Does Comodo overwrite application rules? [Resolved]

Hello,

Last week I created an application control rule saying: “outlook.exe is allowed to skip parent check, applying certain ports and definite destination host”. So far so good, it worked fine.

After a week, I added a second email POP/SMTP account to Outlook, but didn’t change the old rule. When I cause Outlook to talk with both the new and the old server - as expected - I got a popup security alert, saying what’s going on. After I pressed “Allow” checking “Remember my answer for this app”, the formerly created rule was overwritten, using new default parameters “any ip” “allow all” etc. ??? The old parameters were gone.

That bothered me - because it took much time to implement the rule (filling out the forms, wrestling with the IP address input boxes which do not accept cut & paste of a whole ip-string, same confusion with tab-/arrow key when hopping between the ip number block dialog etc.)

When does CPF create new rules (I have a dozen default rules for Firefox), and why does it overwrite formerly created rules whenever I say “remember my answer” in the security alert dialogue? Is this a bug or a feature? My experiences with other PF (Kerio) are different with this behaviour, rules are never overwritten, unless you merge them and delete redundant rules manually.

I use CPF 2.4.18.184 windows prof. XP SP2, logged in as administrator, dialup dsl ic, NOD32AV.

regards
univok

Hello,

I am guessing that Comodo was bothered because of the new account, it most likely was using different ports which caused Comodo to ask, then since it was the same application it overwrote your settings. Maybe you should create 2 rules for outlook and set them both to what you want.

OK, so far so good. Of course I can create different rules before, but it seems clear that checking “remember my answer” improvidently stirs up my application rule pool.

Very odd behaviour.

Here’s the deal, univok, and it’s all based around CFP’s Alert Frequency level (found in Security/Advanced/Miscellaneous). By default the AF is at Low. Although popup alerts will show all details about the application connecting (IP, Port, Protocol, etc), the Low setting only creates rules with detail including Application and Direction. No Protocol (Medium), Port (High) or IP (Very High) will be included with the rule, even though showing on the alert.

If you manually create certain application monitor rules which include any details not supported by the current AF level, and respond Allow w/Remember to an alert for that same application, your more detailed rules will be overwritten by a new rule as associated with the more permissive AF level.

Same goes the other way as well… if you have a cranked-up AF level (say, to High), but have manually created a rule to allow application xyz.exe TCP/UDP In/Out to Any Destination IP, Any Destination Port, on your Allow w/Remember response to an alert, it will overwrite your existing rule to contain the increased detail in accordance with the cranked-up AF level.

Although annoying, CFP is only doing what we’re telling it to do (yes, I’ve banged my head against this issue before). What it boils down to is that we need to match the detail of our rules to the detail of the Alert Frequency level, as we can’t have it both ways…

LM
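
The overwrite behaviour described in the post above can be modelled to see which parts of a hand-made rule an Allow w/Remember answer would change at a given Alert Frequency level. This is an added example, not part of the thread and not Comodo's code; the dict-based rule format, the field names and the sample rules and alerts are assumptions constructed for illustration.

```python
# Model of the behaviour described in the post above; not Comodo's code.
# The field names and dict-based rule format are assumptions for illustration.
ALL_FIELDS = ["application", "direction", "protocol", "port", "ip"]
# Detail recorded per Alert Frequency level, as read from the post.
FIELDS_BY_LEVEL = {
    "Low": ALL_FIELDS[:2],
    "Medium": ALL_FIELDS[:3],
    "High": ALL_FIELDS[:4],
    "Very High": ALL_FIELDS[:5],
}
ANY = "Any"


def rule_from_alert(alert, level):
    """Rule stored by Allow + Remember: fields the level records are
    copied from the alert, every other field becomes Any."""
    kept = FIELDS_BY_LEVEL[level]
    return {f: (alert[f] if f in kept else ANY) for f in ALL_FIELDS}


def overwrite_impact(existing, alert, level):
    """Classify how each field of a hand-made rule would change."""
    new = rule_from_alert(alert, level)
    impact = {"widened": [], "narrowed": [], "changed": []}
    for f in ALL_FIELDS:
        old, cur = existing[f], new[f]
        if old == cur:
            continue
        kind = "widened" if cur == ANY else "narrowed" if old == ANY else "changed"
        impact[kind].append(f)
    return impact


# Constructed sample data (192.0.2.0/24 is a documentation range).
OUTLOOK_RULE = {"application": "outlook.exe", "direction": "Out",
                "protocol": "TCP", "port": "25,110", "ip": "192.0.2.10"}
NEW_ACCOUNT_ALERT = {"application": "outlook.exe", "direction": "Out",
                     "protocol": "TCP", "port": "110", "ip": "192.0.2.20"}
XYZ_RULE = {"application": "xyz.exe", "direction": "In/Out",
            "protocol": "TCP/UDP", "port": ANY, "ip": ANY}
XYZ_ALERT = {"application": "xyz.exe", "direction": "Out",
             "protocol": "TCP", "port": "443", "ip": "192.0.2.30"}

if __name__ == "__main__":
    print("Low :", overwrite_impact(OUTLOOK_RULE, NEW_ACCOUNT_ALERT, "Low"))
    print("High:", overwrite_impact(XYZ_RULE, XYZ_ALERT, "High"))
```

A non-empty `widened` list is the case to watch for: the stored rule has become more permissive than the one that was written by hand.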

Yes - now it works!

Meanwhile I understand that “Alert Frequency Level” - thing. I noticed that the switch is a linchpin inside CPF control behaviour. This might be an answer to some additional problems I got - but didn’t post yet.

regards

univok

Great, I’m glad to hear it. I’ll mark the topic as resolved then, and close it. If you need it reopened, just PM a Moderator (please include a link to this topic) and we’ll be glad to do so.

LM