application control rules - unnamed / empty program

Hi,

I have used Comodo Firewall for some weeks now.
Today I discovered that the “firefox” entry in the “application control rules” has vanished.
A newly installed game (“Sudoku Imperial”) was able to connect to the internet through firefox without CF asking about that. That struck me and I got suspicious…
After I put that program manually in the list (block) I saw that the firefox entry was gone. There were two “empty” entries in “application control rules”. I tried to delete both, but one always remained.
After that I could not go online with firefox. After logoff and login I was asked again what Comodo Firewall should do with “firefox”.
I allowed firefox (again).

I’ve attached a screenshot to this posting showing this empty entry that could not be deleted.
The program name is empty and it always says “allow”.
I could not delete this entry - deleting it just does nothing - or change it to “ask” or “block” because the Firewall says “please select a valid application name” :frowning:

–NEW:
Now every time I restart firefox the Comodo Firewall has forgotten the settings :frowning: :frowning:
I always tick the “Remember my answer for this application” and allow firefox “to act as a server” and “connect to the net”, but CF always forgets that. And firefox never appears in “application control rules”.
I even tried to manually put firefox in the “application control rules”, but that won’t work either.
At the beginning of using CF firefox always appeared there.

Any ideas??

Greetings
D

[attachment deleted by admin]

Now I found out a bit more.
And it’s still quite strange to me ???

When I make a new “application control rules” for firefox and make it as

[x]apply the following criteria:
General
Allow
TCP or UDP
In and Out

then “firefox” disappears from “application control rules” and the unnamed empty entry appears.
But when I make a new “application control rules” with the criteria

[x]allow all activities for this application

then firefox remains in the list of the “application control rules” and CF remembers the settings I told it before.

Is this the normal behaviour or could there be a malware working in the background undiscovered by CF and Avira Antivir PE?
(I tried some rootkit detectors already, none found anything.)

Greetings
D

That sure sounds suspicious to me; it would have my hackles raised if that happened on my machine. The fact that it happened right in conjunction with the installation of software, plus the “requirement” of having to allow all activities for FF in order to keep the rule… Doesn’t look good.

Have you submitted a ticket to Support? http://support.comodo.com/ I would do that, to rule out other errors/problems.

Have you gotten any popup warnings from CFP, regarding changes to FF or anything? Did you have to reboot after installing Sudoku Imperial? Have there been any other changes to your system, or any indications of trouble?

I’d also watch the Activity/Connections tab, and use a free tool like TCPView to resolve those connections, to know what is connecting, and to where. With TCPView (and other similar tools) you can terminate individual connections, if you determine that it’s something you don’t want.

LM

Agreed.
The probs with firefox are even more: I don’t know when it really started but I could not use any JavaScript when NoScript was active even if I allowed all scripts on that page. (I recognised that when I wanted to install Plugins. That only worked when I allowed all JavaScript and switched NoScript off completely.)
But maybe the reason was when I installed SeaMonkey. Maybe these two thwart each other?

> Have you submitted a ticket to Support? http://support.comodo.com/ I would do that, to rule out other errors/problems.

I did it just now. I will tell the forum what results there. Maybe I will ask a security forum (the German forum at http://www.digital-inn.de - board “Viren und Trojaner”) as well.

> Have you gotten any popup warnings from CFP, regarding changes to FF or anything?

No.

> Did you have to reboot after installing Sudoku Imperial?

No.

> Have there been any other changes to your system, or any indications of trouble?

Yes, as I mentioned above, the trouble with firefox and NoScript.

> I'd also watch the Activity/Connections tab, and use a free tool like TCPView to resolve those connections, to know what is connecting, and to where. With TCPView (and other similar tools) you can terminate individual connections, if you determine that it's something you don't want.

TCPView only says: Firefox, svchost, the avguard (Avira Antivirus) and “System:4”

ActivePorts finds a process “Unknown”:
“Local Adress: ‘PC-Name’:18350
Remote Adress: localhost:1261”
But that’s not really a remote address, isn’t it?

Greetings
D

I don’t know why seamonkey and firefox would conflict, but it is computer software, so I guess anything is possible. :wink:

Keep an eye on the IP connections listed for firefox; do a DNS/WHOis lookup on them if needed, to resolve the address. If it’s not something you’re actively connecting to (or one of your FF addons), you can always terminate that connection using TCP View.

Yes, localhost is not “remote” in the idea of being another computer. Normally these will be “system” or “svchost” connections; something used by Windows, rather than “unknown.”

Do keep us posted on the response from Comodo Support, and any security forum you join.

LM
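
One way to script the triage discussed above, as an added example that is not part of any forum post: it parses `netstat -ano` output and separates loopback connections, which stay on the machine, from connections to other hosts whose addresses are worth looking up. The sample output is constructed (it reuses the two port numbers quoted in the thread), and the function names, PIDs and addresses are assumptions.

```python
import ipaddress

# Constructed `netstat -ano` sample (Windows). PIDs and addresses are made up;
# ports 18350 and 1261 are the two quoted in the thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1261         127.0.0.1:18350        ESTABLISHED     2044
  TCP    127.0.0.1:18350        127.0.0.1:1261         ESTABLISHED     2044
  TCP    192.168.1.20:1301      203.0.113.10:80        ESTABLISHED     2044
  TCP    192.168.1.20:1302      198.51.100.7:443       ESTABLISHED     3120
  TCP    127.0.0.1:1400         127.0.0.1:5000         ESTABLISHED     3120
"""

def endpoint(text):
    """Split 'host:port' (or '[v6]:port') into (ip_address, int port)."""
    host, port = text.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)

def parse_netstat(text):
    """Return the established TCP rows with endpoints and owning PID."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue  # header, UDP, listening sockets, etc.
        rows.append({"local": endpoint(parts[1]),
                     "remote": endpoint(parts[2]),
                     "pid": int(parts[4])})
    return rows

def triage(rows):
    """Sort connections into on-machine loopback pairs and off-machine peers."""
    by_local = {r["local"]: r for r in rows}
    report = {"loopback": [], "unmatched_loopback": [], "external": []}
    for r in rows:
        if not r["remote"][0].is_loopback:
            report["external"].append((r["pid"], r["remote"]))  # look these up
            continue
        peer = by_local.get(r["remote"])  # other end is a local socket too
        if peer and peer["remote"] == r["local"]:
            report["loopback"].append(
                (r["pid"], peer["pid"], r["local"][1], r["remote"][1]))
        else:
            report["unmatched_loopback"].append((r["pid"], r["remote"]))
    return report

if __name__ == "__main__":
    for kind, items in triage(parse_netstat(SAMPLE)).items():
        print(kind, items)
```

A loopback entry whose peer socket is not in the established list lands in `unmatched_loopback`; comparing its PID against the process list is the next check.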

Comodo mailed me:

> We will try to investigate this in our lab and if we can produce will come up with necessary updates in next release version 3.0.

Not really helpful :P. I will try http://board.protecus.de (it is said to be the biggest German-speaking security forum)

I will post here again when I get the results there.

Cheers

D