Component Monitor Learn Mode is safest

I am still using ‘Learn Mode’ and think this is safest. See extract from firewallleaktester:

If your firewall has component control, set it to its maximum level (although it requires good knowledge (on your part) about Windows to know which DLL is good, which are needed, and which are not.) Always use the highest mode, [u]sometimes called 'learning mode' [/u] or 'block most mode', so that your firewall will ask you about everything which is not covered by your settings criteria (This way, everything that is not specifically allowed by you will generate a query as to whether to allow or prohibit it).

What do forum members think ?


I think it is not the safest in the case of CFP. Learning mode here means that if you allow an application, all of its components will be allowed automatically w/o user interaction. If you want to see popups about components of an application you need to turn ON the component monitor in CFP. The learning mode is useful in the begining, when a lot of new components need to be given permission.
Maybe learning mode in other firewalls mean something similar to cfp’s ON mode. Bit confusing btw…
Just my thought…

I agree with Blas. Component Monitor’s Learn Mode is not “block most mode” in CFP. Prompt for lots of components (DLLs, etc…) in bulk mode… maybe.

Thanks for your inputs. What you say is correct. However, as soon as
some ‘component’ in a previously allowed application changes,
be it as a result of installing a patch for IE, or an update to one or other
application, I am always alerted in learning mode whether to allow/deny
the change that has occurred - eg. cryptograhic signature has changed etc.

For the sake of having to endure less popups, I prefer learning mode
and still feel looked after by CFP (all ABA items are enabled by default).
Some have also complained that CPU usage increases substantially
with Comp. Mon. on. I can’t say that I noticed this during the short time
I had Comp. Mon. turned on.
Anyway it’s interesting to see what others are doing with Comp. Mon.

  :P    ;D

Mine’s totally disabled because there’s no malware on computer :stuck_out_tongue: and because of the random cmdagent.exe cpu hog when browsing websites if ON mode, but will probably enable it in V3 if it’s still around as a module.

See my sig FAQ link:

[b]Component Monitor[/b],5396.0.html,793.0.html,4057.0.html,6241.0.html,7526.0.html

My understanding is that in “Learn Mode” an allow rule is automatically created, without user intervention, for any component for which a rule doesn’t already exist. In the “On Mode” the user would have to decide what to do about components with no rules.

Once a component has a rule defined for it, it doesn’t matter anymore whether you are in “Learn Mode” or “On Mode” as far as that component is concerned.

In other words, “Learn Mode” allows any new components but alerts you about changes to previously defined components, while “On Mode” alerts you about both new components and changes to previously defined components.