Comodo’s CEO Attacks Scot’s Newsletter Product Decision

Comodo’s president and CEO, Melih Abdulhayoglu, used his forum today as a podium to blast this Scot’s Newsletter Jan. 20th blog post. In that post, I notified readers here of my decision to stop considering one of the two modes that his company’s software firewall product, Comodo 3, offers during installation.

In the Jan. 20th post, I explained that because Comodo 3’s “Basic Firewall” installation option does not offer full-fledged leak protection, and because my first impressions of Basic Firewall’s user-interface were favorable, I needed to make a statement to my readers that:

a) Comodo 3 Basic Firewall installation mode is no longer under consideration in my review (see my firewall review criteria).

b) My recommendation would be to use Comodo 3 Advanced or some other software firewall (such as Online Armor, the only other software firewall I’ve had a favorable reaction to).

At the urgent request of Comodo’s marketing department, I even made some tweaks early today to the Jan. 20th post to make doubly sure that people would understand I was talking about one mode of Comodo 3, not the entire product.

Abdulhayoglu took me to task for everything from my terminology to my advice to SNB readers to my understanding of what his company has communicated to me over the last week. Nothing he writes in his diatribe changes my mind one iota about my recommendation to my readers. Do not use Comodo 3 Basic Firewall. It does not provide leak protection. The Advanced installation mode does offer leak protection, which helps protect you from threats that might, for example, cause your personal data to be accessed.

Now, as to the facts. Abdulhayoglu claims that I misunderstood information that Comodo imparted to me. Well here is that information, which was written by Comodo senior research scientist Egemen Tas and relayed to me in a lead-up email prior to our meeting last Thursday by Comodo vice president of marketing Judy Shapiro:

CFP 3 BASIC vs CFP 2.4

CFP 3 BASIC New Features
1 – CFP 3 consumes 2/3 of the memory of 2.4(7 MB vs 22 MB), consumes less CPU time
2 – CFP 3 has many user interface enhancements over 2.4
3 – CFP 3 introduces Predefined Rule Sets(e.g. Email Clients/Web Browsers etc)
4 – CFP 3 does not require the users to create manual firewall rules. For example, to make CFP 2.4 work with P2P applications (to get a high ID), the users had to create network security rules. CFP 3 shows popup alerts for incoming connections (CFP 2.4 did not have this functionality)
5 – CFP 3 has the defense against Layer 2 attacks (ARP spoofing)
6 – CFP 3 rules interface is much more flexible and powerful
7 – CFP 3 has a unique feature called “application grouping” i.e. File Groups. For example in CFP 3, more than one application can be grouped together and treated as 1 application. For example: “Windows System Applications” etc. And CFP 3 supports wildcard characters and environment variables (e.g. %windir%, *, ?)
8 – CFP 3 automatically detects the new networks and can create trusted zones on the fly
9 – CFP 3 has a Training mode for GAMERS and GAMING friendly
10 – CFP 3 BASIC can detect 70% (according to our local analysis) of unknown viruses with a unique static heuristic analysis algorithm. This is not related to Defense+ or any behavior analysis. When an application tries to connect to the internet, CFP FIREWALL alert can show a clear virus warning.
11 – CFP 3 supports Vista and x64 processors
12 – CFP 3 currently does not have an Anti-Leak mode similar to CFP 2.4. If Defense+ is disabled, unless it is detected as a virus, leaking is possible. (3.1 or 3.2 will have an anti leak mode)
13 – CFP 3 has a blocked IP addresses/hosts list e.g. spyware sites etc(My Blocked Network Zones)
14 – CFP 3 has 1-Click stop all activities feature.
CFP 2.4 does not have a hips i.e. does not prevent the harm however it can detect known leak techniques and show an alert if there is an internet connection attempt.

There are some user transparent features in CFP 3:

1 – A new enterprise strength stateful inspection engine,
2 – It can be managed remotely
3 – It performs stateful layer 2 inspection
4 – It detects routers, switches and optimizes MTU in slow networks

I asked Shapiro for a clarification on point #12 above. Here is her response from Monday of last week:

As far as your question around whether 3.0 “Basic” is less “protective”. Not sure how to answer that. 3.0 is meant to run with Defense + running but it would be accurate to say that Defense + module is needed to protect against “leaks”

Abdulhayoglu, in his forum post, never directly comes out and admits that Comodo 3 Basic Firewall doesn’t have anti-leak protection. That’s part of the problem! My readers weren’t aware that this was the case because I wasn’t aware until SNB commenters drew my attention to it. I then asked Comodo for verification of that fact — and got it.

At this writing, I am unable to find a document on the Comodo Web site that provides a features/functionality comparison of Comodo 2.4, Comodo 3.0 Basic Firewall, and Comodo 3.0 Advanced. Without that information, Comodo’s users are left to guess.

My concern was that my readers might guess that they had protection with Comodo 3 Basic Firewall that they do not, in fact, have. So I moved to make that point clear. I just wish I had made the point sooner.

My only responsibilities are to the interests of my readers and to being as accurate as I can be. I believe I’ve met both goals.

— Scot

Added on January 23, a picture of the Comodo 3 installation screen that offers the choice between the Advanced Firewall and the Basic Firewall:


16 Responses to “Comodo’s CEO Attacks Scot’s Newsletter Product Decision”

  1. alexgieg Says:

    This makes things much clearer. I myself am still not confident in Comodo 3.0 Advanced, it doesn’t seem to be a superior product to Comodo 2.4, and it gave me headaches, as I mentioned in a comment to your previous post on the subject. But it seems 3.1 or 3.2 might improve things a bit. I guess I’ll wait before choosing between it or Online Armor for my office computers. Good thing I don’t have to make this choice for my home, where Ubuntu is king. 🙂

    Thank you for keeping us updated, and keep up the good work!

  2. leland Says:

    You as an independent reviewer of software have a responsibility to your readers to print the truth no matter how a software author or company likes it. Thanks for sticking with it. This makes me respect Comodo a lot less than I have in the past and I suspect it will make many people think again about using Comodo products.

  3. Japo Says:

    Hi Scot,

    First of all I’m coming from the Comodo forums and I’m actually a mod. This is just to show my cards, don’t worry and please don’t regard me more as an outsider than any of the other commenters. Sorry for the exceedingly long comment though but I’ll try to explain what I see partially as a misunderstanding and I think this is the right place.

    I don’t think borders are as clear as you put them, let me explain. Even if you are in CFP3’s advanced mode, you can still ruin its leakproof-ness by disabling Defense+ even only partially (not “deactivating” which isn’t even the same as “disabling” in CFP3 and instead means switching to the “basic firewall” mode).

    So what, you’ll say. The point is that you can do the same changing the settings of CFP2, OA or any outbound firewall: all can be configured so that their leak protection is ruined. Back then before CFP3 was final when people asked at the Comodo forums if they should deactivate behaviour analysis, I warned them that of course but that would compromise their outbound leakproof protection –still some would go ahead and do it.

    The features in CFP2, OA etcetera that provide leakproof protection are technically speaking HIPS capabilities, even if they’re concerned only with preventing leaks and let malware otherwise roam the machine at leisure. They’re HIPS to the extent that they may conflict with standalone HIPS software: if you have installed a HIPS program that monitors inter-process memory accesses and global hooks (by means of its own global hooks), and on top of it a firewall with leak protection which has to monitor those same things (by means of its own global hooks) if it’s to pass the leak tests that OA, CFP2 and CFP3 (in “advanced” mode) do pass, then it’s clear that both programs are redundant and their conflicts may cause problems.

    The idea behind CFP3 is that, since a firewall must have HIPS support (either its own or from a separate HIPS program) to be leakproof, why not extending CFP’s capabilities so that it protects your whole computer and not only prevents unauthorized calls home, makes sense. Most people think of an outbound firewall as a last reactive line of defense so that even if they get infected they prevent the malware from stealing their data. But what if the infection includes a rootkit that stealths the another malware from the whole system? This would allow the malware to connect without even bothering to use leaking techniques because the rootkit is hiding it.

    The “basic firewall” option was added at a last stage of development and because of user demand, see here:

    As you can read there the whole purpose of the basic firewall mode was in case someone wished to use CFP as a firewall but another program instead of D+ as a HIPS. Perhaps this isn’t made clear enough in the installer, but it does say that the basic firewall does not protect against malware, that you need D+ for that, and only malware attempts leaks (well maybe also Windows Media Player LOL). (And as you can also read there, the middle-ground with limited anti-leak HIPS which would resemble CFP2 or other firewalls was already in the development queue way before the basic mode was requested, only that the order in which both features have been finally added has been the opposite.)

    Again I repeat my point: you can configure any firewall into ruining its leak protection. You’re making a big difference because CFP3 gives an option when installing not only afterwards from the interface. But I see no qualitative difference. Maybe the phrasing of the installer could be made clearer.

    Only a final remark, it’s okay that you say that CFP3’s “basic firewall” mode offers no leak protection (unless combined with a third-party HIPS of your choice), but in your post the alternative you recommended was switching to OA: fair enough, I’ve heard it’s a neat product, but you don’t even mention the alternative of switching to the default “advanced mode” of CFP3, as though it were undesirable for some reason. (And for Vista users who don’t have OA for their OS you inform them that they must uninstall CFP3 to activate the advance mode, that’s not accurate, you only have to go to “Defense+ > Advanced > Defense+ Settings > General Settings” and then change the option at the bottom, of course a reboot is necessary but nothing else.)

  4. Scot Says:

    Japo, thanks for the calm attempt to argue the point here. I appreciate it.

    Taking your last point first, I did say that you could uninstall and reinstall Comodo 3 and select Advanced mode. Read what I wrote again in the Jan. 20th post. I recommended that Vista users in particular choose this route, since OA doesn’t support Vista. That last part may be annoying to Comodo supporters, but it’s what I currently believe is the best bet for all concerned. As I wrote at the end of this piece, more to come.

    [Note: Since I wrote the Jan. 20th post, SNB readers and Comodo have pointed out that you don’t have to uninstall and reinstall Comodo to switch to the Advanced mode. I’m told that you can achieve the same goal by re-enabling the Defense+ HIPS module.]

    I take your point about running behind a third-party HIPS, but that really misses my point. My stated criteria for firewalls I recommend includes that they must offer leak protection. While I did not make an out and out recommendation for Comodo 3 Basic Firewall, I did mention it positively back in November. I have received numerous emails from Scot’s Newsletter readers who trust my opinion and recommendations saying, in effect, “I tried Comodo 3 Basic Firewall when you mentioned it and I like it, so I’m going to keep using it until you tell me otherwise.” I have a responsibility to my readers to tell them otherwise when that is what I fervently believe.

    No amount of extenuating circumstances, nuances between sort-of-HIPS and whether or not it’s possible to defeat the HIPS in different ways matters in that scenario. What it’s about is making sure my readers are aware of the differences between Comodo 3 Basic Firewall and Comodo 3 Advanced. It’s important for software makers to realize that their user interfaces are responsible for communication with their users.

    As I wrote in the post that tops this thread, I am unable to find specific feature communication about the differences between Comodo products offered anywhere by Comodo — other than the document they emailed me. Perhaps even more importantly, the Comodo 3 installation screen that offers the choice between Advanced and Basic Firewall does not specifically detail that a user’s choice of Basic Firewall eliminates leak protection. That should be spelled out under the Basic Firewall heading. Had it done that, all of this would never have happened.

    It’s about communicating with Comodo users, regardless of their technical level. Relying on a forum for that is not enough. It needs to be baked into the code and spelled out on the company website.

    — Scot

  5. Japo Says:

    Scot, I indeed understand that you were bound to warn your users because you had recommended the basic firewall option and it isn’t leakproof on its own. As you say, the nuances don’t matter –I just tried to explain them for your readers: CFP3’s so-called “basic firewall” is not a separate product, it’s a configuration option.

    The fact is, CFP3 does offer leak protection. Configured below its maximum protection, it’s not leakproof… just like any other firewall. The ways in which CFP3 lets itself be configured, during installation or afterwards, don’t matter either. Perhaps the phrasing about the basic option is not clear enough, it currently says that it doesn’t offer protection against malware but I’ll be sure to comment it at the forums that it’s made clearer.

    However the case is that when you wrote the 20th Jan. post to make clear that (unlike you had understood at first because of the installer’s phrasing) the basic option is not leakproof, it was more than merely your phrasing what spooked CFP users and created somewhat of a public relations disaster for Comodo among your constituency. You say that CFP3 (in its advanced mode) is still in consideration because it complies with your criteria, but you urged the CFP3 users who had chosen the basic option to switch to another product, as though it didn’t exist the possibility of configuring back their CFP3 so that it offers leak protection, just like any other firewall can be configured so that the protection is increased or decreased.

  6. rickogorman Says:

    Hi Scot,

    In fairness, I think Japo has a point here. You did recommend in the original post that XP users should switch to another product, while Vista users should re-install:

    “If you’re relying on this version of Comodo 3 for your firewall protection, Windows XP users should switch to Online Armor FREE version (or newer) and Vista users should uninstall Comodo 3 and reinstall it, choosing the “Advanced” installation option.”

    Why not just point out that XP users could also switch to the advanced version if they wish? Encouraging them to switch to another product seems punitive in the absence of a rationale for this.

  7. Scot Says:

    I understand the point you’re both making. It is a reasonable point. I did decide not to go into my reasoning on pointing XP users toward OA for now. It’s why I wrote I would post more in the near future.

    I do think that XP users — especially those who don’t frequently install new applications — have a reasonable option in switching to Comodo 3 Advanced. But here’s why I decided not to get into that level of detail within what was a simple post meant to focus on Comodo 3 Basic Firewall:

    I have some more research to do with the latest build (277 at last check). To be honest, I have received a lot of email from Scot’s Newsletter readers who are very frustrated with Comodo 3 — and not just Vista users. Melih and team owned up to issues for some Vista users with the earliest releases of Comodo 3, which they believe are fixed in 277. But when I asked about issues with XP users, they denied a significant set of issues there. The data I’ve collected don’t match that viewpoint. What I’ve learned from the many, many people who have emailed me or posted on this blog is that it’s not just Vista — there are or were issues with XP too.

    The fact that Comodo has released so many incremental builds of 3.0 since its initial launch is also muddying the waters. I have no way to be certain that people are reporting problems with older builds where bugs have been fixed. This is why many development teams post detailed bug-fix lists by incremental build. If that information exists for Comodo, I have not been able to find it.

    The upshot is: The waters are roiled up right now around Comodo 3. A lot of people are angry or frustrated. Some of them possibly unnecessarily so. Or perhaps it’s for a very good reason. I have no way to tell.

    My concern, again, is my readers. The Defense+ experience is not perfect. Especially if you download and install several programs each week. You’re apt to see a lot of pop-ups in that kind of usage scenario. If you don’t install new applications very often, my findings have been that it’s a pretty good experience.

    But there are far too many variables at play for me to fully support Comodo 3 at this point. And hanging back and waiting to see what develops is rarely a bad thing to do in such a situation. For what it’s worth, and I don’t mean this to be inflammatory, it’s just the plain truth: While I’ve received just as much feedback from Online Armor users as from Comodo 3 users, that feedback has been a lot more positive than the Comodo 3 feedback. There’s nothing even remotely statistically valid about email messages. But I do pay attention to this information. SNB readers tend to be extremely detailed and very fair in their assessments. The ones who have an obvious bias I discount.

    You can see an example of what I’m talking about in the post by wraithdu in this comment. Understand that I have received literally hundreds of messages like this one detailing people’s experiences with Comodo 3, OA, or both of them since November. Some of them are readers I’ve been corresponding with for years.

    I have not made my decision about Comodo 3 or OA 2. They each offer positive attributes. There are also aspects of Comodo 2.4 that I prefer over Comodo 3. This universe of finalists in the software firewall category represents what I consider to be the very best products for medium to advanced desktop computer users and small businesses. All I simply did was warn my readers away from — as you say — a primary configuration option of one of them.

    To be honest, to me, this all seems like a bit of a tempest in a teapot.

    — Scot

  8. Japo Says:

    Okay now I understand why you resorted to OA to be sure about what you recommended to your readers. However waters are muddy in more than one sense. After the major bugfixes after the first release, we have no evidence that there are existing critical bugs standing (I’m not assuring this let alone asking you to believe it). We at the forums do know that a lot of people are having problems because of fiddling with the settings. Ironically, many people who finally think that D+ is too much for them had at first overestimated their knowledge modifying the default settings. We are trying to separate the real bugs or conflicts from these other many cases.

    I’m not going to advocate CFP against other options let alone here abusing Scot’s hospitality, but for people willing to try Defense+ I have some brief advice: let everything as default during installation. Nobody I know likes to set it at specially tight levels, no matter how knowledgeable they are. As with any piece of low-level security software, it’s very recommendable temporarily disabling any real-time disk protection (AVs etc.) during installation. And when installing new software after CFP, make sure you use the tools intended for that: the “installer/updater” policy and the special installation mode.

    Thanks Scot for letting everybody have his word. I agree about the tempest in a teapot. See you.

  9. Japo Says:

    Oh sorry I forgot I wanted to say that the 3.1.x version of CFP will reportedly include a third configuration mode, leakproof but without extended HIPS, much like CFP2 or other firewalls. However please understand the difference: Defense+ can defend in the first place against infections that may compromise the most leakproof of firewalls.

  10. Japo Says:

    Oh sorry I forgot I wanted to say that the 3.1.x version of CFP will reportedly include a third configuration mode, leakproof but without extended HIPS, much like CFP2 or other firewalls. However please understand the difference: Defense+ can defend in the first place against infections that may compromise the most leakproof of firewalls.

    Bye again.

  11. GQ Says:

    All what Scot say about Comodo 3’s “Basic Firewall” it’s the simple truth.
    Comodo “Basic Firewall” it’s very, very basic firewall, and protect what protect?
    Comodo’s CEO attacks and reaction is typical

    Melih say:
    Simple task of a firewall is to provide visibility to in/outbound traffic hence its called outbound protection.

    Now I have two question for you Melih.

    1. because Comodo don’t provide “cmdagent.exe” visibility to in/outbound traffic, when itself make hidden connection to Comodo server port 80, COMODO V2 firewall.

    2. because Comodo don’t provide “cmdagent.exe” visibility to in/outbound traffic, when itself make hidden connection and DNS request to DNS port 53, COMODO V3 firewall.


  12. JustinZ Says:


    The simple solution seems that it would be to only offer the advanced option, then let the advanced users disable Defense+ if they wish to use a 3rd party HIPS program. The basic user just wants to be protected, so why not automatically set them up to be protected. Why should the “basic” user have to do more configuring than an “advanced” user?

    Offering a 3rd option is even more confusing to the “basic” user. Again using basic user term carefully as they are actually the advanced users who have to do even more configuring. And again I say, let the advanced users configure the program to their needs.

    I have been a long time supporter of Comodo and I appreciate that they stepped up to the plate with the release of Vista, but this seems like common sense to me, a “basic” user of your software. Or should I say “advanced”

  13. Japo Says:


    I can see CFP’s apps connecting when it updates etc. and can log them if I want, however I haven’t checked the cmdagent.exe one you mention. If you really want an answer you can post in the forums about it. And is hired by Comodo for service concerning updates I think, it’s been already asked in the forums a couple of times, however if you don’t really trust Comodo I guess you wouldn’t trust its own servers more than some hired ones.


    First let me say that it’s not “our” software, regretfully I own no stock. 😛 For me it’s still theirs (Comodo’s). The story of my life in the Comodo forums is as follows: I registered to get support, later I started to help when I could, much later (like recently) I received a PM asking, do you want to be mod? I said why not, if I’m already willing to help I’ll be doing just the same work plus a little moving/merging/etc. I’ve registered in other vendors’ forums in the past. It wasn’t even any Comodo staff who contacted me or selected me in the first place, only other volunteering mods who were in the same situation I’m now. In Comodo forums, the people really affiliated with Comodo beyond the forums (that is employed and, unlike me, paid) all showcase the same “staff Comodo” avatar –the same one as Melih himself. As for posting here, nobody either sent me directly or even suggested me to, and what I felt like saying here to get things clear was on my own accord and probably different from what Melih or whoever would, had he decided to post here. Sorry about the long reading I just wanted to point this. 🙂

    And the corollary is that even though my posting here may look at first as an invitation to turn Scot’s blog into an advice column for CFP, still the Comodo forums are the place for it. 🙂 Besides there are many questions I can’t answer but others there will be able, including if necessary Melih or Egemen (CFP lead developer).

    As for your point about the options, I think it’s more about getting the message right with crystal clear language and taking into account that people needn’t be experts and what they understand will be conditioned by what they expect –a v2-like program. Because people can still disable D+ even if they choose the advanced option, even if it’s “active” (the system hooks are in place) but it’s set not to act at all. Moreover a lot of people have nothing more than the Windows firewall with no outbound control at all –and some of them even understand the implications and it’s fine for them. So I still think it’s still about providing as many options as possible and making sure the implications are clear, rather than limiting the options that users get depending on their knowledge, or how deep they have to dig to find the configuration options. Because if CFP just buried the configuration options deep in a hostile interface, finding them would be no guarantee that the user knows his stuff, and advanced users may have as many problems finding them and would complain with reason.

  14. GQ Says:

    Melih, Comodo’s CEO answer on Comodo forum, but not on my questions! It was a “geniune” question actually.

    Dear Melih, do you not find absurd any further discussion against “outbound test” (i.e DNS leaktest, or DNStester leaktest) when Comodo Firewall act and matching in this mode in same time?
    No matter if you practice, basic or full installation of Comodo firewall!

    Comodo firewall don’t provide “cmdagent.exe” (comodo firewall service), user transparent visibility to in/outbound traffic, when itself make hidden connection and DNS request to
    The address is (, port:53, protocol:UDP.

    Each Comodo user can confirm this, just create a rule to block & log everything going in/out to IP address ( or IP range), and after look in comodo log.
    Comodo Firewall v.3 use functions to make a recursive DNS query (connect/redirect connection) to the “recursive” DNS servers, a virtually undetectable form of attack that quietly controls where victims go on
    the Internet

    This is alarming as vulnerable PCs could be hijacked to always point to a malicious DNS server for all Internet access.
    The alarming part of this is that users may feel they are doing valid online transactions, but are in essence giving the “good” guys private data or other identification.
    If the initial exploit code was not stopped, the attack would give attackers virtually undetectable control over the computer.
    It’s really the ultimate back door?

    – GQ

  15. Leopard19 Says:

    I’m still worried about that DNS connection from CFP. I posted about it not long ago in Comodo forum and got an answer from Melih saying he’d ask his staff to take care of the issue. He also agreed with me on the point that it would be much better to have a Comodo IP instead of as an address for file submission. Well the change hasn’t occurred yet, and I hope it will happen soon. By the way I found today that also hosted DNSStuff. Can’t tell if that’s good news…

    That said: I’ve been a supporter of Comodo Firewall for a while now, and that will not change. Give me the name of another company that, even for promotional reasons, make available to the public, for free, a firewall with the quality of the former 2.4 version (I know about the cmdagent cpu load issue, but the software was fantastic), and a firewall now as sophisticated as CFP 3.0 is. I know the point of this conversation here is whether or not CFP 3.0 can resist a leak test without Def+. Def+ is an amazing HIPS, and extremely easy to use even for newbies who just have to let it set to CleanPC mode and won’t be bothered with unnecessary alerts: the result will be a leak proof firewall, or software, or whatever you wanna call it doesn’t matter as long as the expected result is there.
    Then, again, OM ‘s not ready for Vista, where CFP is ready for Vista. OM has got an extremely outdated interface that reminds me of Win95, unbearable. The efforts that have been put into the conception and creation of CFP 3.0 gave birth to a fantastic interface, not only in terms of appearance, but in terms of what you can do with it. I’m talking of both the firewall and the HIPS interface. Predefined security rules for the network, not to mention the degree of control that you get on your system data with Def+.
    I’m gonna leave it there, but before I do, I want to insist on one point: no one at Comodo has ever ever tried to confuse the users. Every single issue is taken into account in the forum, the mods are taking care of the users, and the devs come around when necessary, 90 % of problems and bugs are resolved for the next release of the software.
    Also, there’s no other forum that I know that is so tolerant, and accept 99 % of the posts, when not 100. The devs and the mods are ready to discuss everything with everyone, no censorship whatsoever. Most forum are full of unanswered posts, most forums have mods who delete annoying posts, Comodo is different.


  16. Scot Says:

    In an effort to cool down this topic, I’m closing this blog post to comments. Those who have questions about Comodo should probably visit the Comodo forums. Thanks.