Comodo Internet Security

• Introduction To Comodo Internet Security
  • Special Features
  • System Requirements
  • Installation
    • CIS Premium Installation
    • CIS Pro-Installation And Activation
    • CIS Complete-Installation And Activation
      • Installing Comodo Internet Security 2012 Complete
      • Activating Online Backup, TrustConnect And Guarantee
      • Installing Comodo Backup
      • Installing Comodo TrustConnect
    • Activating Pro/ Complete Services After Installation
      • Activating Your License
      • Activating Your Guarantee Coverage
      • Renewal Of Your License
  • Starting Comodo Internet Security
  • Comodo Internet Security - Overview Of Summary Screens
    • Comodo Internet Security – Summary
    • Comodo Antivirus – Summary
    • Comodo Firewall – Summary
  • Comodo Internet Security - Navigation
  • Understanding Alerts
• Antivirus Tasks-Introduction
  • Run A Scan
  • Update Virus Database
  • Quarantined Items
  • View Antivirus Events
  • Submit Files To Comodo For Analysis
  • Scheduled Scans
  • Scan Profiles
  • Scanner Settings
    • Real Time Scanning
    • Manual Scanning
    • Scheduled Scanning
    • Exclusions
• Firewall Tasks-Introduction
  • View Firewall Events
  • Define A New Trusted Application
  • Define A New Blocked Application
  • Network Security Policy
    • General Navigation
    • Application Rules
    • Global Rules
    • Predefined Policies
    • Network Zones
    • Blocked Zones
    • Port Sets
  • View Active Connections
  • Stealth Ports Wizard
  • Firewall Behavior Settings
    • General Settings
    • Alert Settings
    • Advanced Settings
• Defense+ Tasks - Introduction
  • View Defense+ Events
  • Trusted Files
  • Unrecognized Files
    • Unrecognized Files
    • Submitted Files
  • Computer Security Policy
    • Defense+ Rules
    • Predefined Policies
    • Always Sandbox
    • Blocked Files
    • Protected Files And Folders
    • Protected Registry Keys
    • Protected COM Interfaces
    • Trusted Software Vendors
  • The Sandbox - An Introduction
    • Unknown Files - The Sand-boxing And Scanning Processes
  • View Active Process List
  • Run A Program In The Sandbox
  • Defense+ Settings
    • General Settings
    • Execution Control Settings
    • Sandbox Settings
    • Monitoring Settings
• More Options-Introduction
  • Preferences
    • General Settings
    • Parental Control Settings
    • Appearance
    • Log Settings
    • Connection Settings
    • Update Settings
  • Manage My Configurations
    • Comodo Preset Configurations
    • Importing/Exporting And Managing Personal Configurations
  • Diagnostics
  • Check For Updates
  • Manage This Endpoint
  • Browse Support Forums
  • Help
  • About
• Comodo GeekBuddy
  • Overview Of Services
  • Launching The Client And Using The Service
  • Accepting Remote Desktop Requests
  • Registration
  • Activation Of Service
  • Uninstalling Comodo GeekBuddy
• TrustConnect Overview
  • Microsoft Windows - Configuration And Connection
  • Mac OS X - Configuration And Connection
  • Linux / OpenVPN - Configuration And Connection
  • Apple IPhone / IPod Touch - Configuration And Connection
  • TrustConnect FAQ
• Comodo Dragon
• Appendix 1 CIS - How To... Tutorials
  • Setting Up Security Levels Easily
  • Setting Up The Firewall For Maximum Security And Usability
  • Blocking Internet Access While Allowing Local Area Network (LAN) Access
  • Setting Up Defense+ For Maximum Security And Usability
  • How To Password Protect Your CIS Settings
  • How To Reset Forgotten Password (Advanced)
  • Running An Instant Antivirus Scan On Selected Items
  • Creating An Antivirus Scanning Schedule
  • Running An Untrusted Program Inside Sandbox
  • Restoring Incorrectly Quarantined Item(s)
  • Submitting Quarantined Items To Comodo For Analysis
  • Enabling File Sharing Applications Like BitTorrent And Emule
  • Blocking Any Downloads Of A Specific File Type
  • Disabling Defense+ And Sandboxing For Specific Files Selectively
  • Switching Between Complete CIS Suite And Individual Components (just AV Or FW)
  • Switch Off Automatic Antivirus And Software Updates
  • Suppressing CIS Alerts Temporarily While Playing Games
• Appendix 2 Comodo Secure DNS Service
  • Router - Manually Enabling Or Disabling Comodo Secure DNS Service
  • Windows XP - Manually Enabling Or Disabling Comodo Secure DNS Service
  • Windows 7 / Vista - Manually Enabling Or Disabling Comodo Secure DNS Service
• Appendix 3 CIS Versions
• About Comodo Security Solutions

 Advanced Settings

Comodo Firewall features advanced detection settings to help protect your computer against common types of denial of service (DoS) attack. When launching a denial of service or 'flood' attack, an attacker bombards a target machine with so many connection requests that your computer is unable to accept legitimate connections, effectively shutting down your web, email, FTP or VPN server.

• Protect the ARP Cache - Checking this option makes Comodo Firewall to start performing stateful inspection of ARP (Address Resolution Protocol) connections. This blocks spoof ARP requests and protects your computer from ARP cache poisoning attacks (Default = Disabled).

The ARP Cache (or ARP Table) is a record of IP addresses stored on your computer that is used to map IP addresses to MAC addresses. Stateful inspection involves the analysis of data within the lowest levels of the protocol stack and comparing the current session to previous ones in order to detect suspicious activity.

 

Background - Every device on a network has two addresses: a MAC (Media Access Control) address and an IP (Internet Protocol) address. The MAC address is the address of the physical network interface card inside the device, and never changes for the life of the device (in other words, the network card inside your PC has a hard coded MAC address that it keeps even if you install it in a different machine.) On the other hand, the IP address can change if the machine moves to another part of the network or the network uses DHCP to assign dynamic IP addresses. In order to correctly route a packet of data from a host to the destination network card it is essential to maintain a record of the correlation between a device's IP address and it's MAC address. The Address Resolution Protocol performs this function by matching an IP address to its appropriate MAC address (and vice versa). The ARP cache is a record of all the IP and MAC addresses that your computer has matched together.

 

Hackers can potentially alter a computer's ARP cache of matching IP/MAC address pairs to launch a variety of attacks including, Denial of Service attacks, Man in the Middle attacks and MAC address flooding and ARP request spoofing. It should be noted, that a successful ARP attack is almost always dependent on the hacker having physical access to your network or direct control of a machine on your network - therefore this setting is of more relevance to network administrators than home users.

• Block Gratuitous ARP Frames - A gratuitous ARP frame is an ARP Reply that is broadcast to all machines in a network and is not in response to any ARP Request. When an ARP Reply is broadcast, all hosts are required to update their local ARP caches, whether or not the ARP Reply was in response to an ARP Request they had issued. Gratuitous ARP frames are important as they update your machine's ARP cache whenever there is a change to another machine on the network (for example, if a network card is replaced in a machine on the network, then a gratuitous ARP frame informs your machine of this change and requests to update your ARP cache so that data can be correctly routed). Enabling this setting helps to block such requests - protecting the ARP cache from potentially malicious updates (Default = Disabled).

• Block Fragmented IP datagrams - When a connection is opened between two computers, they must agree on a Maximum Transmission Unit (MTU). IP Datagram fragmentation occurs when data passes through a router with an MTU less than the MTU you are using i.e when a datagram is larger than the MTU of the network over which it must be sent, it is divided into smaller 'fragments' which are each sent separately. Fragmented IP packets can create threats similar to a DOS attack. Moreover, these fragmentations can double the amount of time it takes to send a single packet and slow down your download time.

Comodo Firewall is set by default to block fragmented IP datagrams i.e the option Block Fragmented IP datagrams is checked by default.

• Do protocol analysis - Protocol Analysis is key to the detection of fake packets used in denial of service attacks. Checking this option means Comodo Firewall checks every packet conforms to that protocols standards. If not, then the packets are blocked (Default = Disabled).

• Monitor NDIS protocols other than TCP/IP - This forces Comodo Firewall to capture the packets belonging to any other protocol driver than TCP/IP. Trojans can potentially use their own protocol driver to send/receive packets. This option is useful to catch such attempts. This option is disabled by default: because it can reduce system performance and may be incompatible with some protocol drivers (Default = Disabled).

Comodo Internet Security User Guide | © 2012 Comodo Security Solutions Inc. | All rights reserved