Application Monitor Rules Hierarchy

Hope I did not offend you by asking

Many thanks And after some work I will be back With questions or comments

Thanks
Opus Dei

I've been shadowing these forums since finding CPF, and this got me involved with Malware U. In fact, I'd better get back busy with MU; I have not posted there in a little over a week.


Thanks in advance Opus

So if I want to permit
Path- \Explorer.exe
Parent- \Userinit.exe
to access 1 network[LAN] and block everything else
I would need to

[b]1)[/b] [b]Block[/b] all [IPs [b]before[/b] [LAN]] and  
[b]2)[/b] [b]Block[/b] all [IPs [b]after[/b] [LAN]] and 
[b]3)[/b] [b]Allow[/b] [LAN]

Note: The order of my example at the end of this post matches the list above; however, the order would not be important.

Have you noticed CPF slowing down the connection if overburdened with rules?

This seems complicated; however, if I am correct,
if I did any of the following:
1)
a. Block all
b. Allow [LAN]
I’m F’d (no access for Path- \Explorer.exe with Parent- \Userinit.exe)

2)
a. Allow [LAN]
b. Block [WAN]
I will still keep getting pop ups

3)
a. If I Block Explorer.exe as an untrusted App - I’m F’d (userinit.exe will not be able to use it. At all).
b. If I Allow Explorer.exe on [LAN] - I will keep getting pop ups
c. If I Block Explorer.exe on [WAN] - I will keep getting pop ups

Have you found an easier way?

Path- \Explorer.exe
Parent- \Userinit.exe
Destination- [IPs before [LAN]]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

Path- \Explorer.exe
Parent- \Userinit.exe
Destination- [IPs before [LAN]]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Block

Path- \Explorer.exe
Parent- \Userinit.exe
Destination- [IPs after [LAN]]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

Path- \Explorer.exe
Parent- \Userinit.exe
Destination- [IPs after [LAN]]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Block

Path- \Explorer.exe
Parent- \Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow

Path- \Explorer.exe
Parent- \Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow

You might try this:

Create an app rule like your very last entry:

Path- \Explorer.exe Parent- \Userinit.exe Destination- [LAN] Port- [ANY] Protocol- TCP/UDP Out Permission- Allow

Then create a rule:
Application: Explorer.exe
Parent: Userinit.exe
Action: Block
Protocol: TCP/UDP
Direction: Out
Destination: Any
Port: Any

Make sure the Allow rule comes first (is on top of the Block rule). There is apparently a hierarchy of sorts within App Mon. Unfortunately, this will change if you edit one of the rules - try it and see. I’m thinking if the Block rule gets on top, it may circumvent the Allow rule. If it does, just double-click the Allow rule and select OK - this will move it on top.

LM

I might try that but per panic

But I’m hard-headed and like to prove things to myself.
Maybe that is what I did previously, because I had thought I had it working, and then all of the sudden it stopped working, and my rules appeared to rearrange themselves.

It wasn’t your imagination. AppMon does indeed switch the placement of rules as you alter them, but only on applications that have the exact same name. After all, the only order they are supposed to be arranged by is alphabetical. Although there shouldn’t be any priority order, this does appear to be the case as reported by others:
https://forums.comodo.com/index.php/topic,8455.0.html

OK, I think I've got it figured out for CPF version 2.4.18.184; this may change completely for CPF V3.
Note: Application rules are very complicated, and some of the auto-configuration features in COMODO may cause problems in manually configured application rule sets.

Before trying this I suggest you read the thread below

And this

1) The rules are grouped alphabetically into Rule Sets by the “Path” application (the application actually being used to access the internet) and the “Parent” application (the application starting the “Path” application). The order of the Rule Sets does not matter; it is only alphabetical. It is based on the “Path” application, using the “Parent” application as a secondary reference. So you might have several Rule Sets of application rules showing as Explorer.exe; however, each Rule Set would have a different “Parent” application.
2) The order within each Rule Set is hierarchical (it is read from the top down).
2.1
Example Rule Set to allow Path- C:\windows\Explorer.exe
with Parent- C:\windows\System32\Userinit.exe to and from [LAN] and block anything else
Notes:
1. The rules are broken out into separate in and out rules, and the allow rule is above the block rule.
2.1.1
Path- C:\windows\Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow
2.1.2
Path- C:\windows\Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow
2.1.3
Path- C:\windows\Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block
2.1.4
Path- C:\windows\Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

[b]2.2[/b]
Example Rule Set to block Path- C:\windows\Explorer.exe with Parent-
C:\windows\System32\Userinit.exe to and from [LAN] and allow anything else
Notes:
1. The rules are broken out into separate [b]in and out[/b] rules, and the block rule is above the
allow rule.
2. Explorer.exe and userinit.exe were only used in example 2.2 to keep the example
consistent. I cannot think of any time you would want to set the rules up in the same
manner as 2.2, but that is a decision that must be made by the network designer or engineer.
  [b]2.2.1[/b]
  Path- C:\windows\Explorer.exe
  Parent- C:\windows\System32\Userinit.exe
  Destination- [LAN]
  Port- [ANY]
  Protocol- TCP/UDP In
  Permission- Block
  [b]2.2.2[/b]
  Path- C:\windows\Explorer.exe
  Parent- C:\windows\System32\Userinit.exe
  Destination- [LAN]
  Port- [ANY]
  Protocol- TCP/UDP Out
  Permission- Block
  [b]2.2.3[/b]
  Path- C:\windows\Explorer.exe
  Parent- C:\windows\System32\Userinit.exe
  Destination- [ANY]
  Port- [ANY]
  Protocol- TCP/UDP In
  Permission- Allow
  [b]2.2.4[/b]
  Path- C:\windows\Explorer.exe
  Parent- C:\windows\System32\Userinit.exe
  Destination- [ANY]
  Port- [ANY]
  Protocol- TCP/UDP In
  Permission- Allow

3. If the rules are out of order, opening the [s]bottom[/s] top rule in a Rule Set and closing it by “clicking” on OK will move it to the [s]top[/s] bottom of the corresponding Rule Set.

Thanks to Toogie, Lil Mac and Soya, as well as others who I may have forgotten to mention, for all your help. If you see anything in error in this, please correct me.

Opus Dei

Changed the title on this from Application Monitor Rules to Application Monitor Rules Hierarchy. It sounded a lot more appropriate to me
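To make the top-down evaluation described in 1) and 2) concrete, here is a small simulator of how those Rule Sets behave. It is an added example, not code from the thread or from COMODO: rules are keyed by (Path, Parent), the first matching rule in a set wins, and traffic no rule covers is treated as the popup case. The [LAN] zone, the probe addresses and the reading of rule 2.1.4 as the Out rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed [LAN] zone; in CPF the zone is user-defined

@dataclass(frozen=True)
class Rule:
    path: str        # application actually accessing the network
    parent: str      # application that started it
    dest: str        # "LAN" or "ANY"
    direction: str   # "In" or "Out"
    permission: str  # "Allow" or "Block"

def dest_matches(dest: str, ip: str) -> bool:
    if dest == "ANY":
        return True
    if dest == "LAN":
        return ipaddress.ip_address(ip) in LAN
    raise ValueError(f"unknown destination {dest!r}")

def evaluate(rules, path, parent, direction, ip) -> str:
    """Rule Sets are keyed by (path, parent); within a set the first match from the
    top wins. Traffic that no rule covers is what produces a popup, returned as 'Prompt'."""
    rule_set = [r for r in rules
                if r.path.lower() == path.lower() and r.parent.lower() == parent.lower()]
    for r in rule_set:
        if r.direction == direction and dest_matches(r.dest, ip):
            return r.permission
    return "Prompt"

PATH, PARENT = r"C:\windows\Explorer.exe", r"C:\windows\System32\Userinit.exe"
# Rule Set 2.1 from the post; 2.1.4 is taken as the Out rule (assumed, the post lists In twice).
RULESET_2_1 = [
    Rule(PATH, PARENT, "LAN", "In", "Allow"),
    Rule(PATH, PARENT, "LAN", "Out", "Allow"),
    Rule(PATH, PARENT, "ANY", "In", "Block"),
    Rule(PATH, PARENT, "ANY", "Out", "Block"),
]
# The same four rules after the rearrangement the thread describes (Block moved above Allow).
REARRANGED = RULESET_2_1[2:] + RULESET_2_1[:2]

def verdicts(rules) -> dict:
    """Constructed probes: a LAN host, a non-LAN host, and Explorer.exe under a different parent."""
    return {
        "lan_out": evaluate(rules, PATH, PARENT, "Out", "192.168.1.20"),
        "wan_out": evaluate(rules, PATH, PARENT, "Out", "203.0.113.5"),
        "lan_in": evaluate(rules, PATH, PARENT, "In", "192.168.1.30"),
        "other_parent": evaluate(rules, PATH, r"C:\windows\System32\cmd.exe", "Out", "192.168.1.20"),
    }
```

Comparing `verdicts(RULESET_2_1)` with `verdicts(REARRANGED)` shows the failure mode from scenario 1: once the Block-[ANY] rule sits above the Allow-[LAN] rule, LAN traffic is blocked, and a different parent gets no Rule Set at all and so keeps prompting.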

Very nice Opus :slight_smile:

Maybe it was Toggie and I that discussed it, I don’t remember. But I do remember going over app rules with someone, and reading an entry in the Help files that stated there was a hierarchy. It seems kinda buggy the way it works. There was some rule, we found, that when edited did not move up in its section, but the rest would move to the top of that application when edited. Thus, it would come first, and the user could find themselves being blocked for an allowed application…

LM

PS: SearchMaestro Soya, do your thing… :wink:

You are right. I just checked it out, and I've got it backwards: by double-clicking on the top set of rules and clicking OK, it will move that set of rules to the bottom. It also seems to group the allow and block rules together. Note: I have not experimented with more than 4 rules, 2 to allow and 2 to block.

I will correct my rules above though.

Thanks for catching that
Opus

You’ll find it also groups rules by parent too…

Nope, or at least not what I’m remembering. I guess it doesn’t really matter. I just thought you could pull it up… :wink: But then again, if it was Toggie and I, it might’ve been thru PM, and I purge those periodically…

LM

Sigh. Here it is: https://forums.comodo.com/index.php/topic,8804.0.html

Actually, this is the one you’re really looking for as it has you in it. I didn’t want you to start believing you had amnesia or something:
https://forums.comodo.com/index.php/topic,7235.0.html

Did you realize you typed “In order to” 73 times in this forum? You can just cross out “in order” part because it’ll shorten your sentence. No need to present things in a sophisticated manner.

The logic used to rearrange rules in AM, is, sometimes, beyond me ???

  1. Overall, rules are arranged alphabetically
  2. Within application groups, arrangement is by parent
  3. Within parent groups, arrangement seems to be IN rules first, followed by OUT rules.
  4. After that, it appears to place BLOCK rules Before ALLOW rules. (sometimes)

The rearrangement of the rules isn’t completely automatic. In fact it’s possible to force a rearrangement of the rules so that the BLOCK rule is placed last, simply by opening an ALLOW rule, clicking OK and closing the rule.

Well golly gee, Soya! That there’s the exact one about which I thought. :wink: Thanks for providing that in order to keep my sanity.

My apologies for using proper grammar. The current generation of American public school grads won’t present you with that issue, that’s for certain. :frowning:

LM

I just tried it and it’s as you posted. If it’s to be uniformly sorted in alphabetical order, then this is a bug, because Allow should be before Block.

If I already have a blocked rule on an app and create another rule to allow that same app, there won’t be 2 app rules; it’ll just replace the current one. Another inconsistency.

AM is a joy :slight_smile:

Another twitchy glitchy with it that I have noticed is that when (for instance) AF is at High (which would require Port/Protocol/Direction in the details), that if you have a rule that stipulates a port, and another rule that is “Any” port, it will create a prompt. In order for it to work, each port has to have its own rule (or be included in a “range” on one rule).

I first really noticed this because of BOC using an FTP server for updates. I created a rule to allow the port 21 connect, and let it pop up for the other two, which I allowed without remembering. That kept failing if I wasn’t at the machine, so I finally made a second rule (below the port 21 rule) to allow Any port for the FTP site. Doesn’t work. It still alerts on each additional port. Maybe that’s because I included too much detail (the IP address) for the AF level; I really don’t want to go to Very High to include the IP though, as I don’t want 5000 popups a day (number used for effect only; not an indication of reality).

LM

My BOC rules currently are:

port 21 TCP OUT
Port 51000 - 55000 TCP OUT
Port 80 TCP OUT

Plus DNS entries. This seems to work ok, I’ve not received any additional prompts for quite a while. However, I don’t know for sure what the port range is exactly.

I’ve never seen it do port 80 out. Although it does do a DNS connect on 53. But that’s enough about BOC; that’s not the topic of this thread. How’s that, Soya? Proud of me for steering the topic back? ;D

LM