This is an attemtp to get a refreshed appreciation on the content of my 2 previous threads, which i will post here, summarized.
1. Comodo Firewall takes quite some time - up to 10-20 seconds - to apply changes made to the rules, to the running firewall process. This can lead users into thinking their rules are not being applied, or that their machine is not safe. If not a security risk, adding an “Apply Rules” button to the graphical interface could solve this.
2. There may be some bugs or misconceptions implemented in the firewall process itself.
P2P and online gaming applications do not work properly - the default set of rules hinders or does not allow these applications to work properly and therefore the default set of rules needs to be changed by the user:
…2a. Adding a TCP/UDP allow in rule with specified ports with higher priority than the standard “IP block all in” should solve this problem for P2P applications. But from the tests made, at least Emule’s UDP functionality - concerning kadmelia network - was still severely hindered.
…2a. In order for online gaming applications to work, normally a allow tcp/udp rule, with unspecified ports must be added above the standard “IP block all in”. But, for some online games that have parallel anti-hacking processes run with them, the firewall can produce undesired effects - the game freezing, or not running at all. For these to start the firewall has to be entirely or partially disabled. This implies stopping the firewall process or at least the Component Monitor functionality.
The above was also verified with the “allow invisible invisble connection” and “skip advanced security tests” options checked for the tested applications.
3. The effects of adding allow tcp/udp rule, with unspecified ports are suspect and may indicate faulty firewall functionality:
Shields Up online security test, common ports scan results.
~Standard rules with result.~
~Altered rules with results.~
The allow tcp/udp rule, with unspecified ports added to network monitor allows a ping reply? Why?!
All windows services that were detected through the “scan for known applications” task were blocked for this test (alg.exe lsass.exe services.exe svchost.exe system.exe, etc), and the advanced options are set to default except for disabled “automatically approve safe applications” and “secure the host while booting”.
If understood correctly, for In communications the network monitor is the first line of defense. On default rules it blocks everything. But if one adds a rule above the standard IP block all in rule that partially disallows it - like allow tcp/udp in - the traffic is then analysed by the second and third lines of defense- Application Monitor and Component Monitor. Now… i did not allow any process to respond to that ping. What exactly is responding to it?
My guess is that the firewall allows for it to pass inadvertently.
Plus, if i remember correctly ping is part of icmp protocol - ICMP “echo request”, which should be blocked by the default IP block all in rule, so this whole thing gets even more bleak.
An added indication of a hole created by this is the fact that Avast! Anti Virus network shield starts to report attempts to use DCom exploits from different IP addresses soon after adding this rule.
On my previous threads i have pointed out that it could be a virus or a trojan, or other bad software in this system. But i’ve performed 1 offline antivirus test, 2 online security and antivirus tests, spyware s&d scan, hijack this! scan and log; and the fact that recently i’ve formated this machine and had disabled most of the uneeded winxp services, and applied most changes from SafeXP and xpy. So i’m rather doubting that.
Plus, my firewall should report it, no?
Thanks for the attention. Comodo Firewall is still great software. Feel free to refute any of the contents in this text.