CPF doesn't remember anymore. [Resolved]

It seems that CPF since a few days doesn’t remember anymore many Application Control Rules I have defined. I have set some of these rules to always allow some apps, including cpfupdat.exe, but CPF keeps raising the alert popup for these app every time they attempt a connection; I click Allow and remember but it doesn’t remember and the next time it will ask again.

For example when I use CPF updater to check for updates, I always get 3 alert popups for cpfupdat.exe (see attached “cpfupdat.jpg”), I always click remember and allow, but if try again even just a few seconds later, I get the same popups again. This happens with many (or all, I’m not sure) other apps.

Another thing I don’t understand is that when I allow and remember, CPF creates a new Application Control Rule for that app even if another rule already existed which was allowing any Destination on any Port with any Protocol for that app. See the attached screenshot of my rules (“Application Control Rules.jpg”), check out the first row (avgas.exe) against the ones immediately below it.

I think these two problems are related and probably the second one is just a normal consequence of the first one.

This started after several weeks of normal (which of course means wonderful) functioning of CPF.

The only thing I can think about is that I kept adding new user defined zones (like doubleclick.net and such) and blocking Opera, Firefox and Thunderbird for these zones. Now these blocked zones are 21, furthermore there are maybe 1,000 Application Control Rules defined, because I have the Alert Frequency Level set to Very High so CPF creates a different rule for every combination of app/protocol/IP/port when a connection is attempted (this is desired, not a problem). However these rules are all Allows; the only Block rules are the ones on the zones I defined. Maybe I overloaded CPF with all these rules ? What could cause this ?

CPF ver. 2.3.6.81
Windows 2000 SP4
ADSL connected through Ethernet

[attachment deleted by admin]

That’s kind of odd that it popped you on cpfupdater. ???

For the others, with the AVG rules, I don’t see anything really out of the ordinary… The only duplication I see is for avginet.exe, and it may be that the “Miscellaneous” info is different between the two, such as one being an invisible application or something; it may also be the result of an update to that .exe (once an app changes, to CPF it’s a new app and needs a new rule; it doesn’t delete the old rule, tho).

The rest (for AVG) look like the result of having the alerts to Very High, since this gets you the more detailed popup with IP address, port, etc.

With the rest of your 1000 rules, I don’t know what to tell you. Some users are reporting with the Betas that CPF is not remembering things; I haven’t had that issue. AFAIK, your version hasn’t had that issue (although I could be wrong).

Hope that helps some,

LM

Thanks for the info Little Mac.[QUOTE]once an app changes, to CPF it’s a new app and needs a new rule; it doesn’t delete the old rule, tho
[/quote]
That was a kind of info I was hoping to get, thanks, it explains many things. Not all though; not only CPF keeps popping 3 alerts for cpfupdat.exe 100% of the times I start the Updater; it does exactly the same for AVG updater (see image) and for other apps. I always click Allow and remember, but then I try again in a few seconds and the alerts come again, forever.

The strange thing is that these problems started just a few days ago, without any apparent obvious reason.

I’ll be glad to get possible other comments, however I’ll also wait for the new version coming within a few days (if I’m not wrong) and see whether this changes. A reinstallation and / or a support ticket are also possible.

[attachment deleted by admin]

Perhaps part of it relates to the application/parent relationship… does your current rule for avginet.exe have avgcc.exe listed as the parent (as shown in your alert)?

Also remember, with your alert frequency set to Very High, it’s going to give you an alert for each IP address, and each Port, that the application tries to use/connect to, and whether the traffic is In or Out (so even if you Allow the update to connect Out, when it starts to download, you’ll get another popup for the Inbound traffic, even tho it’s in response to your request). So even if it’s the same IP address, but a different port is being accessed, it’ll give you another popup.

Keep in mind that if you take two seconds to get to the alert to check Remember and Allow, the application may now be trying a different port; having moved on from the first one since it took you “too long” to respond. When you see in the alert 1 of 4, and then 1 of 5, and then 1 of 6 and so on, each one is probably adding a successive port to the list; it keeps trying to connect, as the applications “think” much faster than we move. It tries a port and then moves on, when it’s not automatically allowed. Medium is the highest level at which Ports are not part of the application alert.

LM

[QUOTE]Perhaps part of it relates to the application/parent relationship… does your current rule for avginet.exe have avgcc.exe listed as the parent (as shown in your alert)?
[/quote]
The only avginet.exe rules are the 3 shown in “Application Control Rules.jpg”: the first 2 don’t have avgcc.exe specified as the parent, they have avgamsvr.exe, so actually they aren’t supposed to apply; but the 3rd rule has avgcc.exe specified as the parent, and it’s kind of an allow-all rule (any IP, any port, any protocol, any direction), so IMO this should make so that the alerts in subject won’t appear.

It could be that the exe has changed since that rule was created, as you suggest, but the problem is that when this alert appears - that is all the time - I always click allow and remember, and no new rules get created as a consequence; the application rules for avginet.exe with avgcc.exe as the parent are always those 3.

So the problem can’t even be that thing of the quickly switching ports before clicking the alert (good info though, thanks). If it was that, then at least I’d have to see new rules created for the ports the alerts were referring to in the very moment when I clicked Allow and remember; is this correct ?

The same thing IMO goes on for cpfupdat.exe (note that the option “Do not show any alerts for the applications certified by Comodo” is not selected).
cpfupdat.exe keeps alerting all the time regardless of my clicks on Allow and remember, and never creates new rules: the only rule I ever see for cpfupdat.exe is the one shown in the screenshot, and it’s an allow-all rule as well as the one for avginet.exe mentioned above.

Now, the existence of these allow-all rules could explain why no new rules get created when I allow-remember (that is, because a rule already exists which covers that combination), but then the same existence of the allow-all rule should also have made so that the alert shouldn’t have appeared at all in the first place; is this correct ?

Currently I’m under the strong impression that the reason why CPF started to not remember anymore is because new rules don’t get automatically created anymore, and I suspect that this is because there are too many rules (99% are Allow rules), or maybe I ■■■■■■■ things up somehow with all those user defined zones blocked or something else.
I really think that from a few days ago on, any allow-remember click of mines just serves to allow but not to remember.

So here is the plan to reduce the number of application rules: most of the rules are for the browsers (Opera and Firefox), so I’ll delete all these Allow rules and I’ll define Opera and Firefox as Trusted Applications. The hope is that this will allow them to connect without the need of explicit Allow rules, while the explicit Deny rules will continue to apply. Does this make sense ?

Another thing I’d like to know about: what’s a “reasonable” number of application rules to have ? Is 1,000 an abnormally high number ? How many do people usually have ?

Interesting: so far the only thing I did is deleting all those allow rules for Opera, without modifying any already existing rules or anything else, and now both cpfupdat.exe and avg updater don’t cause an alert to appear anymore: the corresponding allow-all rules seem to act now.

The amount of existing rules seems to matter then ! :slight_smile:

Simple solution. Why don’t you turn down the alert frequency? I have mine on medium.

Another thing I’d like to know about: what’s a “reasonable” number of application rules to have ? Is 1,000 an abnormally high number ? How many do people usually have ?

Wow, and i thought my 170 was high. Thats crazy.

[QUOTE]Why don’t you turn down the alert frequency?
[/quote]
Yes, the plan I mentioned in my previous post isn’t viable, so I’ll do so. I was loving the possibility to allow or deny the connection to the same app on a per-IP basis through the alerts though.[QUOTE]Wow, and i thought my 170 was high. Thats crazy.
[/quote]
I don’t know if it’s crazy, it’s the simple consequence of having the alerts frequency higher than medium and using the Allow and remember checkbox. However I know that it causes the malfunctioning in subject, so I’ll have to lower the alerts frequency.

[QUOTE]consequence of having the alerts frequency higher than medium and using the Allow and remember checkbox.
[/quote]
I stand corrected, the high number of created rules is the consequence of having the alerts frequency set to Very High and not just higher than medium. It’s only at Very High that a rule gets created for each IP the browser connects to.

Now that I brought the alerts frequency from Very High to High and I cleaned all the preexisting IP-specific Allow rules, I realize that it’s what I should have done since the beginning ;D

For example for Opera.exe now I have one Allow rule on any IP on port 80, and several Block rules on specific IP zones. So Opera doesn’t alert and create an Allow rule for every new IP anymore, nonetheless it doesn’t connect to the blocked zones. Excellent :slight_smile:

Great, so is that working for you now? Everything seems good?

LM

Absolutely yes, thanks for your continued help and (V)!

Great, I’ll mark it resolved and closed, then, for other users’ benefit.

LM