Windows now includes a functional built-in firewall, so consumers expect any third-party firewall to either offer a lot more than Windows does or to come as a freebie. Comodo Firewall (2013) does both. It’s completely free, and it includes a wide range of features beyond the expected. Comodo’s 2013 edition has gotten a serious makeover, with top-to-bottom streamlining of its user interface.
Like many other products, Comodo Firewall has a main window dominated by a big green security status icon. However, equal emphasis goes to a landing zone for applications to be sandboxed; more about the sandbox feature later on. When you want to dig deeper, you click the Tasks link, which visibly “flips” the main window, revealing a variety of available security tasks.
New in this edition, Comodo installs a desktop widget that offers a quick view of your security status. Clicking a button on the widget opens the product’s main window. It also offers links to launch your browsers in sandboxed (protected) mode, and to follow Comodo on Facebook or Twitter.
Like Windows Firewall (and almost every third-party firewall), Comodo had no trouble putting all of my test system’s ports in stealth mode. None of my port scans or other Web-based attacks could even detect the test system. A few firewalls, including Outpost Firewall Pro 8, go a step further, actively detecting and blocking port scan attacks.
The flip side of personal firewall protection is what we call program control. The firewall keeps track of what sorts of Internet and network access programs request and allows only appropriate communication. In its default Safe Mode, Comodo automatically configures permission for trusted programs. When an unknown program attempts a connection, it asks the user whether to allow or block the connection.
Like Outpost, Comodo gives the user a choice beyond simply allowing or blocking the program. Predefined rulesets make it easy to configure a program for the type of access appropriate to, for example, a Web browser, or an email client. Other presets relate to the type of access allowed. For example, it’s easy to configure a program to allow normal outbound access but block it from receiving inbound connections.
High-end firewalls like what you get in Norton Internet Security (2013) or Kaspersky Internet Security (2013) handle program control internally, with no reliance on user decisions. When a firewall does involve the user in trust decisions, it’s important that the firewall catch every attempt at access. Leak test programs try to connect with the Internet “under the radar,” undetected by program control.
In its default configuration, a dozen leak tests I tried slipped right past Comodo’s protection, making their connections undeterred. However, when I enabled the Behavior Blocker (more about the Behavior Blocker shortly) it detected suspicious activity in every case and offered to run the samples in isolation. Some managed a connection even so, but they didn’t get through undetected. ZoneAlarm directly blocked sneaky Internet connection attempts by about three quarters of these samples.
Many modern malware attacks slip into victim systems by exploiting unpatched vulnerabilities in the operating system, the browser, or essential applications. To test Comodo’s exploit protection I attacked the test system using 30 exploits generated by the Core IMPACT penetration tool. Like ZoneAlarm Free Firewall 2012, Comodo didn’t actively block any of these at the network level and also didn’t block their attempts to drop files on the test system. Only the fact that the test system was fully patched prevented it from being compromised. Norton, by contrast, detected every exploit at the network level and identified most by name.
Comodo doesn’t expose any significant settings in the Registry; a malicious program couldn’t disable it by setting protection to “OFF” in the Registry. However, I had no trouble killing off its processes using Task Manager. That’s surprising, because with the previous edition such an attempt yielded “Access Denied.” I also managed to set its essential services to be disabled. After reboot it re-enabled some, but not all, of them. This firewall could do with a little toughening up. The same attacks on ZoneAlarm bounced off harmlessly.
The Behavior Blocker feature is turned off by default. When enabled, it blocks suspicious activity, and offers to run unknown programs in “sandbox mode,” which limits their ability to make permanent changes to the system. As noted earlier, turning on Behavior Blocking enabled Comodo to detect leak test programs that were attempting to subvert program control.
In reviews of previous Comodo products I’ve lamented the plethora of multi-colored behavior-related popups. That feature has been seriously tamed in the current edition, and it’s definitely an improvement.
On the other hand, Behavior Blocker had a seriously negative effect on my attempt to install 20 older PCMag utilities. For all but two of them, it detected the installer as unknown and offered to run it in isolation. Five installers totally failed to function in this mode, and all but one of the others displayed one or more error messages. In isolation, the installers couldn’t perform tasks like saving files, registering DLLs, or making certain Registry settings. Out of the 20 utilities, just seven actually installed and ran properly.
If you stick with modern, commonly-used, trusted programs, you probably won’t see this type of problem. And if you do install what you’re sure is a valid older program, consider skipping Comodo’s offer to run the installer in isolation.
SecureDNS and Phishing Protection
The Domain Name System is what translates a human-readable name like www.pcmag.com into the IP address used by computers for actual communication. Public DNS servers can be subverted by certain types of attacks; Comodo’s Secure DNS is hardened against such attacks. Installed by default along with the firewall, it also actively blocks known malware-hosting sites and phishing sites.
However, in testing, the phishing protection came up short. I went through hundreds of potential phishing URLs before even seeing it take action once. Its detection rate came in 91 percentage points lower than Norton’s, and 47 percent lower than Internet Explorer 8’s SmartScreen Filter alone. The article How We Test Antiphishing explains exactly how I test antiphishing solutions.
Comodo Firewall (2013) antiphishing chart
Don’t get me wrong; using Secure DNS is a good idea for overall security. It’s just not an effective antiphishing solution.
The bonus features in this firewall just don’t stop. Comodo’s Dragon browser is a tuned, hardened version of Google Chrome; if you know Chrome, you know Dragon.
If you’ve arrived at a Web page that looks iffy, you can check it out using Dragon’s Web Inspector button. Click it to launch an analysis of the page that reports on any malicious links, malicious code, or other safety issues. Another button streamlines the process of sharing the link on Facebook, Twitter, or LinkedIn.
Sandbox and Virtual Kiosk
When I test antivirus tools with actual, live malware samples, I always use a virtual machine. As far as any programs running inside it can tell, it’s exactly the same as a physical computer. But if malware completely trashes it, I can simply delete the virtual machine, or roll back to an earlier snapshot.
Comodo’s sandbox feature offers a similar type of protection. A program running in the sandbox operates just the same as usual, but system changes it makes are virtualized by Comodo to protect the actual, physical computer.
A vast number of malware attacks come in through the browser, so running your browser in the sandbox is a very smart move. As noted, Comodo’s desktop widget displays icons to launch your browser in the sandbox. A green border around sandboxed programs helps you stay aware of the program’s status. If you want to make a lasting change, like downloading a file, you can save it in a predefined area shared by the sandbox and the real environment.
The Virtual Kiosk is a fully sandboxed desktop that offers even more protection. Any activities you perform in the Kiosk stay there, available the next time you open it but not accessible from your normal operating environment. All programs launched in the kiosk are sandboxed. For additional security when entering passwords, it includes an on-screen keyboard. And if you do suspect malware has made it into the Kiosk, a single click will wipe it back to its original state.
Especially Good for Techies
For a free product, Comodo Firewall (2013) packs a lot of features. Naturally it protects your system from outside attack and manages access permissions for local programs. It also offers Secure DNS to block DNS-based attacks, sandboxing for safe surfing, and a behavior blocking system that protects critical system areas.
However, one reason to install a standalone free firewall is that you’re building your own best-of-breed suite. In that situation, Comodo’s extra features may get in the way. And using the advanced features may be too confusing for non-technical users.
If you’re impressed with the bonus features and can see yourself using them, by all means choose Comodo. Otherwise, stick with PCMag’s Editors’ Choice ZoneAlarm Free Firewall 2012.
Tech Support: Online support, live support and community support.
OS Compatibility: Windows Vista, Windows XP, Windows 7
Type: Business, Personal, Professional
Copyright © 2012 Ziff Davis, Inc