Allow all or block all!

Could someone at the Comodo team please put together a step-by-step instruction to get around this problem, because I think every new user is going to struggle with this.

For instance, yesterday I allowed Firefox to access the internet. Child: Firefox, parent: explorer. I kept closing and opening Firefox every once in a while and surfing went smoothly through the whole night.
Today when I opened Firefox, CF asked about it again, saying it was an invisible process. While the dialog was open it blocked Firefox from access. I clicked allow, then restarted Firefox and was able to surf again. I now have two instances of Firefox in my application list. The second instance is Parent: Firefox and child: Firefox.
So what is going on here? I end up with several instances of programs in my application list and ALL have to be allowed or I won’t be able to get out on the internet. I get all kinds of popups and warnings from almost every application that I use, most of them aren’t supposed to have anything to do with the internet, unless software makers can’t make a program nowadays without implementing some kind of spyware function in them, be it that maybe they just want to collect statistics on how much their programs are being used, like Winamp for instance.
But I don’t want to be forced to have to ALLOW everything to get internet access! What is the point of a firewall then??
So I want to know, IS there a way to get control of what to allow or not to allow, or do we have to choose whether we want to have internet access or not using applications??
I’m wondering, maybe most of these applications aren’t even trying to access the internet, it’s just CF that gets confused with them.

hi,

If the parent is different from the child (good expression :slight_smile:), it means Firefox was started by another application. E.g., you click my.html in Explorer; Explorer is the parent.

If you start Firefox by hand, Firefox is parent and child, which means a new situation, a new entry.

And so on.

It has to do with program analysis in Advanced and might be related.

So at least CFP can't decide that; if you wanted that, any virus could start Firefox and your system would serve up your HDD, for a profane example.

Mike

To expand on what Mike said… I think you may be missing the phrase “could be” off CFP’s alerts. CFP raises a lot of alerts for things that do not actually access the Internet, but do meddle with explorer.exe. This is because anything that meddles with explorer.exe (such as adding context menus/functions, grabbing file associations, etc…), and lots of things do, could be trying to gain unauthorised access to the Net. Basically, explorer.exe is the parent process of almost everything the user runs and, in Windows, this is important, since it gives explorer.exe a certain amount of rights over its child processes. This is why CFP guards explorer.exe in such an aggressive manner. Explorer.exe is the primary target of many Trojans (this is how leaktests work). They target explorer.exe (parent) to get at the default browser (child process) and onto the Net.

Now, CFP 2.4 does not know if XYZ application adding something to explorer.exe is trying to get unauthorised Net access or not; it cannot guess, so it asks you. Thus the alert.

CFP 3 (currently in beta testing) doesn’t guess… it knows exactly what XYZ application is doing. It has full-blown HIPS. And that is, I think, Comodo’s solution to your query.

It’s perfectly ok with me if CFP doesn’t know what to do and ask me. I actually prefer it that way, and I’m not sure HIPS are the ultimate solution. I just would like it to work like this:

                                     ---[BLOCK]-- Application 1
                                    |
                                    |
Internet ----- service ------------ Application 2
                                    |
                                    |
                                     ----- Application 3

Instead it works like this:

                                     ----- Application 1
                                    |
                                    |
Internet ---[BLOCK]-- service ----- Application 2
                                    |
                                    |
                                     ----- Application 3

hi,

Internet (network monitor): the only open rule is allow TCP/UDP out, for beginners.

You have:

network block, app block, DLL block, and vice versa.

Remove network TCP/UDP out and it's silent, except some ping and whatever.

Mike

What are you talking about, Meier? Lol.

My point is it doesn’t matter if it is a legitimate application or if it has been hijacked by a trojan, what CFP is saying to me is “You let this through or else…!”

Ok, enough from me. Peace! I’m outta here! (:TNG)

re,

Ah ■■■■, I read your posting 100% turned around.

You can do this also:

Remove TCP/UDP out in network.

The apps monitor asks you, and you allow each by rule in network.

But what you want, can no firewall do?

Mike

PS: you can't narrow TCP ports by application; if 2 apps use the same port, it's gaga.

How should the network know which app is meant?

Comodo can do it both ways; play with it, but it's not automated.

Hence even an HTTP reply goes on x-many changing reply ports.

PPS: and with such a super-clever firewall as you assume, I'd have more ports open than secure,

OK, no popups, no trouble, but open to any superior hacker.

PPPS: and you can disable the program analyzer, disable the monitor 127 monitor, and hence:

disable LEARN MODE, create your own rules, which is meant for experts.

I see. But, I believe 2.4 works more like this…

Internet----Default Browser–>>X<<–explorer.exe----application/component

CFP prompts for & blocks/breaks (if required) the whole browser-explorer.exe relationship (>>X<<). This is because the identified application/component is still loaded/hooked/injected into explorer.exe. CFP cannot stop/undo that… it has already happened. CFP 2.4 is only a firewall, the application/component is of no concern. Restarting explorer.exe (less the previously identified application/component) is the only way around that block, if issued.

edit: this post was in response to MrSurfTurf’s diagram post. Sorry, I got behind.

But what about several instances in the GUI of the same application? Looks to me like the firewall has knowledge and the ability to allow or block some of those instances, hence the ability to edit the rules for them. Maybe I could edit the rule for one instance to block all while another instance is allowed all, but I’m pretty sure blocking ANY of those will kill my internet connection, because the warning that pops up is the same thing as edit in the GUI. So it looks to me there is no point in even having all those applications in the list; it would be enough just having ‘explorer.exe’ and ‘svchost.exe’ in there, because those are what I always block or always allow anyway, instead of the applications.

To clarify why I wish CFP would work like I want it to: if we could block applications like in my first example, then we would always be a step ahead of hackers, because there wouldn’t be any point for a hacker to try to hijack an application that will never have internet access. We would only have to worry about services, and here we would have to rely on signatures and HIPS and a good antimalware program that can clean them!

So the strength of CFP, as far as I can comprehend at the moment, is that it blocks port scans very effectively, but it’s quite useless for outbound connections. Unplugging my internet cable is the better choice.

re,

Ah, I get you now, but you did understand CFP can block anyway.

Why the TCP/UDP out network rule is open:

If a hacker gets past your IN connections, which you define yourself!, then he still needs an app to respond, or a DLL, which CFP monitors well.

Understand? Hacking needs a DLL or EXE to respond, so you can live with “open OUT” ports.

This firewall covers all ideas.

Hope you get me; it's not easy, at least you configure it. The basic setup is for beginners: allow www.blah.com.

You can define it both ways, by app, by network port …

But tell me what you think is open and leaking.

Mike

An important thing to realise is that whilst CFP 2.4 can detect changes/modifications made to explorer.exe (be those DLL injections/hooks, etc…), it cannot stop them from happening in the first place. 2.4 detects the event after it has happened. Multiple GUIs? We are talking about explorer.exe here, check your system… you will not find multiple instances of explorer.exe (the shell). Using Windows Explorer as a separate process to browse drives/folders/files is one thing, the desktop shell (you know… that thing that can crash sometimes) is something else completely. The shell is the parent of almost every application on the desktop. Of course, CFP can equally apply this to any process, not just explorer.exe. Also I’m fairly sure if you got an alert for explorer.exe on the component NukeMySystemNow.DLL, you would not authorise it. In this case that DLL is already loaded into explorer.exe, that instance of explorer.exe is already compromised… there’s nothing you can do, you cannot unload/unhook the DLL and you do not want Net access under this circumstance. You’d remove whatever did that & reboot or restart the shell (explorer.exe).

Useless for outbound connections? You must have misunderstood something… seriously. CFP 2.4 is second to none in this field and it’s not just me that says that. Check this yourself. Second to none.

re,

Yeah, that's the job of a virus scanner.

But Comodo can do HIPS or whatever, and reversed. In fact a piece of cake for the advanced user,

most technically doable these days IMHO (and very easily understandable).

Mike

PS: what we mostly discuss here are not leaks, but rather as much security as possible, and Windows leaks that aren't covered.

I’m not saying CFP is a bad product, I’m sure it’s one of the best and I have no plans on changing to another firewall, but I’m saying this problem will discourage a lot of people. And I may have a problem explaining this to friends and relatives that don’t know zip about internet security.
I haven’t had any serious problems with hijacked applications yet that I know of, and I’m using Antivir and BOClean and I’m careful with what I’m downloading. It’s just that IF an application would get hijacked and my other antimalware products haven’t got the right signatures for it yet, I may have a serious problem.
So I’m wondering if my suggestion would be possible to implement in the future, to block applications from using services for internet access, and the services would only get blocked if the signatures have changed on them? Like if it’s not in the whitelist it will ask me what to do. Because the way it works now is a little messy.
Take this for example:
The day before yesterday I had removed all applications from the GUI and when I started Firefox I got a popup saying ‘explorer.exe’ is the parent and ‘Firefox.exe’ is the child.
Then the next day when I started Firefox I got a popup again saying ‘Firefox.exe’ is BOTH child and parent.
This doesn’t make any sense at all and would cause people to get confused.
I suspect my firewall is getting confused too. Also I can’t choose to block any instance without blocking them all.
Maybe I’m asking too much but I didn’t have constant popups for the same applications when I used Norton Internet Security, and blocking an application didn’t block my internet connection. You tell me why it didn’t. Maybe NIS didn’t block my applications either, just fooled me. :stuck_out_tongue:

Firefox, both Parent & Child? This is because Firefox restarts itself in certain situations. Thus you need to authorise Firefox to run Firefox. Both Parent & Child only doesn’t make sense biologically. :slight_smile:
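Editor's note: the thread never shows why the application list fills up with several "instances" of the same program, so here is an added toy model of a per-application outbound rule table keyed on the (parent, child) pair, as Mike described and as the Firefox-restarts-itself reply above explains. This is not Comodo's code and CFP's real rule format is not public here; the rule key, the SHA-256 image digest used to notice a changed binary, and every executable, image and "user answer" below are constructed for the example.

```python
"""
Added example (not Comodo's code): a toy per-application rule table keyed on
(parent name, child name, child image digest).  It reproduces the behaviour
discussed in the thread: the same browser started by a different parent, or
with a changed binary, raises a fresh prompt instead of reusing an old answer.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Process:
    """A running process: image name, image bytes and the process that started it."""
    name: str
    image: bytes                      # constructed stand-in for the on-disk executable
    parent: Optional["Process"] = None

    def digest(self) -> str:
        # Identify the application by content, not by name, so a replaced
        # binary (update or tampering) no longer matches an old rule.
        return hashlib.sha256(self.image).hexdigest()


@dataclass
class AppMonitor:
    """Rule table: (parent name, child name, child digest) -> 'allow' | 'block'."""
    rules: dict = field(default_factory=dict)
    prompts: list = field(default_factory=list)

    def rule_key(self, proc: Process):
        parent_name = proc.parent.name if proc.parent else None
        return (parent_name, proc.name, proc.digest())

    def connect_out(self, proc: Process, answer: str = "allow") -> str:
        """Called when `proc` tries to reach the network.

        An unknown (parent, child, digest) triple raises a prompt; `answer`
        stands in for the user's click and is remembered as a rule.
        """
        key = self.rule_key(proc)
        if key not in self.rules:
            self.prompts.append(key)
            self.rules[key] = answer
        return self.rules[key]


def scenario() -> dict:
    """Replay the situations described in the thread and return what happened."""
    monitor = AppMonitor()
    firefox_image = b"MZ firefox 2.0 (constructed)"
    explorer = Process("explorer.exe", b"MZ explorer (constructed)")

    # Day 1: user double-clicks Firefox in the shell -> parent explorer.exe.
    ff_from_shell = Process("firefox.exe", firefox_image, parent=explorer)
    first = monitor.connect_out(ff_from_shell)             # prompt 1, allowed
    again = monitor.connect_out(ff_from_shell)             # no prompt: rule reused

    # Day 2: Firefox restarts itself -> parent firefox.exe, a different key.
    ff_from_ff = Process("firefox.exe", firefox_image, parent=ff_from_shell)
    second = monitor.connect_out(ff_from_ff)               # prompt 2: "both parent and child"

    # An unknown program launches the browser: the user is asked and blocks it.
    dropper = Process("unknown.exe", b"MZ dropper (constructed)", parent=explorer)
    ff_from_dropper = Process("firefox.exe", firefox_image, parent=dropper)
    hijacked = monitor.connect_out(ff_from_dropper, answer="block")   # prompt 3

    # Firefox is updated: same name, same parent, different digest -> prompt again.
    ff_updated = Process("firefox.exe", b"MZ firefox 2.1 (constructed)", parent=explorer)
    updated = monitor.connect_out(ff_updated)              # prompt 4

    return {
        "decisions": [first, again, second, hijacked, updated],
        "prompt_count": len(monitor.prompts),
        "rule_count": len(monitor.rules),
        "prompt_parents": [key[0] for key in monitor.prompts],
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Each distinct triple becomes its own row, which is why the GUI ends up listing Firefox twice (once under explorer.exe, once under firefox.exe) and why a blocked row only affects launches that match that exact parent. The third launch is the case the prompt exists for: the binary is the real Firefox, but its parent is something the user has never seen, so answering "block" there does not touch the rule for the shell-launched copy.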