CFP 3.0.9.229 BETA - Questions about how it works [CLOSED]

giraffe · September 30, 2007, 7:26pm

In 2.4, I could look at apps. and change the permissions. How does this work in v3?
I’ve blocked an update for an app. and can’t find out how to change it ???

Thanks,

Peter.

Andreas · September 30, 2007, 9:45pm

Click on “Firewall”, “Advanced” and “Network Security Policy” and you see all application rules who you can change.

Andreas

[attachment deleted by admin]

Opus_Dei · October 1, 2007, 12:30am

I was just wondering if CFP 3 was only relying on MD5 checksum for it’s system integrity verification?

Posted mostly for info but if any one knows anything about CFP3 Abilities to detect ADS I would like to hear your comments

OD

From another conversation with Melih
in General Security Questions and Comments (not product related)/MD5 Sum

Opus Dei:

“The attacker now puts the executable ipeye.exe into an alternate data stream associated with the existing file test_file The syntax to do this is as follows:
type ipeye.exe > test_file:ipeye.exe”

http://www.securityfocus.com/infocus/1822

Yes I am aware that there are several ADS discovery tools including the one in HJT

I was just wondering if CFP 3 was only relying on MD5 checksum for it’s system integrity verification

proir to CFP3 I was using
Sentinal 2.0 anti-Virus/Trojan Integrity Checker developed by RuntimeWare.
Sentinel works by analyzing exploits in both your Registry and your system folders; integrating with ANY(except Symantec 10.0 Corp) Anti-Virus program to quarantine these threats. Sentinel’s Integrity Checker will notify your anti-virus/trojan application(s) if any file has been modified or added in any way whatsoever (using either a heavily optimized CRC32, SHA-1, MD5 or MD4 algorithm–for those of you who don’t speak geek: Sentinel is fast, and very secure). Note: this is not an AV program however it will integrate with most very nicely

I don´t think this could program catch ADS(Alternate Data Streams) attached to a file
And it does not work With Symantec 10.0 Corp AV either But it does a fair job of idetifying file changes

Thanks for the quick reply Melih
OD

PS
I hav done minimal plating with these such attaching an exe to a text file and then launcing the hidden EXE from the registrty and as I said “this will not change the file size nor the MD5 check sum. I know the file modified date will change with the attachment of an ADS.”
if the are meanings to ADS(Alternate Data Streams) please let me know but from my research ADS is unique to the NTFS File system.

Any good pointers to other reference sources, refering to other types of Alternate Data Streams, would be appreciated

egemen · October 1, 2007, 2:13am

Nope. CFP does not keep any checksums. It simply watches all the file system activity and record the changes.

By default, every application who has a firewall rule or used in a defense+ rule(as long as it is a full path) are protected by default although they are not listed in my protected files.

Egemen

Opus_Dei · October 1, 2007, 2:20am

Thanks Egemen
Good Info

So the attachment Of an ADS should be detected by the activity.

OD

egemen · October 1, 2007, 3:09am

Yes. In that case CFP will raise a protected file alert and wont allow such an activity unless the user approves.

mrgigabyte2002 · October 1, 2007, 3:17am

hi everyone i would like to know about pending files right now i have 37 and would like to know if i should hit remove or put them in to my safe files i have been looking this up not sure what to do it seems like if you remove the answer is the firewall thinks they are safe if i am right thanks

panic · October 1, 2007, 3:21am

How about the execution of an ADS? How will CFP cope with that as it shows as a extended node of the hosting data file

panic · October 1, 2007, 3:24am

You should firstly do a lookup. If they are identified then they can be moved to "Your Safe List. If they come back as unknonw then you should submit them to Comodo for Analysis. Once analysed and approved, they can be moved to Your Safe List.

Ewen

mrgigabyte2002 · October 1, 2007, 3:35am

ok i did what you said and they are all unknow sumitted them some are apts i have like rogue remover and even comodo firewall windowwasher and ect do you think i should wait or add i know they are safe thanks

cvsa · October 1, 2007, 6:47am

is it normal that vista firewall is not desactivated in the security center ? ???

ranon · October 1, 2007, 10:19am

I would like to know if it is possible to trust an application for every action within my PC but ASK what to do if this application makes contact to or is contacted from an extern IP number?

ranon · October 1, 2007, 10:47am

Another question:

I still use sygate 5.6 firewall.
Is the comdo beta v.3 more secure as the sygate firewall?
I had a lot of troubles with the v 2.4 (and slow down of my pc) so I decide to reinstall sygate again. The beta v3 firewall seems to be lighter and working better but I would like to know if it is more secure as my previous sygate firewall?

In my network security policy i have as global rule:
Allow all outgoing requests.
I cancelled this.
Why this rule?

panic · October 1, 2007, 11:15am

I can’t say how secure your old sygate firewall is.

In my network security policy i have as global rule: Allow all outgoing requests. I cancelled this. Why this rule?

Without it, how are your going to access anything?

ranon · October 1, 2007, 11:32am

the firewall must be there before to access anything isn’t it?

the request
firewall
execution of the request

btw I have cancelled this rule and I can still access everything.

Mirage · October 2, 2007, 1:50pm

The gui is cool, but it seems to load quite slow on my laptop…

The explorer.exe keep hoping 1 percent which I do not understand why?

Btw have you people realised speed of surfing is decreased why is this so any explanation? Compared to Comodo v2.4 the speed seems to be very slow on Comodo v3.0 when I surfing around.

lironjan · October 2, 2007, 3:26pm

hi
what is the path that the firewall beta 3 save his log?
thanks

Opus_Dei · October 2, 2007, 8:28pm

XP Pro Spanish edition - C:\Documents and Settings\All Users\Datos de programa\Comodo\Firewall Pro\cfplogdb.sdb

XP Pro English edition - C:\Documents and Settings\All Users\program data\Comodo\Firewall Pro\cfplogdb.sdb

IN Vista - I am not sure but I would be interested in an answer from some using Vista

Hope this helps
OD

Edit:
I have found the best way to open this is create a sortcut to C:\Archivos de programa\COMODO\Firewall\cfplogvw.exe or in the English XP Pro version C:\Program Files\COMODO\Firewall\cfplogvw.exe

Edit 2: This is a SQLite (format 3) File

egemen · October 3, 2007, 3:02am

Sure that will be detected too.

For example, an executable test.exe is attached to text.txt file.

1 - Create a folder called c:\ADS
2 - run cmd.exe and type “cd c:\ADS”
3 - “type “data file” > text.txt”
4 - “type c:\windows\notepad.exe > text.txt:test.exe”

After step 4, you have successfully hidden notepad.exe in test.txt as a stream.

5 - “start text.txt:test.exe”

CFP will :

1 - Catch the attaching attempt of an executable and warn the user.
2 - If the attaching is allowed, then the executable stored with ADS should be in my pending files.
3 - When attached executable is going to run, cfp will show a normal execution alert for the attached executable.

ADS is typically used by virus programmers to hide executables from some virus scanners. From CFPs point of view, there is no difference. You may see an alert like “cmd.exe is trying to execute text.txt:test.exe. What would you like to do?”

In the final version, we will put more explanations to the security considerations section of a popup because this is almost always a virus behavior. Even if it is legitimate software, the vendor must stop doing this(Unless they try to hide something).

Hope this helps,
Egemen

lironjan · October 3, 2007, 4:40am

thank you!