Author Topic: CFP 3.0.10.238 BETA - Questions about how it works[CLOSED]  (Read 26977 times)

Offline gibran

  • Average User
  • Comodo's Hero
  • Posts: 5056
  • A bad workman always blames his tools
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #75 on: October 31, 2007, 09:47:01 AM »
I even erased Terminal Service totally, because I don't need it and to raise the security bar.
I removed aak 3.7 because I thought it could be a conflict with the shadow SSDT hooks of CPF, but the results were the same; aak 3.7 didn't affect the vulnerability, it even helped to protect if the Comodo beta failed during init.

Please post the results in https://forums.comodo.com/32_bit_bug_reports/cpf_3010238_beta_32bit_bug_reports-t14004.0.html

IIRC terminal services are needed to handle some user-related access info. For example, you can see the owner of a process using Task Manager (like SYSTEM, LOCAL SERVICE, NETWORK SERVICE, logged-in usernames). The terminal services are not the same thing as the Terminal Server services.

« Last Edit: October 31, 2007, 09:50:28 AM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline ubuntu

  • Comodo Member
  • Posts: 45
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #76 on: October 31, 2007, 10:16:19 AM »
So CPF defended all attacks except directx.

Hello

CFP 3.0.10.238 BETA introduced a new default configuration. It allows all system32\*.dll to be hooked.
You can remove this rule in Defense+ All Applications Policy ----> Windows Hooks.

CFP 3.0.10.238 BETA should pass all AKLT tests!
Whereof one cannot speak  thereof one must be silent
Comodo Firewall - The Hackers' Choice

Offline StormyMind

  • Comodo Member
  • Posts: 42
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #77 on: October 31, 2007, 10:31:25 AM »
Quote
Hello

CFP 3.0.10.238 BETA introduced a new default configuration. It allows all system32\*.dll to be hooked.
You can remove this rule in Defense+ All Applications Policy ----> Windows Hooks.

CFP 3.0.10.238 BETA should pass all AKLT tests!
Doesn't have any effect. The DirectX vulnerability remains.

Quote
IIRC terminal services are needed to handle some user-related access info. For example, you can see the owner of a process using Task Manager (like SYSTEM, LOCAL SERVICE, NETWORK SERVICE, logged-in usernames). The terminal services are not the same thing as the Terminal Server services.
Indeed, I didn't know this, so in this case of deletion there are no more user names in Task Manager.
« Last Edit: November 01, 2007, 06:22:12 AM by StormyMind »

Offline malbeth

  • Comodo Family Member
  • Posts: 54
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #78 on: October 31, 2007, 10:37:48 AM »
Rules are processed from top to bottom.
Firewall and Defense+ protections are handled separately, but both need to be enabled in order to be protected.
Alerts are generated only when an app needs to do something and there are no allow/deny rules.
D+ catches only a user-modifiable set of protected files/registry keys/components in order to reduce the number of alerts.

Using Training mode makes V3 learn all the necessary rules for all apps, regardless of whether they are safe or not.
Learn safe only makes V3 learn all the necessary rules for apps marked safe.

Thanks gibran, that's definitely a start. But I did mean algorithms deeper than that. Suppose I have my LAN marked as safe in Global FW rules (Allow ALL IP), and a blocked application tries to access it - what happens then? Or suppose I turned on protection against interprocess memory access for ctfmon.exe, but also gave another program access rights to ctfmon's memory in that program's Access Rights settings but not in ctfmon's protection exclusions? And most importantly, when I observe some behaviour from CPF for these cases, how do I know if it's a bug or not? Unless I've badly missed the general introduction to v3, each member here is beta-testing against his/her own ideas of how a firewall+HIPS must work, which sounds like quite a mess...

Offline d6d

  • Newbie
  • Posts: 2
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #79 on: October 31, 2007, 10:53:29 AM »
Nice job COMODO guys!

I did find one thing from the new beta. When I take my laptop to home/office (change of network) it always prompts for New Private Network Detected even though I already saved it. Should I just check Do not automatically detect the new networks?

See attached screen.

Offline Ragwing

  • Comodo's Hero
  • Posts: 3498
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #80 on: October 31, 2007, 11:00:10 AM »
Nice job COMODO guys!

I did find one thing from the new beta. When I take my laptop to home/office (change of network) it always prompts for New Private Network Detected even though I already saved it. Should I just check Do not automatically detect the new networks?

See attached screen.

If you won't use it anywhere else, you could check 'Do not automatically detect the new networks'. No need for it to detect the network every time if it's already added.
If you need this feature in the future, simply re-enable it ;)


Ragwing

Offline garou

  • Newbie
  • Posts: 4
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #81 on: October 31, 2007, 12:27:03 PM »
Ok thx Ragwing, I did try the way you explained and it does not work.

Offline Ragwing

  • Comodo's Hero
  • Posts: 3498
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #82 on: October 31, 2007, 12:30:31 PM »
Ok thx Ragwing, I did try the way you explained and it does not work.

Can you specify what did not work?
Did CPF alert you even tho you disabled it to detect new networks?


Ragwing

Offline adric

  • "Start every day with a smile and get it over with."
  • Global Moderator
  • Comodo's Hero
  • Posts: 675
  • "I am not young enough to know everything. "
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #83 on: October 31, 2007, 12:52:49 PM »
Hello

CFP 3.0.10.238 BETA introduced a new default configuration. It allows all system32\*.dll to be hooked.
You can remove this rule in Defense+ All Applications Policy ----> Windows Hooks.

CFP 3.0.10.238 BETA should pass all AKLT tests!

Anyone know why this rule was added? I hate to remove stuff and not know what the ramifications are down the line. Granted, the DirectX vulnerability is gone, but what will the overall impact be of removing the rule?

The new rule for this BETA must have been added for a reason. Can one of the developers give a quick explanation?

Al


Offline gibran

  • Average User
  • Comodo's Hero
  • Posts: 5056
  • A bad workman always blames his tools
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #84 on: October 31, 2007, 01:50:41 PM »
Anyone know why this rule was added? I hate to remove stuff and not know what the ramifications are down the line. Granted, the DirectX vulnerability is gone, but what will the overall impact be of removing the rule?

The new rule for this BETA must have been added for a reason. Can one of the developers give a quick explanation?

Al

You may be misled. The rule added was system32\*.dll in the protected files section, in order to have an alert when those files are modified.
If it was added under hooks, that means that app needed to hook one DLL in system32. If you know which DLL was hooked, then you may remove the * wildcard and use that DLL's full path.

It would still be wise to add wildcard expansion to generated rules. Maybe there is an entry about that hooked DLL in the D+ log. Let us know.

Edit: I made some tests. I found out that generated rules DO wildcard expansion, so a generated rule gets an explicit full path and not a wildcarded one.
« Last Edit: November 01, 2007, 07:47:31 AM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline (Silent)

  • Newbie
  • Posts: 3
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #85 on: October 31, 2007, 02:02:39 PM »
Can someone please explain to me how "Image execution" works or what exactly it does?

As if I have it turned on or off, nothing changes: the exact same alerts are given when I try to execute an .exe file from my desktop (explore.exe as parent, of course).

I figured it to simply be a pop-up stating a new file is about to start. However, all I see is "Explore.exe is starting whatever.exe", which happens as well when I have "Image execution" disabled. And yes, I have "files to check" correctly set up.

I thought Image Execution protection was supposed to say something more along the lines of "Whatever.exe is about to start", regardless of parent application and so on.
I'm in "paranoid" mode, BTW.

BTW, any chance of renaming that to "custom" mode or something?

Also, is there a way I can set up Defense+ where it will no longer ask any questions? Just, more along the lines of do what I have it set up to do in the rules and block everything else by default? A mode as such would be very nice, IMO.

Offline Ragwing

  • Comodo's Hero
  • Posts: 3498
Re: CFP 3.0.10.238 BETA - Questions about how it works
« Reply #86 on: October 31, 2007, 02:18:34 PM »
Can someone please explain to me how "Image execution" works or what exactly it does?

As if I have it turned on or off, nothing changes: the exact same alerts are given when I try to execute an .exe file from my desktop (explore.exe as parent, of course).

Disabled: doesn't prompt you if you open .exe files.
Normal: prompts you if you open an .exe file, before it's loaded into memory.
Aggressive: same as Normal, plus prevents the .exe file from getting prefetched/cached.

That's how it works.


Ragwing

EDIT: https://forums.comodo.com/32_bit_bug_reports/cpf_3010238_beta_32bit_bug_reports-t14004.0.html;msg99091#msg99091
« Last Edit: November 01, 2007, 06:44:45 AM by Ragwing »

Offline scaa

  • Newbie
  • Posts: 24
Any conflict with windows firewall in vista
« Reply #87 on: October 31, 2007, 10:56:18 PM »
The beta is working fine. But Security Center in Vista says both the firewalls are on (Comodo and Windows Vista).
Is there any conflict between the two? Can both remain turned on, or should the Windows firewall be turned off?

Offline Goose19

  • Comodo's Hero
  • Posts: 1218
Re: Any conflict with windows firewall in vista
« Reply #88 on: October 31, 2007, 11:18:11 PM »
You're not supposed to run two firewalls at the same time because they will conflict with each other. And having two firewalls conflicting with each other will just make you vulnerable, so I would turn the Windows firewall off. Comodo Firewall is much more advanced than any Windows firewall, so it is the best choice.
System Specs:  Pentium 4 with HT 3.06 Ghz,  1.5GB RAM, 160 GB WDC HD, Nvidia Geforce 7600GT 256MB DDR3



New Build: AMD Athlon 64 x2 6000 3.1 Ghz  4 Gb RAM 320GB WDC Hard Drive 650 watt quad rail Power supply(overkill :D) 9500GT Hybrid SLi with 8200 (onboard video) Decent Gaming rig :)

Offline Searinox

  • Comodo's Hero
  • Posts: 534
  • Do you like fire? I'm full of it.
Firewall test failed
« Reply #89 on: October 31, 2007, 11:48:57 PM »
Ran a firewall test at ShieldsUp

https://www.grc.com/x/ne.dll?bh0bkyd2

And everything came out fine except I failed the ICMP test because my computer responded to a ping. In the firewall security policy global rules there is only one rule:

Block ICMP from Any IP to Any where ICMP Message Is ECHO REQUEST.

Isn't this rule supposed to protect me from pings?
Windows 7 Ultimate 64-bit with all updates, UAC off + COMODO Internet Security 5.8 + Avira Free 2012 + TuneUp Utilities 2011 + Norton Ghost 15 SP1
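An added illustration, not code from the thread or from Comodo: a hypothetical first-match rule walker in Python that models the "rules are processed from top to bottom" behaviour explained earlier in the thread, then applies the echo-request rule quoted above together with a constructed trusted-LAN rule of the kind asked about. The Rule and Packet classes, the addresses and the "Alert" verdict for unmatched traffic are assumptions of this model, not CFP's actual engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
# Hypothetical, simplified model of a first-match rule list. It is not
# CFP's engine, only the semantics described in the thread: rules are
# walked top to bottom, the first match wins, and with no matching
# Allow/Block rule the firewall alerts (asks the user) instead.

@dataclass
class Rule:
    action: str                      # "Allow" or "Block"
    protocol: str                    # "IP" (any protocol), "TCP", "UDP", "ICMP"
    src: str                         # CIDR or "Any"
    dst: str                         # CIDR or "Any"
    icmp_type: Optional[str] = None  # e.g. "ECHO REQUEST"; None = any message

@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    icmp_type: Optional[str] = None

def _addr_match(selector, addr):
    return selector == "Any" or ip_address(addr) in ip_network(selector)

def rule_matches(rule, pkt):
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)

def evaluate(rules, pkt):
    """First matching rule decides; no match means "Alert" (prompt)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "Alert"

# The single global rule quoted in the post above.
ECHO_BLOCK = Rule("Block", "ICMP", "Any", "Any", "ECHO REQUEST")
# A trusted-LAN rule of the kind asked about earlier in the thread
# (constructed addresses); its position relative to ECHO_BLOCK decides
# whether a ping from the LAN is answered.
LAN_ALLOW = Rule("Allow", "IP", "192.168.1.0/24", "Any")
# Constructed sample traffic: echo requests from the Internet and the LAN.
INET_PING = Packet("ICMP", "203.0.113.5", "192.168.1.10", "ECHO REQUEST")
LAN_PING = Packet("ICMP", "192.168.1.20", "192.168.1.10", "ECHO REQUEST")
```

With only ECHO_BLOCK in the list an inbound echo request is blocked, so a machine that still answers pings is being reached by a path this rule list does not see; swapping the order of LAN_ALLOW and ECHO_BLOCK flips the verdict for a LAN ping.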
