cLICK-iTIS

hello

‘trusted app, remember my answer’ does not seem to work.

when i click “trusted application” and “remember my answer”, then i should not have to do it all over again, one or two, three, or more times for the same exe.

“trusted application” should mean, “do not ask me again about the same exe”

instead, i often get asked 3 or 10 more times about the same exe, in rapid succession, so that just as soon as i start to work on another task, i’m interrupted, again, by comodo personal firewall pro, 'do you trust the same exe that you twice just told me you trust?"

does it think i’m not sure?

as a result, i just say ‘yes’ to everything, which is no security either.

this can’t be the way defense+ is supposed to work, is it?

i assume i just don’t know how to configure it right, because this is a serious, catastrophic case of click-itis.

once i tell it, “trusted app, remember my answer”, i should NEVER get asked about that same exe again. unless i don’t understand how pfp works.

this is especially bad during new installs, which i do all the time.

i want to turn off defense+ completely, but i’m scared to lose the protection. i have tried to set it to the lowest level possible, while still actually doing something. no good. it’s either ‘no protection’, or ‘get snowed under with endless, redundant comodo alerts’.

it would be great, if cpfp would:

--only ask me ONCE about an exe. 
--come with a large database of trusted apps, including internet explorer, firefox, etc
--come with a large database of common, trusted actions, such as browsing the web from inside various windows apps, such as windows explorer, or whatever.

cheers,
johny
O0

Hi johny & Welcome to the Forums :),

It depends on what setting you have Defense+ on. in Defense+/Advanced/Defense+ Settings, What level do you have it on (Train with Safe Mode, etc).

Train with Safe Mode , Is the most recommended, If you have installed CFP 3 for the first time, Use Clean PC Mode, This will reduce the # of pop ups too. You should notice with “Train with Safe Mode”, Over time, The alerts will dramatically go down. Comodo has Plans, Such as Threat Cast, to help the pop ups.

BTW… Yes, “Remember my answer” does work. Give CFP 3 to learn your programs Try putting Defense+ in Training Mode for a few days or so to learn your safe applications :), Then put it in “Train with Safe Mode”

Josh

i had it on clean pc mode. i just switched it to Train With Safe mode.

what does ‘clean pc mode’ mean? that my pc is clean? or that comodo is going to clean my pc?

Train with Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules these activities. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing ‘Treat this application as a Trusted Application’ at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in ‘Clean PC Mode’ then Train with Safe Mode’ is recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled

Example: I run autoMz ultimate Tweaker. I’ve run it before, many times. Yet, again I receive a Defense+ alert.

That’s wrong. I always pick ‘Trusted Application’ and ‘Remember my answer’ whenever it’s available.

There’s an outside possibility that I installed an update since the last time i ran it, but pfp did not say “You have previously trusted this application, but it has changed. Do you want to trust it?”

Which I should not get anyway, because that update would have been downloaded by autoMz. Therefor, pfp should trust any file installed by autoMz. Does it?

Anyway, after clicking ‘Allow this request’, I click ‘Use Windows System Restore Service’ inside the autoMz interface. And I get another alert: ‘rstrui.exe is trying to modify a protected registry key’.

This is wrong-- I’ve already trusted autoMz. Therefor, pfp should automatically trust any process started by autoMz, including asynchronous threads. But it does not.

So, two, or possibly three, unnecessary alerts. Am I wrong? Is there a way I can prevent redundant alerts like the above?

thanks

I understand your point of view, But as you use CFP 3 over time, the alerts should DIE DOWN. I would expect these alerts for a new install of CFP 3.

However, Comodo do have development plans to make CFP less noisy

Josh

I assume that “pfp” = CFP?

If there was an update and the application has changed, then CFP is doing what it is supposed to do in alerting you. I can see your point that it may be clearer if it said “You had previously trusted an application with this name. Is this an updated version of the same trusted application?”

Which I should not get anyway, because that update would have been downloaded by autoMz. Therefor, pfp should trust any file installed by autoMz. Does it?

Sorry, but you couldn’t be more wrong, if you tried really hard. Following your logic, if Internet Explorer was trusted, everything it downloads is trusted??? Explorer.exe (the desktop shell) is a trusted application, but I REALLY don’t want to auto-trust every file that explorer.exe tries to start. CFP treats each file on its merits.

Anyway, after clicking 'Allow this request', I click 'Use Windows System Restore Service' *inside* the autoMz interface. And I get *another* alert: 'rstrui.exe is trying to modify a protected registry key'.

This is wrong-- I’ve already trusted autoMz. Therefor, pfp should automatically trust any process started by autoMz, including asynchronous threads. But it does not.

Wrong. Wrong. Wrong. For the reasons outlined above. Besides, “autoMZ” is not trying to modify a protected registry key, rstrui.exe is. CFP has correctly alerted you that an application is trying to modify something you have told CFP to protect.

So, two, or possibly three, unnecessary alerts. Am I wrong? Is there a way I can prevent redundant alerts like the above?

They’re not redundant alerts. The firewall is doing exactly what it is supposed to do.

Ewen

i don’t agree. i trust windows update-- comodo should not ask me every time windows update or windows defender and my antivirus program or comodo, for that matter, download and install updates. that’s different than a user-initiated download of a random file over internet explorer. i don’t know if comodo is smart enough to understand the difference, but there is a difference.

regarding spawned processes, it would be nice if there was a way for comodo to see a difference between a safe spawned process and an unsafe one.

this is not a new install of cpfp (comodo personal firewall pro).

also, comodo has been asking me every time i turn on the computer if i want to switch my network settings. clicking yes or no seems to have no effect on anything, and then comodo asks me again and again, every time i turn on the computer. this may have stopped recently, not sure off-hand.

i’m curious-- when i switch to “installation” mode, does comodo trust everything? or just everything the installer wants to do? of course, it should be the latter. it would be nice if comodo could determine that the installer is still running, instead of asking me if i’m ready to turn off install mode-- if i walk away from an installer, thinking i permitted, and then comodo turns off installation mode while i’m away, couldn’t that disrupt my installation?

another example: I clicked “import windows contacts” in window mail, a previously trusted app. now Defense+ is asking me, “wabmig.exe is a safe executable. however, the parent, winmail.exe could not be recognized.” – makes no sense, winmail.exe is a trusted app. i use it frequently, without any comodo alerts.

it would be cool to protect my computer without getting carpal tunnel syndrome in the process

CFP is what it is - a firewall, not a mindreader. Itis examining activity on your OPC, regardless of your intent in initiating that activity.

When you switch to installation mode, it is trusting any process initiated by the installer, and only by the installer. It does not trust everythng going on at the time, just things to do with the installation.

If you get up and go away during the install and aren’t there to click anything, it assumes that the installation is continuining and stays in install mode.

another example: I clicked "import windows contacts" in window mail, a previously trusted app. now Defense+ is asking me, "wabmig.exe is a safe executable. however, the parent, winmail.exe could not be recognized." -- makes no sense, winmail.exe is a trusted app. i use it frequently, without any comodo alerts.

Yes, but the realtionship between the two hasn’t been established as trusted. You may have previously started application X from the desktop and therefore the “explorer.exe → X” relationship is trusted. In this case, after running winmail.exe (which is a trusted app), you got it to run wabmig.exe (Windows Address Book Migration). CFP was merely querying whether this relationship was trusted or not. If it didn’t check the parent->child relationship of activities, malware could use one previously app to start another app and CFP wouldn’t alert you and you would be hosed.

In the example you’ve quoted above, you’re only going to import your address book into Windows Mail once,aren’t you?

it would be cool to protect my computer without getting carpal tunnel syndrome in the process

It’d be even better if we never had to do anything, ever, to achieve a positive result, but life’s not that simple.

Ewen

Ewen, do you work for Comodo? Just curious if you represent Comodo company.

"It'd be even better if we never had to do anything, ever, to achieve a positive result, but life's not that simple."

--thanks, if i ever want your advice on LIFE, i'll let you know. Meanwhile, let's talk about Comodo personal firewall pro.

You defend cpfp as if there is no alternative, and as if it’s just perfect and could not be any better. I hope you’re not in charge of product development, because as far as you’re concerned, it cannot be developed further.

Suggestion: cpfp could be made better.
Proposal: user-criticism is legitimate.
Conclusion: forum moderators who tell people not to complain, work against the improvement of Comodo products.

There are alternatives-- ZoneAlarm and others, on the free side of things, as well as mcaffee and others for paid firewalls. I’ve used many firewalls over the years. Defense+ is one of the noisiest.

3xist says there are plans to make cpfp “less noisy”, so I’m optimistic.

3xist, i’d like to suggest some options:
–option to “allow all processes started by this process in the future” when a specific alert is received.
–option to “allow all process started by trusted processes” as a global option.

These options would be turned off by default, for the “Cautious” defense level, and turned ON by default for the “Less Paranoid” defense level.

that should go a long way to making the firewall less-noisy, while giving users the option to continue to intercept every single process if they want to .

No, I don’t, I"m just a volunteer moderator.

You defend cpfp as if there is no alternative,

Of course there are alternatives. My replies focussed on Comodo because your initial post specified Comodo.

and as if it's just perfect and could not be any better.

It's far from perfect - there is no such thing as perfect software.

I hope you're not in charge of product development, because as far as you're concerned, it cannot be developed further.

Of course it can and should be devloped further, as should any other alternative firewall.

[u]Suggestion[/u]: cpfp could be made better.

Agree

[u]Proposal[/u]: user-criticism is legitimate.

User criticism is legitimate and it is actively encouraged. Comodo use user input to a high degree in their development.

[u]Conclusion[/u]: forum moderators who tell people not to complain, work against the improvement of Comodo products.

If the above is aimed at myself, I would ask you to directly reference any instance on these forums where I have told a user not to complain. Likewise, I would ask you to reference any instance where I have worked against the improvement of Comodo products.

There are alternatives-- ZoneAlarm and others, on the free side of things, as well as mcaffee and others for paid firewalls.

One of the best things to have occured over the past couple of years is the rapid improvement in security related software, most notably personal firewalls. Another good, free firewall you may have missed is OnlineArmour. It's bloody good, but, IMHO, not as good as CFP.

Defense+ is one of the noisiest.

The noiseiness of Defense+ (the HIPS component) depends on its settings to a large extent. When you installed CFP, did you do the malware scan and did you allow Defense+ to then run in CLEAN PC mode?

--option to "allow all processes started by this process in the future" when a specific alert is received. --option to "allow all process started by trusted processes" as a global option.

If you feel that these are valid options and should be considered for inclusion in a future release, please add these to the firewall wishlist topic.

https://forums.comodo.com/feedbackcommentsannouncementsnews/comodo_firewall_wishlist_v6-t15557.0.html

The Comodo developers regularly go through this list.

Cheers,
Ewen

When you installed CFP, did you do the malware scan and did you allow Defense+ to then run in CLEAN PC mode?

I ran cpf in clean-pc mode. that did not reduce it’s noisiness.

During install I deferred to malware scan for another day, but then i could not find the malware scan function in the cfp control panel.

i will put my requests in wishlist.

If you stop and think. Zone Alarm,Outpost,Look-n-Stop are all FIREWALLS. Comodo is a firewall and HIPS program. So of course Comodo will be nosier at first cause its more then a firewall. Give Comodo a week or 2 and it will calm down. Be patient. I only get D+ alerts when I install something new.

i’ve been using cpf for about two years.
see above for details of my issues, such as during new installs.
thanks

Malware scanner cab be easily found by going to D+\Scan My System.

[attachment deleted by admin]

I have no problems what so ever on either of my pc’s with installs. Simply put Comodo into install mode in the main GUI before installing anything.

Malware scanner cab be easily found by going to D+\Scan My System.

you’re right about that, my bad.

If I’m not mistaken,

A “trusted” application can also be further defined and expanded by the user as well. Not only with connection attempts but almost every other aspect in D+. If I go into Firewall > Advanced > Predefined Firewall Policies I can make a trusted application be what ever I want it to be, this goes for Defense Plus as well.

I choose not to modify these too much but have done so out of both necessity and convenience. For the most part I recognize that the flurry of pop-ups that occurred when I first installed CFP3 are just signs that Comodo is getting familiar with my machine and it’s behavior. Now, when introducing new software I simply switch to TWS mode if I feel CFP becomes obtrusive.

today i got “mfpmp is a new executable and could not be recognized. It’s parent wmplayer.exe was allowed to be executed previously.”

but mfpmp is Copyright Microsoft corporation, and it’s parent is trusted. Obviously, I’ve run wmplayer, Windows Media Player, thousands of times.

I would like the option to say, “Trust any exe launched by a trusted exe, if it’s the same publisher”, or some other property that help identify as probably safe.

Or, more specifically, “Trust any exe launched by this exe, if it’s the same publisher.”

more paranoid users could disable these options.

this is what i was talking about, in my initial post, when i said “Trusted app, remember my answer” does not work.

It does work.

Comodo protects Registry Keys, file types, your keyboard, etc etc. It is just doing it’s job. Allow to the alerts to die down.

Also: When installing a New App or playing a game- Put Defense+ in Training Mode. When done, Put it back to Safe Mode.

Josh