damage. As a mitigating measure, you can temporarily enable Viruscope in order to observe in more detail the activity not only of the dubious program but also of its child processes, and, if necessary, roll back changes.

Typically, HIPS alerts in this configuration will only occur when using the "Run without Auto-Sandbox restrictions" menu item or, less commonly, the "Run as installer" and "Run as installer without elevation" options. However, if HIPS alerts you to activity of an unidentified program in any other case, that is a red flag. It may mean that an unidentified program ran before CIS started or obtained SYSTEM privileges. I recommend selecting the “Block and complete execution” option in such an alert (with the “Remember selection” option disabled) and then checking the system for compromise.

2024 gtavrl.ru.