Application Monitor Rules Hierarchy

[Guest]

[xiuhcoatl]

I have been trying to tighten up my Application rules.
My Primary question is are these rules read from the top down as are Network rules?

I have set them up so that the alow rules were before the Deny rules and it seems to work for awhile, but COMODO will rearange them so the block is before the allow and it will quit working

Is there any tutorial on Application rules or has anyony really tightened down your Application rules

I know this a more difficult area to learn and understand than network but

Thanks for any help you can give
Opus

Below is a sample of what I am talking about
IF you want I will send My registry entrys

PAth- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe 
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow

PAth- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe 
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow

PAth- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe 
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

PAth- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe 
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

[panic]

Application Monitor rules are not ordered rules - they either exist or do not exist, regardless of where they appear in the list. Only the network monitor rules are position dependant.

Hope this helps,
Ewen :-)

[Quill]

It's certainly possible to create tight AM rules, but it can be quite frustrating and time consuming. It's something I've been doing for some time, and I still have things to sort out.

Essentially, if you start down this path, it's possible to end up with a great many rules, particularly, when one considers the multitude of possible parents an application may have.

It is interesting though 

Toggie

[xiuhcoatl]

Toggie If you would not consider it an invasion of privacy, or  welcing on you many hours of work would you send an export in a txt file of your HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl

Another question Do you have any Idea What does this Registry key do

If you prefer not to post registry entrys on the web Cut and paste into a PM or  Send to gtoko62(at)yahoo.com

Thanks for your help
Opus
I look forward To an educational with Comodo CFP V2 and more so with CFP V3

It's certainly possible to create tight AM rules, but it can be quite frustrating and time consuming. It's something I've been doing for some time, and I still have things to sort out.

Essentially, if you start down this path, it's possible to end up with a great many rules, particularly, when one considers the multitude of possible parents an application may have.

It is interesting though 

Toggie

[Little Mac]

If he could ever complete it, Toggie will get us a definitive guide/tutorial on tightening rules... 

At the present (in addition to the link Soya gave you), you can check out this one: http://forums.comodo.com/index.php/topic,6167.0.html for a lot of info all in one spot.  It may help you to do some of the things you want to do, by giving you a concise overview (and some specifics) for how the FW works.

LM

[Quill]

If he could ever complete it, Toggie will get us a definitive guide/tutorial on tightening rules...  Grin

Nah! V3 will be here before then, so I'll just have to start again

Opus Dei

I hope you don't mind, but I'd rather not start distributing parts of my registry. I am, however,  more than willing to help you with any questions you have concerning rule creation.

Toggie 

[xiuhcoatl]

Hope I did not offend you by asking

Many thanks And  after some work I will be back With questions or comments

Thanks
Opus Dei

I´ve been shadowing these Forums since finding CPF and this got me involved with Malware U
in fact I´d better get back busy with MU have not posted there in a little over a week

Nah! V3 will be here before then, so I'll just have to start again


I hope you don't mind, but I'd rather not start distributing parts of my registry. I am, however,  more than willing to help you with any questions you have concerning rule creation.

Toggie 

[xiuhcoatl]

I am, however,  more than willing to help you with any questions you have concerning rule creation.

Toggie 

Thanks in advance Opus

So if I want to permit
PAth- \ Explorer.exe
Parent- \Userinit.exe
to access 1 network[LAN] and block everything else
I would need to

    1) Block all [IPs before [LAN]] and 
    2) Block all [IPs after [LAN]] and
    3) Allow [LAN]

Note: The order of my exemple at the end of this post matches the list above, however the order would not be important.

Have you noticed CPF Slowing down the connection if overburdend with rules

This seems complicated, however if I am correct
If I did any of the following
  1)
    a. Block all 
    b. Allow [LAN]
I'm F'd ( No Access for PAth- \Explorer.exe with Parent- \Userinit.exe)  

  2)
    a. Allow[LAN]
    b. Block [WAN]
 I will still keep getting pop ups

  3)
    a. If I Block Explorer.exe as an untrusted App - I'm F'd (userinit.exe will not be able to use it. At all).
    b. If I Allow Explorer.exe on [LAN] - I will keep getting pop ups
    c. If I Block Explorer.exe on [WAN] - I will keep getting pop ups

Have you found an easier way?
 
PAth- \ Explorer.exe
Parent- \Userinit.exe 
Destination- [IPs before [LAN]]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

PAth- \ Explorer.exe
Parent- \Userinit.exe
Destination- [IPs before [LAN]]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Block

PAth- \ Explorer.exe
Parent- \Userinit.exe
Destination- [IPs after [LAN]]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

PAth- \ Explorer.exe
Parent- \Userinit.exe
Destination- [IPs after [LAN]]
Port- [ANY]
Protocol- TCP/UDP out
Permission- Block

PAth- \ Explorer.exe
Parent- \Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow

PAth- \ Explorer.exe
Parent- \Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow

[Little Mac]

You might try this:

Create an app rule like your very last entry:

PAth- \ Explorer.exe
Parent- \Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow

Then create a rule:
Application:  Explorer.exe
Parent:  Userinit.exe
Action:  Block
Protocol: TCP/UDP
Direction:  Out
Destination:  Any
Port:  Any

Make sure the Allow rule comes first (is on top of) the Block rule.  There is apparently a hierarchy of sorts within App Mon.  Unfortunately, this will change if you Edit one of the rules - try it and see.  I'm thinking if the Block rule gets on top, it may circumvent the Allow rule.  If it does, just double-click the Allow rule, select OK - this will move it on top.

LM

[xiuhcoatl]

I might try that but per panic

Application Monitor rules are not ordered rules - they either exist or do not exist, regardless of where they appear in the list. Only the network monitor rules are position dependant.

Hope this helps,
Ewen :-)

But I'm hard headed and like to prove things to my self.
 Maybe that is what I did previously, because I had thought I had it working, and then all of the sudden it stopped working, and my rules appeared to rearrange themselves.

[Soyabeaner]

But I'm hard headed and like to prove things to my self.
 Maybe that is what I did previously, because I had thought I had it working, and then all of the sudden it stopped working, and my rules appeared to rearrange themselves.

It wasn't your imagination.  AppMon does indeed switch the placement of rules as you alter them, but only on applications that have the exact same name.  After all, the only order they are supposed to be arranged by is alphabetical.  Although there shouldn't be any priority order, this does appear to be the case as reported by others:
http://forums.comodo.com/index.php/topic,8455.0.html

[xiuhcoatl]

Ok I think Ive got it figured out for CPF version 2.4.18.184 this may change completely for  CPF V3
Note Application rules Are very complicated and some of the auto configuration features in COMODO may cause problems in manually configured Application rule Sets

Before trying this I sugest you read the thead below

Re: Overall viewpoint of a new user

And this

Hi flarp, a couple of tips that may help when creating rules.

1. Make sure logging is enabled for all components
2. Set the Alert Frequency to Very High

The entries in the log can help you to identify problem areas, as can monitoring the connections window when starting an application.

Setting the Alert Frequency (cfp/Security/Advanced/Musc/Configure/Alert frequency) to Very High will generate pop-ups for virtually every connection attempt. When you click allow + remember you will get individual entries in AM for IP and Port. You can then use these entries to build the rules you need.

Give it a go, but if you still need some help, you know where we are

1) The rules are grouped Alphabetically by Rule Sets by "Path" application (the application actually being used to access the internet) and the "Parent" application (the application starting the "Path" application) - The order of the Rule sets does not matter it is only alphabetical. It is based on the "Path" application and using the "Parent" application as a secondary reference. So you might have several Rule Sets of application rules showing as Explorer.exe However each Rule Set would have a different "Parent" application
2) The Order within each Rule Set is hierarchical (It is read from the top down)
    2.1
    Example Rule set to allow  PAth- C:\windows\ Explorer.exe
    with Parent- C:\windows\System32\Userinit.exe to and from [LAN] and block anything else
    Notes:1. the rules are broken out into separate in
     and out rules and theallow rule is above the block rule.)
      2.1.1
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [LAN]
      Port- [ANY]
      Protocol- TCP/UDP In
      Permission- Allow
      2.1.2
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [LAN]
      Port- [ANY]
      Protocol- TCP/UDP Out
      Permission- Allow
      2.1.3
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [ANY]
      Port- [ANY]
      Protocol- TCP/UDP In
      Permission- Block
      2.1.4.
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [ANY]
      Port- [ANY]
      Protocol- TCP/UDP In
      Permission- Block

    2.2
    Example Rule set to block  PAth- C:\windows\ Explorer.exe with Parent-
    C:\windows\System32\Userinit.exe to and from [LAN] and allow anything else
    Notes:
    1. the rules are broken out into separate in and out rules and theallow rule is above the
    block rule.
    2. Explorer.exe and userinit.exe were only used in example 2.2 to keep the example
    consistant I can not think of any time you would want to set the rules up in the same
    manner as 2.2 but that is decision that must be made by the network Designer or engineer
      2.2.1
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [LAN]
      Port- [ANY]
      Protocol- TCP/UDP In
      Permission- Block
      2.2.2
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [LAN]
      Port- [ANY]
      Protocol- TCP/UDP Out
      Permission- Block
      2.1.3
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [ANY]
      Port- [ANY]
      Protocol- TCP/UDP In
      Permission- Allow
      2.2.4.
      PAth- C:\windows\ Explorer.exe
      Parent- C:\windows\System32\Userinit.exe 
      Destination- [ANY]
      Port- [ANY]
      Protocol- TCP/UDP In
      Permission- Allow

3.If the rules are out of order opening the bottomtop rule in a Rule Set and closing it by "clicking" on OK will move it to the topbottom of the coresponding rule set

Thanks to Toogie, Lil Mac and Soya as well as others who I may have forgoten to mention. For all your help and if you see anything in error in this please correct me

Opus Dei

[xiuhcoatl]

Changed the title on this from Application Monitor Rules to Application Monitor Rules Hierarchy.  It sounded a lot more appropriate to me

[Quill]

Very nice Opus

[Little Mac]

Maybe it was Toggie and I that discussed it, I don't remember.  But I do remember going over app rules with someone, and reading an entry in the Help files that stated there was a hierarchy.  It seems kinda buggy the way it works.  There was some rule, we found, that when edited did not move up in its section, but the rest would move to the top of that application when edited.  Thus, it would come first, and the user could find themselves being blocked for an allowed application...

LM

PS:  SearchMaestro Soya, do your thing... 

[Tags:]