blocked by unlisted Application Control Rules

Hello, my first post, I have been testing CFP for a week.

Here’s some info to help you to help me:

  • The version of Comodo Firewall Pro Installed: 2.4.18.184
  • Your Internet connection type: LAN (DSL)
  • Operating system and Service Pack Level: XP Pro SP2 fully updated
  • How you are logging in to the OS (Admin, User): user with admin rights
  • Other Security applications installed (AV, AS, HIPS etc): Symantec Corp 9
  • Security related applications which have been removed/disabled before installing CFP: Sygate PF
  • Security related application which have been removed/disabled after installing CFP: none
  • Please inform us if you have created any custom rules: custom rules deleted
  • Detail the problem, such as which applications are running when you have the problem: see below and see also attached log

Outlook 2000 uses a Symantec plug-in, ccapp.exe, to send and receive email.

ccapp.exe is being blocked by CFP.

If I “turn off” Application Control Rules, then ccapp.exe is not blocked. If I “turn on” Application Control Rules (my default setting), then ccapp.exe is blocked.

Now the strange part. I deleted all my Application Control Rules. If I “turn off” Application Control Rules, then ccapp.exe is not blocked. But when I “turn on” Application Control Rules, then ccapp.exe is blocked - even though there are no rules! How can this be?

On another topic (I may post about this separately unless perhaps someone can explain) I always get strange pop-ups regarding parent apps, where the parent is reported as being one of the other applications I have running. I do not suspect these other apps of hijacking and it seems to me that CFP is simply getting confused about which app is doing what. Incidentally Sygate did exactly the same thing. I need to collect further details but my impression has always been that there is absolutely no way that the apps could be related, and that something (in the OS?) is confusing the threads of disparate applications and/or the firewall software believes that one app is controlling another, when this is simply not true.


Welcome to the forum, negative - err…nonplus :wink:

It can be. That’s because any program not in the safelist or specifically allowed internet access in Application Monitor is blocked. The good old default-deny principle.

Actually, it’s very conscientious on what it’s doing. Let’s take explorer.exe for example. This is the Windows shell, the main program if you will. It starts most programs and you’ll soon realize this if you examine all the Application Monitor rules that it’s the primary “parent” executable. Now what happens if you have virus.exe as the parent executable and it loads a well-trusted program like your browser? This is one of the most basic anti-leaking features of CFP (and most likely other firewalls nowadays).

I deem this the almighty CFP help page: ** FAQs/Threads - Read Me First **:

Constantly Same Alerts / Doesn't Remember Rules
https://forums.comodo.com/index.php/topic,6908.0.html

OLE Automation Alerts
https://forums.comodo.com/index.php/topic,4728.msg35532.html#msg35532
https://forums.comodo.com/index.php/topic,4875.msg36088.html#msg36088
https://forums.comodo.com/index.php/topic,5207.msg38857.html#msg38857

(:CLP) he he!
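As an added illustration of the two points in the reply above (default deny for anything that is neither safelisted nor covered by an explicit rule, and a parent-executable check so that a trusted program started by an unknown parent is still alerted on), here is a small Python model of that decision. It is not Comodo's code: the safelist, every path, the rule table and the choice of parent process are constructed for the example, and the real firewall's matching is more involved than this.

```python
"""Simplified model of an Application Monitor decision: default deny for any
program that is neither safelisted nor covered by an explicit rule, plus a
parent-executable check.  Added illustration only, not Comodo's code; every
path, rule and safelist entry below is a constructed example."""

from dataclasses import dataclass
from typing import Iterable, Optional

ALLOW, BLOCK, ASK = "allow", "block", "ask"


@dataclass(frozen=True)
class Rule:
    """One Application Monitor rule: app path, optional parent path, action."""
    app: str
    parent: Optional[str]  # None means "any parent"
    action: str            # ALLOW or BLOCK


# Constructed safelist: programs the firewall trusts without a user rule.
SAFELIST = frozenset({
    r"c:\windows\explorer.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
})


def decide(app: str, parent: str, rules: Iterable[Rule],
           safelist: frozenset = SAFELIST, app_control_on: bool = True) -> str:
    """Return ALLOW, BLOCK or ASK for a connection attempt by `app` whose
    parent process is `parent`.  Paths compare case-insensitively, as on
    Windows."""
    app, parent = app.lower(), parent.lower()

    # With Application Control off, nothing is checked at all.
    if not app_control_on:
        return ALLOW

    # Explicit user rules win.  A rule with parent=None matches any parent.
    for r in rules:
        if r.app.lower() == app and (r.parent is None or r.parent.lower() == parent):
            return r.action

    # Safelisted program: fine when started by another trusted program, but
    # an unknown parent driving a trusted program is the classic leak-test
    # pattern, so the user is asked instead of the connection going through.
    if app in safelist:
        return ALLOW if parent in safelist else ASK

    # Default deny: no rule and not safelisted -> alert the user.  Until the
    # user answers Allow nothing gets out, which is why an empty rule list
    # still "blocks" an unlisted program.
    return ASK


# Constructed paths for the scenarios in the thread.
CCAPP = r"C:\Program Files\Common Files\Symantec Shared\ccapp.exe"
EXPLORER = r"C:\Windows\explorer.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"


def ccapp_with_no_rules() -> str:
    """The situation in the first post: all rules deleted, control on.
    Parent assumed to be explorer.exe purely for illustration."""
    return decide(CCAPP, EXPLORER, rules=[])


def ccapp_control_off() -> str:
    """Same program with Application Control turned off."""
    return decide(CCAPP, EXPLORER, rules=[], app_control_on=False)


def ccapp_with_allow_rule() -> str:
    """An explicit Allow rule for ccapp.exe, any parent."""
    return decide(CCAPP, EXPLORER, rules=[Rule(CCAPP, None, ALLOW)])


def firefox_from_explorer() -> str:
    """Trusted browser started by the trusted shell."""
    return decide(FIREFOX, EXPLORER, rules=[])


def firefox_from_unknown_parent() -> str:
    """Trusted browser started by a constructed unknown executable."""
    return decide(FIREFOX, r"C:\Temp\virus.exe", rules=[])


if __name__ == "__main__":
    for fn in (ccapp_with_no_rules, ccapp_control_off, ccapp_with_allow_rule,
               firefox_from_explorer, firefox_from_unknown_parent):
        print(f"{fn.__name__}: {fn()}")
```

The point the model makes explicit is that an empty rule table is not a permissive table: the last line of `decide` is what answers "how can this be?", and the parent check is what produces an alert naming a program you trust when it was launched by something you do not.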

Thanks for your patient reply, I understood everything - well, almost.

I read the forum threads to which I think you referred, re OLE, but I’m not sure I understood the conclusion. Was there one? Some users report what I am seeing, i.e. that unrelated apps are causing CFP to pop up an OLE warning even when no intermediary Windows components have been invoked (e.g. explorer, svchost). The latest pop-up I got was while visiting a web page using Firefox, CFP warned that Outlook might be trying to use Firefox. Exactly how are these two apps interacting, if at all?

It seems fair enough (and probably a good idea) to block everything that is not explicitly defined by an Application Control Rule.

But having taken that as its guiding principle, why does CFP make it so hard for the user to ‘clean the slate’ and get CFP to prompt about threats that CFP has questioned previously?

Let me illustrate the problem.

I am still seeing my original issue (Outlook/ccapp.exe blocked). This presumably because there is nothing in list of Application Control Rules to allow (or disallow) these applications.

I put CFP’s Component Monitor into Learn Mode. But strangely it does not prompt me about Outlook and ccapp.exe again.

Why not? Presumably because there is another list, that is not displayed anywhere. This is the list of threats that CFP has previously questioned. Anything on this list is not questioned again. Yet the hidden list remains in force and therefore it is, in effect, a list of Application Control Rules.

It seems unreasonable to expect the user to have to remember exactly what was allowed or disallowed in the long duration of a Windows session. Why not simply display the hidden list or at least offer a way to clear it, so that CFP can start learning again?

Apparently I am expected to reboot, in order to get CFP to prompt me in future about any threat on the hidden list. At least CFP might offer an easier way to clear its mysterious cache of hidden rules? No need for the inconvenience of a system reboot, surely?

My question and criticism arise, as you probably realise, because I deliberately told CFP not to remember my choice and yet it has remembered and, what’s more, it does not display what it has remembered! To me, this design is counter-intuitive and, frankly, unhelpful.

Thanks, I did check that before posting, and I did search for similar issues. I do appreciate this forum and the effort people make to help others, and I realise that I may be slow to grasp some of the concepts.

OLE thing has been questioned for almost a year now. The reason why I placed those 3 links in the FAQ’s is because no one can explain it better from a technical perspective than the lead programmer himself. That’s why I’m trying not to go into it any more than this. It is confusing, but if you denied the alerts when both programs are something you recognize and trust, then CFP will block internet access from them and you’ll have to restart the programs (or maybe reboot if it’s stuck in memory). The other reason I referenced them is because Egemen stated CFP 3 won’t generate these alerts (except maybe if programs in the alerts won’t be in the large safelist). For now, you should only deny these alerts if you don’t recognize the programs (i.e. you have malware).

Component Monitor is a different issue than this thread title on Application Monitor, but I’ll try to explain anyway. It’s not strange. Per the manual:

Component Monitor 'Learn Mode'
When you install Comodo Firewall Pro the Component Monitor is set to 'Learn' mode by default.

Whereas the number of internet accessing applications will usually be relatively small, there is always a huge number of components loaded within these applications. By enabling learn mode the firewall will be forced to learn and build the component profile of the PC. Whenever an allowed application attempts to connect to the internet, Comodo Firewall Pro will add all the components it loads to the control rule list. By default, each of these components inherits the application’s ‘Allow’ status. Users have the option to change this status by selecting one of the appropriate Allow/Block/Ask radio buttons.

You would have to set it to On mode to receive these alerts.

The fact that you asked this question indicates you haven’t read the FAQ:

Component Monitor
https://forums.comodo.com/index.php/topic,5396.0.html
https://forums.comodo.com/index.php/topic,793.0.html
https://forums.comodo.com/index.php/topic,4057.0.html
https://forums.comodo.com/index.php/topic,6241.0.html
https://forums.comodo.com/index.php/topic,7526.0.html

Which list? If you mean the safelist that’s hidden, it’s hidden for a reason: so that malware doesn’t know of it and attempt to get on it. If you meant something else then I need some clarification.

Now I’m confused. CFP is a firewall, not an antivirus. Therefore it doesn’t contain any list of threats.

Once again, I don’t quite understand. If you didn’t enable the remember option in an alert then it should re-alert on subsequent connection attempts by the same program(s).

Here’s a thread from some time back that I suspect might address some of your questions:
https://forums.comodo.com/help/quick_way_to_unblock_an_application_once_blocked_resolved-t7600.0.html

OK.

I’m not sure that it did always re-alert, but I hadn’t tried restarting the affected app(s). I need to make further observations. When I posted originally, I had only come across other posters’ suggestions to reboot (which you partly confirmed). I hadn’t yet come across the concept of restarting an affected application only.

No I don’t think I mean the hidden safelist. As I understand it, the hidden safelist is the list of Application Control Rules that we see in CFP’s interface, which is encrypted (“hidden”) in the system to prevent tampering by malware.

In any case, I’ll try to explain more about the list that I meant:

When the user clicks ‘Allow’ or ‘Deny’ (without ‘Remember’), that particular threat[1] is not questioned again by CFP, for the duration of the session. How does CFP know not to question that particular threat[1] again? It must be maintaining a list of threats[1] that the user has ‘allowed’ or ‘denied’ without ‘Remember’.

[1] I use the word ‘threat’ to mean any particular instance of suspicious activity that CFP is reporting via its pop-up interface.

This list of ‘unremembered’ threats[1] is not displayed anywhere, even though it is, in effect, a list of Application Control Rules.

In some cases, as you say, the rules on this hidden list can apparently be overcome by restarting an app. But, as you say, in some cases, nothing less than a reboot will clear the list.

Why make a reboot necessary? Why force the user to restart an application? Why not display this hidden list (as I have defined it above) for viewing, editing or clearing?

In order to recover applications that have been temporarily ‘denied’ without ‘remember’, the nearest (and only) mechanism that CFP offers is to put Component Monitor into Learn Mode. But this does not have the effect of forcing CFP to question threats that the user has previously ‘allowed’ or ‘denied’ without ‘Remember’. I can understand why this doesn’t necessarily work. But CFP offers no better way to achieve what I had hoped (i.e. previous para above) so I thought I’d try Component Monitor in Learn Mode, if only to illustrate the problem.

Putting all this together, this is why I said,

Have I done a better job of explaining, this time?

Kind regards!

Some programs have proven to require a reboot because CFP keeps it in memory. The same programs only require a restart for others. It really depends. I don’t think I have ever needed a reboot for any of my programs.

Nope. CFP should alert you again if the program tries to connect (I know most programs try multiple times before giving up or timing out, like Windows Media Player - actually, that’s a bad example because it’s considered a trusted [don’t ask me why all M$ files are…] program by CFP). This is if you deny on the alert. Now that you mention this, I think it works differently if you allow the alert, since it stays for the session (however that’s defined I don’t know), which would be a bug. Can someone confirm this? I ask this because I keep picturing the browser issue with multiple tabs, but this is a different topic.

Of course. After I requested it :stuck_out_tongue: ;D. Unfortunately, the list you’re referring to is something I don’t know about. I suppose only the devs can answer that. I know it’s a crude method of having to restart/reboot, and I don’t know if it’s documented in the manual. 88) Perhaps v3 operates differently.