Slashdot Mirror

And you just hit right on the head the biggest security measure you can do-get them off IE! I have found by getting them off IE, either with FF, Seamonkey(the older folks seem to prefer its Netscape style layout to FF), Kmeleon(for older machines) or Flock(for those into social networking) the rate of infection goes WAY down with my users.

The second biggest security advice I can give is don't make your users think. I have Comodo set to auto scan nightly based on their usage patterns, Spybot set to do the same, Foxit does its own updates, Windows set to autoupdate, etc. I have found that by relying on the user as little as possible it helps to keep the system up to date and less of a target. Relying on the user is how so many end up with a four year old out of date Symantec "product" as the only AV on a users machine.

But I personally think it is funny that the head of Symantec is warning about free AVs, when oftentimes his "product" will drag a machine to its knees worse than any malware infection! When I hand the customer a box that previously had Symantec their machine with something like Comodo installed the first thing they comment on is how much faster their machine is, which is kinda sad, as once upon a time (during the days of DOS and Win9X) Norton was a sign of quality. But like most things Symantec touches Norton turned to crap. BTW, is there any product the Symantec bought that hasn't turned to crap?

Sure there is. For example I like to know EXACTLY where a program is hooking to and why, because whether it is legit or not I don't want a program "calling mommy all the time" sucking up all my bandwidth. With Comodo Internet Security I can see exactly which ports and IP addresses a program is connecting to and decide if I want to allow it to communicate or not. There really isn't any fine grained controls on the XP firewall, it is "all or nothing".

I have also noticed that more and more programs, especially games, give themselves exceptions to the firewall rules. I want to decide where and if a program is allowed, like I have the last good free version of Copernic Desktop Search V2, after which they severely crippled the functionality of the free version to try to force you to use the pay version. With the XP firewall it would drive me nuts wanting to update whereas with Comodo as far as it is concerned I have no Internet connection.

If you haven't tried Comodo Internet Security you really should before passing judgment. It uses very little resources, has an excellent GUI that makes configuration a breeze, takes care of itself with very little interact required, doesn't slow down my gaming,etc. It really is a nice AV/firewall combo. And since it is free it will only cost you a little time to play with it and see if it is right for you. And hey, who doesn't like free?

Or he could just use Comodo Internet Security which has the firewall and AV together, doesn't bitch all the time or suck up lots of resources, and works great on XP32/64 and Vista 32/64. According to process Explorer it is using a whole 8.2Mb of RAM, took it about 3 days to learn which programs I use and what they do, and has been quick, snappy, and no problems with network shares. IMHO it certainly beats Zone Alarm and why run two programs when the one will do both jobs?

And if he is running the Zone alarm full package I've found this to be more stable and less of a hassle than Zone Alarm. Plus it is free, and who doesn't like free? But they have a nice business class version that my SMB customers are quite happy with. AVG and Zone Alarm IMHO have just gotten too bloated as of late. So if he is having trouble with Zone Alarm i would try Comodo. After all, it won't cost him anything but a little of his time.

It would help if he gave us the actual age of the machines in question. Working PC repair and builds I've had a chance to try just about all of them, and I recommend Avast! if it is an older machine that is very short on resources(256Mb) and Comodo on anything newer.

IMHO Comodo has a little friendlier interface and is a little more paranoid than Avast!, which means the first week you will get a few more false positives. But with an AV I'd much rather have it a little too paranoid than not paranoid enough.

I have mixed feelings about Comodo:

http://personalfirewall.comodo.com/

On one hand, in Proactive security mode, it will tell you anytime a process it doesn't know does anything. Accessess a registry key, tries to open a socket, tries to piggyback outbound placing a HTTP connection via the IE object, what .dll is getting linked for anything it doesn't know. It's miles ahead of Zonealarm, and it's free.

On the other hand, if CIPAV has an exception deep in the executable, then it's pointless.

I wish Comodo was distributed open source and you could compile it yourself using Visual Studio.

• Antivirus (use with firewall)
  • NOD32 ESET (fast, reasonably secure)
  • GData (slower, best possible protection)
  • Avira (fast, highly secure, & free version)
• Firewall (use with antivirus & antispyware)
  • Comodo (free, hard to configure)
  • PC Tools (free, easier to configure)
  • Zone Alarm (pay & free versions)
  • Agnitum Outpost (pay)
  • Jetico Firewall (pay & free versions, hard to configure)
• Internet Security Suites
  • Kaspersky
  • GData
  • BitDefender (cheapest)

That and lock down your browser, by installing Firefox, with NoScript, Better privacy, adblock plus, and deny cookies by default, then enable the cookies you want using the cookingSafe extension. Do that no matter what security software you have installed. Or of course you could save yourself a great deal of trouble by using Linux.

Every CA is required to provide a "Certificate Practice Statement" or CPS.

Mozilla should file a formal complaint with Comodo that they have failed in their CPS (section 4.1.2) obligation to "validate information provided by each Subscriber on the Comodo enrolment form prior to issuing a Certificate containing that information using the methods set out in the table at Section titled "Validation of Certificate Applications" of the CPS." per their "Comodo Relying Party Agreement ("Agreement")", presented as a legal contract between Comodo and anyone relying upon certificates issued by their CAs.

So, what does their CPS say about "Validation of Certificate Applications"?
Comodo CPS - [PDF Alert]

The end-entity certificate itself indicates that it has been "Domain Control Validated", implying that the applicant has legal control over the domain for which the certificate is being issued. The author, in this case, clearly has no such control over the mozilla.org domain.

IMHO, Comodo gets a FAIL, is in breach of contract and their CPS assertions, and Mozilla Foundation should file a complaint and make a claim against the Comodo warranty.

It should be sufficient justification for removal from any widely used application providing pre-installed "approved" CAs (a default truststore) and asserting that their end-users can trust their decisions on what CAs can be trusted "by default".

Mozilla Foundation and Mozilla Corporation have ample grounds to remove these CAs from their products per their existing policies.

Furthermore, the Comodo CPS has this gem:

b) InstantSSL Pro
InstantSSL Pro Certificates are the midlevel Secure Server Certificates from Comodo. ... All InstantSSL Pro Certificate applications include an out of bands validation
of the applicant's submitted information.
The maximum warranty associated with an InstantSSL Pro certificate is $2500.

I would say that Mozilla has a case for a $2500 claim for wrongful issuance of a certificate for their domain.

And under their Validation section, the Comodo CPS states in "2.4.1 Comodo SSL Secure Server Certificates":

Comodo Secure Server Certificates are offered in the variants listed below.
a) PositiveSSL Certificate
PositiveSSL Certificates are low assurance level Secure Server Certificates from Comodo ideal for mail servers and server to server communications. They are not intended to be used for websites conducting e-commerce or transferring data of value.

In accordance with section 4.2.2 (Validation Practices) of this CPS, PositiveSSL Certificates utilize third party domain name registrars and directories to assist with application validation in order to provide increased speed of issuance. Where possible, the third parties will be used to confirm the right to use the domain name used in the application. If the directory cannot be used to sufficiently validate a certificate applicantâ(TM)s domain control, further validation processes may be used. These may include an out of bands validation of the applicantâ(TM)s submitted information.

However, they have a nice disclaimer here:

Due to the increased validation speed and the nature of how Comodo intends
PositiveSSL certificates to be used, the certificates carry no warranty.

While I'm not defending Comodo, they could argue that the author, in applying for a certificate, knowingly violated their terms by requesting a certificate for a domain that he didn't have control over (and thus, is not their "fault"). They could also claim that they say that their certificates carry no warranty, as above (contradicting their other CPS that there is one), even though both appear to cover InstantSSL certificates

Every CA is required to provide a "Certificate Practice Statement" or CPS.

Mozilla should file a formal complaint with Comodo that they have failed in their CPS (section 4.1.2) obligation to "validate information provided by each Subscriber on the Comodo enrolment form prior to issuing a Certificate containing that information using the methods set out in the table at Section titled "Validation of Certificate Applications" of the CPS." per their "Comodo Relying Party Agreement ("Agreement")", presented as a legal contract between Comodo and anyone relying upon certificates issued by their CAs.

So, what does their CPS say about "Validation of Certificate Applications"?
Comodo CPS - [PDF Alert]

The end-entity certificate itself indicates that it has been "Domain Control Validated", implying that the applicant has legal control over the domain for which the certificate is being issued. The author, in this case, clearly has no such control over the mozilla.org domain.

IMHO, Comodo gets a FAIL, is in breach of contract and their CPS assertions, and Mozilla Foundation should file a complaint and make a claim against the Comodo warranty.

It should be sufficient justification for removal from any widely used application providing pre-installed "approved" CAs (a default truststore) and asserting that their end-users can trust their decisions on what CAs can be trusted "by default".

Mozilla Foundation and Mozilla Corporation have ample grounds to remove these CAs from their products per their existing policies.

Furthermore, the Comodo CPS has this gem:

b) InstantSSL Pro
InstantSSL Pro Certificates are the midlevel Secure Server Certificates from Comodo. ... All InstantSSL Pro Certificate applications include an out of bands validation
of the applicant's submitted information.
The maximum warranty associated with an InstantSSL Pro certificate is $2500.

I would say that Mozilla has a case for a $2500 claim for wrongful issuance of a certificate for their domain.

And under their Validation section, the Comodo CPS states in "2.4.1 Comodo SSL Secure Server Certificates":

Comodo Secure Server Certificates are offered in the variants listed below.
a) PositiveSSL Certificate
PositiveSSL Certificates are low assurance level Secure Server Certificates from Comodo ideal for mail servers and server to server communications. They are not intended to be used for websites conducting e-commerce or transferring data of value.

In accordance with section 4.2.2 (Validation Practices) of this CPS, PositiveSSL Certificates utilize third party domain name registrars and directories to assist with application validation in order to provide increased speed of issuance. Where possible, the third parties will be used to confirm the right to use the domain name used in the application. If the directory cannot be used to sufficiently validate a certificate applicantâ(TM)s domain control, further validation processes may be used. These may include an out of bands validation of the applicantâ(TM)s submitted information.

However, they have a nice disclaimer here:

Due to the increased validation speed and the nature of how Comodo intends
PositiveSSL certificates to be used, the certificates carry no warranty.

While I'm not defending Comodo, they could argue that the author, in applying for a certificate, knowingly violated their terms by requesting a certificate for a domain that he didn't have control over (and thus, is not their "fault"). They could also claim that they say that their certificates carry no warranty, as above (contradicting their other CPS that there is one), even though both appear to cover InstantSSL certificates

Every CA is required to provide a "Certificate Practice Statement" or CPS.

Mozilla should file a formal complaint with Comodo that they have failed in their CPS (section 4.1.2) obligation to "validate information provided by each Subscriber on the Comodo enrolment form prior to issuing a Certificate containing that information using the methods set out in the table at Section titled "Validation of Certificate Applications" of the CPS." per their "Comodo Relying Party Agreement ("Agreement")", presented as a legal contract between Comodo and anyone relying upon certificates issued by their CAs.

So, what does their CPS say about "Validation of Certificate Applications"?
Comodo CPS - [PDF Alert]

The end-entity certificate itself indicates that it has been "Domain Control Validated", implying that the applicant has legal control over the domain for which the certificate is being issued. The author, in this case, clearly has no such control over the mozilla.org domain.

IMHO, Comodo gets a FAIL, is in breach of contract and their CPS assertions, and Mozilla Foundation should file a complaint and make a claim against the Comodo warranty.

It should be sufficient justification for removal from any widely used application providing pre-installed "approved" CAs (a default truststore) and asserting that their end-users can trust their decisions on what CAs can be trusted "by default".

Mozilla Foundation and Mozilla Corporation have ample grounds to remove these CAs from their products per their existing policies.

Furthermore, the Comodo CPS has this gem:

b) InstantSSL Pro
InstantSSL Pro Certificates are the midlevel Secure Server Certificates from Comodo. ... All InstantSSL Pro Certificate applications include an out of bands validation
of the applicant's submitted information.
The maximum warranty associated with an InstantSSL Pro certificate is $2500.

I would say that Mozilla has a case for a $2500 claim for wrongful issuance of a certificate for their domain.

And under their Validation section, the Comodo CPS states in "2.4.1 Comodo SSL Secure Server Certificates":

Comodo Secure Server Certificates are offered in the variants listed below.
a) PositiveSSL Certificate
PositiveSSL Certificates are low assurance level Secure Server Certificates from Comodo ideal for mail servers and server to server communications. They are not intended to be used for websites conducting e-commerce or transferring data of value.

In accordance with section 4.2.2 (Validation Practices) of this CPS, PositiveSSL Certificates utilize third party domain name registrars and directories to assist with application validation in order to provide increased speed of issuance. Where possible, the third parties will be used to confirm the right to use the domain name used in the application. If the directory cannot be used to sufficiently validate a certificate applicantâ(TM)s domain control, further validation processes may be used. These may include an out of bands validation of the applicantâ(TM)s submitted information.

However, they have a nice disclaimer here:

Due to the increased validation speed and the nature of how Comodo intends
PositiveSSL certificates to be used, the certificates carry no warranty.

While I'm not defending Comodo, they could argue that the author, in applying for a certificate, knowingly violated their terms by requesting a certificate for a domain that he didn't have control over (and thus, is not their "fault"). They could also claim that they say that their certificates carry no warranty, as above (contradicting their other CPS that there is one), even though both appear to cover InstantSSL certificates

How do you manage to find an image without SP2?!! :D
http://thepiratebay.org/search/xp%20sp2%20integrated/0/99/300

Anyway, I guess there are both good and bad things with XP including a firewall now. It's good that it protects somewhat after installation, it's bad because many people probably keep that inferior firewall instead of replacing it with something decent.

For instance:
http://www.personalfirewall.comodo.com/download_firewall.html (Bundled with antivirus, bad choice imho, for the user that is, nothing say that you want all of their products. Stupid apple technique (Oh, I see you want iTunes, here you get Quicktime and Safari to!)

http://www.personalfirewall.comodo.com/overview.html

Comodo has got to be a contender. Their new Internet Security package looks very good: http://www.comodo.com/

Try Comodo 64 bits, it's free:
http://www.personalfirewall.comodo.com/

However, I had a problem on my XP 64, because my bandwidth slowed down a lot due to this program.

In case you wanted an ACTUAL answer,and not just a bunch of geeks shouting Linux I would suggest either Comodo if you would like one with a built in firewall,or AntiVir if you just need AV. As a Windows repairman I have used both on many customers machines and they work quite well.

I know that shouting "Linux" is a great way to Karma whore here,but the simple fact is I'm sure he asked about Windows Av for a reason. Sometimes Linux simply isn't the right tool for the job,as anyone who has tried to get those damned Lexmark all in ones to work or run into one of the bazillion SMBs that have custom VB apps that are mission critical can tell you.

Another option could be "Comodo Firewall" http://www.comodo.com/ It's free unless you pay for their tech support, some nifty extra features, and remote troubleshooting.. It is mainly a firewall.. and an extremely intelligent and well-written one at that (IMO). It's default settings are decent, and you can fine-tune the engine for more/less security. It also comes with a "defense+" module.. basically it's a firewall but for your local computer. It mainly monitors for changes and such to prevent the installation of rootkits, trojans.. etc.. and you can scan your computer for malware + remove it as well. I find that Comodo has a relatively small memory footprint.. on default settings (vista 32bit).. seems like both the kernel-mode drivers and and Ui top out at about 60mb combined max (with defense+ enabled) and 30mb max (with defense+ disabled and only the firewall running). I've also found that Avast and Comodo work perfectly together.. so if you do not like Comodo's built in Defense+ mode you can disable it and just use Comodo's firewall + Avast's system protection. ClamAV may be your best bet however if you don't want an active scanner.

Why not take this time to try out something new?

Sure, but which A/V product? Grisoft's AVG, Comodo, Avast!, or ClamWin to name a few.

I'm really loving Comodo's firewall

For those of us using Win2K until it's pried out of our cold, dead CPUs, not a choice. Comodo BSODs on Win2K. In fact, after trying Comodo (and I couldn't find anything that said 2K was a bad idea), my system was so borked that I had to reinstall for the first time in 7 years.

Are you talking about Comodo AntiVirus or Comodo Firewall? (The GP mentioned both.) If you're talking about the firewall, then count me as another Windows 2000 user who's used it (version 2) without any problems for more than a year (switched from ZoneAlarm).

Sure, but which A/V product? Grisoft's AVG, Comodo, Avast!, or ClamWin to name a few.

I'm really loving Comodo's firewall

For those of us using Win2K until it's pried out of our cold, dead CPUs, not a choice. Comodo BSODs on Win2K. In fact, after trying Comodo (and I couldn't find anything that said 2K was a bad idea), my system was so borked that I had to reinstall for the first time in 7 years.

Are you talking about Comodo AntiVirus or Comodo Firewall? (The GP mentioned both.) If you're talking about the firewall, then count me as another Windows 2000 user who's used it (version 2) without any problems for more than a year (switched from ZoneAlarm).

Well, yes but.. (you've seen the complaints).

Other decent free ones are:
Avast is popular.
AVira seems good, you get one popup ad per update.
Comodo permits business use.
BitDefender has a free version.
I'm not including ClamAV because it's just a scanner, no realtime protection.

Posting AC because I've moderated,
number11

As posted above, try Comodo's products. Excellent! firewall software plus all the other security software you need for free.

These guys rock! Free life-time license, etc... Small footprint and easy to use. http://www.comodo.com/

It sort of already exists. I use S/MIME and Outlook. All of my email is signed. You can send me an encrypted email. All I did was go to a CA and ask for a free cert. http://www.comodo.com/products/certificate_services/email_certificate.html Unfortunately the only encryption algorithms available with outlook currently are 3DES and RC2 ...

• Comodo - Still in beta, lots of false positives. Configuration is all in local text files, so some level of remote management is possible, but they certainly don't provide the tools for it.
• PC Tools - Requires interaction from the user to do updates, so not a contender.
• ClamAV is free of course, but does not provide a scan-on-access monitor. More suitable for mail servers than workstations.
• Winpooch - uses the ClamAV engine for on-access scanning, project seems dead, never tried it.
• Spyware Terminator - Also does AV using the ClamAV engine. I'd never heard of this one before today, and unfortunately their site design looks a little on the fly-by-night side. They offer a corporate edition with central administration for the wacky price of $2 per seat per year.

To continue..

FREE Comodo Firewall
FREE Comodo Anti-Malware
FREE Comodo AntiVirus

FREE Comodo Firewall
FREE Comodo Anti-Malware
FREE Comodo AntiVirus

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

Have you ever tried Comodo's free firewall or free antivirus???

Both of them use whitelisting / safelists. Anything not whitelisted needs explicit permission from the user before they're able to read/write/delete/create a file or directory or access the internet. These two FREE (as in beer) products literally give you a similar level of control over what runs on your computer.

The Comodo antivirus doesn't work on Vista right now but will soon. Then again, this is Slashdot so we're all running XP right ?!?

For sandboxing, you can use VMWare Server (free as in beer) to generate an image to run in VMPlayer (also free as in beer) which you can then use within Windows. If you get VMWorkstation (not free but well worth it), you can get fine-grained control over snapshotting.

How about giving the user more choices? You might want to let them run it in a sandbox, or run it without internet access, or chroot it.

If they had a way to express their intent, and actually control how much they give away when they click... it would go a VERY long way towards fixing things, probably 99%.

Have you ever tried Comodo's free firewall or free antivirus???

Both of them use whitelisting / safelists. Anything not whitelisted needs explicit permission from the user before they're able to read/write/delete/create a file or directory or access the internet. These two FREE (as in beer) products literally give you a similar level of control over what runs on your computer.

The Comodo antivirus doesn't work on Vista right now but will soon. Then again, this is Slashdot so we're all running XP right ?!?

For sandboxing, you can use VMWare Server (free as in beer) to generate an image to run in VMPlayer (also free as in beer) which you can then use within Windows. If you get VMWorkstation (not free but well worth it), you can get fine-grained control over snapshotting.

To quote one of my former coworkers, we use Comodo, like the dragon. Their prices are decent and every time I've dealt with their support they've been responsive and helpful.

Comodo has firewall, A/V, and other mal-ware utilities for free for business and home use. Their firewall is excellent. At least it is more granular than ZoneLab's ZoneAlarm free version (which is only for home use anyway).

I'd also check out what Comodo is doing. Their free software is free for all, not just personal users (like Grisoft's AVG). They make their money off of web-site security certificates. I particularly like their firewall. It is very granular and allows you to create a myriad of rules based on software and/or ports.

The main obstacle to mass encryption these days is Microsoft. I expect to be skating over Hell's frozen wasteland before Microsoft adopts encryption in Outlook/Hotmail.

I've been encrypting and signing mail in Outlook Express and Outlook for years. The certificates are installed via XENROLL.DLL or CERTENROLL.DLL. Windows actually has a really good encrytion API.

If you go here you can get a free e-mail certificate. Once you install it to the cryptography store you can sign and encrypt mail in any Microsoft email program. If you use the Windows Live Mail application you can encrypt messages in Hotmail too.

I agree that a clean Windows 2000 with Service Pack 4 and all Windows Updates is not as secure as it should be without additional sofware. However, Comodo (and others) provides a good free firewall for Windows 2000. AVG and Spybot (and others) provide the needed protection against viruses and malware. Internet Explorer 6 is still getting security updates, but I think most users would be better off with the current versions of Opera or Firefox.

Getting back on topic, Windows 2000 is probably not a good solution for the "low-end PC market" anyway. There's a reason the only client version was called "Windows 2000 Professional." They could make it more usable for novices if they added an XP/Vista style "Security Center" that prompted the user to download free 3rd party firewall, anti-virus, and anti-spyware software.

must... preview...
steps should be as follows:

1) Not running as Admin.
2) Installing Commodo.
3) Installing Firefox.

The good news is that they already have a toilet-specific firewall.

(A quite good firewall, in all seriousness).

You are on DSL or Cable and do NOT have a firewall? Spend a few bucks and get one!

Spend money on one?! Dear oh dear..

Zonealarm (requires annoying popups asking you to buy),
Agnitum (requires reg),
Kerio (reverts to free features after 30 days),
Comodo (totally free as it's an advert for Comodo other products)

Although they may hold on to the enterprise market, why even bother with Norton AntiVirus or Internet Security when you can get Avast AntiVirus Personal edition for free! http://www.avast.com/eng/download-avast-home.html/

No, I don't work for them, or own stock. They've even updated it for Vista. The cost? Register for a free serial number every 14 months.

Comodo firewall http://www.comodo.com/ is nice free step up for those who think they need something more than Windows firewall.

In the year 2007, there is really no need for a consumer to pay for a product from Symantec/Norton, McAfee, or any other security software vendor that has been fleecing us for the last several years.

Matousec, which did the testing, found that the Comodo free firewall is the best. Are Matousec and Comodo completely separate organizations? Matousec is Japanese, and English is clearly not the native language of whomever runs Comodo.

Matousec's review covered "personal firewalls", an artificial category which may eliminate products of interest. For example, Comodo doesn't recommend its own firewall, it recommends the Trustix Enterprise Firewall, which is free, also.

At minimum, this is VERY weird. I'm not saying there is anything wrong, but anyone should wonder when all the traditional companies are shown to be producing products of poor quality, and three new companies are shown to be the most trustworthy. Especially when two of those companies give their products away free.

I've thought for years that Symantec and ZoneLabs were not hiring enough people with technical knowledge; their products show that. I discovered that Sunbelt Software was doing something fishy. Certainly the major suppliers have shown many examples of bad behavior.

But, what about these 3 new companies? How can it be true that they are immediately better than all the others?

Just to say I've been running comodo for ages, and find it great to use. Slows down the computer allot less then Norten and is far easier to customise and make rules for. Not to mention it has a very helpfull message board and its free. Comodo Site.

http://comodo.com/

They were the first company I found selling certs for $50 compared to Thawte which was around $200 at the time. Now we use a wild card cert which costs $449 + $10/server. We use it on 15 servers with 20 or so hostnames (*.url.com) right now. It makes it a hell of lot easier to update and manage only one cert.

We have had no reported problems with browser compatibility.

http://www.antivirus.comodo.com/ But read this http://www.emailbattles.com/archive/battles/securi ty_aadgdfdddh_ah/