Windows now includes a functional built-in firewall, so consumers expect any third-party firewall to either offer a lot more than Windows does or to come as a freebie. Comodo Firewall (2013) does both. It's completely free, and it includes a wide range of features beyond the expected. Comodo's 2013 edition has gotten a serious makeover, with top-to-bottom streamlining of its user interface.

Like many other products, Comodo Firewall has a main window dominated by a big green security status icon. However, equal emphasis goes to a landing zone for applications to be sandboxed; more about the sandbox feature later on. When you want to dig deeper, you click the Tasks link which visibly "flips" the main window revealing a variety of available security tasks.

New in this edition, Comodo installs a desktop widget that offers a quick view of your security status. Clicking a button on the widget opens the product's main window. It also offers links to launch your browsers in sandboxed (protected) mode, and to follow Comodo on Facebook or Twitter.

Firewall Functions

Like Windows Firewall (and almost every third-party firewall), Comodo had no trouble putting all of my test system's ports in stealth mode. None of my port scans or other Web-based attacks could even detect the test system. A few firewalls, including Outpost Firewall Pro 8, go a step further, actively detecting and blocking port scan attacks.

The flip side of personal firewall protection is what we call program control. The firewall keeps track of what sorts of Internet and network access programs request and allows only appropriate communication. In its default Safe Mode, Comodo automatically configures permission for trusted programs. When an unknown program attempts a connection, it asks the user whether to allow or block the connection.

Like Outpost, Comodo gives the user a choice beyond simply allowing or blocking the program. Predefined rulesets make it easy to configure a program for the type of access appropriate to, for example, a Web browser, or an email client. Other presets relate to the type of access allowed. For example, it's easy to configure a program to allow normal outbound access but block it from receiving inbound connections.

High-end firewalls like what you get in Norton Internet Security (2013)See it at Amazon UK or Kaspersky Internet Security (2013) handle program control internally, with no reliance on user decisions. When a firewall does involve the user in trust decisions, it's important that the firewall catch every attempt at access. Leak test programs try to connect with the Internet "under the radar," undetected by program control.

In its default configuration, a dozen leak tests I tried slipped right past Comodo's protection, making their connections undeterred. However, when I enabled the Behavior Blocker (more about the Behavior Blocker shortly) it detected suspicious activity in every case and offered to run the samples in isolation. Some managed a connection even so, but they didn't get through undetected. ZoneAlarm directly blocked sneaky Internet connection attempts by about three quarters of these samples.

Many modern malware attacks slip into victim systems by exploiting unpatched vulnerabilities in the operating system, the browser, or essential applications. To test Comodo's exploit protection I attacked the test system using 30 exploits generated by the Core IMPACT penetration tool. Like ZoneAlarm Free Firewall 2012, Comodo didn't actively block any of these at the network level and also didn't block their attempts to drop files on the test system. Only the fact that the test system was fully patched prevented it from being compromised. Norton, by contrast, detected every exploit at the network level and identified most by name.

Comodo doesn't expose any significant settings in the Registry; a malicious program couldn't disable it by setting protection to "OFF" in the Registry. However, I had no trouble killing off its processes using Task Manager. That's surprising, because with the previous edition such an attempt yielded "Access Denied." I also managed to set its essential services to be disabled. After reboot it re-enabled some, but not all, of them. This firewall could do with a little toughening up. The same attacks on ZoneAlarm bounced off harmlessly.