I’m running Comodo Firewall Pro on a Windows XP Pro SP2 computer. I’m a new user of CFP and so far I like what I see.
I just tried to run the Samspade networking utility (in case you don’t know it, description and download can be found here: http://www.pcworld.com/downloads/userreviews/fid,4709/userreviews.html) for the first time after installing Comodo Firewall Pro and naturally CFP popped up a window asking me if I wanted to allow Samspade to access the Internet (I’m running CFP with mostly default settings). To my surprise, the Samspade utility started pinging (and getting results from) a REMOTE host BEFORE I had clicked the “Allow” button in Comodo Firewall Pro. In fact, I deliberately decided to NOT click the “Allow” button and see if the Samspade utility worked ok. It did. The Samspade utility seems to completely bypass Comodo firewall Pro when pinging and doing traceroutes. I even set Comodo to attempt to BLOCK the Samspade utility from accessing the Internet. It couldn’t do it. The Samspade utility had no trouble pinging and doing traceroutes from remote servers even when “blocked” by Comodo Firewall Pro.
Is this normal? Why am I seeing this behaviour? Can someone replicate this?
I would really like to see some comments on this subject.
If you think you need more info about my setup, OS or software, just ask
I’m running Comodo Firewall Pro on a Windows XP Pro SP2 computer. I’m a new user of CFP and so far I like what I see.
Just to be on the safe side please run this test and chose to not allow. This test will allow us to check if something is interfering with cpf.
Ok, here I am again.
I ran the test you suggested. While the test itself went ok, things REALLY didn’t go right with Comodo Firewall Pro.
Comodo DID alert me that some sort of infiltration was going on and prompt me to allow or deny connection to cpil.exe . So far, so good. Unfortunately, the window Comodo Firewall Pro showed to ask for my decision was very confusing. At first sight, it looked as if my default e-mail program was asking for Internet access. Here is the windows Comodo showed me:
Well, should I allow MY DEFAULT E-MAIL PROGRAM to access the Internet? I guess I should, right?
This is a very confusing prompt from Comodo.
But things didn’t stop there. I obviously denied access to that request (so in theory CFP passed the leaktest) and closed the DOS window cpil.exe had opened. I also check that there was no cpil.exe process left running in my PC. BUT somehow the infiltration persisted and every time a program using the parent application explorer.exe tried to access the Internet, Comodo Firewall Pro asked me to allow or deny access for that application. This doesn’t look harmful by itselt, in fact is probably a good security measure. The problem is one of those programs asking for permission was my default browser (Maxthon) which uses the Explorer engine. Here’s the prompt:
I denied access again but this implied that Maxthon could not connect to the Internet at all. In fact, I had to disable CFP to be able to post this reply here. At first, I guessed that my answer to the prompt had changed the settings in CFP regarding Maxthon and that I could allow access to the Internet again by going into the settings section of Comodo and re-allowing Maxthon. It didn’t work that way. When I denied access to cpil.exe I obviously did not set the “remember my decision” box, so no settings had been changed in Comodo Firewall Pro regarding Maxthon (or any other application using explorer.exe as a parent). So the only solution I could find to allow Maxthon access to the Internet again was to disable CFP (or set it to allow all traffic, which is more or less the same).
To sum up, I see two different problems here with Comodo. The first one is that the prompts (at least in the case of an infiltration) are VERY confusing. Any user who doesn’t read IN DETAIL the prompt window could easily allow an infiltration to take place. The second one is that there is no way to easily isolate what kind of traffic from a parent application should be allowed and which shouldn’t. I understand that if explorer.exe itself has been compromised, a lot of other applications can be affected but I just don’t find the solution by CFP (block all traffic) to be the best.
By the way, the Samspade utility is STILL bypassing Comodo Firewall Pro completely
Any help will be appreciated. I really Comodo Firewall Pro and would like to keep on using it but my experience with it so far has not been the best.
Hey allnew, (:WAV)
I’m very glad to see your firewall passing the leak test.
I believe that you had already created application control rules for Barca and Maxthon before you ran the leaktest and that normally you wouldn’t be alerted when either of them tried to connect to the internet.
Now with cpil.exe modifying explorer.exe you’ll get a very clear warning (red all over the alert+an explanation of what’s going on).
To sum up, I see two different problems here with Comodo. The first one is that the prompts (at least in the case of an infiltration) are VERY confusing. Any user who doesn't read IN DETAIL the prompt window could easily allow an infiltration to take place.Of course you are alerted that your mail programme / browser tries to connect to the internet (because that IS what's happening: Barca.exe / Maxthon.exe try to connect to the internet). However, Comodo informs you that there's something fishy going on and even tells you in great detail what's going on - compare that to security alerts of ZoneAlarm (I just know Free, sorry). Wonderful!!!
A simple restart would’ve done as the temporary rule would’ve been deleted from memory.
The second one is that there is no way to easily isolate what kind of traffic from a parent application should be allowed and which shouldn't. I understand that if explorer.exe itself has been compromised, a lot of other applications can be affected but I just don't find the solution by CFP (block all traffic) to be the best.As you state yourself, if one component is compromised, you simply shouldn't let an assumingly infected application connect to the internet. Very wise decision! In your example, how can CPF let a compromised explorer.exe start your email prog / browser? That would be irresponsible.
By the way, the Samspade utility is STILL bypassing Comodo Firewall Pro completely :(Sorry, not using the programme myself I'm afraid I can't come up with an explanation / solution.
Hope I’m not sounding too rude (:HUG)
Just wanted to point out that the way Comodo alerts you is probably the best possible way it can be done. I admit that one is often tempted to simply tick “allow” if a known app is launched. However, no firewall in the world can decide for itself what to allow and what not. It can only act according to the rules we the users set.
I really, really apologise if all this seems rude. It’s NOT my intention to offend you in any way.
Just wanted to give my 2pence, that’s all.
Please forgive me (:AGL)
Hope you’ll be helped with your samspade-problem.
All the best,
I’ve only been using Comodo for a couple of weeks but I have had some strange things happen similar sounding to part of this.
Unfortunately I don’t have an accurate record. I was busy on other things. After some rather unexpected popups from Comodo some bizar things began to happen including being told that my default media player, Media Player Classic, had tried to modify Opera - or some such, as I said no written records. But Media Player Classic wasn’t running according to Processs Explorer and Task Manager.
In the end I eventually lost my patience,unistalled Comodo, reinstalled, and carried on learning about the rules and the order in which they are executed so I could get uTorrent and Emule running. On reinstall it had no such problems except that I got a notice after the first reinstall that a service had failed to start and COMODO had all of its proteection off and would not turn on.
I therefore this time rapidly turned on Windows firewall (please, please change the default so that Windows Firewall is turned off AFTER Comodo gives the thumbs up!), killed the Cmdagent.exe in Task Manager. uninstalled and reinstalled for the 3rd time. I again refused anything I didn’t know about. So far, so good.
When I finish this post I next going to seal off some pesky phone-home stuff like ACDSee, explorer.exe (no, it doesn’t need to act as a server, nor access the internet and I certainly regard any Microsoft components accessing the net without my knowledge of the reason as one of the biggest risks any PC has. Nor, to the best of my knowledge does System need to access the Internet directly, but it wanted to.
This time, to be reasonably sure I wasn’t going to screw up LAN communications and block myself out of my own machine network, I made a rule that excluded explorer from anything but 192.168.000 to 255. That should do the trick, it can talk to itself and the router all day for all I care!
On to another little prob - Give me one standard rule set that I can implement that bolts Microsoft’s so-called “SAFE” (haha!) system to the floor and ONLY allow ESSENTIAL communications, and I’ll be a much happier mam with a lot less Googling and head scratching to do. I would also get more sleep.
What was happened tp trigger the reinstall was that after some Comodo popups to which I tried to give a reasonable response (accept or deny, remember or not - and yes I agree that the messages are VERY confusing. Should I accept or not that lsass.exe should run as a server. For the moment I have said no. The ONLY apps or services I need to run as a server are the two P2P apps, and AVG E-mail check.
If you look at your post allnew, on the face of it there is something wrong. Barca was not apparently running when the problem occurred (if I understand you correctly so no, it couldn’t have tried to access the internet. Just as Media Player wasn’t running so it couldn’t have triggered the event that had it’s name on it.
Then there is a bizar event where you saw Comodo asking a question about cpil.exe, one of it’s own components! That makes no sense. I personally have no idea what cpil.exe does or needs to do to function. But it looks like I should find out.
Granpa. You are confusing me desperately. It passed the leak test becasue allnew denied something that was rather confusing, ostensibly allnew could easily have said Allow. Barca wasn’t running so that warning was innappropriate, and any firewall knows about browsers, it’s not hard to make a list of them, there can’t be more than a 20! So that warning should have been taken care of by a predefined rule that the user could change later if they wished. (Up pops a window say that has a pulldown list of "browser, email client, pop server, smtp server, eD2K, BT. And poof! it’s done. All the default ports in place)
Then you mention a “temporary rule”, restart clears that?
…err, if I click Allow but not remember, I assume that the rule is appled ONCE, then dies. It should not stay active and in memory, no way! I will assume that the one access was enough to shut the little b*gg** up. If the same thing pops up again I will dig in and make a rule.
Letting Comodo make the rules seems to mean that every time OLE is used we have a new parent and another line in the rules list. For a browser that could be 50 lines of rules. Any of which could be a trojan hiding as an app or controlling an app. Nope, nobody could find their way through a mess like that. So we gotta do a “Skip parent check” for Opera, IE Maxthon, Firefox, etc as the only sane solution.
Don’t knock Zone Alarm too hard. The orginal version was a lot easier than Comodo and just as effective in practice. Everthing, and I mean everything (including Zone Alarms main app!) was blocked. Only when an app wanted to talk would you click ALLOW. Unless the app needed to talk I always clicked NO. I never had a any probs with that simple solution. What is killing ZA’s reputation is bloat. You need a spare computer to run the latest versions, then that computer has no power left to do more than word processing.
Oh, mine is a clean install of Windows 2003. So I am not worried about intruders yet. I will be when I bypass my router and go on-line direct.
allnew … just in case, and you seem a little worried, if you do have doubts about an intruder then you could try Kasperkys on-line scan. I don’t like Kaspersky installed on my machine 'cause it’s a resource hog, but their detection rate is way better than anything else. Their on-line scan has saved me a couple of times from weird things that AVG didn’t pick up (nor Ewido, nor NOD, nor Norton, nor 3/4 of the AV programs out there). Overall AVG and BoClean do a a good job for me, but Kasperksy is the best and the test is free. Run it overnight, it takes a long time. If you find an infection, just download the 30 day trial to kill it.
Oh, BoClean works great on 2003, even though it is not listed as a supported OS. I tried it with a tame trojsn I can kill easily. It jumped up within microsecomds and disabled, then deleted it.
Ho hum. Lots to learn, so little time!
(i) I still have a lot of reading and work to do on Comodo.
(ii) Comodo is not without it’s problems. I supect it can loose track of what app is doing what under certain circumstances. Thne uninstall definitely. has a problem
(iii) The User interface needs some thought as to how rules are created in learning mode. Those messages will frighten any newbie and confuse others who are more experienced with other products. The most likely solution is an extended standard rules database so that far fewer questions pop-up.
as I understood it - correct me if I’m wrong - all of the possibly confusing alerts popped-up while you were running the firewall leaktest !?
You didn’t reboot inbetween or anything?
If I misunderstood you, some - if not all - of my remarks might be nonsense. In this case I apologise whole-heartedly.
Hey bilou and allnew,
I’ll try to explain my post as good as I can.
Sorry, my bad. I somehow figured he started Barca. Sorry.
Anyways, the leaktest will attempt to trasmit the text allnew entered to the Comodo website. As any ‘good’ baddy would do, CPIL did not ask for permission to connect to the internet itself, but modified the “trusted” parent explorer.exe which then started Barca / Maxthon. Thus the alert seems perfectly okay with me (even more so if allnew didn’t launch Barca / Maxthon). I’m not sure I’m right but this is how I understand it (I haven’t done the test myself).
Then there is a bizar event where you saw Comodo asking a question about cpil.exe, one of it's own components! That makes no sense. I personally have no idea what cpil.exe does or needs to do to function. But it looks like I should find out.CPIL.exe is NOT part of Comodo Firewall. "The CPIL suite contains three separate tests especially developed to test a firewall's protection against parent injection leak attacks." So again the alert seems perfectly okay to me.
Granpa. You are confusing me desperately.;DAsk Rednose. I'm a pain in the arse. I sometimes even manage to confuse myself.
It passed the leak test becasue allnew denied something that was rather confusing, ostensibly allnew could easily have said Allow. Barca wasn't running so that warning was innappropriate, and any firewall knows about browsers, it's not hard to make a list of them, there can't be more than a 20! So that warning should have been taken care of by a predefined rule that the user could change later if they wished. (Up pops a window say that has a pulldown list of "browser, email client, pop server, smtp server, eD2K, BT. And poof! it's done. All the default ports in place)I apologise if I understood allnew or you wrong! However, as I understood it I can only say: Should a firewall really allow any application (even if it's a trusted browser) to connect to the internet if it was started by an assumingly compromised parent? CPIL.exe (our assumed baddy) modified explorer.exe (our assumedly safe parent) in memory and made it start barca/maxthon and was, thus, trying to fool the firewall and the user. However, Comodo would not be fooled and informed allnew exactly about what's going on.
Then you mention a "temporary rule", restart clears that?
…err, if I click Allow but not remember, I assume that the rule is appled ONCE, then dies. It should not stay active and in memory, no way!
Normally this is what happens. However, I have experienced Comodo keeping certain “temporary rules” in memory until it’s memory is cleared (e.g. by rebooting). If this is intention or a bug? I don’t know. I haven’t looked into this as it hasn’t yet been a problem for me. Maybe there’s a reason for this.
Letting Comodo make the rules seems to mean that every time OLE is used we have a new parent and another line in the rules list. For a browser that could be 50 lines of rules. Any of which could be a trojan hiding as an app or controlling an app. Nope, nobody could find their way through a mess like that. So we gotta do a "Skip parent check" for Opera, IE Maxthon, Firefox, etc as the only sane solution.Not necessarily. Comodo is the most configurable firewall in my book. If you want 50 rules for a browser, pray go on and create them. If you want just one - fine by Comodo. Setting the Alert Frequency Level to "low" will let Comodo alert you only once, i.e. Do you allow that application to connect to the internet? Nobody cares about components, parents, if it's an invisible application, ports, In/Out, etc. Comodo will create just ONE rule for each app if you tick "allow or block and remember. If you set the AFL to "very high" Comodo will show alerts for both incoming and outgoing connection requests for both TCP and UDP protocols on specific ports and for specific IP-addresses. Hence, 50 rules. So it's up to the user. Still nothing wrong with CPF as far as I can see.
Don't knock Zone Alarm too hard.I've used the free version for a long time and was never disappointed. A very good firewall. However, Comodo is much more configurable, safer (if set correctly) and displays better alerts ;)
The orginal version was a lot easier than ComodoAgree!
and just as effective in practice.I beg to differ!
It’s very late now, so I’ll go to bed in a minute. Hope I could explain myself a tad better and didn’t forget anything.
If I misunderstood anything - as stated above - I really apologise (especially for having confused bilou).
hope you’ll soon figure out what’s going on with samsspade (and the alerts ;)).
Sorry, It was all my fault.
I was testing some other issue and at one point I had the smart idea to update my lan card driver. I have had all sorts of problems and I was not able to continue this thread.
First and foremost sorry If i have to repeat something already stated in this thread, but I’ll be back later to fill in other questions or to report results about SAM spade.
Cpil is a firewall testing app so it acts as a bad guy. Everything it did was “bad” but harmless. The process injection in Explorer.exe was a proof of concept, but cpf recognized that as a threat. As long as that instance of explorer.exe was running, it was flagged as dangerous. So every child process of explorer.exe got an alert. To put an end to this there are two ways: reboot or kill explorer.exe and run a new instance of it.
I denied access again but this implied that Maxthon could not connect to the Internet at all. In fact, I had to disable CFP to be able to post this reply here. At first, I guessed that my answer to the prompt had changed the settings in CFP regarding Maxthon and that I could allow access to the Internet again by going into the settings section of Comodo and re-allowing Maxthon. It didn't work that way. When I denied access to cpil.exe I obviously did not set the "remember my decision" box, so no settings had been changed in Comodo Firewall Pro regarding Maxthon (or any other application using explorer.exe as a parent). So the only solution I could find to allow Maxthon access to the Internet again was to disable CFP (or set it to allow all traffic, which is more or less the same).This behavior should be based also on your alert level, if your alert level is very high only an ip-port would be blocked, if is low an entire app connection should be blocked. But if you close or kill that app and reload it, that app should be able to connect again. If the app is has an icon in the tray area you need to close that icon too.
Should I accept or not that lsass.exe should run as a server. For the moment I have said no. The ONLY apps or services I need to run as a server are the two P2P apps, and AVG E-mail check.
This would be an easy thing Run Sigverif and let it check your system32 directory for unsigned files. if lsass is not unsigned then allow it. But that file should be in cpf whitelist. If you didn’t disable alerts for apps certified by comodo and you had not runned cpil in that session maybe that file is not in the whitelist or it was updated or infected.
The next cpf version will have a >300000 whitelist. And you’ll have an option to submit a file to comodo as always (this way it’ll be added to th WL).
If you look at your post allnew, on the face of it there is something wrong. Barca was not apparently running when the problem occurred (if I understand you correctly so no, it couldn't have tried to access the internet. Just as Media Player wasn't running so it couldn't have triggered the event that had it's name on it.
Can you export you log and post it? If an alert was triggered there should be an application monitor event in cpf log.
Give me one standard rule set that I can implement that bolts Microsoft's so-called "SAFE" (haha!) system to the floor and ONLY allow ESSENTIAL communications, and I'll be a much happier mam with a lot less Googling and head scratching to do. I would also get more sleep.These network rules could be put on top of the others. [url=https://forums.comodo.com/index.php/topic,5372.msg39720.html#msg39720]modify[/url] your network range accordingly...
BLOCK and LOG TCP or UDP IN FROM IP NOT IN RANGE 192.168.0.0 -192.168.255.255
TO IP RANGE 192.168.0.0 -192.168.255.255 WHERE SOURCE PORT IS [ANY] AND DESTINATION PORT IS IN [135,137,138,139,445]
BLOCK and LOG TCP or UDP OUT FROM IP RANGE 192.168.0.0 -192.168.255.255 TO IP NOT IN RANGE 192.168.0.0 -192.168.255.255 WHERE SOURCE PORT IS IN [135,137,138,139,445] AND DESTINATION PORT IS [ANY]
Feel free to add any other known port which is targeted for exploits like DCOM Support in RPC over HTTP (port 593)
I supect it can loose track of what app is doing what under certain circumstances.Same here (who is able to keep track of an entire process family tree? ;D), it is difficult to prove it because to have an idea of what's going on sometimes are needed more details but this would be an issue for many users and would cause unnecessary overhead (in term of gui space and logging depth). But it would be nice an option to enable these advanced logging features only when you need to nail down these strange behaviours.
Regarding spade.exe I made a rapid check…
My bad I finally found what was going on… The app monitor intercept only TCP and/or UDP traffic by design (looked at the dialog). Makes sense, these are the only protocol that map to the application layer, other protocols are handled by network monitor
Hi! It’s me again, the one who started this now-longish thread …
First of all, I’d like to thank everyone who replied to my initial post and tried to help with ideas/suggestions/etc. And especially to grampa who is extremely kind in trying to help new users like me. Thanks a lot, I mean it. (:HUG)
Well, back to the point. Sorry I didn’t explain myself better in my first posts. Here’s some clarification about my PC and what software was running when.
BOTH Maxthon (browser) and Barca (e-mail client) WERE indeed running when Comodo Firewall Pro popped up those windows I posted before. And I had previously created rules for both of them to allow “normal” access to the Internet. Plus, I knew what cpil.exe was and I was deliberately running a leak test.
So the fact that Comodo popped another prompt regarding Maxthon and Barca should have alerted me that something fishy was going on. My (sort of) complaint was oriented to the way that CFP shows those events, not to the fact that it does show them, which is a good security measure, as grampa and others have pointed out. And everything went back to normal after a reboot (which I was maybe too lazy to do before … :-[)
However, I agree with bilou in that a “temporary” rule should be applied ONCE and then die, not be kept in memory until the next reboot. Maybe this is a bug in Comodo, maybe it’s there by design … :-\
Thank you gibran for finally explaining what was going on with the Samspade utility. If I understood correctly that kind of behavior (pings and traceroutes) are handled by the Network Monitor and not the Application Monitor in Comodo Firewall Pro. But shouldn’t I have been alerted that a program was trying to access the Internet even if it wasn’t using the TCP or UDP protocols? I don’t know a whole lot about networks and protocols so I may be wrong, but that seems logical to me.
Since this thread has turned into a bug-reporting / behavior explanation / feedback sort of thing, let me add another subject to the mix
Ever since I installed Comodo, I began seeing a rather high CPU usage from the process “System” as reported by the Task manager and other reporting utilities. By “high” CPU usage I mean occasional peaks of almost 20% (my processor is a 2,6 GHz Celeron D330). I hadn’t seen those before so I strongly suspect they are caused by my installation of Comodo. Has this been reported before? Is this normal?
That’s all (for now … ). Thanks again to everyone here who try to help.
(BTW, English is not my native language so please excuse any mistakes)
good to hear from you again. I was beginning to think I’d really offended you
Although I’m not 100% sure, I think it’s there by design. CPF only seems to keep a “temporary” rule in memory until the end of a session under certain circumstances, i.e. if something “really severe” has happened - like that assumed “trojan”. If you block e.g. a component of your browser, it will start but WON’T connect to the net. If you close your browser and start it again, the “temporary” rule is gone and you can connect without a reebot. So maybe it’s just for protection’s sake???
Thank you gibran for finally explaining what was going on with the Samspade utility. If I understood correctly that kind of behavior (pings and traceroutes) are handled by the Network Monitor and not the Application Monitor in Comodo Firewall Pro. But shouldn't I have been alerted that a program was trying to access the Internet even if it wasn't using the TCP or UDP protocols? I don't know a whole lot about networks and protocols so I may be wrong, but that seems logical to me.Beats me, too! However, if you want to learn s.th. about how the monitors / rules work, here are some very useful links:
Order of Monitor Rules https://forums.comodo.com/index.php/topic,725.0.html https://forums.comodo.com/index.php/topic,2288.0.html
Understand & Create Network Rules
Explanation of Comodo’s Layered Rules
Summary of Network Rules
Constant Same Alerts / Doesn’t Remember Rules
Block Websites by URL
Since this thread has turned into a bug-reporting / behavior explanation / feedback sort of thing, let me add another subject to the mix :) Ever since I installed Comodo, I began seeing a rather high CPU usage from the process "System" as reported by the Task manager and other reporting utilities. By "high" CPU usage I mean occasional peaks of almost 20% (my processor is a 2,6 GHz Celeron D330). I hadn't seen those before so I strongly suspect they are caused by my installation of Comodo. Has this been reported before? Is this normal?This has been reported a lot. Some even report 100% CPU-time. However, there are others where it occasionally peaks to 2% ;D Hope v3 resolves the problem. For your information, here come the links:
Version 2.4 - cpf.exe and High CPU https://forums.comodo.com/index.php/topic,6819.0.html https://forums.comodo.com/index.php/topic,6933.0.html https://forums.comodo.com/index.php/topic,6943.0.html
Version 2.4 - cmdagent.exe and High CPU
That's all (for now ... :D ). Thanks again to everyone here who try to help.Our pleasure! Cheers, grampa.
However, I agree with bilou in that a "temporary" rule should be applied ONCE and then die, not be kept in memory until the next reboot. Maybe this is a bug in Comodo, maybe it's there by design ...AFIK CPF is designed in this way and ONCE rules are applied only once when the app is running. If you alert frequency level (look in Security Advanced Miscellaneous Setting of CPF) is below very high that means the app will not work until is unloaded and reloaded again. The dialog doesn't really point that out (maybe it would help a [b]? icon[/b] to get a detailed explanation what's going on because users who got CPF out of the box didn't set the alert freq level)
If it is Explorer.exe you need to reboot (maybe logoff works too) or kill explorer.exe and reload it.
Thank you gibran for finally explaining what was going on with the Samspade utility. If I understood correctly that kind of behavior (pings and traceroutes) are handled by the Network Monitor and not the Application Monitor in Comodo Firewall Pro. But shouldn't I have been alerted that a program was trying to access the Internet even if it wasn't using the TCP or UDP protocols? I don't know a whole lot about networks and protocols so I may be wrong, but that seems logical to me.I assumed appmon was working this way, but I was wrong, this is not a serious issue but you can request this feature in the [url=https://forums.comodo.com/index.php/topic,6883.0.html]Comodo Firewall Wishlist v5 Section[/url]...
My (sort of) complaint was oriented to the way that CFP shows those events, not to the fact that it does show them, which is a good security measure, as grampa and others have pointed out.Maybe you should suggest a better dialog design or a better description for that event. Without a better alternative to look at I cannot agree with you. That was the simplest description of what was going on without being too generic. The link I posted in this thread pointed to another thread where a legit app showed this behaviour. The red cross in the bubble simbol was a warning to read the alert carefully.
There is a pdf manual you can read about CPF 2.4
Hopefully the next beta version of will solve some of these problems. If you don’t mind fighting with bugs (I say this just to be on the safe side ) you can give that a look and help to improve V3 usability.
I am doing the same as allnew:
“Hi, its me again”
Sorry if I was not able to give more explanation earlier, but I was fighting another battle which was understanding why I couldn’t get Emule and uTorrent to work with my ISPs router even though I had enabled DMZ, forwarded the ports etc. For anyone who may have the same problem, I was able to establish that it had nothing to do with Comodo, and nothing to do with my OS configuration. The final proof needed some work which was to intall PPOE on the PC (which meant finding and downloading the v0.99 RAS ppoe, and connect my PC directly to the modem, throwing away my ISP’s no-name (or rebranded) Chinese router which is a VOIP phone. THEN both Emule and uTorrent kicked in with Smilies. Back to normal VIP phone mode with no changes to Comodo or my PC and both pieces of software reported the ports weree not available again. Armed with that information I could face my ISP.
Back now to the couple of outstanding points which were redflagged in my mind:
Bolting down Windows. Thank you gibran. I can see what the rules do and that should do the job very well. But I may still just leave explorer.exe on “block all except 192.168.0.0 to 255.255” , and see if any problems that may generate are survivable or work-around-able. Using your rules as a backup.
The “Confusing” messages.
I understand that a bit better now but it still looks wrong and confusing. I am on low alert level but an example this moring came up which was a classic designed to give my grandmother a heart attack:
Main running apps: Emule, Opera, Acrobat.
Sunsidiary and security apps running:
Netstat Live so I can keep an eye on connexion speed
AVG 7.5 Anti-virus
BOClean Anti Spy
Dyndns Gives me a pseudo fixed IP on dynamic IP
I downloaded the Comodo pdf manual with Opera (just I have so much time on my hands I just need to find educational things to read to wile away the time until dinner - I don’t think!).
I then popped up Opera’s download list, right-clicked the file and said “Open” or “Open containing Folder”
Boom! The circus started.
(Apologies if I didn’t trancribe the messages correctly but I was in the middle of handling the messages and I found that I couldn’t “copy/paste” the message in the Comodo dialogue box (I’ll keep that on my wish list) and since my log is set to only 5MB the messages had scrolled out of the log by the time I thought to look there
Alert: Emule is tring to connect to the internet. (WTF?, it’s not “trying”, it is doing what it is supposed to!) 220.127.116.11 … “Any program trying to modify another program using this method may be a sign of Trojan Activity”
Translation (my best guess). Opera used OLE to launch the pdf file, this in turn “modifies” explorer, and since explorer is the parent app in the process tree for all the apps… we are now going to get bum alerts for every app running.
No, not quite, but close:
Alert2 (of 11): Emule has modified the user interface of the parent explorer exe by sending special Window messages (yup, right I guess thats another bit of OLE working)
Alert3 (of 14 and counting by now ) Dyndnds updater is trying to connect to the internet… (yeah, OK but it is supposed to, it checks for an update every hour). Any program trying to connect to the internet…
So "…tick remember, Allow, tick remeber Allow, Tick remember, allow. OOOhhh I hope I can tick and click fast enough to keep up with this!
Now if anyone can tell me that this is “normal” behaviour for a top-rated firewall then I will consign their sig to a deep dark hole I keep for such things. Its labelled “Wallies” and gets a Gutmann wipe every 10 seconds.
Please don’t get me wrong, I have come to the conclusion that the Comodo Firewall IS the best out there. Outpost initially attracted me, but during the trial I came to the conclusion that someone there has lost the ball. Programming apps of this stature needs people who really know their stuff. It is NOT trivial, it can be mind-blowingly complex, a labour of love, or a challenge of a lifetime.
I have seen what happens to bought-out apps like Zone Alarm, Norton, Partition Magic, Nero when the orginal designers have gone or been reassigned. They bloat, they slow, they have unexplainable unfixed problems, they struggle, and often die. The “magic” is gone.
So I hope in some small way I can help. If there is something there at the moment then it would be to say “forget the gimmicks and marketing, forget the advanced “features” bells and whistles, just focus on the underlying magic. Make that work well for people who don’t understand protocols or OLE at all, and you will have the app that everyone wants and needs.”
At the moment I am pointing people in Comodos direction with a warning to be patient and look at the overall quality and depth of the design rather than focussing on annoyances. But quite a lot of feedback is saying “Help, am I infested?” or “Jesus, please, I’ll do my Phd when I finish cleaning the kitchen, but in the mean time can somebody please tell me that World War III hasn’t started so I can just check my E-mail”
I still have no idea why Media Player Classic came into the earlier series of alerts, becaue it defintely was NOT running. Maybe there is a bug in a routine that looks up the app name from the GUID ( I think thats what they call it, the long string with the funny brackets around it)
Anyways, gotta go iron my shirts. High Tech stuff. 'Bye for now!
Remember the days when to make a post of more then 10 lines you copied it, pasted it, and saved the notepad file. Just in case Win98 crashed.
If you didn’t copy/paste and save, then it crashed. If you did copy/paste and save, then it didn’t crash.
So my anti-crash strategy was to copy/ paste and save. It worked. Sometimes I could run Win98 for a whole day with no crashes! 8-(
This is “normal” behaviour for a top-rated firewall ;D
Back on topic…
This is an uncommon behaviour, those apps should not give such alerts… :o
I use opera too 8) but on xp. Maybe it was DDE because the app was already opened.
I found that I couldn't "copy/paste" the message in the Comodo dialogue boxThis is by design :'( , they really put an effort to this, It is not possible to get that text using some winspy-like app too. I hope they'll improve the log...
I still have no idea why Media Player Classic came into the earlier series of alerts, becaue it defintely was NOT running. Maybe there is a bug in a routine that looks up the app name from the GUIDNot sure about this but if mplayerc.exe has a guid maybe it was called by opera (reading a page with some multimedia content in it).
Regarding that ICMP traffic…
IMPROVED! Removed non-TCP/UDP application alerts until version 3.0
I still have no idea why Media Player Classic came into the earlier series of alerts, becaue it defintely was NOT running.. Another part of the ABA stuff (application behavior analysis). According to lead dev team guru Egemen, malware use these types of normal communications behind the scenes to try to access the internet. They can do so in such a way that it occurs long after an application is closed. I have gathered from doing some reading in this area (which was way beyond my proverbial pay grade) that even tho' closed, applications continue to communicate with the system (behind the scenes) for some time; bits & pieces remain active...
If MPC previously had a connection, it may retain a part of that even after closed, and prompt an alert. CFP at present does not distinguish between legit and evil connections of this nature; if it relates to the internet, it creates an alert. Users upon users upon users have complained about this; many considered it to be a bug (and may still, for that matter). It was greatly improved for v2.4, and v3.0 will be even more so, largely due to the size of the safelist. The way it’s set up, if both apps are on the safelist, you won’t see the alert (provided you have the “do not show alerts for applications certified by comodo” box checked in Security/Advance/Miscellaneous). At present, the safelist is a little bitty thing; when v3 comes out, it will be quite sizable, and fully integrated.
Hope that helps explain it some,
Note sure if this was ever addressed:
Then you mention a “temporary rule”, restart clears that?When you respond with either Allow or Deny (but without “remember”), it is for that session only. Not that instance only. It holds the rule active until one of these occurs: The internet application is shut down. The abusing application is shut down (not common). The firewall is closed and reopened. A windows logoff/login occurs. A reboot occurs. This area is not clearly defined, AFAIK. Some users report one thing, some another. I find a reboot is the one guaranteed to work for all times…
Inasfar as leaktests are concerned (such as CPIL) you should always reboot after each and every one.
I’ve scanned through the thread, I didn’t note that the original samspade question was answered. I could’ve overlooked that easily enough, though. Allnew, was that answered, or is it still open?
Latest V2 CPF doesn’t alert about non tcp or udp traffic. Ping fall in this category.
Support for non tcp/udp will re-enabled in v3
doesn’t alert for application traffic,no, but should still blocking if network rules are set to block such traffic (which by default I think it does allow outbound ICMP for such things as pinging). So I guess perhaps my response should be “Doh! Why didn’t I see that when I read your earlier post about that?” Ah, well, life goes on…