Topic: (Confusion) The Defence + has blocked X suspicious attempt(s) so far [RESOLVED]
Nosnibor
« on: November 07, 2008, 10:17:39 PM »

Hello everyone. I'm a little confused about some listings in the "Defence + Events" log. On the main screen of CF (Ver 3.5.54375.427), near the bottom left corner under the heading "Proactive Defence", it says "The Defence + has blocked X suspicious attempt(s) so far." When I click on the blue link indicating how many items have been blocked, the "Defense + Events" log pops up, and this is where the CONFUSION starts. The help files on this log differ from the actual log, as the log shows under the heading "Action" different actions such as "Changed Defense + Mode", "Send Message", "Access Memory", etc. But it doesn't indicate whether or not the item was "Allowed" or "Denied". How do I get the log to display if the action was allowed or denied?
« Last Edit: November 09, 2008, 12:07:10 AM by 3xist » Logged

Model: Hewlett Packard COMPAQ Presario V5305WM Laptop
OS: Windows XP Professional Media Center Edition (SP3)
Processor: x86 Family 15 Model 44 Stepping 2 Authentic AMD Mobile Sempron 1994 MHz
Memory: 1536MB (1.5GB)
The BEST phone carrier hxxp://www.magicjack.com
Dennis2
« Reply #1 on: November 08, 2008, 07:45:46 AM »

Unless you make an allow rule to log in the firewall, all log entries are blocked actions.
Mode changes are there so it reminds you how you have changed the settings for Firewall and Defence+.
Dennis
« Last Edit: November 08, 2008, 07:48:13 AM by Dennis2 » Logged

Moderator: Aims Forum a friendly place. Any concerns? Please PM me and/or review the Forum Policy 2012Updated.
System:Windows 7 SP1(UAC)x32, LUA, CIS6.2813, Sandboxie 3.76
Vista Home P.(UAC)x32 SP2, LUA,C. 5.12.
Nosnibor
« Reply #2 on: November 08, 2008, 06:29:58 PM »

Sorry, but I'm a little confused. Under "Miscellaneous" - "Settings" - "Logging", the "Disable" boxes for "Firewall Logging" and "Defense + Logging" are NOT checked, indicating that logging IS enabled. I've looked all through CF but I can't seem to find the setting I'm looking for. How do I configure the Defense + Log to indicate whether the event is allowed or blocked???
« Last Edit: November 08, 2008, 06:50:27 PM by 3xist » Logged

3xist
Guest
« Reply #3 on: November 08, 2008, 06:54:16 PM »

Nosnibor.

Your D+ behavior is fine. Try running some leak tests, and block them. You will then see D+ Alerts.

Josh
Nosnibor
« Reply #4 on: November 08, 2008, 07:07:19 PM »

Leak test? What are those and how do I find one?
3xist
Guest
« Reply #5 on: November 08, 2008, 07:15:24 PM »

http://www.testmypcsecurity.com/securitytests/firewall_test_suite.html

And the discussion thread is here: http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/comodo_leak_test_suite_release_with_34_tests-t29688.0.html

Josh
Nosnibor
« Reply #6 on: November 08, 2008, 07:20:31 PM »

Hey, thanks, I'll check it out. Cheers
3xist
Guest
« Reply #7 on: November 08, 2008, 07:27:33 PM »

No worries.

Allow the program to open, then just block every D+ Alert, and report back here if your D+ Logs are recorded. Here are my D+ Logs\Events for the leak tests.

Josh


[Attachment: sshot-1.png]
Nosnibor
« Reply #8 on: November 08, 2008, 09:00:40 PM »

OK, I think I understand the logs now. Please verify if the following statements are correct or not:
(1) If it's listed in "Firewall Events" with Blocked under "Action", it's a blocked item (the only things listed in the "Firewall Events" are blocked items?)
(2) If it's listed in "Defense + Events", it's also a blocked item (the only things listed in the "Defense + Events" are blocked items?)

Just a note to add: after doing the leak test I got a score of 320/340 with:
"Hijacking : ChangeDebuggerPath----Vulnerable"
"Hijacking : StartupPrograms----Vulnerable"

3xist
Guest
« Reply #9 on: November 08, 2008, 09:03:08 PM »

Okay.

In CIS, make sure you have Defense+ & Firewall in Safe Mode. Also be sure your configuration is the "COMODO - Proactive Security" configuration, by right-clicking the tray icon and choosing Configuration.

Also block all D+ Alerts, with "Remember my Answer" ticked - you will then get 340/340.

Josh
Nosnibor
« Reply #10 on: November 08, 2008, 09:32:19 PM »

Yes, both are set to "Safe Mode". Also, I just read the help file on "Configuration", but it doesn't explain the difference between "Optimum Security" (the setting it's on now) and "Proactive Security". Could you explain the difference please?
3xist
Guest
« Reply #11 on: November 08, 2008, 09:42:44 PM »

Optimum Security - Is a configuration you either imported from CFP 3.0x to CIS 3.5x, or you made your own configuration, etc.

Proactive Security - In CIS, this activates the full power of Defense+. Image Execution is Normal & all settings in Defense+ > Advanced > Defense+ Settings > Monitor Settings are ticked. In the "Internet Security" configuration, Image Execution is disabled & only some Monitor Settings are ticked, which is why most people only get an 80% success rate.

However, it's not vulnerable - the Internet Security configuration is there for those with a good AV and who only want some power of D+. Proactive is like CFP 3.0 default.

Josh
Nosnibor
« Reply #12 on: November 08, 2008, 11:32:19 PM »

OK, I changed settings to what you recommended and now I get a score of 340/340 ....but....a new problem has started since changing settings. I have a touch pad mouse on my laptop and whenever I use the scroll function of my touchpad (sliding my finger up and/or down on the side of the touch pad) I get a "Defence +" alert that says...."SynTPEnh.exe is trying to modify the user interface of IEXPLORE.EXE"....or the IEXPLORE.EXE is changed to match whatever program screen I'm on. The alert isn't really the problem at hand, but what is....is the fact that when this alert pops up my touchpad (mouse) is COMPLETELY FROZEN until the alert goes away, which is 120 sec. What did I do wrong now lol.
3xist
Guest
« Reply #13 on: November 08, 2008, 11:43:09 PM »

Just add it as a Trusted Application to the Computer Security Policy.

Josh
Nosnibor
« Reply #14 on: November 09, 2008, 12:03:51 AM »

Done and all is well. From the bottom of my heart I thank you for all your help. Cheers