A CPF Companion - possible solution to an existing challenge

I hope this wasn’t mentioned already and I apologize if it was. Most people are focused on apps that go out to the net; this idea is internal to a computer.

One of the challenges of setting up a tighter system with respect to the dlls is dealing with invisible connections when you install CPF in Advanced Mode. Your current options are either to block the dll in question, which will stop the associated application (like IE) from functioning until it’s restarted, or let it out against your better judgment. Neither provides a satisfactory solution. There are a lot of items that ask to go out, which makes one question why THAT would need to go out. There are companies (won’t mention any names) that have proven themselves untrustworthy. I noticed others would like to utilize the dll section but have let it go out of frustration due to it not operating as one would expect. With CPF’s current setup, you really cannot utilize the block/allow feature that the programmers have taken the time, effort and expense to offer in their product.

One method of dealing with this might be to create an internal control managing application that sits between the Windows environment and CPF. With it, you could handle these invisible attempts with allow/block settings before they even reach CPF. The result should rectify the need to restart the associated application while intercepting and blocking the dll in question. This could be accomplished by having a firewall/sandbox hybrid. The sandbox is needed for a controlled environment to allow an uninterrupted operation of an application, so only ‘allowed’ items would reach CPF. The firewall portion of the app could operate just like CPF in regards to rules creation and type of operational modes. The app is already halfway done.

Does anyone else have an interest in this? Is this feasible from a programmer’s standpoint?

Just wanted to mention some other benefits to this idea.

Someone pointed out in another post how items can get past CPF when software like VirtualPC or VMware is used. Even though a solution was offered, a CPF staff member pointed out that nothing is 100% secure. This might add an extra cushion of security since one could control the information that’s passed to the virtualware.

Also, new security holes in the OS and other apps are being exploited more now than at any time in the past. There is a time period between the exposure of a new exploit and the release of the patch where people are vulnerable. Sometimes security websites will identify the specific components mentioned even though they cannot offer a fix. Some of the components might be able to be blocked from being used until the patch becomes available, like if it’s an ActiveX or Java issue, for example.

Can anyone think of other benefits this could offer?

i have had this thought ever since i started using software firewalls. all you end up doing is hitting allow all the time just to keep going. so what is the point. you just keep allowing and allowing and allowing. how often does anyone actually deny anything? sometimes i wonder what the whole point is.
however i do have to admit that comodo in learn mode is the best i have used so far, i still tell myself, "of course i’m gonna allow say IE to go out and every other program that exists on my machine, or new app that i install because i want it to keep going and to work. it’s sort of a paradox in that you’re asked to approve an app that you want to work because obviously if you deny it, it won’t. when you get the extremely rare obvious stuff trying to access your system then you deny it of course. and of course it’s not just dlls either. i mean, you get asked if you want to allow or deny explorer.exe for various situations. how can you ever deny it if you want something to work?

anyway, it kind of makes your head spin if you really think about it. say you’re installing an app. now, during the install your firewall and antivirus are asking numerous times to allow or deny several different things. if you deny even just one, you can cause all kinds of things to happen. basically it won’t install properly, if at all, then if you go to reinstall it, it most likely won’t because you have created a rule that denied something. you will have to track down what you have denied and change it to allow. so what is the point of that. either you want the app installed or you don’t. so in the end you end up just allowing everything. most of the time, no, all of the time you’re asked to allow or deny because the firewall or antivirus doesn’t know if it’s a bad file or program or whatever. how should the user know either. you talk about pre-emptive solutions which would be perfect, but if no one knows beforehand if it’s malware then how about catching it very quickly if it turns out to be malware immediately after it runs and correcting any damage it did in the milliseconds that it ran.

this may be extremely difficult to do, as i am a fixer not a programmer. but i agree with you wholeheartedly. pre-emptive and if not caught beforehand, a quick kill and repair. no questions need to be asked except for obvious stuff that is very off the wall. so far comodo is extremely good at this after it learns. but there is the new app install that takes twice as long and you have to watch it so you can answer the questions.
ok. enough. keep going comodo, your software is excellent (:CLP)

kpc

again i agree. we’re just wording it differently, but these are the things i was trying to say in my long-winded essay (sorry). this whole firewall thing needs to make more sense. pre-emptive, pro-active, and post-active. otherwise you basically have to allow virtually everything.

kpc

Hi kpc,

I think most people operate the same way you do, in regards to letting things out against their better judgment to avoid the frustration of blocking. My rule of thumb is, when in doubt, block. I want to understand how things work behind-the-scenes. It’s very frustrating but I have learned a lot so far.

If this app currently existed, how would you expect it to operate and what would you like to see in it? I was thinking along the lines of something like this.

First scenario: IE is already listed in the sandbox and the following components attempt an invisible connection - explorer.exe and flash.xxx. (‘xxx’ meaning any extension) One might be ok with explorer but say someone didn’t like using flash. A pop-up table displays when the connection is attempted…

[CPF’s Companion]

These components are attempting an invisible connection with iexplore.exe:

Components Allow Block Ask
Explorer.exe >> (move explorer) >> (move flash) >>
Flash.ocx << << <<

Apply Cancel

[A Component Description would be a bonus - like the one you see under Comp Mon in the ‘Details’ section]

After changes are applied, explorer.exe is allowed through, while flash.ocx is blocked at the same time. Then the information could be made available to CPF and normal operations are carried out. Since flash has been blocked before it even reaches CPF, the browser will be able to function without any interruption because it’s only receiving approved components.

Second scenario (used to fine-tune by utilizing rules): Creating a rule where it may be ok for a component to go out with one app but not any others. (This would cut down the need of creating several rules when a dll is known to intercept more than one internet-based app) Or maybe one might want to control ‘some.exe’ file that has multiple functions - allow some while blocking others:

Component: ‘some.dll’ or ‘some.exe’
Allowed if asked with the following app(s): Browser, …
Blocked if asked with the following app(s): Email client, …

Is this kind of what you were thinking, too?

Yes. Only a little more precise if possible. Certain programs (let us stick with IE for example) need flash or it will not run in certain cases. However, say it does not need ocx.dll. It would be cool along the way if the “companion” could tell you if the program needs or does not need a certain file to run. That way if you deny a process and the program happens to need it, you won’t have to start over for that one file. However, installs of new apps would be where it would be the most noteworthy. Let’s say you download tiny firewall (I know, bad example). You go to install it and you’re gonna get popups. Now maybe someone introduced a trojan or some kind of malware along the way. If comodo could pick out that file or files only and say do you want malware on your machine or not. Again, as i write i begin thinking why should that even happen? if it finds malware it should take it upon itself to deny it. i admit some interaction is fun, but at the same time, should it be necessary. your idea could be a stepping stone to eventually eliminating interaction. Again, I’m not a programmer so i don’t know if this is even possible. just would be nice and affirm the true meaning of the word firewall. to prevent fires. Not ask if you want a fire. I just think too much. Everyone tells me that. I do like what you are saying and I guess that is what I mean if interaction has to be involved. But usually as I’m typing I think more into something. Hence the long-windedness. Like I said, comodo is extremely good at filtering. By far the best I have used to date. I think comodo will be a winner by a long shot when the smoke clears.

kpc

OK, great! I’m not a programmer but logically it seems feasible that a program could tell you what is needed with commonly used apps, anyway. Only if someone was willing to gather the information. The other ones probably would need to be set up by the user since there are literally thousands of them on the market. It’s an intriguing idea, so let’s do a little brainstorming to see how this could possibly work.

Logical layout - flow of data
Let’s use explorer and flash again even though they are not the best examples.
Windows Environment (Operations & Functions) - explorer.exe and flash.xxx ask to go out
|
| ← Data Flow (towards…)
|
CPF’s companion: (IE is currently running in the sandbox)
Configurations: I was thinking the sandbox portion of the app is inside the firewall. You could think of it like putting a cube inside a cardboard box. The sandbox is the cube and inside that are running applications with their required components in a controlled environment. These associated components could be just the core ones or the bare minimum that is required to initialize and run an app. (This would be how someone would know what is required) Then allow the user to add or block anything else that the app may use or something that may want to use an app in the sandbox. This is suggested because everyone’s level of security is different and this is the only way I could think of to accommodate such a wide range. Flash is not a requirement for IE to run. One may not be able to use a ‘part’ of IE if it is not running but you can still surf without it. (Can you tell I’m not a fan of flash? LOL) So flash could be a user’s choice rather than listed as a required component. Explorer.exe is also not required but if it’s not allowed then when you click on a hyperlink, say from your email client, or open a ‘.mht’ file, you won’t be able to make a connection. It’s needed from the standpoint of what was mentioned but it is a parent app and is not a part of IE. It makes sense not to list it as a core part of the app and let the user add it. Otherwise, there might be too many overlapping programs, which could cause a problem.

Action requested: IE is running and say the user blocks flash and allows explorer. Since the firewall blocks flash before it reaches IE, there isn’t a need to restart IE. It is here where I wonder if this idea can even be created. Because I think the way CPF works, it doesn’t catch an alert until ‘after’ the dll joins the internet-based app. In order for this to work, it would need to be caught ‘before’ it joins, I would imagine anyway. Perhaps there may be a need to have 2 instances of IE running. One on the outside of the sandbox so one could receive the alert and one inside that is protected from any interruption. I’m not sure. This is why I was hoping a programmer would comment whether the idea is even feasible.
|
|<- explorer.exe: Approved Data Flow
|
CPF (normal operations are carried out)

I think this would give you what you want in regards to knowing what to let out or not. You also mentioned having the app deal with malware. Typically, that wasn’t the function of a software firewall when the concept was first created, although it has been expanded upon with the introduction of security suites. In a way, with the setup mentioned above and a few other features, it could deal with this to an extent.

For example: Say ‘some.dll’ (part of a trojan) that you have never seen before wants to use iexplorer.exe to go out. Let’s also assume that it’s a new type that was just released and it’s too new for your AV app to catch. The companion could check an internal list of approved components and it would find out that it’s not listed. Hold that thought for a moment - going to sidestep.

Going to the firewall portion of the app. In CPF, the ‘Turn On’, ‘Turn Off’ and ‘Learn Mode’ are nice features. These are set to a global scope meaning it applies to all or nothing. Let’s say these options are also in the companion but set to an individual scope. In other words, one app might be set to ‘Turn On’ while another is set to ‘Learn Mode’ and change their function a little.

The ‘Turn On’ setting could just approve items on the list, and if the component in question is not there then it could block by default. ‘Learn Mode’ could check the list for approval and if not listed then prompt the user for action. The purpose of these two is, someone may know what they want to approve or block with one app but may not know (or still learning) about another. The companion would grow as the user grows.

Getting back to the ‘some.dll’ that is part of a trojan. (I guess an exe file is needed too. I don’t think the app could work from just a dll. But for simplicity’s sake, let’s just use the dll) Before it can even reach iexplorer.exe, which is currently running in the sandbox, it must get past the companion’s firewall first. Just like the previous example. If IE were set to ‘Turn On’ mode, then the dll would be blocked by default. It wouldn’t bother the user; it would just log the attempt. If IE were set to ‘Learn Mode’, then it would ask the user. Someone who runs a tight setup on their system will likely block it because it’s an unknown. Since the dll didn’t get out, no harm is really done and your AV app would eventually take care of it when the update becomes available. This way a system is safe even when one doesn’t know something harmful is present. It’s an extra layer of security for preventive maintenance. Again, something was safely blocked without an interruption of the application.

Whew, that was a lot. I hope everything made sense. Sometimes the hardest thing about an idea is communicating it clearly with others. :wink:

One last thing you mentioned was about user interaction. Once the companion is set up to the user’s needs, eventually there should be very little interaction, depending on how much someone installs new programs.

This is just one method, I’m sure there are several ways to set this up. What do you think kpc? Would that cover it or did I just run my mouth too much? LOL

I agree CPF is impressive especially only being a 2.x version. It’s packed with more features than one would expect at its current stage of development. I can only imagine what version 9 or 10 will be like down the road. It really opens your eyes to what’s happening in the background, too. It stands alone against the rest and Comodo has set a new standard in firewalls for the home user.

What impresses me even more is the company’s attitude. They don’t compromise with their freeware products in regards to quality, like a few others we all know. They focus on it as if it was pay-ware and they look for win-win situations to benefit everyone. They mention this in the “Why is it free?” article. (Free Firewall | PC Security with Free Secure Email and Secure Backup) For me, the mind-set of the company is almost as important as the product itself.

Comodo Team if you are reading this, thank you for giving us a superior product and setting new standards in the home industry. :slight_smile:
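The rule and mode semantics sketched across this thread (the second scenario, where one component is allowed with some apps and blocked with others, and the per-app ‘Turn On’ / ‘Learn Mode’ behaviour, where an unlisted component is silently blocked and logged, or the user is asked) can be written down as a small policy evaluator. The following is an added example for illustration; it is not code from the thread, from Comodo, or from CPF. The `Companion` class, the `Mode` and `Decision` names, the ‘core component’ list for iexplore.exe and every app and component name in the sample policy are constructed assumptions, and the code only models the decision logic, not any interception of DLL loads.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """Per-application mode, following the thread's description (assumed semantics)."""
    TURN_ON = "turn_on"    # approve listed components, block unlisted ones silently and log
    LEARN = "learn"        # approve listed components, ask the user about unlisted ones
    TURN_OFF = "turn_off"  # the companion does no filtering for this app


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK = "ask"


@dataclass
class ComponentRule:
    """One component that is allowed with some apps and blocked with others."""
    component: str
    allowed_with: frozenset[str] = frozenset()
    blocked_with: frozenset[str] = frozenset()


@dataclass
class Companion:
    """Hypothetical policy engine sitting between the apps and the firewall."""
    core_components: dict[str, frozenset[str]] = field(default_factory=dict)
    rules: dict[str, ComponentRule] = field(default_factory=dict)
    modes: dict[str, Mode] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def is_required(self, app: str, component: str) -> bool:
        """Does the app need this component just to run (the 'core' list)?"""
        return component.lower() in self.core_components.get(app.lower(), frozenset())

    def decide(self, app: str, component: str) -> Decision:
        """Decide what to do when `component` tries to join `app`, before the firewall sees it."""
        app, component = app.lower(), component.lower()
        mode = self.modes.get(app, Mode.LEARN)  # apps with no configured mode default to Learn Mode
        if mode is Mode.TURN_OFF:
            return Decision.ALLOW
        if self.is_required(app, component):
            self.log.append(f"{component} -> {app}: allowed (core component)")
            return Decision.ALLOW
        rule = self.rules.get(component)
        if rule is not None:
            if app in rule.allowed_with:
                return Decision.ALLOW
            if app in rule.blocked_with:
                self.log.append(f"{component} -> {app}: blocked by rule")
                return Decision.BLOCK
        # Not listed anywhere for this app: the per-app mode decides.
        if mode is Mode.TURN_ON:
            self.log.append(f"{component} -> {app}: blocked (unlisted, Turn On)")
            return Decision.BLOCK
        return Decision.ASK


def build_sample_companion() -> Companion:
    """Constructed sample policy mirroring the thread's explorer/flash and some.dll scenarios."""
    c = Companion()
    # Hypothetical core list: components iexplore.exe cannot run without.
    c.core_components["iexplore.exe"] = frozenset({"mshtml.dll"})
    c.rules["explorer.exe"] = ComponentRule("explorer.exe", allowed_with=frozenset({"iexplore.exe"}))
    c.rules["flash.ocx"] = ComponentRule("flash.ocx", blocked_with=frozenset({"iexplore.exe"}))
    # Second scenario: one component, ok with the browser but not with the email client.
    c.rules["some.dll"] = ComponentRule(
        "some.dll",
        allowed_with=frozenset({"browser.exe"}),
        blocked_with=frozenset({"mail.exe"}),
    )
    c.modes["iexplore.exe"] = Mode.TURN_ON
    c.modes["browser.exe"] = Mode.LEARN
    return c


if __name__ == "__main__":
    companion = build_sample_companion()
    for app, comp in [("iexplore.exe", "explorer.exe"), ("iexplore.exe", "flash.ocx"),
                      ("iexplore.exe", "unknown.dll"), ("browser.exe", "unknown.dll"),
                      ("mail.exe", "some.dll")]:
        print(f"{comp:>13} -> {app:<13} {companion.decide(app, comp).value}")
    print("\n".join(companion.log))
```

The point of keeping the mode per app rather than global is visible in the last two sample lines: the same unlisted component is blocked without a prompt for the app in ‘Turn On’ and produces a question for the app in ‘Learn Mode’, while a component that already has a rule is decided by the rule regardless of mode.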