CFP 3.0.9.229 BETA - Questions about how it works [CLOSED]

Following CFP 3’s Alpha testing, the first beta (3.0.7.208) was released on 09-Aug-2007. The latest Beta (3.0.9.229) was released on 28-Sep-2007.

What’s the problem?

Yep, it never got through, mmm, a few hours later and now no events are being shown in the firewall or defense log at all.

Geez, I had some issues with these tests :frowning: Maybe my V3 installation has some issues (I’m using a catch-all test config for the new COM pseudo-objects).

The 1st time I launched CPILsuite I didn’t get the run executable alert, and there were a few other strange things (e.g. in some test cases I got a rule for cpilsuite even though I marked the alert to not remember).

After a few reboots and V3 rule checks I managed to pass the tests. I attached only a pic of the 3rd.
Anyway, V3 architecture should be able to pass all tests an indefinite number of times if you deny all the threats. The 3rd test can be passed only once. This is strange. Anyway, I will test this in the next beta with a fresh ruleset :stuck_out_tongue:

[attachment deleted by admin]

:SMLR While the latest beta is working fine, I have about 390 pending files, all of which are safe. Is there any way all of them can be marked as safe rather than marking each and every file?
If there is no such facility, it should be incorporated.

Er…I don’t seem to have those options? There is a Misc. button, but nothing in there related to passwords. Hitting F1 and then doing a search for “Password” results in “No topic found”.
I just ran the updater, but it tells me that there aren’t any updates available, so presumably v2.4.18.184 is the latest version(?)

CFP 2.4 does not have password control, only CFP 3+ has password control.

CFP 2.4.18.184 is indeed the latest official release.

I got the impression from your first post, reinforced by the subsequent posts, that you were using, or wanted to use, CFP 3 Beta. Was this not the case?

Yes…just click on the “select” title and it will select all entries, then you can de-select any you want and then choose the function: save, purge, remove, etc.

Bow

Hi everybody,

Actually this beta version of Comodo 3.0 works fine and is quite a bit stronger than a lot of shareware (HIPS) and will therefore be a great alternative to SSM, Prosecurity and so on… But there is one function that I miss; maybe I’m blind, but there isn’t any way to check the md5 or crc for the executables. It’s quite useful if a trusted executable has been modified.

Anyway great work COMODO!

You talking to me?

If yes, then I do have password protection.

Grtz,

I.

Bow, you are my hero! (:HUG) Now, why didn’t I think o’ that? “Think outside the box,” I says to myself, “Think outside the box.” Perhaps I shoulda been thinkin’ inside the box (or at least looking inside it)!

LM

Ah… yes. Oops. :-[ My fault. I didn’t realise that somebody else had posted.

I think it probably stems from the fact that this topic is the wrong section. Again my fault… I should have moved it earlier. I’ll do that now. Sorry.

I miss that too. Actually there is no hash protection; anyway, I made some tests and I found out that there is a lighter and likely effective feature.
Since it is a new feature and is a bit more complex than V2 hash we should make some efforts to find any flaws.

Here are the details ;D:
V3 is able to report about a new file created even if the GUI was closed and D+ Slide was set to DISABLE and file protection unchecked.
If you close CFP.exe you can modify an exe (during one test session I was not able to do that, but further testing and a reboot made me think that was an exception), but that file will be added to My pending list.
If you create a bogus file and rename it to exe when V3 is closed, that file will not be added to My pending list once you restart V3.
If you create a bogus file, delete/rename an existing exe and rename that file to the exe you deleted/renamed when V3 is closed, that file will be added to My pending list once you restart V3.

Anyway, since there is no hash checking, you cannot tell if that file was really modified; or, for example, if there is a file that is created and then deleted after it was launched, you’ll always get an entry in My pending list.

The current implementation of My pending file list cannot give any info to know if a file was created or updated.

BTW: I made no test about files modified during boot (using WININIT.INI or PendingFileRenameOperations), nor did I test what happens if a file is updated twice at (one by a legit installer, another by a malware app).

I have been meaning to ask about md5 check as there have been a few modular updates in my antivirus program but no alert from CPF.
On my partner’s comp. I have a different firewall and have been alerted (Replaced) for all modular updates.
Re. pending file list I am having a lot of entries for temp files. (files which are deleted after being used by the program)

If your AV updater was set to trusted then there should be no alert but those files should be listed in My pending file list.

Anyway, as long as V3 is active an MD5 check is useless IMHO as you can control how protected files are handled.
You can purge My pending file list from deleted files.

V2 had SHA1 check because it was the simplest way to check for an app’s changes, as the rules were enforced only when an app attempted to connect, so V2 made sure that the rule was applied until the same binary attempted a connection. As long as that app’s SHA1 was unchanged the same rule was applied.

IIRC V2 used CRC only for DLLs loaded in a process. CRC was a weaker hash check and there could be some ways to bypass it; anyway, I don’t have V2 anymore so this part could be wrong.
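Added example (not part of any post in this thread and not Comodo's code): a hash baseline of the kind the posts above say V3 lacks, showing how comparing two snapshots separates a newly created executable from one swapped in under an existing name. It uses SHA-256 rather than the MD5, SHA1 or CRC mentioned in the thread; the extension list, file names and file contents are constructed assumptions.

```python
import hashlib
import os
import tempfile

EXE_EXTS = {".exe", ".dll"}  # assumption: extensions treated as executables

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every executable under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXE_EXTS:
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, root)] = file_digest(full)
    return snap

def classify(before, after):
    """Label each path that differs between two snapshots."""
    report = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report[path] = "created"
        elif path not in after:
            report[path] = "deleted"
        elif before[path] != after[path]:
            report[path] = "modified"
    return report

def demo():
    """Constructed sample replaying the offline cases from the thread."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("trusted.exe", b"original build")
        write("untouched.exe", b"left alone")
        before = snapshot(root)  # baseline taken while monitoring is on
        write("a.tmp", b"bogus")  # bogus file renamed to a new .exe name
        os.rename(os.path.join(root, "a.tmp"), os.path.join(root, "new.exe"))
        write("b.tmp", b"bogus")  # bogus file swapped in under a known name
        os.replace(os.path.join(root, "b.tmp"), os.path.join(root, "trusted.exe"))
        return classify(before, snapshot(root))
```

`demo()` reports `new.exe` as created and `trusted.exe` as modified, while the untouched file produces no entry.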

Hey all,

I’m running Windows Vista Ultimate. Comodo is working fairly well except for when I run utorrent. In Custom Policy Mode it seems to ask me about every single incoming and outgoing connection despite the global rules and setting utorrent as a trusted application.

If I go to training mode it of course leaves me alone but that doesn’t really fix anyway.

Any help would be appreciated.

Thank you and my AV updater is not set to trusted all are set to custom policy.

Then there are 3 explanations:

  • The AV updater access rights for protected files are set to ALLOW
  • Those files were created using some other unprotected extension (like EX_) and then renamed at bootup using WININIT.INI or PendingFileRenameOperations alike methods (there should be a mention in my pending file list)
  • CFP had issues at that moment

Please test this and report any unexpected behavior in the bugreporting topics.

When will the new beta version of CFP 3.0 be released (maybe CFP 3.0.9.300!?)?

Andreas

We are aiming for the next week. Let’s see.

Good luck!

:BNC :BNC :BNC