CFP 3.0.10.238 BETA - Questions about how it works[CLOSED]

[Guest]

[gibran]

I even erased Terminal Service totally, because I don´t need it and to rise security bar.
I removed aak 3.7 because I thought it could be a conflict with shadow ssdt hooks of cpf, but results were the same, aak 3.7 didn´t affect the vulnerability it even helped to protect if comodo beta failed during init.

Please post the results in https://forums.comodo.com/32_bit_bug_reports/cpf_3010238_beta_32bit_bug_reports-t14004.0.html

IIRC terminal services are needed to handle some user related acess infos. For example you can see the owner of a process using Task Manager (Like SYSTEM, LOCAL SERVICE, NETWORK SERVICE, logged usernames.). The terminal services are not the same thing of Terminal Server services

[ubuntu]

So CPF defended all attacks except directx.

Hello

CFP 3.0.10.238 BETA introduced a new default configuration. it allow all system32\*.dll hooked.
you can remove this rule in Defense+ All applications Policy ----> windows hooks .

CFP 3.0.10.238 BETA should pass all AKLT tests!

[StormyMind]

Hello

CFP 3.0.10.238 BETA introduced a new default configuration. it allow all system32\*.dll hooked.
you can remove this rule in Defense+ All applications Policy ----> windows hooks .

CFP 3.0.10.238 BETA should pass all AKLT tests!

Doesn´t have any effect. DirectX vulnerability remains.

IIRC terminal services are needed to handle some user related acess infos. For example you can see the owner of a process using Task Manager (Like SYSTEM, LOCAL SERVICE, NETWORK SERVICE, logged usernames.). The terminal services are not the same thing of Terminal Server services

Indeed, I didn´t know this, so in this case of deletion there are no more user names in task manager.

[malbeth]

Rules are processed from top to bottom.
Firewall and defense+ protections are handled separately but both need to be enabled in order to be protected.
Alerts are generated only when an app need to to do something and there are no allow/deny rules.
D+ catches only an user-modifiable set of protected files/registry keys/components in order to reduce the number of alerts.

Using Training mode make V3 learn all the necessary rules for all apps regardeless if they are safe or not.
Learn safe only make V3 learn all the necessary rules for  apps marked safe.

Thanks gibran, that's definitely a start. But I did mean algorithms deeper than that. Suppose I have my LAN marked as safe in Global FW rules (Allow ALL IP), and a blocked application tries to access it - what happens then? Or suppose I turned on protection against interprocess memory access for ctfmon.exe, but also gave another program access rights to ctfmon's memory in that prorgam's Access Rights settings but not in ctfmon's protection exclusions? And most importantly, when I observe some behaviour from CPF for these cases, how do I know if it's a bug or not? Unless I've badly missed the general introduction to v3, each member here is betatesting against his/her own ideas how a firewall+HIPS must work, which sounds like quite a mess...

[d6d]

Nice job COMODO guys!

I did find one thing from the new beta. When I take my laptop to home/office (change of network) it always prompts for New Private Network Detected even though I already save it. Should I just check Do not automatically detect the new networks?

see attached screen.

[Ragwing]

Nice job COMODO guys!

I did find one thing from the new beta. When I take my laptop to home/office (change of network) it always prompts for New Private Network Detected even though I already save it. Should I just check Do not automatically detect the new networks?

see attached screen.

If you won't use it anywhere else, you could check 'Do not automatically detect the new networks'. No need for it to detect the network everytime if it's already added.
If you need this feature in the future, simply re-enable it


Ragwing

[garou]

Ok thx Ragwing, I did try the way you explainned and it does not work.

[Ragwing]

Ok thx Ragwing, I did try the way you explainned and it does not work.

Can you specify what did not work?
Did CPF alert you even tho you disabled it to detect new networks?


Ragwing

[adric]

Hello

CFP 3.0.10.238 BETA introduced a new default configuration. it allow all system32\*.dll hooked.
you can remove this rule in Defense+ All applications Policy ----> windows hooks .

CFP 3.0.10.238 BETA should pass all AKLT tests!

Anyone know why this rule was added?. I hate to remove stuff and not know what the ramifications are down the line. Granted, the DIRECTX vulnerability is gone, but what will the overall impact be by removing the rule?

The new rule for this BETA must have been added for a reason. Can one of the developers give a quick explanation?

Al

[gibran]

Anyone know why this rule was added?. I hate to remove stuff and not know what the ramifications are down the line. Granted, the DIRECTX vulnerability is gone, but what will the overall impact be by removing the rule?

The new rule for this BETA must have been added for a reason. Can one of the developers give a quick explanation?

Al

You may be mislead. The rule added was system32\*.dll in protected file section in order to have an alert when those files are modified.
If it was added under hooks that means that app needed to hook one DLL in system32. If you know what DLL was hooked then you may remove the * wildcard and use that DLL full path.

Still would be wise to add wildcard expansion to generated rules. Maybe there is an entry about that hooked DLL in D+ log. Let us know.

Edit: I made some tests. I found out that generated rules DO wildcard expansion so generated rule get an explicit ful path and not a wildcarded one.

[(Silent)]

Can someone please explain to me how "Image execution" works or what exactly it does?

As if I have it turned on or off nothing changes, the exact same alerts are given when I try to execute an .exe file from my desktop(explore.exe as parent of course).

I figured it to simply be a pop up stating a new file is about to start. However, All I see is "Explore.exe is starting whatever.exe". Which happens as well when I have "Image execution" Disabled. And Yes, I have "files to check" correctly set up.

I thought Image Execution protection was supposed to say something more along the lines of. "Whatever.exe is about to start". Regardless of parent application and so on.
I'm in "paranoid" mode, BTW.

BTW, any chance of renaming that to "custom" mode or something?

Also, is there a way I can set up Defense+ where it will no longer ask any questions? Just, more along the lines of do what I have it set up to do in the rules and block everything els by default? A mode as such would be very nice, IMO.

[Ragwing]

Can someone please explain to me how "Image execution" works or what exactly it does?

As if I have it turned on or off nothing changes, the exact same alerts are given when I try to execute an .exe file from my desktop(explore.exe as parent of course).

Disabled, doesn't prompt you if you open .exe-files.
Normal, prompts you if you open a .exe-file before it's loaded into the memory
Agressive, same as normal, plus prevents the .exe-file from getting prefetched/cached

That's how it works.


Ragwing

EDIT: https://forums.comodo.com/32_bit_bug_reports/cpf_3010238_beta_32bit_bug_reports-t14004.0.html;msg99091#msg99091

[scaa]

  The beta is working fine  . But security centre in vista says both the firewalls are on (comodo and windows vista)
Is there any conflict between the two? Can both remain turned on or should windows firewall be turned off ?

[Goose19]

You're not suppose to run two firewalls at the same time because they will conflict with each other. And having two firewalls conflicting with each other will just make you Vulnerable so i would trun Windows firewall off. Comodo firewall is much more advanced  then any windows firewall so it is the best choice.

[Searinox]

Ran a firewall test at ShieldsUp

https://www.grc.com/x/ne.dll?bh0bkyd2

And everything came out fine except I failed at the IMCP test because my computer responded to a ping. In the firewall security policy global rules there is only one rule:

Block IMCP from Any IP to Any where IMCP Message Is ECHO REQUEST.

Isn't this the rule supposed to protect me from pings?

[Tags:]