CFP 3.0.9.229 BETA - Questions about how it works [CLOSED]

In Comodo 3.0.9.229 Defense+ logs I see this :slight_smile:

COMODO Firewall Pro Logs
Date Created: 17:36:02 09-10-2007
Log Scope:: Last 7 Days

Date/Time                  Application                      Action              Target
09 October 2007 05:02:49   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 05:02:53   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 12:37:53   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 12:38:03   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 12:46:58   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 12:47:07   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 13:24:15   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 13:24:25   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 15:01:54   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 15:02:03   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 15:49:07   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
09 October 2007 15:49:16   C:\WINDOWS\system32\csrss.exe    Terminate Process   C:\Program Files\COMODO\Firewall\cfp.exe
End of The Report

I scanned csrss at Jotti's and found nothing, and I also uninstalled and reinstalled Comodo, and it keeps
coming up in the log. Is this OK? :slight_smile: Comodo is running with Network Defense in Train with Safe Mode
and Proactive Defense in Clean PC Mode :slight_smile: Thanks
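As an added example (not part of the post or of Comodo's software), a small parser that restores the flattened Defense+ report to one record per line and groups repeated events, so the pattern behind a log like the one above (same source, same action, same target, how often, how close together) is visible at a glance. The embedded report text is a shortened copy of the one quoted in the post; the list of action names is an assumption, since only "Terminate Process" appears here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shortened copy of the flattened Defense+ report quoted in the post (4 of 12 records).
REPORT = (
    "Log Scope:: Last 7 Days Date/Time Application Action Target "
    "09 October 2007 05:02:49 C:\\WINDOWS\\system32\\csrss.exe Terminate Process "
    "C:\\Program Files\\COMODO\\Firewall\\cfp.exe "
    "09 October 2007 05:02:53 C:\\WINDOWS\\system32\\csrss.exe Terminate Process "
    "C:\\Program Files\\COMODO\\Firewall\\cfp.exe "
    "09 October 2007 12:37:53 C:\\WINDOWS\\system32\\csrss.exe Terminate Process "
    "C:\\Program Files\\COMODO\\Firewall\\cfp.exe "
    "09 October 2007 12:38:03 C:\\WINDOWS\\system32\\csrss.exe Terminate Process "
    "C:\\Program Files\\COMODO\\Firewall\\cfp.exe End of The Report"
)

# "Terminate Process" is the only action name in the post; other Defense+ action
# names would have to be added here (assumption: they are fixed phrases).
ACTIONS = ("Terminate Process",)
TS = r"\d{2} [A-Z][a-z]+ \d{4} \d{2}:\d{2}:\d{2}"
RECORD = re.compile(
    rf"(?P<ts>{TS}) (?P<app>.+?) (?P<action>{'|'.join(map(re.escape, ACTIONS))}) "
    rf"(?P<target>.+?)(?= {TS}|$)"
)

def parse_report(text):
    """Recover (timestamp, application, action, target) records from the
    one-line report. Paths may contain spaces, so a record ends where the
    next timestamp begins rather than at whitespace."""
    body = text.split("Target ", 1)[-1].rsplit(" End of The Report", 1)[0]
    return [
        (datetime.strptime(m["ts"], "%d %B %Y %H:%M:%S"), m["app"], m["action"], m["target"])
        for m in RECORD.finditer(body)
    ]

def summarize(records):
    """Group identical (application, action, target) triples and report how
    often they recur and the shortest interval between two occurrences."""
    groups = defaultdict(list)
    for ts, app, action, target in records:
        groups[(app, action, target)].append(ts)
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {"count": len(times), "first": times[0], "last": times[-1],
                        "min_gap_s": min(gaps) if gaps else None}
    return summary
```

Run on the full report above, the summary shows one triple (csrss.exe terminating cfp.exe) recurring in pairs a few seconds apart, which is the shape of the question the poster is asking about.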

Hey gibran thanks for taking the time.

It seems I was confused, glad things are becoming clearer with time.
Defense+ is HIPS (Computer Security Policy)
Firewall is… Firewall (Network Security Policy)

Now I have two more questions.

Are the policies in both places totally incompatible? (should be, right?). I say this because in HIPS I see an item called network loopback, so I wonder if I block something on HIPS mode (no privilege) and allow it Any/Any Incoming/Outgoing on Firewall mode, does it mean it gets TCP/UDP access or not? (or maybe network loopback has nothing to do with internet access?).

Also sorry, but you didn’t tell me in the end if there is such a thing as a default safe list, or how to disable it completely if possible? (Like I want to individually adjust settings as I run applications, I don’t want Comodo to automatically take decisions like allowing Java to connect online -like it did- without my “written” permission). Or maybe I didn’t understand you.

Thank you

I was wondering if anyone knew
What is the difference between “Switch to Installation Mode” in “Summary” and selecting “Windows Installer Application” as a security policy?

I noticed that there are apps for which I had selected “Windows Installer Application” that kept this Policy
Example I had given rtvscan.exe. So I would be less molested by Symantec updates
this seemed to work but in review I decided this might not be a good idea as I got a trojan from port 2967
as when I was using 2.4 I had accidentally created a rule “Allow All IN from IP Any to IP Any where source port is Any to destination Port 2967”; there is a trojan that uses that port and Symantec to get into your system

I have no problems with Windows updates needing this right, but if I did I might give this policy right to %system%\wuauclt.exe to help Windows updates

Am I correct in the assumption that when you give the policy right “Windows Installer Application” to an app, it retains that right without the 5 minute popups given for “Installation Mode”?

If someone could clarify the difference it would be nice

Thanks OD

https://forums.comodo.com/cfp_beta_corner/installation_mode_and_clean_pc_mode-t13200.0.html
the above is a link to the quote below

the localhost loopback really has nothing to do with internet access, unless you’re using a local proxy for your browser (such as proxomitron). Localhost is used internally for communication between applications and such.

The architecture for the Safelist changed between the last Beta and the current one; to me the current one seems to give far less control (you can only Import, Export, or Submit for inclusion). Adding to and taking away from are done separately through Defense + Common Tasks (Pending List, My Safe…), but that’s only for what you yourself have added.

The only way I can think to accomplish what you want is to go to Paranoid Mode immediately after install, and working like mad to define your rules & exceptions manually. That’s gonna be a pain IMO. The other option would be to take what you have now, switch to Paranoid Mode, and remove the rules for applications you don’t want to have access (or change the rules to Block instead of Allow).

LM

Am I correct in the assumption that when you give the policy right "Windows Installer Application" to an app, it retains that right without the 5 minute popups given for "Installation Mode"?
You are correct, as far as I can tell. I have wondered the same thing - what's the difference between Installation Mode and Windows Installer Application? If one selects that from the popup w/Remember option checked, it creates a hard rule for that application; this rule remains past the installation.

I guess the idea is that if you have an executable that will be controlling the updates you would set it as an Installer Application (perhaps not much different from Trusted Application??). However, those rights would not perpetuate to any child processes it spawned. So if you put D+ into Installation Mode, this transfers the rights of the parent to the child (up to 3 children). I didn’t really get that until I re-read Egemen’s quoted post in yours. So this would be very handy for software updates where you might normally run into trouble.

Then, if you’re just installing a new application, you set the setup package as an Installer Application, and turn on Installation Mode. The only thing I see there is that you might not want to retain that Installer Application rule, so would have to go back in to delete/remove it. I’m about to install another app, so I’ll pay some more attention to the process.

LM

I think this is what is going on. As I said in my post it seemed to work very well for Symantec update and rtvscan.exe. It pretty well stopped the pop-ups.

I PM’d Egemen as I think this is a very powerful rule and I want to know what is going on when I apply it. Hopefully he will find the time to reply.

Thanks for the reply LM

I have installed the latest beta and notice that my network security and my computer security files seem way too long. Is it possible to delete all the entries in both (or most of them) and then put the firewall back into “learning clean PC” mode to relearn the correct functions? Is there any way to “start” the learning process all over again without uninstalling and then re-installing Comodo?

My system seems stable, but I have 1.5 pages of learned applications and I’m sure that is too many. Running Vista64 with RAID 0.

2 additional areas of concern:
the shadow copy area seems to be messed up,
along with where Vista keeps temp internet files. I have lots of denied access to these areas.

Also posted in bug reports
Little Mac
Here is my conversation with Egemen; see if you can verify what I am saying.
If I understand him correctly and he understands me,
the behavior of Windows Installer Application is a bug.
It’s a long conversation

Thanks
OD
When you select “Remember my answer” for a pop up with “Windows Installer Application” you should still get the pop-up telling you to, and in the “Summary” screen “Proactive Defense” it should say “Switch to Previous Mode” not “Switch to Installation Mode” (Andysnap_029.jpg)

[attachment deleted by admin]

I know many dislike Spybro, but it is the only tool that is able to reveal extraordinary api hooks or spooky api names, so watch this and tell me what is the myth about?

http://i24.tinypic.com/2ngymno.png

By default these are in the “My Protected Files” in Defense +. You should, however, get popup alerts. You may also go into the D+ application rule in question, to Access Rights, Protected Files, Modify (Exceptions) and define the file path to be Allowed. You can use wildcards for the extension.

LM

I think you’re not following his train of thought and/or the process as he’s laying it out (I think). :wink: I say that because you don’t seem to be turning on Installation Mode from the Summary window; you seem to be saying that you’re only replying to the popup with Windows Installer Application and Remember. I went through this yesterday, and installed three different applications, one after another (none required reboot). Here are the steps I took (which I think parallel what Egemen is outlining):

  1. Switch to Installation Mode in CFP v3 Summary screen.
  2. Run install package executable.
  3. Respond to installer executable popup with Windows Installer Application and Remember (yes, this creates a “permanent” rule for me to later delete).
  4. Respond to reminder from CFP v3 about being in Installation Mode (yes, it showed)

For the most part, that was it. I think on one of the installations, I got a popup from a second installer process, and had to do the Windows Installer Application/Remember thing there as well.

Here’s what I think, having gone thru all this. Unless you first select “Switch to Installation Mode” from the Summary screen, the spawned child processes won’t inherit the installer rights of the main installer executable. The whole process won’t work the same if you’re only responding to the popup; you have to switch Modes first, then respond to the popups as well.

If you switch Modes first, then respond to the pops as the Installer App/Remember, the child processes are allowed, but no rules are created for them. Then you get a reminder to switch Modes back to normal. The installer executable will still have a rule, which would grant it considerable power, but no child processes would be automatically allowed by it. So IF you left that “Windows Installer Application” rule in place, while that would be a risk for that application alone, if something hijacked it, the child processes thus spawned wouldn’t be able to get thru unannounced.

LM

Thanks LM
This makes sense to me
This is the type of info I am looking for.

However, it seems to me that the child processes are still inheriting the rights.
For Example After Rtvscan runs, Defwatch.exe is launched, followed by DWHWizard.exe
following this procedure
When in the case of Symantec Live Update
rtvscan.exe pops up with
“Rtvscan.exe is trying to modify a protected file or directory. What would you like to do?”

  1. I select “Treat this application as” [Windows Installer Application]
  2. I check the “Remember my answer” check box

CFP3.09 will create a rule in D+
Application Treat as
C:.…\rtvscan.exe Windows Installer Application
After this I no longer seem to get pop-ups from Defwatch.exe nor from DWHWizard.exe.

Symantec seems to update itself without pop-ups

I have no problems with this behaviour (I actually like it). I just think:
1) If there is supposed to be a reminder to deactivate the rule there should be a reminder
or, and these are actually my preference,
2) If it’s not in the design architecture, it’s a bug, or the behaviour needs to be
documented and it needs to be included in the design.

3) Due to the power of this rule there should be a warning pop up telling the user what
he is about to do, with a check box saying:
“Are you sure you want to do this?” Yes or No

OD

I have no problems with this behaviour (I actually like it). I just think: 1) If there is supposed to be a reminder to deactivate the rule there should be a reminder or, and these are actually my preference, 2) If it’s not in the design architecture, it’s a bug, or the behaviour needs to be documented and it needs to be included in the design. 3) Due to the power of this rule there should be a warning pop up telling the user what he is about to do, with a check box saying: "Are you sure you want to do this?" Yes or No
1. I don't think there's supposed to be a reminder to change the "Windows Installer Application" rules we create from the popup (by the design, that is). 2. I agree that there should be; I also consider the lack thereof to be a design weakness. 3. Absolutely; the rule is quite powerful - seems to be basically the same as setting it to be a "Trusted Application" or perhaps even a little more so. There needs to be an "Idiot Light" for it... ;)

LM

Don’t know if it has to do with my settings but when I ran the leak protection test (2,3) got through.

Did you reboot after doing the first test? If not, please reboot and try again. Be sure to reboot in between each test.

LM

Alright, I did another restart; none of the tests were able to open IE (my default is Firefox), so that’s good. Now is there a way I can prevent the DLL injection, as the 3rd test crashes explorer.exe on Vista 32bit?

Not sure about Vista, but it sometimes does crash explorer on XP (hasn’t on my system, but does on some). That’s because of the way the dll is forced in (my simple understanding); it causes instability. Kind of the nature of the beast. Just remember, it’s only a test; it’s designed to emulate malware behavior. And even tho’ explorer crashes, the traffic should have been stopped (provided you told it to deny).

LM

Hey,

I downloaded Comodo Firewall and I searched the forum to see if there is some password enabled. I read that it would be included in Comodo 3.0,… So now I look at my Firewall that I installed an hour ago and I see it’s version 3.0, so? Is there or is there not a password protection?

If yes, how can I enable this, because I read all topics and all FAQ, and nothing!? And if no, why is my version 3.0 and I read everywhere there will be a password protection at 3.0? If it’s beta testing, then I want a beta download, because without password it’s basically (for me) useless. Can I download a beta-Comodo Firewall? Where? I don’t care if it crashes.

Grtz,

I.

Hi I, welcome to the forums.

Open CFP… Miscellaneous button - Settings - Parental Control. The password stuff is there.

Also I would like to make it clear that CFP 3 is Beta. As a Beta, it can contain bugs of varying degrees. Comodo recommend that you should not run this Beta on production systems. In addition, issues, questions & bugs should be raised on the CFP Beta Corner. There are existing topics for bugs, feedback & questions.

Thanks very much for the quick reply.

Do you maybe know when the beta came out? So I have a sort of view about this issue.

greetings,

I.