Author Topic: Tutorial on how to make CFP3 work nicely with Vista and UAC.  (Read 68980 times)

Offline Star Shadow

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 373
Tutorial on how to make CFP3 work nicely with Vista and UAC.
« on: March 03, 2008, 05:52:27 AM »
Note: Apparently I cannot post in the FAQ section, so this can either stay here or be moved.

A little about me: I know I do not have a lot of posts, but I have been a long time reader of this forum, even long before I joined. I have always run Comodo Anti-Malware (BOClean), and just started to use CFP3. I love both programs and I hope to share my knowledge of how I was able to make these programs work flawlessly. This will focus on CFP3 since this is the Firewall thread and v3 is the only Vista compatible version of CFP out right now.

Also, I do not know if this was posted already, so forgive me if it was. ;)

I have read that lots of users experience weird things when it comes to vista, like having the program report different versions of the software depending on if it is run as full Administrator or not. This may be caused by the new UAC feature called "Virtual Store". In Vista, even if the person is an "Administrator", their account will run as though it is a regular user and any changes to files in the "Program Files" directory will be made to the "Virtual Store" instead. So, the firewall will try to make changes to it's files in "Program Files", but they get recorded to a different directory under the user's folder, thus another user on the same system will not experience the changes made. CFP (and also Comodo Anti-Malware) needs to be allowed to make changes in "Program Files" directory directly.

One fix for this is to right-click on the executable in C:\Program Files\Comodo\Firewall and changing the property to "Run as Administrator". However, this is where the first problem lies ... Windows Vista will deny the program to autostart and there is no way to edit the rules (that I have found) to make an exception for this program.

So, what do you do? First, you need to go through the settings of CFP and uncheck the box for automatic startup. You may be screaming at me that you want this program to start when you log in, but don't worry, we are going to use the "Task Scheduler". :) And you do not even to need to right-click on your .exe's and say "Run as Administrator". ;)

Note: The Task Scheduler is also available on Windows XP and may eliminate some of the issues I have read about that, like it not running on non-admin accounts.

To reach the "Task Scheduler", go to: Start --> All Programs --> Accessories --> System Tools --> Task Scheduler.
You will get a screen similar to the first screenshot.

On the left hand side of "Task Scheduler", click the triangle by "Task Scheduler Library" and then click on "Task Scheduler Library" to select it. On the right hand side, click on "New Folder" and then enter "Comodo Software" in the pop-up and then press OK. Then click on the new "Comodo Software" folder. You should have something that looks like the second screenshot, but I will have an extra directory there since I have a lot of tasks created there.
Note: If you are like me, then you will also have Comodo Anti-Malware (BOClean) installed as well. I found that this needs to be done for that program as well, which is why I am making the Comodo folder.
Note2: I found that tasks tend to disappear unless they are created under the "Task Scheduler Library" folder, so we might as well keep it organized. :)

Next, the hard part. :P Making sure that "Comodo Software" folder is selected, so that the task is created there, click on "Create Task..." on the right hand side menu.

The "General" tab settings:
Name: Comodo Firewall
Description: This will start Comodo Firewall with full Admin rights. (or whatever you want)

If you have one user on your system that is an admin, then the only thing you need to change in the "Security options" part is adding a check in the box for "Run with highest privileges".

If you have more than one user and all the accounts are admins, then you need to click the "Change User or Group..." button. A new pop-up will appear. In the "Select this object type" field, make sure it says: User, Group, or Built-in security prinicpal. Then click the "Advanced..." button. Then "Find Now". Then, scroll down until you see "Administrators" (note the "s" on the end). Highlight "Administrators", click OK, and then click OK again. This will make it so when any Administrator logs on, then they will start CFP. Now, you need to do like the above If statement says and play a check in the "Run with highest privileges" box.

If you have multiple users on your system and some are regular users (not admins), then things get a little more complicated. I have read reports saying that CFP does not like to be run as a non-admin. I forget where I saw that thread now, but this should work. If not, let me know. ;) I don't have any non-admin accounts to test this on. I read reports on the Internet saying this is how you start a program that refuses to start under non-admin conditions. First, the trouble... You may have noticed the option "Run whether user is logged on or not" and think that it will start a program under a certain user even if another user logs on. That is the correct logic, however, there is a bug since Windows XP, that is really stupid: You can set it to run as an account with admin privileges and it will ask you for the password of that account, but if you log on as any other user, there will be an error reported in the task manager log that the program failed to start because the password was invalid. Stupid huh? Microsoft really needs to fix that. However, there is a work around for this that I have read about. Follow all the steps of the above if statement about have multiple accounts that are admins. However, instead of choosing "Administrators", scroll down until you see "SYSTEM" and choose that instead. This will run CFP as a the SYSTEM user. :) No invalid password error now. And don't forget to put a check in the checkbox for "Run with highest privileges".

After this step, you should have something like screenshot 3.

The "Triggers" tab:
Click the "New..." button. For "Begin the task" choose "At log on". Then "Any user". Then click OK. That should do it. See screenshot 4.

The "Actions" tab:
Click the "New..." button. It should be on "Start a program" by default. Click "Browse..." and find the location where you installed the firewall and choose "cfp.exe" and then ok. In the "Add arguments (optional):" box add: -h
Now you can click OK. See screenshot 5.

The "Conditions" tab:
The only thing you need to change here is un-checking "Stop if the computer switches to battery power", unless you want your firewall to stop when you are on battery. :P Screenshot 6.

The "Settings" tab:
The only thing you need to change here is un-checking "Stop the task if it runs longer than....". This way it will run forever, unless you restart. Screenshot 7.

Now, click OK and you have your new task. You can restart to test it. :)

All screenshots were made with the "Snipping Tool" and edited for size. If any part of this tutorial is unclear or could be made better, let me know and I will modify it. Thanks and I hope this explains Vista better and helps you work around it. Also note that the instructions for Comodo Anti-Malware (BOClean) will be the same as above, except that you do not add the "-h" additional argument.

Good luck.

[attachment deleted by admin]
« Last Edit: March 08, 2008, 05:15:48 AM by Star Shadow »
Married to a loving wife. :)

Offline tcarrbrion

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 672
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #1 on: March 03, 2008, 06:40:01 AM »
CFP basically works fine as a limited user as it is. Updates and import/export settings do not work but this is not a big problem and you might not expect them to work for a limited user. The only problem I have is these two things do not work from an administrator account.

It should be easy for the developers to fix both problems so, hopefully, a fix should be out very soon.

Offline <>

  • Comodo Member
  • **
  • Posts: 41
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #2 on: March 04, 2008, 05:07:09 AM »

I have read that lots of users experience weird things when it comes to vista, like having the program report different versions of the software depending on if it is run as full Administrator or not. This may be caused by the new UAC feature called "Virtual Store". In Vista, even if the person is an "Administrator", their account will run as though it is a regular user and any changes to files in the "Program Files" directory will be made to the "Virtual Store" instead. So, the firewall will try to make changes to it's files in "Program Files", but they get recorded to a different directory under the user's folder, thus another user on the same system will not experience the changes made. CFP needs to be allowed to make changes in "Program File.
Re this paragraph
I like what Microsoft have done in the limited account on Vista ie. that you can run some programs with admin rights for short periods if you like if you have the password.
What I do NOT like is that they have crippled the Adminstrator account so if someone runs only that account the damaged caused can be limited.
Since I having a moan about Microsoft I do not like what have done to the Legacy registry keys either ???
I apologize for my rant.
I hope this is fixed in SP1 as I believe they are making changes to UAC.
Thank you for your post Star Shadow I find it very informative.
Thanks
Dennis

Offline Star Shadow

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 373
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #3 on: March 04, 2008, 08:55:11 AM »
I hope this is fixed in SP1 as I believe they are making changes to UAC.
Thank you for your post Star Shadow I find it very informative.
Thanks
Dennis
I am running Windows Vista with SP1 final. Thankfully my job allows me to get it early. I still need to do the above tutorial to make things work perfect for me. I have multiple users on my home PC, and I need to make sure it is in full Admin mode so all the users get the update, rather than just my account in the Virtual Store. In full Admin mode, the files under the "Program Files" directory get modified directly, rather than the files in my "Virtual Store" directory in my user accounts folder.

Thank you for your kind words. I tried to make the tutorial as thorough as possible explaining everything so people understand reasons why instead of just following blindly. :)

Cheers.
Married to a loving wife. :)

Offline public4001

  • Newbie
  • *
  • Posts: 3
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #4 on: March 24, 2008, 06:43:24 PM »
Thanks, Star Shadow. I believe this is the best workaround at the moment. CFP developers should fix the problem in future release.

Offline novice

  • Newbie
  • *
  • Posts: 1
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #5 on: March 29, 2008, 11:35:36 PM »
Thank you star shadow for your complete explanation. I haven't implemented it yet. Does version 3.0.21.329 have a fix that makes this unnecessary? Will using the task scheduler handicap CFP from any pre-logon duties?
I am running Windows Vista SP1.
 (I only get to do this mostly on weekends, so if you reply it's not lack of appreciation if I don't respond immediately -thank you.)
« Last Edit: March 29, 2008, 11:50:24 PM by novice »

Offline Info-Sec

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 605
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #6 on: March 30, 2008, 12:01:04 AM »
I suggest turning UAC off.  Because it does the basic (yet limited protection scope) job as D+.

If you have D+ you don't need UAC.
*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper

Josh123

  • Guest
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #7 on: March 30, 2008, 12:06:52 AM »
I suggest turning UAC off.  Because it does the basic (yet limited protection scope) job as D+.

If you have D+ you don't need UAC.

I agree here.

I also have UAC disabled, Besides! If XP users can survive without it, so can vista users...

Hope Comodo otherwise will provide a fix in the future.

Josh.

Offline Star Shadow

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 373
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #8 on: March 30, 2008, 07:57:46 AM »
I posted my views on disabling UAC in this thread: http://forums.comodo.com/empty-t21323.0.html

Also, I hear there is no "Protected Mode" for IE when UAC is off. Granted, turning off UAC would eliminate most of the quirks of all the comodo software, but the issues with UAC need to be fixed in General. Some companies may have a policy about turning off UAC, so the issues need to be fixed if Comodo wants to be a complete viable option to companies that don't turn off UAC. Some users feel the need for UAC and some don't. I am not going to say what is best for a user. I mearly provide this guide for those that want UAC on, but not experience the quirks that have been reported about it.

Personally, I leave UAC on to annoy others that use my computer. :P It's nice to have a pop-up box with an admin login that they get frustrated with. It means more PC time for me since they go to the slower XP machine. ;) hehe. Also, non-multi-user games (those that save the games directly to Program Files dir) can be used on a multi-user system and not interfere with each other because of the Virtual Store. This is probably one of the greatest uses I get out of it, if not the only good use. Some games save info to the "Documents" folder now, but there is a specific folder for saving game data to now and I hope future games take advantage of that.

Cheers.
Married to a loving wife. :)

Offline Info-Sec

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 605
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #9 on: March 30, 2008, 10:20:40 AM »
I posted my views on disabling UAC in this thread: http://forums.comodo.com/empty-t21323.0.html

Also, I hear there is no "Protected Mode" for IE when UAC is off. Granted, turning off UAC would eliminate most of the quirks of all the comodo software, but the issues with UAC need to be fixed in General. Some companies may have a policy about turning off UAC, so the issues need to be fixed if Comodo wants to be a complete viable option to companies that don't turn off UAC. Some users feel the need for UAC and some don't. I am not going to say what is best for a user. I mearly provide this guide for those that want UAC on, but not experience the quirks that have been reported about it.

Personally, I leave UAC on to annoy others that use my computer. :P It's nice to have a pop-up box with an admin login that they get frustrated with. It means more PC time for me since they go to the slower XP machine. ;) hehe. Also, non-multi-user games (those that save the games directly to Program Files dir) can be used on a multi-user system and not interfere with each other because of the Virtual Store. This is probably one of the greatest uses I get out of it, if not the only good use. Some games save info to the "Documents" folder now, but there is a specific folder for saving game data to now and I hope future games take advantage of that.

Cheers.

I also have UAC off.  However if UAC is off, I highly doubt protected mode is disabled.  As UAC has to do with certain setting changes, and installing certain drivers, or software.

UAC is infact useless if you have CFP, otherwise it is a DECENT way to protect your valuable settings.
*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper

Offline Star Shadow

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 373
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #10 on: March 30, 2008, 11:44:28 AM »
I also have UAC off.  However if UAC is off, I highly doubt protected mode is disabled.  As UAC has to do with certain setting changes, and installing certain drivers, or software.
Open Internet Explorer and visit a site like Google, then look at the bottom. Does it say "Protected Mode: On"? I had UAC off once, and I could have sworn that IE at the bottom said "Protected Mode: Off". UAC does a lot more than people think. ;) It controls a vast number of little components in the system.

Let me know what you what you find. :)
Married to a loving wife. :)

Offline Info-Sec

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 605
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #11 on: March 30, 2008, 12:29:51 PM »
Open Internet Explorer and visit a site like Google, then look at the bottom. Does it say "Protected Mode: On"? I had UAC off once, and I could have sworn that IE at the bottom said "Protected Mode: Off". UAC does a lot more than people think. ;) It controls a vast number of little components in the system.

Let me know what you what you find. :)

I trust you, i'll NEVER EVER use IE again, I lost a computer to its crappy defenses.  I have my Zone Alarm KILL IE cna't say i'll use it.  ;)
*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper

Offline Nikku

  • Newbie
  • *
  • Posts: 20
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #12 on: March 30, 2008, 07:12:38 PM »
After I did the above steps, it does run and everything under system.  A new problem appears though...how do I configure the firewall when the icon doesn't appear in the systray?  ???

Offline Info-Sec

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 605
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #13 on: March 30, 2008, 08:24:02 PM »
After I did the above steps, it does run and everything under system.  A new problem appears though...how do I configure the firewall when the icon doesn't appear in the systray?  ???

Double click the CPF shortcut, it should bring up the GUI.
*Vista *CFP V3 *Avira * Avast *Spyware Doctor
*XP *Zone Alarm PRO *NOD32 V2.7 *Spysweeper

Offline public4001

  • Newbie
  • *
  • Posts: 3
Re: Tutorial on how to make CFP3 work nicely with Vista and UAC.
« Reply #14 on: April 03, 2008, 10:06:09 PM »
 (:KWL)

Have taken the CFP3 off the Vista SP1 machines. Waiting for the fix.

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek