There are a few major bugs that could mess with your CPF installation:
I’ll summarize them here along with the known workarounds.
CPF loses existing rules
Use the configuration management wizard (Miscellaneous Section) to back up your rules before shutdown. Don’t overwrite previous backups. In addition, you may import the last backup and give it a different name just in case (it won’t hurt to have two rulesets).
The configuration management wizard can be used to switch to the other ruleset anytime. So it is a good thing to clone the main ruleset before shutdown and make it active. On the next reboot, if some rules are missing in the cloned ruleset, activate the previous one or use a previous backup.
Every even CPF startup some IPs get reversed (CPF not working). Just close it from the tray and run it again. Don’t bother to create new rules. If you don’t want to check whether IPs are reversed, just edit the Firewall rules for Svchost and System to include your source IP. This way, when IPs get reversed you will not see the CPF connection animation in action.
Things to avoid:
Fast user switching and Limited User Accounts seem to cause problems.
View active connection will crash when one app opens more than 32 connections. Use Cports.
Shutdown takes a long time
Look for csrss.exe in Defense+, make it trusted and eventually grant it permission to close cpf.exe.
It won’t hurt to make all Microsoft Windows components such as userinit.exe, sethc.exe, control.exe, wscntfy.exe, mmc.exe, cisvc.exe, wuauclt.exe, wmiprvse.exe, wmiadap.exe, alg.exe, csrss.exe, svchost.exe, winlogon.exe, services.exe, ctfmon.exe, helpsvc.exe, helpctr.exe, your antivirus and other security software Trusted in Defense+. You can then start to limit Defense+ privileges for these apps if your system runs stable. Make sure to change permission for one executable every few reboots.
BSOD before Logon
Log in using the Safeboot mode in Windows and set Defense+ to learn all. Disable Image Execution Control and reboot.
Cannot Install after uninstall
If you previously uninstalled CPF V3 and now you are unable to install it again because the installer reports that it is already installed, then download BFU and let it run the script (comodocleaner.bfu) in the attached archive. This uninstaller should also work for non-English Windows installations (at least those using the Latin alphabet).
Thanks for this info.
I thought I was alright regarding my defense rules, had them for 8 days without any loss, but I had overwritten my backup, so when I restored it, nothing in defense.
I thought of exporting the policy key in the registry to back up my defence rules?
I lost them when I installed/uninstalled a program which I was trying, or it could have been system restore?
Hi Gibran, sorry I cannot completely agree with you – reversed or not, CPF works for me…
More, when including individual IPs to applications, those get reversed as well.
Don’t know about the other ones you’ve mentioned - but Beta just saved my humble skin today: one of my co-workers gently removed Windows FW to print some of his crap on my computer. I’ve worked about one hour on it before Beta warned me of a completely suspicious activity.
I’d rather avoid having “alg, svchost, winlogon, services” on any safelist.
Thanks again Comodo – I’ve survived another day, because of You.
Sometimes I don’t bother about agreements.
As stated on the beta download page, the beta is intended for a test machine for testing purposes. This implies that the tester has full control of his machine and that he will know when he willingly disabled CPF protection.
The listed workarounds are tailored around a common beta-tester ruleset to apply to most testers.
Anyway, since this topic is about known workarounds, if something doesn’t apply to your specific needs it is a good thing to post if you are willing to add more details. So feel free to edit your posts.
IP reversal is a known bug. Some users get duplicated rules because of this, or they have no connection if they used IPs in some fundamental rules. The point is not that IPs get reversed or that CPF may work in some cases. That workaround is meant to limit the number of reversed IPs.
Those components are MS digitally signed executables. They won’t do any harm by themselves if CFP is allowed to run properly.
CPF’s default registry and file protection ruleset will guard many key parts of Windows, like the list of installed services and MS executables. Anyway, marking such files as trusted still doesn’t allow some privileges (look at the Defense+ trusted policy), but these files are key Windows components and could benefit from a wider permission. It is still possible to fine-tune their Defense+ ruleset in a troubleshooting fashion.
If a suspicious activity was running on your pc please provide additional info like:
type of activity
affected executable/directory/registry key/other meaningful info
what defense+ component alerted you
executable/process causing the alert
Sometimes you don’t need to agree; you only have to share your personal experiences in a way that will be useful to other people as well. (CNY)