Application rules order ( v3.0.17.304, x32, XP2 SP2)[Resolved]

Since version 3.0.17.304 of CFP I’ve noticed strange behaviour in Application rules sorting. New firewall rules added through popup alert were added at the top of the list, but the ones added directly in ‘Network Security Policy’ were added at the botton of the list. Similar situation is with rules made by Defense+. If the rule was added in ‘Clean PC Mode’ (without user interruption) it would be at the bottom of the list. If the rule was added in ‘Paranoid Mode’ (or required user interruption) then the rule would be added at the top of the list. The fact that CFP doesn’t sort alphabetically ‘Application rules’ was very inconvenient, but now it’s a complete mess. Why won’t you sort it by name (or at least add such an option to CFP)?? It would make a lot easier to find application profile which a user need to edit/remove.

AFAIK the rule order has only meaning for firewall’s Global rules and the rules inside the application profile.

OS: Win XP Pro SP2 32bit + online updates
Active Protection: CFP, Avira Antivir, BOClean.
I updated from CFP 3.0.16.295 to 3.0.17.304 using built-in updater and chose ‘Yes’ in the ‘configuration migration’ tool.

I’ve noticed this too with rules being added to the top or bottom. I wanted to mention it, but I’m fighting other problems right now.

Al

Do not know whether this is the bug or new feature of CF, but in some cases this new technique of adding new applications to network/computer security policy (placing new apps at the top of the list) may cause some problems, i guess.

Example: In previous versions (when new apps always were added at the end of the list) some activities were allowed/blocked by the ruleset of “All applications” group before reaching ruleset of any program (as list is processed from top to bottom).

But in 3.0.17 if you want permissions/prohibitions for all applications (“All applications” group) to be applied before ruleset of any program is processed you need to move this group manually to the top of the list every time new app is added to the policy.

EDIT: At least one user has same problem[/url].

If there is permissions/prohibitions for all applications (“All applications” group) at the top of the list - you will not get an alert for crossing over behavior, so there is no problem with this case.

Thanks for reply (спасибо :-TU) . You are right: no problems were encountered during testing/using CFP. I should have done this at the very beginning before complaining ;D
I guess this topic issue cannot be treated as a bug - it’s by design…

If it’s not a bug then it is a really wierd design. What is the purpose for file goup based rules like All application, Executables, etc. ? AFAIK rules are processed from top to bottom so if you want to restrict some behavior of All applications or Executables, etc. then these file group rules must be on top of the list.

[attachment deleted by admin]

One example: “all applications” group works instantly and affects all apps - no matter whether they are higher or lower that group (computer security policy). I guess some testing by yourself can confirm this.

I’ve done some testing and I still claim that it is bugged. Why? Because I can reproduce this bug several times where All application policy was applied or wasn’t applied depending on if the application rule policy was bellow or above file group policy. It also depends on settings. The bug cannot be reproduced if you use the simplest rules. Try using Block as default action insted of Ask for application rule policy and/or Exceptions (Modify/Settings) and you will notice that there is something wrong with this ‘design’ :D. Anyway, if I will have some time later I might write how to reproduce this bug step by step.

See more detailed explanation

I’ve finally got some time to write a simple test scenario:

  1. Application needed: Firefox, TotalCommander or ObjectDock;

  2. Edit All Aplication file group policy. Leave all Access Name to default Ask action and Modify Settings for Run an executable: Add an exeption which will allow any application to start firefox.exe ( of course with correct path ).

  3. Now add an application rule for Total Commander or Object Dock. Choose custom policy and set Run an executable action to Block. Make sure no exeptions are added if you reedit rule. By default application policies made in Computer Security Policy are added at the bottom of the list. Move this policy to position just bellow All aplication file group policy and apply all changes.

  4. Run the actual test. Set Defense+ into Paranoid Mode and start Total Commander. Now try to start Firefox through Total Commander. Firefox will start without any problems.

  5. Close Firefox and Total Commander.

  6. Go to Computer Security Policy and move the Total Commander application policy rule above All application file group policy.

  7. Start Total Commander. Now try to start Firefox through Total Commander. Firefox will NOT start.

  8. Conclusion: Applying global rules depends on where application policy rule is placed. Whether it is placed above or bellow file group policy then behavior is different.

I’m not intended to describe all tests I made. This is just one example. In my opinion file group applying is buggy or there is a flaw in this ‘desing’. If this behaviour is intended just give me a short answer and mark this thread as resolved.

Indeed, this test shows how user can manually create the rule that crosses over global group policy. But if we are talking about auto creation of policy via alert answering - we can not get such situation.
Lets use the same example above to make it clear:

In example above we got global policy that allows every application to launch Firefox.exe, and because of it we won’t get any alerts about launching Firefox.exe therefore. So there is no chance to auto-create blocking rule like in example above via answering alert. If either some application will try to execute some other application(e.g. Opera.exe) and you choose to block it - block rule for opera will be created on top, but it will not cross over the global policy for firefox.exe.

User always has ability to create contradictory rules or policies manually and we assume that he understands what he does. But there is no way for CFP to create contradictory rules automatically while user answer allow or block on security alerts.

IIRC easrly CFP releases prevented the use to rearrange Computer Security Policy applications.

This limitation was then removed when Comodo approved user feedback requesting that.

After rule sort limitation was removed I believed that the rationale behind that was superseded but it looks like I was wrong to assume that All Application policy was applied first regardless its position.

As there is no official description about the design behaviour I guess no one really is able to undertand this.

EDIT: striked out incorrect assertions

Can you please describe the design behaviour?

Does that overriding behaviour happens only for Execute access rights?

You can easily check that both in Firewall and Defense+ upper rules are applied first, no matter is it group or dedicated application policy so policy for ‘‘All applications’’ will be applied to all excepting behavior described in upper policies. That concerns all types of application rules.
So the order is important.

Note also firewall application rules and global rules consulting order:

  • For Outgoing connection attempts, the application rules are consulted first then the global rules.
  • For Incoming connection attempts, the global rules are consulted first then application specific rules.

Could you tell more detailed about this. Where does this information comes?

With rule sort limitation I meant the inability to use drag&drop to rearrange application policy order.

Early CFP versions didn’t allow Drag&Drop rearrangement in the policy dialog that listed the applications.

The Egemen’s post I quoted was a reply to an user about CFP 3.0.11.246 RC1 inability to sort applications.

As the rationale behind that limitation was that the relative position of application policies could affect policy enforcement when Drag&Drop sorting was enabled I incorrectly assumed that the original motivation for that was superseded.

EDIT: I imagined things. Drag & drop sorting was mentioned in that post too.

EDIT: This behaviour is officially described in CFP manual and thus it is unlikely to change in future.

Users can re-order the priority of policies by simply dragging and dropping the application name or file group name in question. To alter the priority of applications that belong to a file group, you must use the 'My File Groups' interface.

EDIT: I shortened this post and edited the previous ones too

Sorry for wasting your time :-[

If this behavior was in fact intended, then a possible reason is to allow exceptions to the ‘All Applications’ rules. See https://forums.comodo.com/ for an example of how this behavior is useful.

Thanks to everyone for participating in this discussion, especially to dchernyakov for explaining how things actually works in CFP. It’s still a little fuzzy for me, but I’ve got an overall picture.

Anyway, could someone of the moderators mark this thread as [RESOLVED]? It was made on my old forum account, so I cannot do it myself.