Author Topic: Application Rules  (Read 666 times)

Offline domo78

  • Comodo's Hero
  • *****
  • Posts: 354
Application Rules
« on: September 20, 2021, 04:07:34 AM »
W10 Famille - 21H1 - 19043.1237 / CFW : 12.2.2.8012

Hello,

The FW is set at the level "Safe Mode".
I use Glasswire to monitor my laptop's Internet access.

I used the Microsoft PHOTOS program for the first time.
Its rating is "Trusted" (screeshot1).

Glasswire informs me that the PHOTOS program has connected to the Internet (screenshot2).

Because of the level "Safe Mode", rules should have been created automatically in "Application Rules". But no rule has been created.

There are no events in the FW and HIPS logs.

Would you have a possible explanation ?
Thanks

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1889
Re: Application Rules
« Reply #1 on: September 20, 2021, 04:49:54 AM »
Not unless you have "Create rules for safe applications" enabled for Firewall and/or HIPS in Safe Mode.

Offline domo78

  • Comodo's Hero
  • *****
  • Posts: 354
Re: Application Rules
« Reply #2 on: September 20, 2021, 05:05:01 AM »
Not unless you have "Create rules for safe applications" enabled for Firewall and/or HIPS in Safe Mode.

On the laptop :
- FW : "Create rules for safe applications" is enabled
- HIPS : "Create rules for safe applications" is disabled

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1889
Re: Application Rules
« Reply #3 on: September 20, 2021, 09:08:26 AM »
As a test / check:

- Close the Microsoft PHOTOS program
- Create a new FW rule for the Microsoft PHOTOS program and set it to Block and Log, IP In/Out, Address Any, Port Any.
- Move the created FW rule to the top of the Firewall rules list.
- Start Microsoft PHOTOS program again and check if it still connects to the internet (also check FW Logs).

Offline domo78

  • Comodo's Hero
  • *****
  • Posts: 354
Re: Application Rules
« Reply #4 on: September 21, 2021, 12:03:19 PM »
To create the rule, I could not access the program directly because of a problem of rights on the directory.
I ran the program and created the rule using the "Running process" function and setting "Log as a firewall event if this rule is fired" enabled.

I closed the program and ran it again.
There is no event in the FW log.

Maybe the program accesses the Internet at its first launch.

Offline CISfan

  • Comodo's Hero
  • *****
  • Posts: 1889
Re: Application Rules
« Reply #5 on: September 21, 2021, 01:23:48 PM »
It could be that the Microsoft PHOTOS program connects to the internet using the svchost service.

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek