Author Topic: Using Installation Mode and other Operational Questions  (Read 9192 times)
Carls2
« on: February 03, 2009, 03:59:50 PM »

Permit me to reply in this thread - just delete if this is inappropriate (I'm a newbie and find it difficult to find or get access to the right forum to ask newbie questions).

What is a firewall? If it's software, it ought to work without requiring me to be the firewall. <g> Otherwise the software is nothing more than an alert system, requiring me to do the firewalling (?).

Here's a case in point. (Again, please delete if this is an inappropriate comment or inappropriately placed. I.e., act as firewall. <g>) Yesterday MS released SP 3.5 of .net - a big update. For the first half hour, I responded to each of Comodo's alerts - orange and red - to items such as svchost and rundll (!) and accepted everything until acceptance got to be just automatic. So what was the firewall (me) doing? At that point I exited from Comodo and ran for the additional hour of download and installation (which also required on-line access: don't you love MS security?!).

Never - ever - have I run without a firewall before. No one should have to do that or have that as an option to standing in front of a computer keyboard incessantly repeating the "accept" click.

Something seems really wrong with my setup or with my understanding of the philosophy of Comodo. What did I do wrong? It was I who was the firewall, not Comodo. Is there a "sensible only" alert configuration that I haven't yet found (yes, I downloaded and have read (most of) the docs)? Is there a way to exclude omnipresent rundll or svchost alerts? (Not in the docs.) Is there a way to have Comodo use an intelligent selection of what gets alerted using a database acquired from other users and that can spot the difference between normal and potentially dangerous activity? I want to use and trust Comodo and hope the answer to these questions is _not_: let it run in training mode for a couple of days... Because then it is me that's the firewall, not Comodo.


Moderator's Note:  Several posts relating to CIS operations have been moved here from Melih's Corner so that the user's questions can be answered without disrupting the previous thread.
« Last Edit: February 08, 2009, 03:41:56 PM by Little Mac »
Little Mac
« Reply #1 on: February 03, 2009, 05:09:49 PM »

Carls2,

Welcome to the forums, and I'll just respond quickly (I don't want to sidetrack this thread and only have 2 points to make) to help you understand more clearly.

1.  If you switch from Training Mode to Safe Mode (one move up the slider), it will enable Comodo's built-in Safe/White List which will obviate the interaction for known safe applications (such as svchost).

2.  During an installation (such as you were doing), you want to switch to Installation Mode (part of Defense +) which is available from the Summary view.  The first alert you get, select to Treat As "Installer" w/out the option to create a rule.  It will prompt you to switch to Installation Mode, to which you respond Yes.  Every 30 seconds it will prompt you to switch back to previous mode.

More in-depth discussion of Installation Mode and the benefit that offers should be taken to a different board.  PM me if you're not sure where/how.

HTH,

LM

You read my sig block.  That's enough personal interaction for one day. Kewl
Little Mac
« Reply #2 on: February 04, 2009, 09:32:41 PM »

Quote from: PM from Carls2
Thanks for the offer to PM you. (Who knew to look in your profile for the link to do that?!)

You said in response to the "what is a firewall" spark (small flame) I wrote:

Welcome to the forums

Thanks, seriously. There is a flood of info here and little personal.

1.  If you switch from Training Mode to Safe Mode (one move up the slider), it will enable Comodo's built-in Safe/White List which will obviate the interaction for known safe applications (such as svchost).

My right-click on the configuration showed everything running in "Safe" mode during this process. No, svchost did not make it through, over and over again. Installation problem?

2.  During an installation (such as you were doing), you want to switch to Installation Mode (part of Defense +) which is available from the Summary view.

Tried this - and for a while it seemed to work. But isn't this the same as running without a firewall? In fact, since this "training" took over half an hour for the 3.5 .net pack, and still required my constant intervention - that's why I turned off the firewall for the rest of the install...

The first alert you get, select to Treat As "Installer" w/out the option to create a rule.

I'll have to look next time, but I don't think there was an option to create a rule. Again, could this be an indication of an installation problem?

More in-depth discussion of Installation Mode and the benefit that offers should be taken to a different board.  PM me if you're not sure where/how.

Yes, please. The Simple Machine board has options coming out of its ears, but is just one more barrier to getting info. (Yes, I'm familiar with more familiar boards. <g>) Where exactly do I go (as a beginner) for how to handle installation mode and take advantage of any commonly accepted rules and exceptions.

And again thanks for your carefully worded and accepting message.

Carls2

Carls2,

Tnx for the PM.  I've sent you a link to this post, to help answer your questions.

Here are some links to FAQ boards about the firewall, which should hopefully prove helpful.

https://forums.comodo.com/defense_faq-b140.0/

https://forums.comodo.com/firewall_faq-b139.0/

In regards to this specific question: 
Quote
But isn't this the same as running without a firewall?
the answer is emphatically NO!  Installation Mode allows you to suspend the HIPS (in a way) ONLY for the designated installer and its child processes.  ALL other rules remain intact and fully active. 

If any additional install processes are spawned (not as child processes, such as a hidden install or some malware activity), the HIPS will still catch it and warn you.  That could still be legitimate, as some installations will fire off additional installers for another aspect of the application, which can then be designated as an Installer as well.  It's really quite cool...

The links I posted above can be found from the "Home" page of the forums.  The third section down the page is "Desktop Security Products" which lists all those sub-boards in the forum.  Under the "Comodo Internet Security" is a listing for "FAQ - CIS" which will take you to that specific sub-board.

In fact, the very first section on the "Home" page is "New Member Information" which has a number of useful links and helpful info about the forums.  One of these links is specifically a link to various FAQ areas of the forum.

So read through those, and ask questions as you need to help you understand how the firewall works.  There's no reason you should have to turn it off to download and install something, even as big a deal as a .NET Framework.

LM
Carls2
« Reply #3 on: February 06, 2009, 05:41:38 PM »


1.  If you switch from Training Mode to Safe Mode (one move up the slider), it will enable Comodo's built-in Safe/White List which will obviate the interaction for known safe applications (such as svchost).

More in-depth discussion of Installation Mode and the benefit that offers should be taken to a different board.  PM me if you're not sure where/how.

I'm not sure that svchost should always be treated as safe. Shouldn't it depend on the program or process that's calling it? Like rundll, one needs to know the app name behind the call. Or not? IMWTK.

Thanks.

Little Mac
« Reply #4 on: February 06, 2009, 05:48:41 PM »

I'm not sure that svchost should always be treated as safe. Shouldn't it depend on the program or process that's calling it? Like rundll, one needs to know the app name behind the call.

If a different app acts as the parent (ie, calls svchost.exe) then you will get an alert for that application, not the one being called.

The white/safe-list identifies the application as it is known to exist (file signature analysis); if it is somehow modified (such as by malware) you will receive an alert because the signature no longer matches.  The safelist is encrypted and protected/hidden from view so as not to become corrupted.

LM
Carls2
« Reply #5 on: February 06, 2009, 06:52:14 PM »

If a different app acts as the parent (ie, calls svchost.exe) then you will get an alert for that application, not the one being called.

The white/safe-list identifies the application as it is known to exist (file signature analysis); if it is somehow modified (such as by malware) you will receive an alert because the signature no longer matches.  The safelist is encrypted and protected/hidden from view so as not to become corrupted.

LM

Very clear - thanks. However this seems to make it all the more important that the alert show the parent calling process, IMHO. Of course, one can jump to the D+ Events screen to see who's doing the calling, but that takes time and Alerts seem to disappear after several seconds. (BTW, where do they go and what's the default for a non-accept?)

Again thanks for your patience and clear answers.
Little Mac
« Reply #6 on: February 06, 2009, 07:15:49 PM »

However this seems to make it all the more important that the alert show the parent calling process. <snip> Alerts seem to disappear after several seconds. (BTW, where do they go and what's the default for a non-accept?)
The alerts do show that there is a new parent process for an exe, dll, etc.  There's no need to go check the logs.

Alerts are set to disappear based on the setting in Defense + / Advanced / Defense + Settings/ "Keep an alert on screen for maximum of ______ seconds".

The default behavior is Deny.

LM
Carls2
« Reply #7 on: February 07, 2009, 10:21:49 PM »

The alerts do show that there is a new parent process for an exe, dll, etc.  There's no need to go check the logs.
LM

Thanks for correcting me. I'll watch more carefully next alert - but I was sure that "Norton Security Scan" was nowhere on the alert screen - I should have seen it.

Carls
Little Mac
« Reply #8 on: February 08, 2009, 03:31:33 PM »

Quote
but I was sure that "Norton Security Scan" was nowhere on the alert screen
It will be the actual process name (which may not be as obvious), not what we actually know it as...  With a lot of applications, there are additional processes that do much of the work, but are not commonly talked about/documented; without the use of an extremely granular and detailed HIPS, one would likely never know about them.

LM

PS:  I've split the posts surrounding your questions related to CIS Operations from the original thread, and moved them to the thread I created on your behalf, to help answer them without detracting from the other thread.
« Last Edit: February 08, 2009, 03:45:00 PM by Little Mac »
Carls2
« Reply #9 on: February 08, 2009, 06:18:49 PM »

It will be the actual process name (which may not be as obvious), not what we actually know it as...  With a lot of applications, there are additional processes that do much of the work, but are not commonly talked about/documented; without the use of an extremely granular and detailed HIPS, one would likely never know about them.

OK, that was the case and I didn't recognize it and couldn't check it out quickly enough for the default 120-second delay on the D+ alert.

However, IMHO, that checking out process seems to me to be the legit job of the firewall. Otherwise I'm operating as the firewall, not Comodo, and that's not safe or efficient. Maybe a collective effort to create a database of "accepts" that are OK - a database that is developed from a trusted web of users? Anyway, to ask a newbie to track down each spawned process, follow up to each parent, ... this doesn't seem either safe or efficient.

Thanks for moving this thread - I didn't dare start another and risk losing the help I was getting there.

Little Mac
« Reply #10 on: February 08, 2009, 09:26:36 PM »

You can easily change the 2 minute setting to any amount of time you desire.  Quickest way to start checking the given application is by clicking it in the popup window.  That will take you to the location of the executable file, which is a good start.  Then you can check the properties for more detailed info to help inform you.

Insofar as that being the "firewall's" job or not, remember that we're not talking about the firewall itself (ie, the job of checking network-based traffic), we're talking about Defense +, which is a very tight HIPS (Host Intrusion Prevention System).  This is extremely granular application/system control.  Unfortunately, there's no way (at the present) to prevent there from being some level of user interaction and still maintain security.  Keep in mind that earlier I noted you should switch D+ from "Training" Mode to "Safe" Mode in order to engage the built-in safelist, which will greatly reduce your popups.

The safelist, BTW, has a community input function.  At all times, under the Miscellaneous tab/page, there is an option to "Submit Suspicious Files" to Comodo.  This will allow you to send any files you wish to Comodo for detailed analysis.  If the files are safe, they will be added to the safelist for the future so that you (and others) won't have to worry about popups from those.

When you're in Training Mode, if you look at the Defense + area of the Summary page, there is a place which has "Pending Files" or "Files waiting for review."  These will be applications that have changed, or otherwise no longer match previous rules or safelist.  They can be easily purged (as in Temp files created during installs), a Lookup done to check against Comodo's databases, and Submitted to Comodo for Analysis.


There are, btw, a number of tutorials/FAQs that explain these things, as well as the detailed Help files included w/CIS.  It doesn't have to be just some big mystery... Smiley

LM
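The decision order Little Mac describes across replies #2, #4, #6 and #10 (a safelist keyed on a file signature, Installation Mode scoped to the designated installer and its child processes, the alert naming the calling process rather than the called one, default Deny when an alert times out, and "Pending Files" for programs whose bytes changed after a rule was learned), as a toy model in Python. This is an added example, not Comodo code and not how CIS is actually implemented: SHA-256 over constructed byte strings stands in for whatever signature the real safelist uses, the process names and "images" are constructed, the check order is an assumption, and the 120-second timeout only mirrors the default the thread mentions.

```python
# Toy model of the Defense+ decision order described in this thread (added example,
# not Comodo code). Names, executable "images" and the 120 s timeout are constructed.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Process:
    pid: int
    name: str
    image: bytes                       # constructed stand-in for the bytes of the executable on disk
    parent: Optional["Process"] = None


def image_hash(image: bytes) -> str:
    """SHA-256 of the file contents, standing in for the safelist's 'file signature'."""
    return hashlib.sha256(image).hexdigest()


class Hips:
    """Safelist, rules learned in Training Mode, Installation Mode, and alerts with a default verdict."""

    def __init__(self, safelist_images, mode="safe", alert_timeout=120):
        self.safelist = {image_hash(b) for b in safelist_images}
        self.mode = mode                # "training" or "safe", the two modes discussed above
        self.installers = set()         # pids the user answered "Treat as Installer" for
        self.rules = {}                 # name -> hash learned while in training mode
        self.alert_timeout = alert_timeout

    def treat_as_installer(self, proc: Process) -> None:
        self.installers.add(proc.pid)

    def installer_ancestor(self, proc: Process) -> Optional[Process]:
        """Installation Mode covers the designated installer and its descendants only."""
        p = proc
        while p is not None:
            if p.pid in self.installers:
                return p
            p = p.parent
        return None

    def decide(self, subject: Process, action: str, target: str,
               answer: Optional[str] = None, seconds_to_answer: int = 0):
        """Return (verdict, reason) for `subject` doing `action` to `target`.
        The alert names the subject (the caller), never the target; `answer` is the
        user's click ('allow'/'deny') or None if the popup was left to time out."""
        h = image_hash(subject.image)
        if self.mode == "training":
            self.rules[subject.name] = h            # training mode allows and learns a rule
            return "allow", "training mode: rule learned"
        if h in self.safelist:
            return "allow", "safelisted (hash match)"
        if self.rules.get(subject.name) == h:
            return "allow", "matches learned rule"
        inst = self.installer_ancestor(subject)
        if inst is not None:
            return "allow", f"installation mode: descendant of installer pid {inst.pid}"
        alert = f"{subject.name} (pid {subject.pid}) wants to {action} {target}"
        if answer is None or seconds_to_answer > self.alert_timeout:
            return "deny", f"alert unanswered after {self.alert_timeout}s, default deny: {alert}"
        return answer, f"user answered {answer}: {alert}"

    def pending_files(self, running) -> list:
        """Names with a learned rule whose on-disk hash changed (the 'Pending Files' list)."""
        return sorted(p.name for p in running
                      if p.name in self.rules and self.rules[p.name] != image_hash(p.image))


def scenario() -> dict:
    """The cases from the thread, with constructed names and images."""
    svchost_img = b"MZ svchost"
    services = Process(1, "services.exe", b"MZ services")
    explorer = Process(3, "explorer.exe", b"MZ explorer")
    hips = Hips(safelist_images=[services.image, svchost_img], mode="safe")
    out = {}
    # Safelisted parent launching svchost.exe: no popup.
    out["services->svchost"] = hips.decide(services, "execute", "svchost.exe")
    # Unknown scanner launching rundll32.exe: the popup names the scanner; left to time out.
    scanner = Process(4, "scanworker.exe", b"MZ scanner", explorer)
    out["scanner->rundll32"] = hips.decide(scanner, "execute", "rundll32.exe", answer=None)
    # Installer answered "Treat as Installer": its child msiexec.exe inherits the allowance.
    setup = Process(5, "dotnetfx35.exe", b"MZ setup", explorer)
    hips.treat_as_installer(setup)
    msiexec = Process(6, "msiexec.exe", b"MZ msiexec", setup)
    out["msiexec child"] = hips.decide(msiexec, "modify", "HKLM\\SOFTWARE")
    # A process explorer spawns during the install is not a descendant: still alerted.
    helper = Process(7, "update_helper.exe", b"MZ helper", explorer)
    out["helper"] = hips.decide(helper, "execute", "cmd.exe", answer="deny", seconds_to_answer=5)
    # svchost.exe whose bytes changed: the safelist no longer vouches for it.
    patched = Process(8, "svchost.exe", svchost_img + b" patched", services)
    out["patched svchost"] = hips.decide(patched, "access memory of", "lsass.exe")
    # Training Mode learns a rule; a rebuilt copy of the program then lands in Pending Files.
    trainer = Hips(safelist_images=[], mode="training")
    trainer.decide(scanner, "execute", "rundll32.exe")
    out["pending"] = trainer.pending_files([Process(9, "scanworker.exe", b"MZ scanner v2", explorer), explorer])
    return out
```

Two things the model makes visible that the prose only states: the Installation Mode allowance is inherited through the parent chain and nowhere else, so a process launched by explorer.exe while the installer runs still gets a popup, and because the safelist is keyed on the file's contents rather than its name, a modified svchost.exe is treated as an unknown program even though its name is on the list.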
Carls2
« Reply #11 on: February 10, 2009, 02:19:53 PM »

... Inasfar as that being the "firewall's" job or not, remember that we're not talking about the firewall itself (ie, the job of checking network-based traffic), we're talking about Defense +, which is a very tight HIPS (Host Intrusion Prevention System).

Well, now I'm a bit embarrassed - because it is only now, a week into Comodo, that I finally understand the difference between HIPS and a firewall. No software before Comodo had that functionality, so when I downloaded and signed up for Comodo Pro, I expected my old firewall and AV systems and procedures.

I've looked back and tried to see where I missed the boat on this critical distinction - and I don't see how I could have understood it without going through a week of misunderstandings and thanks to very gracious help on this forum.

IMHO, the HIPS D+ needs to be highlighted as a new functionality that requires a "willing suspension of disbelief" while the (annoying) alerts are handled. Secondly, there needs to be something in the alert that says: "this isn't the Firewall, stupid - it's a whole new concept of HIPS," or words to that effect. <g> Just look at the comments about Comodo in the major download sites: it's clear that a lot of us missed that distinction and blamed the firewall.

Boy am I glad I sat through the learning period with only a tiny bit of my frustration showing and read all the extremely thoughtful and patient replies to my plaints and questions.
Carls2
« Reply #12 on: February 10, 2009, 02:23:29 PM »


There are, btw, a number of tutorials/FAQs that explain these things, as well as the detailed Help files included w/CIS.  It doesn't have to be just some big mystery... Smiley

LM

Your detailed thoughtful answer (deleted in this note) was terrific - and, for me, better than the docs and tutorials I've been slogging through. It opened up some distinctions that I'd just glossed over before.

Many thanks.

Carls
Little Mac
« Reply #13 on: February 10, 2009, 03:36:19 PM »

Your detailed thoughtful answer (deleted in this note) was terrific <snip>

Many thanks.
You're welcome.

Happy to help,

LM
Little Mac
« Reply #14 on: February 10, 2009, 03:40:13 PM »

IMHO, the HIPS D+ needs to be highlighted as a new functionality that requires a "willing suspension of disbelief" while the (annoying) alerts are handled. Secondly, there needs to be something in the alert that says: "this isn't the Firewall, stupid - it's a whole new concept of HIPS," or words to that effect.
Hey, just so you are aware ~ the Comodo development team does keep tabs on these forums, and interacts (on a somewhat limited basis) with users.  They also have done a great job (IMO) of listening to their users and making changes to the product(s).  The point of that is, there's a very good chance that they've already seen your comments.

LM
Tags: installation mode  safe mode  svchost 