CPF Log files - What information should be captured?

I'm starting a new thread for this as this discussion is unrelated to my original query regarding Loopback Rules. The first part of this discussion can be read in this thread:

https://forums.comodo.com/index.php/topic,6622.0.html

My query is with regard to the information captured by the CPF log files. If one assumes that the four options under ‘Log Events From’:

Application Monitor
Component Monitor
Network Monitor
Application Behaviour Monitor

are all 'ticked', then what information should be captured in the logs?

From the CPF help file:

“The Second Column (Reporter) states which subsystem generated the attack report. (Application Monitor, Network Monitor, Component Monitor or Application Behaviour Monitor)”

Seems to suggest that different categories of events are captured.

From the first part of this query, Panic says:

If you click on a log entry, full details should be shown in the DETAILS section, including app and parent.

and

I've just had a closer look at my logs and have found the same thing as you - only NM and Component Monitor entries. My NM log entries, however do show app and parent details.

When I checked the log entries (several hundred) from my last session, even though I have all the options under ‘Log Events From’ ‘ticked’, every Network Monitor rule set to ‘Log’, ‘Alert Frequency Level’ set to ‘Very High’ and ‘Do not show any alerts for the applications certified by Comodo’ unchecked, I find the only entries in my logs are those under the ‘Network Monitor’ Reporter. I also do not have any information regarding the Application or Parent that generated a log entry.

Soyabeaner also says:

Same here. No application & parent shown on net mon alerts.

The question is, just what information are we supposed to be seeing in the logs? Should the 'Reporters' change as the help file suggests? Also, Panic says he can see Application and Parent names in his logs and yet Soyabeaner and I cannot.

As far as I know, on the versions of CPF I have used, I have never seen this information in the log files and assumed it was not a feature of the firewall at present?

Any help on this would be appreciated.

I just tested by browsing with explorer.exe, for which I created an Application Monitor rule to block all in and out activity, and the log does show explorer.exe. This is expected for Application Monitor, but I don't think I've ever seen this information on Network Monitor log entries since v2.3.6.

Interesting.

Here is a post by danp from another thread:

https://forums.comodo.com/index.php/topic,6684.0.html

In which the poster displays part of his log file:

The log says:

Date/Time :2007-02-21 20:30:59
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:67.32.118.46: :dns(53))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 67.32.118.46::dns(53)

This is clearly a DNS query. Compare that with a DNS Query from my log:

Date/Time :2007-02-25 09:00:12
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 80.243.64.67, Port = dns(53))
Protocol: UDP Outgoing
Source: 80.243.73.187:2858
Destination: 80.243.64.67:dns(53)
Reason: Network Control Rule ID = 3

As I said in my previous post, I do not have any Application Monitor generated entries, just Network Monitor entries.

Clearly, part of my original question has been answered, that is, the ‘Reporters’ change and the Application and Parent are shown, at least they are in danp’s log entry.

The question now is, why do I not see this information in my logs?
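For anyone who wants to compare a few hundred entries rather than two by eye, here is a small parser, added as an example and not part of any post in this thread or of CPF itself. It reads a CPF log export in the "Key: value" layout quoted above, splits it into entries, and reports per Reporter how many entries carry Application and Parent fields. The two entries embedded in it are copied from this thread; the tolerant colon handling (the export puts the colon on either side of the space) and the destination/source port parser are my assumptions about the export format, not documented CPF behaviour.

```python
import re
from typing import Dict, List, Optional, Tuple

# The two entries quoted in this thread (danp's Application Monitor entry and
# the Network Monitor entry above). Copied from the page, not a live capture.
SAMPLE_LOG = r"""
Date/Time :2007-02-21 20:30:59
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (firefox.exe:67.32.118.46: :dns(53))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Destination: 67.32.118.46::dns(53)

Date/Time :2007-02-25 09:00:12
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 80.243.64.67, Port = dns(53))
Protocol: UDP Outgoing
Source: 80.243.73.187:2858
Destination: 80.243.64.67:dns(53)
Reason: Network Control Rule ID = 3
"""

# Assumption: a field is "Key :value" or "Key: value"; the key is letters,
# slashes and spaces, so the first colon after it ends the key even when the
# value itself contains colons (Windows paths, host:port).
FIELD_RE = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*?)\s*$")

# Assumption: endpoints look like "ip::name(port)", "ip:name(port)" or "ip:port".
ENDPOINT_RE = re.compile(r"^(?P<ip>[\d.]+):{1,2}(?P<name>[a-z]+)?\(?(?P<num>\d+)\)?$")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split an export into blank-line separated entries and parse each
    'Key: value' line into a dict. Lines that do not fit are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, str] = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                entry[m.group(1).strip()] = m.group(2)
        if entry:
            entries.append(entry)
    return entries


def parse_endpoint(value: str) -> Optional[Tuple[str, Optional[str], int]]:
    """Return (ip, service name or None, port number) for a Source or
    Destination field, or None if the field does not match the assumed shape."""
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        return None
    return m.group("ip"), m.group("name"), int(m.group("num"))


def summarize(entries: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per Reporter: how many entries there are and how many of them name
    both the Application and its Parent."""
    out: Dict[str, Dict[str, int]] = {}
    for e in entries:
        rep = e.get("Reporter", "<none>")
        stats = out.setdefault(rep, {"entries": 0, "with_app_and_parent": 0})
        stats["entries"] += 1
        if "Application" in e and "Parent" in e:
            stats["with_app_and_parent"] += 1
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for reporter, stats in summarize(parsed).items():
        print(f"{reporter}: {stats['entries']} entries, "
              f"{stats['with_app_and_parent']} with Application+Parent")
    for e in parsed:
        print(e["Reporter"], "->", parse_endpoint(e["Destination"]))
```

Run it against your own export (paste the text in place of SAMPLE_LOG or read it from a file) and the summary will tell you directly whether every Reporter other than Network Monitor is absent, which is the situation described in this thread, or whether entries from the other monitors are present but simply lack the Application and Parent lines.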


http://img478.imageshack.us/img478/8521/logentriesfromym5.th.jpg

I think I can answer another part. It appears that the Application Monitor does not log allowed programs, only blocked ones.

Hello Soyabeaner.

At least you seem to be getting Application Monitor Log entries, whereas I am not. As you can see in my previous post, all the options under ‘Log Entries From’ are ‘ticked’, so something is missing somewhere?

You can conduct a simple test: create an Application Rule to block all access for a program. Then run that program and try to connect it to the internet. See my example screenshot.

[attachment deleted by admin]

I guess that would make sense in some ways, at least it would cut down on the number of log entries. Although 'Network Monitor' seems to show all entry types.

What about ‘Component Monitor’ and ‘Application Behaviour Monitor’, do you see entries for either of those?

To be honest, I don’t like to log anything. I only enabled it to test if everything is functioning as one would expect and to address your question. As such, I don’t clearly recall seeing any for CM (especially when it’s in Learn mode) and ABA (which I have not received any pop-ups on suspicious activity in a long time).

Looking at the ABA options under ‘Advanced’ they are all geared to monitoring problems as opposed to ‘general’ behaviour.

With this in mind and taking into consideration your comments above, it would seem that we will only generate entries for Application Monitor, Application Behaviour Monitor and I assume Component Monitor when there is a problem.

Would it be possible for someone to confirm this please?

Thanks for your help Soyabeaner.

To be more accurate, CM and ABA only log when you deny alerts (good or bad, intentionally or accidentally). I’m not 100% certain, but it looks like it. If that’s the case then I think you’re right about it saving log space. Although I’m sure the power users would rather see everything logged. After all, they are power hungry ;D.

Hi soyabeaner !

New avatar (again) ? What’s with “Deleted Posts” 11388 ? Have most of your previous posts been deleted ? ;D :wink: ;D

New avatar after every major event (like the forum being offline). No, I think there was a problem with linking the previous one. The deleted posts is merely there to scare newbies ;D.

Back on track: it appears that our theory that only blocked alerts are logged is correct, because just look at the default Network Rules. Only the last block-all rule is logged. CFP is designed to not bother the standard user on obvious allowed events (though we know a lot of events aren't obvious).

That certainly seems to be the case Soyabeaner. I have tried various things during the last few hours, but only problems get logged for Application Monitor.

It's a pity there isn't an option to specify the level of detail required during logging, as I believe it could be of great assistance when testing new rules.

Maybe in the next release…

Thanks for your help

Here’s something you can do. Post it on the wishlist. An option to toggle advanced logging.

I have taken your advice, that’s a big list…

We have a big user database ;D

Yes it is, and you won’t be the first to ask for options in the logs :wink: