Adding many files in firewall?


When i want to block a file in the firewall, say a .exe file for example.

If i have many .exe files in one folder, i have to add, choose blocked application and so on, and repeat this over and over again with each .exe file.

Is there a faster way to do this? What i would love to do, is to be able to add many files at the same time, to be blocked. Maybe some kind of contex menu, mark all files and choose block in firewall or just be able to open application rules and then choose add, and then choose many files instead of just one at the time.

Maybe this became more of a wish thing, but i wanted to ask, if there is a faster way to block files in the firewall.

EDIT: Sorry for my bad english and if i asked in a weird way, but maybe some of you understand what im trying to say. If i have 10 files in a folder i want to block in the firewall, i want to be able to choose these 10 files and block them all, in one click, not add them one by one :slight_smile:

You can add a new group, as shown on the help link: Protected Files, PC Files, Folders Protection From Malicious Software | COMODO Internet Security v7.0 # pf_manage_groups
Soon after Going in the application settings of the firewall and add the created group.
You can also add a file in any folder, eg C: \ EEK \ start.exe clears the start.exe name or start and will be C: \ EEK \ * must be added the asterisk.

The video is optional.

Well thats great :slight_smile: Thanks for the video showing how to.

Do i need HIPS on? or can HIPS be off and it still works?

I created a folder and added a folder with subfolders and then added that to the application rules and then blocked it? So i guess everything in that folder is blocked to connect to internet?

Provided you have configured to block, yes. Everything is blocked except injectors or malware that use the browser, for example, to connect to internet. So if you’re worried about the safety of your data does not disable the HIPS. :-TU

Also you can get to the path of the folder while creating a rule, and as last step …/*.exe

Personally i would go the easy and save way:
Nothing is allowed to connect without permission (given once or per case). Thats a lot less work than trying to set everything on a black list first.

Because, see it this way:
If you WOULD have to put things on a blocklist first, to have control,
a virus doesnt say “hello, put me on the blacklist”,
you are not safe.

That sounds good, what setting should i use for that?

Block all or custom rules?

I have my firewall setting at safe mode

The only time internet access is important is when any arbitrary file actually requests internet access.

I have 251 install files sitting in my EXE folder, and 784 items in my ZIPS folder; I block neither each one, nor the entire folder(s). None of those things will ever phone home by themselves unless they’re executed by something. That something has to have execute permissions in HIPS. That something atypically will be EXPLOERER.exe after I click on any arbitrary EXE or ZIP. When EXPLORER phones home after I click on the file, its o.k. to allow it to phone home if you trust the source of the file. A reasonable explanation why the EXE wants to phone home is for version integrity checking or something.

W/ out HIPS, the FW is one’s last line of defense WRT malware connecting to rogue botnet servers. If any arbitrary file phones home w/ out explicit user action, that’s something to be aware of. An alert will generate informing the user that something wants to phone home.

With CIS HIPS, one can create a file-group of any file in any arbitrary folder, e.g., F:\Exe* & F:\Exe*.*

To block interweb access by any arbitrary component of any arbitrary folder, create a custom rule in FW selecting the file-group, or by opening any arbitrary file in any arbitrary folder. In the file path for the rule, change the file name to .

Then add a custom rule to block IP out from ANY to ANY for where protocol is ANY

Check cancellation of the certificate of the publisher.

There is an option in properties of the browser.
If to remove a mark, explorer.exe won’t phones …

I always wondered what was going on with that; publisher certificate revocation is an excellent reason for that. CCleaner is notorious for attempting to ping an IP address first before trying to connect. Doesn’t matter, the CCleaner installer.exe don’t phone home by itself w/ out me clicking on it. Bottom line: I have neither D+ or FW rules for installers, or FW rules for Explorer. For either, each resource access name access attempt will generate an alert and its allowed on a case-by-case basis.

EVERY resource access name access attempt is denied by default in CIS D+ & FW by default unless implicit permission is explicitly allowed. The canary in the coal mine is singing in your logs. Pay very close attention to your logs: you’ll become aware of things trying to become prollems. Not only that, but you’ll become aware of prollems that are actually hidden and allow rules should be made to allow things to work properly. Its akin to scrutinizing the wife’s grocery list each week to make certain she’s NOT buying cocaine. I don’t need to run herd on that. Nor do I need to be aware she’s even going to the grocery store. But if she goes to the strip club, I DO want to know that.

LIkewise, I don’t have FW rules for Word, Excel, or any arbitrary PDF; no reason at all to implicitly allow interweb access for them. Word, Excel, AcroRd32, OpenOffice, etc., have D+ rules necessary for their inherent functionality / features and load / modify the required files. Interweb access is done explicitly case-by-case w/ out permanent rules created. If I open a DOC file, Word don’t need to be phoning home ANYWHERE unless I click on a link in the document.

To access iterweb any file will request D+ DNS client service resource access name permission. This is actually an RPC hook for TCP/IP. The next thing is that the app will try to hit DNS server with UDP on port 53 to resolve domain name to IP address. Then IP traffic to some IP address will be attempted. I have three chances to intercept the attempted interweb access. If I allow those: woe be me and not the monkey brained HIPS and/or FW.

I’ll qualify the above with an example of an exception, e.g., CCleaner installer files. I have a FW rule created for X:\Exe\CCleaner_v*.exe that contains all the IP address to the CCleaner - Piriform - home servers. It updates so frequently, I don’t want to be bothered with alerts if its phoning home to Piriform servers.

Another exception to that plausibly could be the in-app update feature. Obviously the app will need interweb access permission; first to DNS and secondly to home servers. But that exception scenario is by app, e.g., Word.exe, and not by file, e.g., SomeDocument.DOC, and will only occur through overt action on my behalf. I can constrain that behavior by not creating a permanent rule allowing access to DNS servers.

How do I know where an app phones home to? WHOIS will tell you the domain name owner for the IP address. If CCleaner wants to phone home to Piriform domain name IP address, that’s o.k., and I create a rule to allow that and it won’t bother me next time for that particular address. I pay attention to ranges too. For example, if I see XXX.YYY.ZZZ.18 XXX.YYY.ZZZ.59 & XXX.YYY.ZZZ.156 for the same app, I make rule w/ range: XXX.YYY.ZZZ.18 to XXX.YYY.ZZZ.156; you have 138 IP address to phone STOP BOTHERING ME now! That doesn’t always work though; ZZZ may become ZZZ+1 and then the range may be 126 to 254. But even so: WHOIS is your friend, because you may see that the domain name owner owns a block of 1000 IP address where ZZZ runs from, e.g., ZZZ-5 to ZZZ+3 (or something). Such is usually only a prollem for huge corp like M$, Java, Adobe, etc. In that case, YYY can change the same way, in addition to the ZZZ changing for each YYY change. Aaaaaarrrrggrgrgrgrgr!

I have no group option as that article specifies!!! That article is false!!!

I changed your all caps sentence to regular case. It’s considered shouting.

What version of CIS are you using?