Custom mode - showing no alerts when apps are launched

As usual, I must start by saying that I’m not that computer-literate - so would appreciate a minimum of technical terms. Sorry about that.

I’ve been using Comodo Firewall for a while. Despite being a seriously complicated piece of software to use, I’ve gradually learned more about it, and come to trust it.

My preferred Firewall settings at the moment: Proactive Security, with the firewall set to Custom and alerts to High. I’d like to keep these for some time, until I’m confident that a couple of old infections have really gone.

I’ve increased the time for alerts to remain visible from two to four minutes, which usually gives me a chance to look up anything I don’t recognise which is trying to sneak out. For the time being, I’m happy to put up with constantly “allowing” apps (or blocking those which aren’t recognised by me, or needed at the moment).

Defence Plus is set to “Safe” for the same reason.

Until today, even launching Firefox has involved a couple of alerts and the need to click “allow.”

Since today’s updates, nothing seems to be happening - not one alert. The Firewall and Defence Plus event logs show that the firewall has blocked a few unidentified Windows apps; Defence Plus shows no activity other than a change to its setting - back to “safe.”

Incidentally, the firewall and defence plus settings returned from Custom and Safe, respectively, to Safe and (I think - didn’t write it down) Clean during the update. Worrying.

I’ve done nothing more complicated with the Firewall or Defence Plus settings than what I’ve outlined here.

  • why does no action seem to be taking place?

I realise this may be an update-related bug, so will shut down Windows as soon as I’ve sent this and fire up a Linux partition. I’ll check back over the next day or so, in the hope that the problem - if there is one - has been solved. (I was just starting to like this firewall - it’d be nice to be able to keep it!) (Unfortunately, I’ve just realised that I need to do some work with this system tomorrow - so I’ll monitor these boards this evening from the Linux partition in hope of a solution.)

Thanks for reading - hope this makes sense!

PS Confirm there is no way of resetting the firewall to its default settings in the event of an error? I’ve already reinstalled as the only way I could unblock something which I’d blocked in error!

What version of CIS are you using? The latest version is 3.10.102194.530. There was a problem with .529 which would delete all rules.

I am not sure what may have caused CIS to go back to different settings. I assume you are the only one using this computer? Or are there other people who have access?

To reset the firewall you can use Manage My Configuration under Miscellaneous. Choose to import a configuration. Now navigate to the Comodo installation folder and look up COMODO - Proactive Security.cfg and import it. You need to give it a name. Name it COMODO - My New Proactive Security or something similar. After importing, activate it and you are back to default.

Thanks for the response, EricJH.

It’s version .530 - and yes, I’m the only one using the computer. It’s a second hand machine, but had recently been restored to factory settings. Until I’m reasonably sure nothing nasty’s leapt aboard, I’d like to know whenever anything tries to connect to the internet - even if that includes legit applications. I may be wrong, but my impression was that setting the firewall to “custom” and Defence Plus to “safe” would alert me to everything.

I need to work on those configurations - I suspect (hope!) it’s less complicated than it looks!

Ah - found it. I’ll give it a try. Is it possible that an expanded “white list” may have affected things? I’m still determined to learn to like Comodo - but goodness, it’s a handful for the non-expert. Thanks again for your advice!

On a side note: what do you mean by “restored to factory settings”?

CIS stores its rules in the registry. So when you put back a backup of your registry or did a System Restore with Windows you may have changed how CIS is set.

One thing is not totally clear in your story. You had noticed CIS’ settings have changed. Did you change CIS back to your old settings? What are your current settings?

Can you run Diagnostics and see what it says? Diagnostics can be found under Miscellaneous.

I explained that all rather badly.

The computer is a second hand one, recently bought off eBay. The previous owner used the machine’s “product recovery disc” to reinstall the operating system, along with the various drivers and other minor pieces of software included by the manufacturer. So - I suppose strictly a reinstall rather than a reversion to factory settings.

Having removed the Norton 2006 included in the reinstallation media, I downloaded CIS. The AV part was not installed, as I am more comfortable with Avira at the moment. (I have installed the full CIS suite on an even older and less powerful laptop, and will try it on that for a while.)

The only settings I applied to the Firewall and to Defence Plus were Custom and Safe, respectively; alert settings were increased (sorry - I’m using the Linux desktop and can’t remember the exact setting labels applied on the laptop); the time for alerts to remain on the screen was increased from 120 to 240 seconds.

A day or two later, the latest update arrived. The settings outlined above returned to the original defaults. This was easy enough to change back to what I described in the previous paragraph. I’m still concerned that no internet traffic seems to be blocked. Before the update, I even had to “allow” Firefox. Again, I’ll have to wait until I’m back on that computer tomorrow to check the events logs.

I’ve run Diagnostic on several occasions - every time, it says that everything is fine.

The reason I removed Norton is that, to be honest, I was finding it annoying and very resource-greedy. It did occur to me that some remnant of Norton might be causing trouble, as it has a reputation for being difficult to uninstall. However, I DID run the Norton uninstall tool twice in safe mode and twice in normal mode, and used the Windows search function to check for left-over Norton/Symantec files - it found nothing more than the removal tool and an old log. (I did remember to search hidden files and folders - despite being a fairly inexperienced computer user, I’ve had a problem with a Norton security suite before - just unlucky with Norton, it seems.)

I’ll re-check settings on the laptop tomorrow (later today, actually), and post back should I find anything useful or potentially interesting.

Again, thanks for your response. Even when I’m confused, I’m finding this interesting!

Did you update CIS from 3.9 to 3.10? You then lost your settings when you updated to the first incarnation of 3.10 (.329). Did you then update from .529 to .530?

Notice that at this very moment there is another CIS update to be had (.531).

Hi again, EricJH.

“Yes” to all three questions.

I’ve updated to .531. My settings were retained this time.

However, the firewall (or should that be Defence Plus? not sure, now!) still seems to be alerting me to very little other than odd Toshiba processes trying to gain access to the internet. And why they need internet access, goodness only knows.

I’d like to keep this really simple. Despite the fact that the computer had its operating system restored just prior to my taking it over, I’d like to keep a close eye on what various programmes are doing for the first few weeks - just in case of infections. I certainly can’t guarantee that it is a “clean” machine.

Comodo’s very good about spotting anything trying to modify registry keys etc and producing an alert, offering the choice to allow or to block the process. I’m NOT convinced that it’s spotting everything trying to connect to the internet. As explained, I’d like, initially, to know every time anything does this - in or out-bound.

And Defence Plus now seems to do a lot of “learning” - which it didn’t, initially.

The logs show a lot of un-named Windows processes having been blocked - no idea which ones, but it doesn’t seem to have affected the running of the computer. I have Windows updates set to notify me of any new updates, and this seems to happen fine - as does downloading and installing the updates. I am concerned by the fact that Windows updater is obviously connecting to the internet without Comodo telling me about it.

The same applies to Firefox - initially, I had to click “allow” three times (I think) every time I launched Firefox.

In due course, once I’m reasonably happy that the machine IS clear, then it will be more convenient to allow Firefox, Windows updater and the like to connect to the internet without asking my permission first. In the meantime, however, I want to be able to allow or block EVERY connection - once I’m used to the “regulars” and have had a chance to look up the rest, then I can start actually modifying their individual custom policies to allow them unimpeded access to the internet.

Have I misunderstood the settings? I thought that by setting the Firewall to “Custom,” and Defence Plus to “Safe,” I would be notified of ANY attempts to gain access to the internet, and required to click “allow,” “block,” “treat as installer” etc.

Is there perhaps a “whitelist” somewhere in Comodo which can be temporarily disabled? This could be what’s suppressing alerts, I suppose.

Any suggestions gratefully received - and I’d really appreciate it if they took my ignorance into consideration! One of the problems facing the newcomer to Comodo is that it has its own jargon and terms - lots of them - which can make it a little daunting.

I’ll continue checking the forum from time to time - please forgive any delays in responding to suggestions!

Place the Firewall in “Custom” and have the “Alert settings” set to at least High; this way you should receive an alert for anything which doesn’t have a rule for it in Firewall/Advanced/Network Security Policy/Application Rules.

There is one small caveat to this (isn’t there always) in that by default there is a rule made named “Windows Updater Applications” in Application Rules:
Allow TCP or UDP Out from IP Any to IP Any Where source port is Any and destination port is Any

Now if you look in Defence+/Advanced/Computer Security Policy->Find the entry for Windows Updater Applications you will see the applications the entry covers (svchost.exe being one of them).

You can change the above rule to “Ask” and you should get a pop-up when one of said items connects out. Just remember to not have “Remember my Answer” ticked otherwise a rule will be created.
This can create problems as svchost is used for DHCP, or getting an IP address so it is best advised to leave the rule as it is.

What you can do is create rules from pop-ups for Firefox, for example, by selecting “Web Browser” and having “Remember my Answer” ticked (picture below).

“Windows Operating System” is the default entry given in the logging to anything that is blocked that is not covered by another block rule, if you are behind a router you may see quite a few of these.

Matt

[attachment deleted by admin]

Thanks for that, Matt. I’ll do a bit more experimenting and see what happens.

I’m away from the computer concerned at the moment - if memory serves correctly, there is more than one svchost.exe present in task manager. It’s tempting to just leave it - but trying these things out does seem to improve my very limited understanding of what is going on.

Part of the hassle is that I tend to mix up firewall and defence + functions, but I’m starting to get the picture.

I know I’ve ended up reinstalling the firewall in the past after inadvertently blocking (and telling it to “remember”) something vital - I suppose a quicker answer in the event of this particular blunder is to examine everything under Computer Security Policy and look for something that’s blocked, then change it back to “ask.”

Your point about the router is well taken - it hadn’t occurred to me that this might influence Comodo’s actions and records.

Although I still find Comodo firewall horribly complicated to use (probably just me, as it’s certainly popular) it’s obviously worth persevering - there seems to be quite a bit of scope for “fine tuning” settings, and I assume it’s a piece of software that rewards perseverance.

I really do appreciate all the assistance you folk offer, and the time you spend analysing my problems, then explaining what’s happened and posting suggestions.