I’ve just installed Comodo Firewall v6 (Win Vista x86). Even with firewall rules set to custom, when you install the newest adobe reader application and then click “Check for updates”, Comodo popups a window letting me choose what I want to do. If you you have checked “save this decision” and “block access” for the updater application, it will still be able to connect.
Adobe updater has several tricks up its sleeve. When the updater is not allowed access to the web it will access svchost.exe to access the web. On XP it can also access Background Intelligent Transfer Service from Windows update. And since it is a trusted application you won’t be alerted with default settings.
The thing is though…that I’ve created a rule “block all” for process svchost.exe, and the Adobe Updater still manages to connect for updates. If you now look at the app rules in the applications tab, you will see many different “block” rules for different kind of ports. But this should not be the case, as one rule should be enough (block from all to all).
Well, ok this is the adobe updater, what if it were a trojan?
No firewall will not block this type of manipulation. After it is created hips. Adobe is a trusted process for CIS therefore allowed for such actions. As for the Trojan to run was in the sandbox, and this type of action was to lock.
I find this annoying too. If the Comodo firewall won’t block a particular piece of traffic the user wants to block, regardless of what that traffic is or which app initiated it, what is the use of the firewall?
Too many software publishers make their products background tasks, like windows itself is doing. I want more transparency, and more control, and a decent firewall such as previous versions of Comodo was a way of achieving that.
With applications that use hosted processed like BITS, the only way of dealing with it, outside of using Windows firewall, which allows for rules to be created for individual hosted processes, is to block svchost entirely, which is not a good idea or in the case of CIS, you should be able to prevent the updater accessing svchost/BITs vis HIPS with the aid of Protected Files And Folders
Could you supply a little more information. What configuration are you under, on the firewall settings tab what is the alert frequency set on, do you have hips enabled ?
You say there are a lot of block rules under svchost, but what allow rules are showing. One can’t simply block all svchost. If you show only block rules and everything in functioning properly then something is off with your configuration or install.