Comodo Inc., a security company which makes its income by releasing SSL certificates, and which has also taken up security software development, has released version 3 of its free firewall - Comodo Firewall Pro. Comodo Firewall Pro(CFP) is a firewall distributed at no charge for both home and corporate use, which has capabilities that match and even surpass those of many famous shareware and freeware firewalls out there.

I’m an ex-ZoneAlarm user who was forced to move back to Windows Firewall when I adopted Windows Vista Beta 2 as my main Operating system(yes I know I’m crazy) and then when in late september I adopted the Vista-compatible Free firewall, I ran across some serious issues and decided it’s best to not keep it. ZA Pro for Vista was not released to this day, and I was stuck with Windows Firewall for over a year. That was, until Comodo Firewall Pro 3…

I came across CFP 3 on ieXwiki’s Vista software compatibility list, which saved me countless times, but was very reluctant to adopt a beta after the ZA debacle. However, a product whose previous version had scored EXCELLENT among the top 4 firewalls on Matousec’s page definately got my attention. So I decided to give 3.0.9 a go. And I fell in love with it. So what exactly was it about CFP that made me like it so much? To put it simply it’s the sheer richness of features and customizability that it offers and I could say the same for its resource demands - of all firewalls with such advanced features that I’ve tested this one is the lightest.

As with many firewalls out there, CFP has taken a step beyond traffic control of network only, and into the realm of application behaveior control. The component responsible for this is called Defense+. When an application exhibits questionable criteria of behaveior, it is frozen and a D+ pop-up alert is issued. I took an active role in the beta testing and feedback on the official forums.

Install package

Installation was pretty straightforward and easy. I encountered no difficulties and found it to be quite easy. It didn’t hog the computer nor did it cause high disk activity. All it really did was spend much time installing the drivers, but it falls well into the category of quick installs. Once that has been done, the firewall asks for configuration. It was simple and went smooth.

Hefty package I must say. 31MB, should look more promissing to the masses than those 2MB firewall installs I’ve seen… I believe the install space estimation isn’t correct however, and there’s two reasons for that. The firewall may require 50MB of HDD space, but mine actually uses some 53. I would set the threshold at 60 or even 70. Second, firewall folders such as C:\ProgramData\Comodo\Common\DB\DDB\CPL contain some 700 files. Due to cluster-fill avalanche effect(example: a 1-byte file will take up 4KB on the disk, more such files amplify the effect) this makes the folder, which contains 110KB of actual data, occupy 3.1MB on disk. Now let’s take that to larger scale and check the entire C:\ProgramData\Comodo\Common\DB\DDB folder. Size: 32MB, size on disk: 52MB. And there’s still the install in Program Files which is 20MB. I would recommend some 80-90MB, it’s a hefty firewall. I’ve seen many people pick their security apps by how much space they take, and condemn anything that stretches to 100MB or more, but is that really such a problem with today’s storage?

The install itself is straightforward and fast. You are asked 2 or 3 questions about how you’d like the firewall to behave and how advanced its alerts should be. The uninstall is just as simple and clean — all it ever leaves behind are a few hidden empty folders and a registry key saying when the last check for a new version was performed.

Firewall

Pros:

Now about the firewall itself. Once properly configured the firewall will behave like any high-end firewall out there. It will pass any and all leak tests with flying colors. I’ve ran both web-based tests and portscans from other machines and I could not find my computer. Excellent job. Pop-ups for every application trying to access the internet, possibility to create advanced custom rules or even predefined profiles, all you would expect from a powerful corporate product, and is a rebutable rival to any top-notch firewall out there.

Cons:

I actually failed Shields Up and a few others at first because the firewall allowed ICMP traffic even though I had selected to configure it for perfect stealth yet I still had to delete the one Allow global rule that it creates AND add an ICMP block rule on top of the default Block rule before it passed. The most important thing to know for every security-paranoid out there: a firewall will never completly hide you from hackers as long as you’re running applications which open up ports. Yahoo Messenger for instance, opens port 5101 which can be manually blocked without any loss in functionality. However, programs such as P2P clients like torrents NEED to keep an open port in order to communicate. If any of those cause you to fail a firewall test, the firewall is NOT to blame. Said programs need to be closed if you want 100% stealth from portscans. But most portscans give up if they don’t at first recieve a ping anyway.
Defense+

Pros:

I have not yet come across a firewall which can create custom rules to protect other programs against process termination or memory access. The fact that you can configure and create custom rules about what apps, registry keys or even files and folders a program has the right to access just turns it into the ultimate security policy tool. Imagine I can restrict IE or FireFox to only access its cache and a few isolated registry keys, I’m sandboxing them without the need of an annoying UAC or other methods of user access restriction. There are too few firewalls that I’ve seen out there who accept wildcards. To my experience, the firewall had a major impact on my PC Security Test 2007 results, having raised my score from 100%-80%-50% to 100%-100%-75%(I use antivirus too, mind you), the only thing that I failed being Internet Explorer malware installation. I’m sure I can block that by configuring the firewall to protect said points of entry if I have the mood for it, but I don’t use Internet Explorer.

Cons:

Just like the Firewall, default config is where it loses, and where it’s lost before. By default, the firewall does not protect itself against process terminations. In the editor’s review on Softpedia, CFP revieved 4.5 star voting by 500+ users, was awarderd the Softpedia Pick, and a 5 star rating from the editor himself. I don’t think it gets any better than that. Wanna know what his only con was against CFP? That it could be terminated easily via task manager. CFP’s process termination protection is misleading. You may think that just because you configured an app to be protected against termination it that will. But no, you have to have the function enabled FROM the general Defense+ settings. The per-app protections are only carried out then. Another thing I found annoying was keyboard and monitor protection vs. keyloggers or spyware. Sure it’s a sure stopper for them nasty little bugs, but stuff like games, media players or even Firefox triggers them! They’re too primitive.

Performance

Pros:

The firewall feels as if it was spawned by AVG or NOD32 in terms of performance. Its two processes will use, at the very most, a total of 10MB RAM, and I have yet to see CPU usage go over 0%.

Cons:

The only thing I found wrong with CFP performance was disk usage during log writing. Let’s say I fire up uTorrent and I’m downloading something. With all the new connections being made and unmade the firewall’s DoS protection starts blocking about 10 connections a second. Ten times a second my harddrive makes short sounds for each logged block attempt. It’s a killer. I had to disable logging. Other firewalls however, don’t have these issues. I suggest implementing a more effective algorythm for log writing.

Interface

Pros:

The firewall has a security level slider which allows for easy changing of behaveior aswell as an installation mode, which can be activated to avoid annoying pop-ups during software installations. This only applies to D+, and if installers need to access the internet, you will still get pop-ups.

Cons:

I really don’t like the colors, though the design is somewhat user-friendly. I’m not really that bothered by its complexity and the fact that it’s harder to config as long as it does the job nicely. And thank heavens, that’s what CFP does best, though I must admit a few skins containing less white and more blue, orange, or green would be nice. I’m not one to give importance to the aspect of programs(just look at NOD32), I only look at the technical side, and at that it pleases me very much. However, your average Joe will mind, and the most computer users are average Joes. Version 2’s interface was pure genius, they should have kept that I believe.

Stability/Security

No complaints so far(aside from the beforementioned logging). Everything running smooth as it always has. 10MB RAM usage, 0% CPU. With a product this complex, it’s a miracle. As for security, well it passes all tests it has passed as beta so far and there’s really not much to say there. Wether default configs for ICMP and self-protection against termination are now on by default, I cannot say.

Bugs?

There is some debate on the forums about ironing out bugs. Version 3.0.12.266 final was released on November 20th and version 3.0.13.268 was released two days later. The developers say that there were two small bugs they could have easily fixed and that that’s why they decided to release a second version so quickly. I’ve personally hardly had any issues with CFP3, and the most users have not, however, I’ve had my gripes about the final stages in its development. Back when CFP was RC1, a thread was made asking if it should be released on Nov 20. I voted NO, and this was because I saw that many bug reports were still coming in. Like any point oh version, expect that there will be some system configurations, be they hardware or software, which may not work as originally designed. I’m not trying to scare anyone, I only think they may have released it a tad too soon. There are known issues with some systems which run Avast!, Spyware Doctor, or other spyware-blocking programs which control app behaveior at a driver level. Also, some of you with more “exotic” connections, such as shared connection, wireless, VPN etc. may experience problems. The forums are teeming with activity in the bug report section. Forum moderator ~cat~ has posted a short list of temporary fixes for the most common problems in a thread on the Comodo Forum. Hopefully they will be of help to those of you who run into problems.

The developers are not going to be releasing “nightlies” or any builds as quickly as they did with 3.0.12 - 3.0.13, it will probably be a month until the next version. However, the administrators of the forum have said that the team has already started fixing the bugs, so if you’re going to be a bit cautious about deploying it, you may aswell wait another month until the next version is out.

Bottom Line

CFP is quite simply the best freeware firewall ever created. It aims high and lives up to its expectations. Version 3 brings both x32 and x64 compatibility for everyone’s needs. If you’re just a regular user who just wants to know he’s not going to get hacked, then really Windows Firewall will keep the ports for you without any hassle. More companies like Comodo should exist out there. If you’re someone concerned of not having malware phone home or unwanted connections, you should install it with D+ deactivated. If you’re a poweruser looking for a very tight firewall no doubt this may very well be the firewall of your dreams.