Author Topic: Application rules order ( v3.0.17.304, x32, XP2 SP2)[Resolved]  (Read 15244 times)

fOrTy_7

  • Guest
Application rules order ( v3.0.17.304, x32, XP2 SP2)[Resolved]
« on: February 14, 2008, 09:29:53 AM »
Since version 3.0.17.304 of CFP I've noticed strange behaviour in Application rules sorting. New firewall rules added through popup alert were added at the top of the list, but the ones added directly in 'Network Security Policy' were added at the bottom of the list. The situation is similar with rules made by Defense+. If the rule was added in 'Clean PC Mode' (without user interruption) it would be at the bottom of the list. If the rule was added in 'Paranoid Mode' (or required user interruption) then the rule would be added at the top of the list. The fact that CFP doesn't sort 'Application rules' alphabetically was very inconvenient, but now it's a complete mess. Why won't you sort it by name (or at least add such an option to CFP)?? It would make it a lot easier to find the application profile which a user needs to edit/remove.

AFAIK the rule order has only meaning for firewall's Global rules and the rules inside the application profile.

OS: Win XP Pro SP2 32bit + online updates
Active Protection:  CFP, Avira Antivir, BOClean.
I updated from CFP 3.0.16.295 to 3.0.17.304 using built-in updater and chose 'Yes' in the 'configuration migration' tool.
« Last Edit: September 20, 2008, 06:04:16 AM by gibran »

Offline adric

  • "Start every day with a smile and get it over with."
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 675
  • "I am not young enough to know everything. "
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #1 on: February 14, 2008, 10:39:15 AM »
I've noticed this too with rules being added to the top or bottom. I wanted to mention it, but I'm fighting other problems right now.

Al
« Last Edit: February 15, 2008, 12:38:18 PM by adric »

Offline SS26

  • Comodo's Hero
  • *****
  • Posts: 1925
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #2 on: February 15, 2008, 12:33:11 PM »
Do not know whether this is a bug or a new feature of CF, but in some cases this new technique of adding new applications to network/computer security policy (placing new apps at the top of the list) may cause some problems, I guess.

Example: In previous versions (when new apps always were added at the end of the list) some activities were allowed/blocked by the ruleset of "All applications" group before reaching ruleset of any program (as list is processed from top to bottom).

But in 3.0.17 if you want permissions/prohibitions for all applications ("All applications" group) to be applied before ruleset of any program is processed you need to move this group manually to the top of the list every time new app is added to the policy.

EDIT: At least one user has same problem.
« Last Edit: February 16, 2008, 03:47:35 AM by goodbrazer »

Offline dchernyakov

  • Comodo's Hero
  • *****
  • Posts: 286
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #3 on: September 12, 2008, 08:25:55 AM »

But in 3.0.17 if you want permissions/prohibitions for all applications ("All applications" group) to be applied before ruleset of any program is processed you need to move this group manually to the top of the list every time new app is added to the policy.


If there are permissions/prohibitions for all applications ("All applications" group) at the top of the list - you will not get an alert for crossing over behavior, so there is no problem with this case.

Offline SS26

  • Comodo's Hero
  • *****
  • Posts: 1925
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #4 on: September 12, 2008, 04:20:51 PM »
If there are permissions/prohibitions for all applications ("All applications" group) at the top of the list - you will not get an alert for crossing over behavior, so there is no problem with this case.
Thanks for reply (спасибо :-TU) . You are right: no problems were encountered during testing/using CFP. I should have done this at the very beginning before complaining ;D
 I guess this topic issue cannot be treated as a bug - it's by design...

Offline fOrTy_7

  • Comodo's Hero
  • *****
  • Posts: 594
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #5 on: September 12, 2008, 04:34:21 PM »
If it's not a bug then it is a really weird design. What is the purpose of file group based rules like All application, Executables, etc.? AFAIK rules are processed from top to bottom so if you want to restrict some behavior of All applications or Executables, etc. then these file group rules must be on top of the list.




Offline SS26

  • Comodo's Hero
  • *****
  • Posts: 1925
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #6 on: September 12, 2008, 04:47:28 PM »
One example: "all applications" group works instantly and affects all apps - no matter whether they are higher or lower than that group (computer security policy). I guess some testing by yourself can confirm this.

Offline fOrTy_7

  • Comodo's Hero
  • *****
  • Posts: 594
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #7 on: September 13, 2008, 03:26:36 AM »
I've done some testing and I still claim that it is bugged. Why? Because I can reproduce this bug several times where All application policy was applied or wasn't applied depending on whether the application rule policy was below or above the file group policy. It also depends on settings. The bug cannot be reproduced if you use the simplest rules. Try using Block as default action instead of Ask for application rule policy and/or Exceptions (Modify/Settings) and you will notice that there is something wrong with this 'design' :D. Anyway, if I have some time later I might write how to reproduce this bug step by step.
« Last Edit: September 13, 2008, 03:30:02 AM by fOrTy_7 »

Offline dchernyakov

  • Comodo's Hero
  • *****
  • Posts: 286
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #8 on: September 15, 2008, 08:40:50 AM »

Offline fOrTy_7

  • Comodo's Hero
  • *****
  • Posts: 594
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #9 on: September 16, 2008, 03:14:33 PM »
I've finally got some time to write a simple test scenario:

1. Application needed: Firefox, TotalCommander or ObjectDock;

2. Edit All Application file group policy. Leave all Access Name to default Ask action and Modify Settings for Run an executable: Add an exception which will allow any application to start firefox.exe (of course with correct path).

3. Now add an application rule for Total Commander or Object Dock. Choose custom policy and set Run an executable action to Block. Make sure no exceptions are added if you re-edit the rule. By default application policies made in Computer Security Policy are added at the bottom of the list. Move this policy to the position just below All Application file group policy and apply all changes.

4. Run the actual test. Set Defense+ into Paranoid Mode and start Total Commander. Now try to start Firefox through Total Commander. Firefox will start without any problems.

5. Close Firefox and Total Commander.

6. Go to Computer Security Policy and move the Total Commander application policy rule above All application file group policy.

7. Start Total Commander. Now try to start Firefox through Total Commander. Firefox will NOT start.

8. Conclusion: Applying global rules depends on where the application policy rule is placed. Depending on whether it is placed above or below the file group policy, the behavior is different.

I don't intend to describe all the tests I made. This is just one example. In my opinion file group applying is buggy or there is a flaw in this 'design'. If this behaviour is intended just give me a short answer and mark this thread as resolved.
« Last Edit: September 16, 2008, 03:34:00 PM by fOrTy_7 »

Offline dchernyakov

  • Comodo's Hero
  • *****
  • Posts: 286
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #10 on: September 17, 2008, 04:34:04 AM »
Indeed, this test shows how a user can manually create a rule that crosses over the global group policy. But if we are talking about auto creation of policy via alert answering - we cannot get such a situation.
Let's use the same example above to make it clear:

In the example above we have a global policy that allows every application to launch Firefox.exe, and because of it we won't get any alerts about launching Firefox.exe. So there is no chance to auto-create a blocking rule like in the example above via answering an alert. If some application tries to execute some other application (e.g. Opera.exe) and you choose to block it - the block rule for Opera will be created on top, but it will not cross over the global policy for firefox.exe.

User always has the ability to create contradictory rules or policies manually and we assume that he understands what he does. But there is no way for CFP to create contradictory rules automatically while the user answers allow or block on security alerts.

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #11 on: September 17, 2008, 06:33:42 AM »
IIRC early CFP releases prevented the user from rearranging Computer Security Policy applications.
Hi Malbeth,

There is a reason why the rules are not sortable. Because the order of the rules is very important in D+ and FW.

For example, if you notice, we have "All Applications" entry as the first entry in the rules. By default, D+ is configured to allow all applications to create files in temporary folders. This is achieved by the "All Applications" entry. If it were not the first entry, it would not work as expected. Especially when wildcards are involved, the order of the rules becomes crucial.

This is valid for the firewall rules too. So sorting is disabled for this very reason.

As a quick feature reminder, order of the rules can be easily changed in these grids by DRAG n DROP using the mouse.

Egemen

This limitation was then removed when Comodo approved user feedback requesting that.

User always has the ability to create contradictory rules or policies manually and we assume that he understands what he does. But there is no way for CFP to create contradictory rules automatically while the user answers allow or block on security alerts.

After rule sort limitation was removed I believed that the rationale behind that was superseded but it looks like I was wrong to assume that All Application policy was applied first regardless of its position.

As there is no official description about the design behaviour I guess no one really is able to understand this.

EDIT: struck out incorrect assertions

Can you please describe the design behaviour?

Does that overriding behaviour happen only for Execute access rights?
« Last Edit: September 17, 2008, 03:02:35 PM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline dchernyakov

  • Comodo's Hero
  • *****
  • Posts: 286
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #12 on: September 17, 2008, 08:13:27 AM »
You can easily check that both in Firewall and Defense+ upper rules are applied first, no matter whether it is a group or a dedicated application policy, so the policy for "All applications" will be applied to all except behavior described in upper policies. That concerns all types of application rules.
So the order is important.

Note also firewall application rules and global rules consulting order:
 - For Outgoing connection attempts, the application rules are consulted first then the global rules. 
 - For Incoming connection attempts, the global rules are consulted first then application specific rules. 


After rule sort limitation was removed
Could you tell about this in more detail? Where does this information come from?

« Last Edit: September 17, 2008, 08:19:24 AM by dchernyakov »
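
The ordering effect from the Reply #9 test and the "upper rules are applied first" statement above, as an added example that is not part of any post and not Comodo's code: a simplified first-match model in which the topmost policy matching the launching application decides, plus a check that lists adjacent policies whose order changes the outcome. The paths, the `Policy` fields and the handling of "Ask" (returned as-is, with no fall-through to lower policies) are assumptions; the thread does not describe the real engine at that level.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Policy:
    target: str   # acting application path pattern; "*" stands in for "All Applications"
    default: str  # "Run an executable" default action: "allow", "block" or "ask"
    exceptions: dict = field(default_factory=dict)  # launched-program pattern -> action

def matches(pattern, path):
    # Windows paths compare case-insensitively
    return fnmatchcase(path.lower(), pattern.lower())

def decide(policies, parent, child):
    """Topmost policy whose target matches the parent decides (assumed first-match model)."""
    for p in policies:
        if matches(p.target, parent):
            for pattern, action in p.exceptions.items():
                if matches(pattern, child):
                    return action, p.target
            return p.default, p.target
    return "ask", None  # assumption: nothing matched, so the user is alerted

def order_sensitive(policies, parent, child):
    """List adjacent policy pairs whose swap changes the decision for this launch."""
    base = decide(policies, parent, child)[0]
    pairs = []
    for i in range(len(policies) - 1):
        swapped = policies[:i] + [policies[i + 1], policies[i]] + policies[i + 2:]
        if decide(swapped, parent, child)[0] != base:
            pairs.append((policies[i].target, policies[i + 1].target))
    return pairs

# Constructed sample paths and policies mirroring the Reply #9 test
TC = r"C:\Program Files\totalcmd\TOTALCMD.EXE"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
ALL_APPS = Policy("*", "ask", {FIREFOX: "allow"})
TC_POLICY = Policy(TC, "block")

if __name__ == "__main__":
    print(decide([ALL_APPS, TC_POLICY], TC, FIREFOX))  # group policy on top
    print(decide([TC_POLICY, ALL_APPS], TC, FIREFOX))  # application policy on top
    print(order_sensitive([ALL_APPS, TC_POLICY], TC, FIREFOX))
```

Running `order_sensitive` over the launches that matter in an exported policy list shows which manually placed rules override a group policy only because of their position.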

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #13 on: September 17, 2008, 09:13:00 AM »
Could you tell about this in more detail? Where does this information come from?
With rule sort limitation I meant the inability to use drag&drop to rearrange application policy order.

Early CFP versions didn't allow Drag&Drop rearrangement in the policy dialog that listed the applications.

Egemen's post I quoted was a reply to a user about CFP 3.0.11.246 RC1 inability to sort applications.

As the rationale behind that limitation was that the relative position of application policies could affect policy enforcement when Drag&Drop sorting was enabled I incorrectly assumed that the original motivation for that was superseded.

EDIT: I imagined things. Drag & drop sorting was mentioned in that post too.


EDIT: This behaviour is officially described in CFP manual and thus it is unlikely to change in future.
Users can re-order the priority of policies by simply dragging and dropping the application name or file group name in question. To alter the priority of applications that belong to a file group, you must use the 'My File Groups' interface.

EDIT: I shortened this post and edited the previous ones too


Sorry for wasting your time :-[
« Last Edit: September 17, 2008, 03:07:29 PM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline MrBrian

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 494
Re: Application rules order ( v3.0.17.304, x32, XP2 SP2)
« Reply #14 on: September 19, 2008, 09:31:41 PM »
If it's not a bug then it is a really weird design. What is the purpose of file group based rules like All application, Executables, etc.? AFAIK rules are processed from top to bottom so if you want to restrict some behavior of All applications or Executables, etc. then these file group rules must be on top of the list.

If this behavior was in fact intended, then a possible reason is to allow exceptions to the 'All Applications' rules.  See http://forums.comodo.com/empty-t21361.0.html for an example of how this behavior is useful.

 
