Defense+ log doesn't show allow or blocked. Alerts disappear.

When Hitman (a game) wanted to modify a file (CmdLineExt03.dll), I decided to block the action and remember that choice. I won’t go into what the file does since I’m guessing at this point based on Googling for what others say about it; however, it obviously isn’t required as the game runs okay without access to this file.

I checked in Computer Security Policy and found the rule for Hitman. It would sure be nice if Comodo was polite and gave us users the ability to search the rules rather than having to manually eyeball each entry trying to find the relevant one. I waste a lot of time scanning up and down, over and over, through these rules trying to find the relevant entries, if there at all. It is just plain stupid to make users do manual scans to look through hundreds upon hundreds of entries. After finally finding the Hitman entry, I checked its Access Rights for Protected Files/Folders to verify that CmdLineExt03.dll was in its Block list. Yes, it was.

I then went into the logs in the Defense+ section and found several entries like the following:

Application: C:\Games\HitmanContracts\hitmancontracts.exe
Action: Modify file
Target: C:\Windows\system32\CmdLineExt03.dll
Date: (multiple times for whenever I started the game)

Okay, so what does that tell me about whether access to the file was allowed or blocked? >:( >:( ABSOLUTELY NOTHING! >:( >:( What is the point of providing a log for Defense+ events if there is no information about whether the attempted action was allowed or blocked?

Originally this research began because my scheduled backup jobs were not running because of an access denied error (which they would report because CFP had blocked access to something). When I went to the Defense+ log, I found entries for Acronis True Image on the relevant date and times for when the scheduled jobs would have tried to start, where the action was “Create Process”. So the running processes for Acronis (i.e., its scheduler) tried to start a backup job, which CFP killed by denying the ability to start a new process in which to run the job. When I return to the computer, there are no alert windows still open to let me know there was a problem or to let me make a choice of what to do next time. Even if the process that made the request CFP blocked no longer exists, I don’t want the alert window to disappear, because then I have no way to record what I want to happen next time. I may be too busy to answer the alert at the moment. I may not be at the computer to see the alert when it freshly appears. I still need to be able to answer the alert so the same prompt doesn’t happen next time. When I review the Defense+ logs, Comodo chose to make it appear that all the events were allowed. Why? Because none of them are shown as allowed or blocked (with blocked being the more important status).

:-TD So the HIPS portion of CFP is of limited value if I cannot manage it properly. The deficiencies are:

  • Logs are worthless for letting me know what CFP did regarding the requested action. “Action” in the log is not what CFP allowed but rather what the application requested. Whether CFP allowed or blocked that action is totally unknown when viewing the logs.
  • I cannot record what I want done (for future same events) on an alert because they disappear before I get to see them.

If you’re a gamer, read my sticky.

https://forums.comodo.com/help_for_v3/a_note_to_gamers-t20008.0.html

I only used the Hitman game example because I remembered blocking it from modifying a file (which wasn’t required to actually run the game). I have blocked other actions but couldn’t remember them at the time. It was just an example of the D+ logs not providing essential information about whether an action requested was allowed or blocked (and I’m mostly interested in just the blocked actions).

The real issue was why my backups weren’t running. This was because D+ was blocking the creation of a new child process by the TI background processes to run the backup job. When I reviewed the D+ log to see what CFP had blocked TI from doing, there was nothing evident, but that is because the allow/block status is not shown in the log. The user has no clue what D+ did regarding the requested action, so the user cannot tell why an application failed, especially one that was scheduled to run when the user was away (or asleep). And because the alert popups disappear, the user has no clue via that mechanism either that they need to allow certain actions.

To get around the problem, I had to run the backup jobs manually and obviously while I was at the computer to answer the alerts. The point of scheduling backups is so that I don’t have to run them when I want to be using the computer.

Thanks for the link to the other thread but that is not relevant in my case. I wasn’t concerned about forcing a learning mode while using an application, like a game. I was interested in knowing via the logs what CFP had done regarding the requested actions by the game. Did CFP allow or block those actions? Can’t tell from the logs. Games aren’t scheduled to run when the user is away, so the lack of the alert popups when I return means that I don’t know the scheduled event failed and the logs don’t clue in what happened regarding the requested actions.

The Defense+ log only shows what is blocked.

Thanks for the tip. I figured if there were Allow and Block lists that I could see logging for both. I’ve been hunting around trying to find an option to determine which to show in the logs (allow, blocked, or both) but couldn’t find it. Not seeing the allowed events means that I don’t get a sense of the history of operation on my computer. Oh well, blocked is more important. Glad to know what result is being listed in the log. However, the firewall logging seems to work the same way, in that only blocked connections are listed. That means I cannot use the logs to monitor where anyone, including me, using my computer has connected. Now I know why there isn’t a convenient link to the logs on the Summary page or anywhere else and instead the user has to drill down through the firewall or Defense+ events to click More to get at the logs. Guess Comodo figures users won’t be much using the logs to monitor what is happening on their host.

By the way, I eventually found settings that specify how long to keep the alerts visible. Both firewall and Defense+ alerts default to 120 seconds (2 minutes). Firewall alerts can be short (although I upped it to 5 minutes so I can take care of my real work first until I get to an interruption point of my choosing). I upped the Defense+ alerts to stay visible for 10 hours so I can define any rules needed for scheduled events or anything that triggers an alert while I am away from my computer.
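As an added example (not from this thread or from Comodo), here is a small parser for entries in the Application/Action/Target/Date layout shown above. Following the reply that Defense+ logs only blocked actions, it tags every entry as blocked and then picks out the “Create Process” denials that coincide with a scheduled job start, which is the check the backup failure above needed. The Acronis paths, the timestamps and the date format are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the Application/Action/Target/Date layout of the post.
# The Hitman entry mirrors the post; the Acronis paths and all timestamps are made up.
SAMPLE_LOG = """\
Application: C:\\Games\\HitmanContracts\\hitmancontracts.exe
Action: Modify file
Target: C:\\Windows\\system32\\CmdLineExt03.dll
Date: 2008-03-01 21:05:12

Application: C:\\PLACEHOLDER\\Acronis\\scheduler.exe
Action: Create Process
Target: C:\\PLACEHOLDER\\Acronis\\backupjob.exe
Date: 2008-03-02 02:00:03
"""

FIELD_RE = re.compile(r"^(Application|Action|Target|Date):\s*(.*)$")

def parse_defense_log(text):
    """Split the log into entries (blank lines separate them) and tag each as blocked."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif current:
            entries.append(_finish(current))
            current = {}
    if current:
        entries.append(_finish(current))
    return entries

def _finish(fields):
    fields["date"] = datetime.strptime(fields["date"], "%Y-%m-%d %H:%M:%S")
    fields["result"] = "blocked"  # implicit: Defense+ logs only denials
    return fields

def blocked_near_schedule(entries, app_fragment, scheduled_hhmm, window_minutes=5):
    """'Create Process' denials for an application within window_minutes of a daily start time."""
    scheduled = datetime.strptime(scheduled_hhmm, "%H:%M").time()
    hits = []
    for e in entries:
        if app_fragment.lower() not in e["application"].lower() or e["action"] != "Create Process":
            continue
        planned = datetime.combine(e["date"].date(), scheduled)
        if abs(e["date"] - planned) <= timedelta(minutes=window_minutes):
            hits.append(e)
    return hits
```

Running `blocked_near_schedule(parse_defense_log(SAMPLE_LOG), "acronis", "02:00")` returns the one scheduler denial, which is the answer the raw log never states on its own.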