Allow/Block?

Current settings sitting at it being comfortably auto-blocked without any visible problems, still:

edit: this is on startup

edit2: Oh, it wants a connection both ways (in/out)

edit3: I decided to switch it on allow after seeing “security risk: safe”, though I wouldn’t mind input.

Oriour, welcome to the forums (:WAV)

Everything I can find on iaanotif.exe says that it is a known safe application, relating to Intel’s chipset. There are two aspects at work here…

  1. Should the application be allowed to run at startup?
  2. Should the application be allowed to access the internet?

The answer to 1 appears to be if you’re using a RAID setup on your drives (you will know if you are) then it should be left alone, so that it runs at startup. If you’re not using a RAID setup, it is less of a requirement to let it run, but should be fine either way.

The answer to 2 is what CFP is giving the alert for. I’m not sure why it would need to connect; I did not find any info relating to that in my search. I even looked at Intel’s whitepaper on the Matrix Storage Manager. My guess (and it’s only a guess) is that it’s looking for updates, but if that’s the case it’s doing it in a very odd fashion.

Personally, I would be inclined to block it, but given that it’s a known application, realistically it’s probably safe to allow.

When you switched it to “Allow”, did you do so by checking the “Remember” box on the popup, or through a rule in Application Monitor?

LM

Thanks for the info, appreciate it.

I decided to leave it at allow, mainly because by denying it other programs were screwing up (avast auto-update doesn’t function with both ends of svchost blocked apparently).

edit: oh and when I tested switching them back to deny, comodo hit a problem and had to shut down, though it was able to block both entrances when I checked after launching the firewall. Don’t know if this’ll happen if I try again, though I don’t intend to without good cause wink.

Oh whoops, missed that last question there. I switched it through Application Monitor. Weird thing I notice: if I tell comodo to remember an allow via the check box, the program doesn’t show up in App Monitor, but if I check off deny then it’ll show up. Any idea about this occurrence?

edit: I have no idea if this is a RAID setup or not; is there anything you can tell me about how to check?

edit: on the track of the application monitor, is there any way to reset the settings to ask all short of reinstalling comodo?

Hope I’m allowed to post this; if not, I am very sorry and you can delete this message.

check processes here at processlibrary.com

This is typically only the user-end; the GUI (CPF.exe). The core of the firewall - the two drivers, and service (cmdagent.exe) are still running. Thus, you’re still protected, but just can’t interact with it. CFP is not so easy to terminate as that… :wink:

For the 1st question, it shouldn’t show up in AppMon (from the alert) unless you check the “Remember” box; then it should be there either way.

For the 2nd question, RAID setups are a redundancy configuration for multiple drives, normally used on a dedicated server. RAID can be set up different ways, but basically it’s automatically writing to multiple drives at the same time (as you’re working) so that in the event a drive goes bad, you have either part, most, or all of your data freshly preserved (plus regular backups). You’d know if you had it; since you don’t know, you probably don’t have RAID.

For the 3rd question, there’s not an automatic way to reset application rules, component monitor, or network rules. You can do it, but you’d have to do it by hand. You can, however, use the CTRL key and highlight multiple entries for mass removal.

Does Uniblue push the sales of their products on users who check processes on their system? If so, then I’d suggest you edit the post to indicate if it’s something you use, but that they have an emphasis on sales of their product.

LM

Thanks for the reply.

Yeah, definitely a no on the RAID setup. Anyways I decided to disable iaanotif at startup, so I won’t go raving mad, and nothing has exploded yet, which is a good sign.

Still, I am curious about the AppMon. I meant from an alert I checked the remember box and clicked allow, and that entry won’t show up on AppMon. Could it be because Comodo flagged the entry as safe (well safe in AppMon of course)?

edit: actually there might be a problem from disabling (blue screen of death, something about irql drivers or another not less or equal). I’m going to wait and see if this reoccurs (it happened twice, but rather inconsistent in the timing).

If Comodo has the application listed as safe (ie, it’s on the safelist), you shouldn’t get a popup on it. If you’re getting an alert, and responding as you indicate, this should have created a new rule, or modified an existing one. If there’s already an existent rule, you might check to make sure it hasn’t been modified in any way.

There are only a few confirmed cases of CFP actually not updating rules from user input via the popup alert; it’s always possible you have another odd one. If there’s no instance of the rule, nothing has changed, etc, it would be good to file a ticket with Support, to make sure they are aware of it. You will have to register on that system; the forum login doesn’t cross over, and you may do so here: http://support.comodo.com/

LM

Alright, I suppose it’s worth bringing up. Thanks for all the support.

Not a problem; we’re volunteers, but we’re here to help.

If/When you do file a ticket with Support, please keep us apprised of their response. Also, let them know that you have already been in the forums (a link to this thread would be good) and that a Moderator referred you to them for follow-up.

LM

The response:

Please go through the following link to troubleshoot this issue. https://forums.comodo.com/index.php/topic,6908.0.html

If still the problem persists kindly send us the following information.
Operating system with service packs information.
Version of Internet explorer.
Other security software you are having.
Version of program you are using.
Screen shot of the error message you are receiving.

To take a screen shot of the error message please go through the following link.

Regards
Stewart
Technical Support

I don’t think that’s the same as what I’m experiencing. In his case, it was the low alert settings (which I have) that was the trigger, and from what I can cobble together from speeding through he was being alerted to something he had checked off to remember. Actually I think that on a reboot the alert didn’t reappear (bear in mind my memory is rubbish and I don’t want to turn IAAnotif back on to test this), so CFP did remember, it just doesn’t manifest on AppMon unless I hit deny.

I agree; it’s not the same as ForzaItalia …

Yours is a clear case (the popup alert) of OLE Automation (if they’d looked at the link they’d have known that); this invalidates pretty much everything in that thread.

The question is, if CFP did not acknowledge your response to the popup, why not? At an AF level of Low, your alerts (and resultant rules) only contain details to the level of Application and Direction of traffic, insofar as Application Monitor goes. ABA falls outside of that; you’ll always get those alerts (such as you got), regardless of AF.

CFP sometimes doesn’t acknowledge rules changes on the fly; restarting the firewall, the application, or even rebooting are sometimes required. Temporary rules (ie, without “Remember”) definitely don’t clear short-term memory until one of those happens; with OLE Automation attempts, it has been my experience that a reboot is required.

It is possible that this occurred in your scenario with rules creation as well. If you think it may have been fine after a reboot, your memory might not be as bad as you think… :wink:

You might want to give them the information they requested, and point out that it’s an Application Behavior Analysis (ABA) alert, and the other “troubleshooting” is not applicable in that scenario. They may not be in a position to download your screenshot through the link (don’t know why, just a guess), so you might want to actually upload it in your response. To do so, there are options below each textbox to attach resident files; just browse to your screenshot and then click the attach button.

LM

CFP sometimes doesn't acknowledge rules changes on the fly; restarting the firewall, the application, or even rebooting are sometimes required. Temporary rules (ie, without "Remember") definitely don't clear short-term memory until one of those happens; with OLE Automation attempts, it has been my experience that a reboot is required.

But in the case of deny, CFP did immediately recognize the change, so we have two responses to the same situation that for some reason lead to two different results (appear or not appear). In either case, I believe the rule change took, as I think that I wasn’t egged by the alerts with iaanotif (I can’t remember on a restart if the rules appeared in AppMon, then again if I did I probably wouldn’t be here wink)

edit: I guess I can find comfort from knowing it was through a legit program and something malicious that I encountered this issue wink

Okay, the situation is happening again with another program:

Got that after updating Windows today, and then after figuring out it was probably alright I checked remember and allowed it. I looked in the firewall settings and not surprisingly it wasn’t there. I then rebooted the computer and checked again, because I’ve read a reboot might be necessary for it to show, and well, it didn’t.

Not a big concern on my end, but it just makes me curious why the interaction between these two programs isn’t showing up in App. monitor if I have it remember an allow. Haven’t tested deny yet, given that I’d have to reinstall the firewall, but then again unlike Iaanotif, there’s really no guarantee here that it’ll respawn, though I’m not entirely sure why there’s a pop up to begin with.

Well, the thing I’ve wondered about with it is that there isn’t a place in the Application Monitor rule to indicate permanent changes based on these types of alerts. All that could be done would be it could check boxes in the Miscellaneous tab, to Skip advanced checks (which would be global for that application, not just the specific instance in the alert), or Allow Invisible connections (if applicable).

I haven’t ever looked into it, but have wondered if on these “hijack” type alerts if it doesn’t make a change to the rules as in the registry, but not show those changes, since there’s really not a way for it to do so. I don’t know.

I know that v3 has an “exceptions” list for each application, where these types of details can be clearly specified. That will be a lot better.

LM

I think I see what you mean by things being a lot better with the V3 exceptions list. Apparently if I remember deny it, Avast anti-virus can no longer update. This happened with a block UDP in and block UDP out with a ask for in.

Maybe I can go back and set it so there’s no UDP outbound to 239.255.255.250, which I’ve read is for Multicast Broadcast, related to Windows Messenger.

edit: if I just use a non-remember deny, then Avast can update properly

edit2: Uh… could I ask what explorer.exe would want a UDP in for with svchost/services? I figure it’s doing something with messenger for an outbound connection.

I’ve seen that before, on port 123. If that is the same, then it’s for system time update, and safe to Allow w/Remember.

After the IP address, it reads port 1028.

If I check remember and allow the in, will it allow the out as well (2 of 2), because so far I’ve been hitting deny and I think that deny kills both of them.

Ugh, I think this might be easier if I just hit remember allow, and lose the stealth shield for broadcasting to 239.255… and just let Comodo and Avast handle whatever comes by while waiting for v3.

edit: I guess the only thing left to ask is since this doesn’t appear on App in the case of allow, how are other programs affected? I mean, if I set it to remember allow, then will anything else using automation be auto-allowed with svc/services. In the case of deny, apparently everything that uses the combination is sent to the chopping board as well (avast), since it completely blocks svchost with a services parent, so does the opposite pretty much give the same treatment? Hmmm, maybe that’s why it doesn’t show up on App. Mon, so it doesn’t pre-allow. I don’t know, I’m just tugging at whatever idea comes to mind.

Port 1028 is commonly used by ALG.exe (Application Layer Gateway service), which is most likely not needed on your machine, and safe to disable.

If you’d like to know what is establishing the connection, I’d recommend using a free application like TCP Viewer from SysInternals, CurrPorts from NirSoft, or Vision from Foundstone, to monitor connections, show the application and Process ID that is associated with it. What’s Running is another good one that will help you track it down.

LM

ALG is stopped from services and am going to restart to see if the connection pops up again. Thanks for the additional assistance.

As I am… paranoid about installing anything, of the mentioned, which would you recommend, that’s idiot friendly and is easy to remove should I desire (I’m only asking after experiences with Zone Alarm)?

edit: now new ports want in, 1027 and 1031; so far 1031 was a one shot.

edit: I decided to go with TCPView, and am confused. Which do I look at to identify ports, the numbers by the application or the numbers in the local address? Remote address more or less ends up blank for UDP. Most end up being svchost, which I imagine is because svchost was trying to get connected; ALG probably worked through svc.
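The port-to-process question at the end of the thread (which column holds the port, and which process owns local UDP port 1028) can be answered mechanically from the connection table. This is an added example, not from the thread or from Comodo: it parses a constructed sample of Windows `netstat -ano` output (the same Proto / Local Address / Foreign Address / PID columns TCPView displays) together with a constructed PID-to-image map, and reads the port from the local address column.

```python
# Constructed sample of "netstat -ano" output (Windows). TCP rows carry a State
# column; UDP rows do not, so the PID is always taken from the last column.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
TCP    192.168.1.5:1029       64.233.183.99:80       ESTABLISHED     1576
UDP    0.0.0.0:1028           *:*                                    1044
UDP    192.168.1.5:1900       *:*                                    1044
UDP    [::]:123               *:*                                    1044
"""

# Constructed PID -> image name map, as "tasklist" would report it (assumption:
# the PIDs and names here are illustrative only).
SAMPLE_TASKLIST = {912: "svchost.exe", 1044: "svchost.exe", 1576: "explorer.exe"}


def parse_netstat(text):
    """Return one dict per connection row: proto, local port, foreign address, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else None
        pid = int(parts[-1])
        # The port is the number after the last ':' of the *local* address;
        # rsplit also copes with bracketed IPv6 addresses such as [::]:123.
        port = int(local.rsplit(":", 1)[1])
        rows.append({"proto": proto, "local_port": port, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def owner_of_port(rows, proto, port, pid_map):
    """Name the process bound to a local port, or None if nothing is bound there."""
    for r in rows:
        if r["proto"] == proto and r["local_port"] == port:
            return pid_map.get(r["pid"], f"pid {r['pid']}")
    return None


def ports_for_process(rows, name, pid_map):
    """All (proto, local port) pairs owned by processes with the given image name."""
    return sorted((r["proto"], r["local_port"]) for r in rows
                  if pid_map.get(r["pid"]) == name)


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    print("UDP 1028 ->", owner_of_port(table, "UDP", 1028, SAMPLE_TASKLIST))
    print("svchost.exe ->", ports_for_process(table, "svchost.exe", SAMPLE_TASKLIST))
```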