
Sunday, November 25, 2012

Comodo Firewall Reviews

Comodo Firewall's program control is overshadowed by its Defense+ module, a kind of behavior-based malware detection that I'll describe in detail later in this article. Defense+ proved effective against leak tests, programs that attempt to connect to the Internet behind the firewall's back. I consider a product successful if it detects the attempt, since the whole purpose of leak test techniques is to connect invisibly. In every case, Comodo detected sneaky actions like trying to modify Internet Explorer in memory, trying to launch and control IE, or trying to modify a program's user interface, including one that got past ZoneAlarm.

It's worth noting, though, that leak test control is only necessary when firewall program control relies either on simple rules or on user queries. Norton and Kaspersky ignore leak tests because analysis shows the tests are not actually malicious.

Like ZoneAlarm, Comodo Firewall didn't actively detect or block any of the thirty-odd exploits generated by the Core IMPACT penetration tool. Norton and Kaspersky block exploit attacks at the network level. When last tested, Norton blocked all of them and identified almost all by name.

Unfortunately, this firewall isn't quite as well-hardened against attack as ZoneAlarm. I couldn't kill it using Task Manager, and I couldn't stop its essential Windows service. However, setting the service's startup type to disabled and forcing a reboot disabled the firewall. It visibly launched, but its protection never started.

The basic firewall settings are fairly general, and accessible to non-expert users. Even so, most users shouldn't change the defaults. Clicking Network Security Policy brings up a dialog with a vastly more complex set of options. If you can look at a line like "Allow ICMP In from MAC Any To MAC Any Where ICMP Message Is TIME EXCEEDED" without fainting, then you may be qualified to review and adjust these settings.
