If your computer doesn’t have firewall and antivirus protection, you risk exposing it and personal information to all manner of malware. You owe it to yourself and the online community at large to install security. Comodo Internet Security 4.0 offers free firewall and antivirus protection, along with a budding “Social Authentication” browser toolbar. Overall, Comodo’s protection is quirky, but the effectiveness of the components is consistent.
Comodo Internet Security 4.0: Basic Firewall Protection
The Comodo firewall puts all your system’s ports in stealth mode so outside attackers can’t see your computer when it connects to the Internet. That’s no surprise—any firewall that can’t do that is a total dud. I verified its protection using a number of port scans and other web-based tests.
The firewall runs at five distinct security levels. At the highest level it blocks all network traffic; at the lowest level it blocks nothing. The interesting levels are the three in between (Training Mode, Safe Mode, Custom Policy Mode), which define how the firewall responds when unknown programs attempt network access.
In Training Mode the firewall assumes all programs currently on the system should be trusted. When an unknown program requests any sort of network access the firewall not only allows it, it creates a rule so the program will still have access even in a stricter firewall mode. Safe Mode, the default, works the same as Training Mode for programs making normal outbound network requests. If an unknown program tries to act as a server or otherwise accept inbound traffic in this mode, the firewall pops up a query asking the user what to do. In Custom Policy Mode the firewall asks the user what to do about any connection request from an unknown program – except for those for which Safe Mode or Training Mode already created rules.
Comodo also controls which programs are permitted specific types of network and Internet access. Like the firewall in Avira Premium Security Suite 10 ($53.95 direct), it grants access to any program digitally signed by a known and trusted vendor. When a pop-up appeared asking me whether to trust a program signed by an unknown vendor, I had the option to check a box to add that company to the trusted list.
The point of this elaborate system of protection levels is to avoid inundating the user with confusing firewall queries. It’s a noble goal, but Comodo’s implementation does leave the firewall vulnerable to malicious programs that are already present on the computer. I prefer the approach taken by the firewall in Norton Internet Security 2010 ($69.99 direct). It never asks the unqualified user to make complex security decisions. Rather, it allows all access for known good programs (over 80 million of them), eliminates known bad programs, and makes its own security decisions after monitoring the behavior of any unknowns.
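The mode behaviour described above can be modelled in a few lines to show why rules learned in a permissive mode matter later. This is an added example, not Comodo's code or the reviewer's test tooling; the names of the highest and lowest levels, the program and vendor names, and the (program, direction) rule granularity are assumptions.

```python
from enum import Enum

class Mode(Enum):
    # The review names only the three middle levels; the names of the
    # highest and lowest levels are placeholders chosen for this model.
    BLOCK_ALL = "highest level: blocks all traffic"
    CUSTOM_POLICY = "Custom Policy Mode"
    SAFE = "Safe Mode (default)"
    TRAINING = "Training Mode"
    ALLOW_ALL = "lowest level: blocks nothing"

class FirewallModel:
    def __init__(self, mode, trusted_vendors=()):
        self.mode = mode
        self.trusted_vendors = set(trusted_vendors)
        # Learned allow rules. Keying them on (program, direction) is an
        # assumption; the review does not say how specific a rule is.
        self.rules = set()

    def decide(self, program, direction, signer=None):
        """Return 'allow', 'block' or 'ask' for one connection request."""
        if self.mode is Mode.BLOCK_ALL:
            return "block"
        if self.mode is Mode.ALLOW_ALL:
            return "allow"
        if signer in self.trusted_vendors:       # signed by a trusted vendor
            return "allow"
        if (program, direction) in self.rules:   # rule learned earlier
            return "allow"
        learns = self.mode is Mode.TRAINING or (
            self.mode is Mode.SAFE and direction == "outbound")
        if learns:
            # Allowed silently, and the rule outlives the current mode.
            self.rules.add((program, direction))
            return "allow"
        return "ask"                             # pop-up query to the user

def demo():
    """Constructed scenario: an unknown, unsigned program seen in Safe Mode."""
    fw = FirewallModel(Mode.SAFE, trusted_vendors={"Example Vendor"})
    seen = [fw.decide("unknown.exe", "outbound"),   # allow, rule created
            fw.decide("unknown.exe", "inbound")]    # ask
    fw.mode = Mode.CUSTOM_POLICY                    # user tightens the level
    seen += [fw.decide("unknown.exe", "outbound"),  # allow: rule carried over
             fw.decide("other.exe", "outbound"),    # ask: no rule exists
             fw.decide("signed.exe", "inbound", signer="Example Vendor")]
    return seen

if __name__ == "__main__":
    print(demo())
```

In the model, tightening the level to Custom Policy Mode does not revoke the outbound rule the unknown program earned in Safe Mode, so a defender who raises the level after the fact should also review the learned rule list.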
Comodo’s firewall lacks identification and blocking of web-based exploits, a feature that you’d find with Norton’s firewall. I discovered in my tests that I had to rely on antivirus software to catch the exploit after it had been dropped onto a system. None of the exploits I generated using the Core IMPACT penetration tool compromised the test system. Comodo can’t take credit for that, though; the exploits failed because the test system was fully patched. Two exploits that bypassed Comodo’s firewall and penetrated the test system were quarantined by Comodo’s antivirus component.
Some malicious programs try to protect themselves by disabling or turning off system protection, so I tried to replicate this in Comodo. I had no trouble opening the simple XML configuration file in Notepad and turning features off. My Comodo contact pointed out that Notepad was allowed access since it is a known and trusted program; an unknown program couldn’t change the configuration files. When I tried again using a small file editor I wrote myself, Comodo properly prevented me from saving changes. I also couldn’t disable Comodo by killing its processes with Task Manager.
Comodo Internet Security 4.0: Playing In the Sandbox
New to Comodo Internet Security 4.0 is the software’s ability to run unknown programs in sandbox mode. Here, unidentified programs run with the least possible privileges, and all file and registry changes are virtualized (so unfamiliar programs can’t make permanent changes to the system).
I tested the sandbox feature by installing twenty-odd PCMag utilities that need to hook into the operating system to function. Several of them didn’t work at all when sandboxed. For example, BHO Cop could not even get a list of installed Browser Helper Objects, much less control them. If you find that any of your programs mysteriously fail after you install Comodo, add that program to the “My Own Safe Files” list.
I didn’t have to take action when the sandbox popup notification appeared – I ignored it and it went away. You can interact with the popup before it disappears, telling Comodo not to sandbox this particular program again. That choice has no effect on the currently-running instance, though. You’ll have to shut down and re-launch the program to run it outside the sandbox. Sandboxed files get sent for review to Comodo’s technicians, and after analysis they’ll either put the file on the global safe list or add it to their list of malware signatures.
By default, Comodo automatically excludes any program that it recognizes as an installer or automatic update utility from the sandbox, as installers copy and add necessary files and registry information. Many installers end by launching the program they’ve just installed, but Comodo is smart enough to not sandbox the application because the installer that launched it was not sandboxed (but it will open in the sandbox the next time you launch it). However, if a rogue security product was installed, that could be trouble, because its first launch will be outside the sandbox’s control.
Leak test programs try to sneak around a firewall’s protection using sneaky techniques like piggybacking on existing trusted programs, or injecting code into trusted programs. I had to turn off the real-time antivirus for this test, as it quarantined all of the leak test samples on sight. Though all of the samples ran inside the sandbox, several of them still managed to connect to the Internet without triggering Comodo’s program control, which is potentially disastrous. That brings up an important point—the sandbox can’t virtualize actions that take place outside your own computer.
Comodo Internet Security 4.0: Defense+
Comodo’s Defense+ pops up a warning any time an unknown program attempts what the software considers a risky behavior. If the program involved is digitally signed, the user can choose to allow the action (or mark the vendor as trusted). Unlike the behavior-based ThreatFire 4.5 (Free) or the SONAR2 technology in Norton Antivirus 2010 ($39.99 direct), Defense+ doesn’t aggregate and analyze behavioral clues to detect malware. It just pops up any time any program hits one of its triggers, whether the program is malicious or not. Many of the popup descriptions state that if the program is “one of your everyday applications” you can safely allow the action. Others give a tougher warning, saying you “must make sure” the program is safe. And a few warn that the action is “not a common operation for everyday programs”.
During testing I chose “Block” for red popups that signified malware, and “Allow” for the non-scary yellow and orange popups. Doing so headed off most interference with my valid programs, though blocking one red warning disabled my wireless card’s connection monitor utility.
The combination of Defense+ and the sandbox wreaked serious havoc with some of my performance-testing scripts. In order to complete the performance tests I had to manually add every utility, batch file and script involved to the “My Own Safe Programs” list. To be fair, few normal users will encounter this level of obstruction.
Comodo Internet Security 4.0: Surprising Performance Hit
You might expect a minimalist suite like Comodo would have a minimal effect on system performance, but its firewall, real-time antivirus, sandbox and Defense+ components all put a noticeable drag on system performance.
Comodo fared well in a test of the time required to zip and unzip a multitude of files; the test took just 6 percent longer with Comodo installed. Only five suites in the current collection had a smaller impact. It didn’t do too badly in a similar test that timed lengthy file move and copy operations, adding 22 percent to the time required. However, K7 TotalSecurity Version 10.0 ($44.96 direct) added just 2 percent to this test’s time and VIPRE Antivirus Premium 4.0 just 3 percent.
Comodo’s own protective components interfered with my browser and Windows Installer tests until I added all files involved to the safe list. The browser test measures how long it takes for Internet Explorer to completely load 100 web sites. With Comodo installed, web pages took 39 percent more time to load. In the same test Norton Internet Security 2010 and AVG Internet Security 9.0 ($54.99 direct)
Comodo added 70 percent to the time required for running a script that automatically installs and uninstalls several large Windows Installer packages. Only ZoneAlarm Extreme Security 2010 ($69.99 direct) and Kaspersky Internet Security 2010 ($79.95 direct) had a greater impact, adding 77 and 78 percent respectively.
Now we come to the real bomb: the boot time test. For this test my script waits until the system’s CPU usage has been under 10 percent for 10 seconds, then subtracts the boot-start time as reported by Windows. I ran this test 100 times with and without Comodo installed and averaged each set of results. Comodo added a whopping 155 percent to the boot time, more than doubling it. That’s a new record, and not a good one. For more information about my testing, read How We Test Security Suites for Performance.
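The boot-time measurement described above depends on detecting a sustained quiet period, which a single CPU spike can restart. The following is an added example, not the reviewer's script; the 1 Hz traces and their values are constructed, and counting the 10-second quiet window as part of the boot time is an assumption.

```python
def ready_time(samples, threshold=10.0, quiet=10.0):
    """Return the timestamp at which CPU usage has stayed under `threshold`
    percent for `quiet` seconds, or None if that never happens.
    `samples` is a time-ordered list of (timestamp_seconds, cpu_percent)."""
    quiet_since = None
    for ts, cpu in samples:
        if cpu >= threshold:
            quiet_since = None            # any busy sample restarts the window
        else:
            if quiet_since is None:
                quiet_since = ts
            if ts - quiet_since >= quiet:
                return ts
    return None

def boot_seconds(boot_start, samples):
    ready = ready_time(samples)
    if ready is None:
        raise ValueError("CPU never stayed quiet long enough in this trace")
    return ready - boot_start             # includes the quiet window (assumed)

def percent_added(baseline_runs, product_runs):
    """Average each set of runs, then express the increase as a percentage."""
    base = sum(baseline_runs) / len(baseline_runs)
    with_product = sum(product_runs) / len(product_runs)
    return 100.0 * (with_product - base) / base

def trace(boot_start, busy_for, blip_at=None, length=120):
    """Constructed 1 Hz trace: 80% CPU for `busy_for` seconds, then 3%,
    with an optional one-second 50% spike at offset `blip_at`."""
    out = []
    for s in range(length):
        cpu = 80.0 if s < busy_for else 3.0
        if s == blip_at:
            cpu = 50.0
        out.append((boot_start + s, cpu))
    return out

def demo():
    # Two constructed runs per configuration instead of the review's 100.
    baseline = [boot_seconds(500, trace(500, busy)) for busy in (28, 32)]
    product = [boot_seconds(500, trace(500, busy)) for busy in (90, 94)]
    return baseline, product, percent_added(baseline, product)

if __name__ == "__main__":
    print(demo())
```

With these constructed traces the averaged boot time goes from 40 to 102 seconds, which is what "added 155 percent" means: about 2.55 times the baseline.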
Comodo Internet Security 4.0: Bonus Toolbar
In addition to the firewall and antivirus components Comodo includes a toolbar for a service they call HopSurf. If you’re not paying attention during the install process, it will switch your home page to HopSurf.com and your search provider to Ask.com. That’s lame; those should be opt-in choices, not opt-out.
HopSurf users can click a button to like or dislike the current web site and can also add tags or mini-reviews that are visible to other HopSurf users. To use these “social authentication” features you have to create a free account with HopSurf. This toolbar adds no security benefit that I can see, and it clearly has few users. There are 0 users who like PCMag.com, for example, and also 0 users who dislike it.
Comodo Internet Security 4.0: Premium Versions of the Suite
Comodo offers two paid editions of the suite. Comodo Internet Security Pro 4.0 ($49 direct) adds 24/7 chat-based support including full support for cleaning up any malware problems not handled by the product itself. A “virus-free guarantee” will pay up to $500 for any costs caused by malware the product fails to block. The paid edition also offers Wi-Fi Security. For $69.99 you can step up to Comodo Internet Security Complete 4.0. The Complete edition has everything that’s in Pro plus 2 GB of online backup hosted by Comodo, and a $15,000 insurance policy against identity theft. At heart, though, these two editions offer the same firewall and antivirus protection found in the free edition reviewed here.
Comodo Internet Security 4.0: The Verdict
I really hope that one day I’ll discover a free security suite that I can recommend, but Comodo Internet Security 4.0 is not that suite. Its firewall is good, but the multi-layered malware protection is way too in-your-face for my taste, and it does a terrible job of cleaning up existing malware infestations. Your best bet is to install just the firewall component (choose “Firewall Only” when prompted) and use a better antivirus. As for the paid editions, you can get much better protection for the price.