Application Monitor Rules Hierarchy

I have been trying to tighten up my Application rules.
My primary question is: are these rules read from the top down, as Network rules are?

I have set them up so that the allow rules were before the Deny rules and it seems to work for a while, but COMODO will rearrange them so the block is before the allow and it will quit working.

Is there any tutorial on Application rules, or has anyone really tightened down their Application rules?

I know this is a more difficult area to learn and understand than network, but

Thanks for any help you can give ???
Opus

Below is a sample of what I am talking about.
If you want I will send my registry entries.

Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow

Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow

Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

Application Monitor rules are not ordered rules - they either exist or do not exist, regardless of where they appear in the list. Only the Network Monitor rules are position dependent.

Hope this helps,
Ewen :slight_smile:

It’s certainly possible to create tight AM rules, but it can be quite frustrating and time consuming. It’s something I’ve been doing for some time, and I still have things to sort out.

Essentially, if you start down this path, it’s possible to end up with a great many rules, particularly, when one considers the multitude of possible parents an application may have.

It is interesting though (:NRD)

Toggie

Toggie, if you would not consider it an invasion of privacy, or welching on your many hours of work, would you send an export in a txt file of your HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl

Another question: do you have any idea what this registry key does?

If you prefer not to post registry entries on the web, cut and paste into a PM or send to gtoko62(at)yahoo.com

Thanks for your help
Opus
I look forward to an educational with Comodo CFP V2 and more so with CFP V3

If he could ever complete it, Toggie will get us a definitive guide/tutorial on tightening rules… ;D

At the present (in addition to the link Soya gave you), you can check out this one: https://forums.comodo.com/index.php/topic,6167.0.html for a lot of info all in one spot. It may help you to do some of the things you want to do, by giving you a concise overview (and some specifics) for how the FW works.

LM

If he could ever complete it, Toggie will get us a definitive guide/tutorial on tightening rules... Grin
Nah! V3 will be here before then, so I'll just have to start again :P

Opus Dei

I hope you don’t mind, but I’d rather not start distributing parts of my registry. I am, however, more than willing to help you with any questions you have concerning rule creation.

Toggie

Hope I did not offend you by asking.

Many thanks, and after some work I will be back with questions or comments.

Thanks
Opus Dei

I've been shadowing these Forums since finding CPF, and this got me involved with Malware U;
in fact I'd better get back to being busy with MU, I have not posted there in a little over a week.



Thanks in advance Opus

So if I want to permit
Path- \ Explorer.exe
Parent- \Userinit.exe
to access one network [LAN] and block everything else,
I would need to

1) Block all [IPs before [LAN]] and
2) Block all [IPs after [LAN]] and
3) Allow [LAN]

Note: The order of my example at the end of this post matches the list above; however, the order would not be important.

Have you noticed CPF slowing down the connection if overburdened with rules?

This seems complicated; however, if I am correct,
if I did any of the following:
1)
a. Block all
b. Allow [LAN]
I’m F’d (no access for Path- \Explorer.exe with Parent- \Userinit.exe)

2)
a. Allow [LAN]
b. Block [WAN]
I will still keep getting pop ups

3)
a. If I Block Explorer.exe as an untrusted App - I’m F’d (userinit.exe will not be able to use it. At all).
b. If I Allow Explorer.exe on [LAN] - I will keep getting pop ups
c. If I Block Explorer.exe on [WAN] - I will keep getting pop ups

Have you found an easier way?

Path- \ Explorer.exe
Parent- \Userinit.exe
Destination- [IPs before [LAN]]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

Path- \ Explorer.exe
Parent- \Userinit.exe
Destination- [IPs before [LAN]]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Block

Path- \ Explorer.exe
Parent- \Userinit.exe
Destination- [IPs after [LAN]]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

Path- \ Explorer.exe
Parent- \Userinit.exe
Destination- [IPs after [LAN]]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Block

Path- \ Explorer.exe
Parent- \Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow

Path- \ Explorer.exe
Parent- \Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow

You might try this:

Create an app rule like your very last entry:

Path- \ Explorer.exe Parent- \Userinit.exe Destination- [LAN] Port- [ANY] Protocol- TCP/UDP Out Permission- Allow

Then create a rule:
Application: Explorer.exe
Parent: Userinit.exe
Action: Block
Protocol: TCP/UDP
Direction: Out
Destination: Any
Port: Any

Make sure the Allow rule comes first (is on top of the Block rule). There is apparently a hierarchy of sorts within App Mon. Unfortunately, this will change if you Edit one of the rules - try it and see. I’m thinking if the Block rule gets on top, it may circumvent the Allow rule. If it does, just double-click the Allow rule, select OK - this will move it on top.

LM

I might try that but per panic

But I’m hard headed and like to prove things to myself.
Maybe that is what I did previously, because I had thought I had it working, and then all of the sudden it stopped working, and my rules appeared to rearrange themselves.

It wasn’t your imagination. AppMon does indeed switch the placement of rules as you alter them, but only on applications that have the exact same name. After all, the only order they are supposed to be arranged by is alphabetical. Although there shouldn’t be any priority order, this does appear to be the case as reported by others:
https://forums.comodo.com/index.php/topic,8455.0.html

OK, I think I've got it figured out for CPF version 2.4.18.184; this may change completely for CPF V3.
Note: Application rules are very complicated, and some of the auto-configuration features in COMODO may cause problems in manually configured Application rule sets.

Before trying this I suggest you read the thread below

And this

1) The rules are grouped alphabetically into Rule Sets by the “Path” application (the application actually being used to access the internet) and the “Parent” application (the application starting the “Path” application). The order of the Rule Sets does not matter; it is only alphabetical, based on the “Path” application and using the “Parent” application as a secondary reference. So you might have several Rule Sets of application rules showing as Explorer.exe; however, each Rule Set would have a different “Parent” application.
2) The order within each Rule Set is hierarchical (it is read from the top down).
2.1
Example Rule Set to allow Path- C:\windows\ Explorer.exe with Parent- C:\windows\System32\Userinit.exe to and from [LAN] and block anything else.
Notes: 1. The rules are broken out into separate in and out rules, and the allow rule is above the block rule.
2.1.1
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow
2.1.2
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Allow
2.1.3
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block
2.1.4
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block

2.2
Example Rule Set to block Path- C:\windows\ Explorer.exe with Parent- C:\windows\System32\Userinit.exe to and from [LAN] and allow anything else.
Notes:
1. The rules are broken out into separate in and out rules, and the allow rule is above the block rule.
2. Explorer.exe and Userinit.exe were only used in example 2.2 to keep the example consistent. I cannot think of any time you would want to set the rules up in the same manner as 2.2, but that is a decision that must be made by the network designer or engineer.
2.2.1
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Block
2.2.2
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [LAN]
Port- [ANY]
Protocol- TCP/UDP Out
Permission- Block
2.2.3
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow
2.2.4
Path- C:\windows\ Explorer.exe
Parent- C:\windows\System32\Userinit.exe
Destination- [ANY]
Port- [ANY]
Protocol- TCP/UDP In
Permission- Allow

3) If the rules are out of order, opening the top rule in a Rule Set and closing it by “clicking” on OK will move it to the bottom of the corresponding Rule Set.

Thanks to Toggie, Lil Mac and Soya, as well as others who I may have forgotten to mention, for all your help. If you see anything in error in this, please correct me.

Opus Dei
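To make the first-match reading in point 2) concrete, here is a small simulation added to this thread (it is not Comodo's code and was not posted by anyone in the thread): rules are grouped into Rule Sets keyed by Path and Parent, and inside a set the first rule that matches decides. It runs Rule Set 2.1 as listed, the same four rules with the Block rules on top (the "Block all, then Allow [LAN]" case raised earlier, and the arrangement LM's suggestion avoids), and an Allow-only set, against a few constructed connections. The [LAN] zone as 192.168.1.0/24, the sample addresses, and reading rule 2.1.4 as Out are assumptions of the example, not taken from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed assumption: the thread's [LAN] zone is modelled as one private /24.
LAN = ip_network("192.168.1.0/24")

# The Path/Parent pair used throughout the thread (the stray space is copied as written).
EXPLORER = r"C:\windows\ Explorer.exe"
USERINIT = r"C:\windows\System32\Userinit.exe"


@dataclass(frozen=True)
class Rule:
    """One Application Monitor rule as the thread lists them (Port is omitted: always [ANY])."""
    path: str
    parent: str
    destination: str  # "LAN" or "ANY"
    direction: str    # "In" or "Out"
    permission: str   # "Allow" or "Block"

    def matches(self, direction: str, dest_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.destination == "ANY":
            return True
        if self.destination == "LAN":
            return ip_address(dest_ip) in LAN
        raise ValueError(f"unknown destination zone {self.destination!r}")


def group_into_rule_sets(rules: List[Rule]) -> Dict[Tuple[str, str], List[Rule]]:
    """Group rules by (Path, Parent), case-insensitively, keeping the order in which the
    rules appear inside each set. In this model only that inner order matters; the order
    of the sets relative to one another does not."""
    sets: Dict[Tuple[str, str], List[Rule]] = {}
    for rule in rules:
        sets.setdefault((rule.path.lower(), rule.parent.lower()), []).append(rule)
    return sets


def decide(rules: List[Rule], path: str, parent: str,
           direction: str, dest_ip: str) -> Optional[str]:
    """First match wins inside the (Path, Parent) Rule Set.
    Returns "Allow", "Block", or None when nothing matches (CFP would pop up a prompt)."""
    key = (path.lower(), parent.lower())
    for rule in group_into_rule_sets(rules).get(key, []):
        if rule.matches(direction, dest_ip):
            return rule.permission
    return None


def make_rule(destination: str, direction: str, permission: str) -> Rule:
    return Rule(EXPLORER, USERINIT, destination, direction, permission)


# Rule Set 2.1 from the post: Allow [LAN] In/Out listed above Block [ANY] In/Out.
# (Assumption: the post prints 2.1.4 as "In" a second time; it is taken as "Out" here so
# that both directions are closed off, which is what the set is described as doing.)
SET_2_1 = [
    make_rule("LAN", "In", "Allow"),
    make_rule("LAN", "Out", "Allow"),
    make_rule("ANY", "In", "Block"),
    make_rule("ANY", "Out", "Block"),
]

# The same four rules with the Block rules on top: the "a. Block all, b. Allow [LAN]" case.
SET_BLOCK_FIRST = SET_2_1[2:] + SET_2_1[:2]

# Only the two Allow rules: Internet traffic matches nothing, so CFP keeps prompting.
SET_ALLOW_ONLY = SET_2_1[:2]

# Constructed sample traffic: one LAN host in each direction and one Internet address
# (203.0.113.10 is from the TEST-NET-3 documentation range).
CONNECTIONS = [("In", "192.168.1.5"), ("Out", "192.168.1.20"), ("Out", "203.0.113.10")]


def evaluate(rules: List[Rule]) -> Dict[Tuple[str, str], Optional[str]]:
    """Verdict for every sample connection made by Explorer.exe started from Userinit.exe."""
    return {conn: decide(rules, EXPLORER, USERINIT, *conn) for conn in CONNECTIONS}


if __name__ == "__main__":
    for name, rules in [("2.1 (Allow above Block)", SET_2_1),
                        ("Block above Allow", SET_BLOCK_FIRST),
                        ("Allow [LAN] only", SET_ALLOW_ONLY)]:
        print(name)
        for (direction, dest_ip), verdict in evaluate(rules).items():
            print(f"  {direction:<3} {dest_ip:<15} -> {verdict}")
```

With Allow above Block, LAN traffic is allowed and the Internet address is blocked; with the Block rules on top, the catch-all [ANY] rule matches first and the LAN rules are never reached, which is the "no access at all" outcome described earlier; with only Allow rules, the Internet address matches nothing and the firewall has to ask. A rule whose Parent differs is in a different Rule Set and never influences this one, which is why several Explorer.exe sets can coexist.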

Changed the title on this from Application Monitor Rules to Application Monitor Rules Hierarchy. It sounded a lot more appropriate to me.

Very nice Opus :slight_smile:

Maybe it was Toggie and I that discussed it, I don’t remember. But I do remember going over app rules with someone, and reading an entry in the Help files that stated there was a hierarchy. It seems kinda buggy the way it works. There was some rule, we found, that when edited did not move up in its section, but the rest would move to the top of that application when edited. Thus, it would come first, and the user could find themselves being blocked for an allowed application…

LM

PS: SearchMaestro Soya, do your thing… :wink:

You are right, just checked it out and I've got it backwards. By double clicking on the top set of rules and clicking OK it will move that set of rules to the bottom; it also seems to group the allow and block rules together. Note I have not experimented with more than 4 rules, 2 to allow and 2 to block.

I will correct my rules above though.

Thanks for catching that
Opus

You’ll find it also groups rules by parent too…

Nope, or at least not what I’m remembering. I guess it doesn’t really matter. I just thought you could pull it up… :wink: But then again, if it was Toggie and I, it might’ve been thru PM, and I purge those periodically…

LM

Sigh. Here it is: https://forums.comodo.com/index.php/topic,8804.0.html

Actually, this is the one you’re really looking for as it has you in it. I didn’t want you to start believing you had amnesia or something:
https://forums.comodo.com/index.php/topic,7235.0.html

Did you realize you typed “In order to” 73 times in this forum? You can just cross out “in order” part because it’ll shorten your sentence. No need to present things in a sophisticated manner.

The logic used to rearrange rules in AM, is, sometimes, beyond me ???

  1. Overall, rules are arranged alphabetically.
  2. Within application groups, arrangement is by parent.
  3. Within parent groups, arrangement seems to be IN rules first, followed by OUT rules.
  4. After that, it appears to place BLOCK rules before ALLOW rules (sometimes).

The rearrangement of the rules isn’t completely automatic. In fact it’s possible to force a rearrangement of the rules so that the BLOCK rule is placed last, simply by opening an ALLOW rule, clicking OK and closing the rule.