Something I have noticed with Component Monitor warnings after updating an application is COM/OLE alerts which require me to re-create rules I have already established earlier. Before I start, here are the settings I use for Comodo:
Alert Frequency Level = Very High
Component Monitor = Turn on (this is after running in Learning mode for a day after installing Comodo).
Application Behaviour Analysis options = all enabled.
Do not show any alerts for certified… = disabled
Now an example:
I just updated Avant browser from build 10 to build 11. All necessary rules for Avant were already created before this update. Now, with Component Monitor at “Turn on” I got the expected “Cryptographic Signature has changed” warning, followed very soon after by a “Component change” warning after browsing a short while with Avant. I chose to “accept and remember” in both cases. So far, so good. These are responses by Comodo I would expect. Of course my responses were such because I know the update caused those alerts.
But here is the odd part…
…Soon after, again after a little browsing, I get a “High Severity” alert warning me that “explorer.exe has tried to use avant.exe through OLE Automation” with a local port given. I “accept and remember” again. However, after going into the “Application Rules”, I notice that the rule I already have in place for avant.exe is newly created: [TCP] [Out] [Destination ip = my machine’s ip] [Local Port = 1101] [Parent app = explorer.exe]
The only difference between this rule and the one I already have in place is that my local port is a range from 1025-5000. Everything else is the same.
I feel that Comodo should not be creating a new rule, since I had already accepted the cryptographic signature change and the component change earlier. I essentially have to remove the old rule and go with the new one. It is almost as if Comodo sees avant.exe as a completely new application.
I do believe this would not have happened if I had placed “Component Monitor” back to “Learning Mode” immediately after or before updating Avant and kept it that way until it learned of the component changes in avant.exe.
This behaviour is likely part of what is causing grief for some who perceive Comodo as “not remembering rules”.
I have attached a ss of the alert. I hope this makes sense.