Does component monitor "learn mode" offer protection? [Resolved]

This seems to be a somewhat exhausted topic, so I’m sorry for adding to it, but I’ve searched and haven’t been able to find out if the “learn mode” in the component monitor does anything except compile a list of components.

My question is this: If I never intend to turn the component monitor to “on,” is there any reason to use the “learn mode?” My impression is that the purpose of learn mode is to reduce the number of alerts once most applications have been run and the component monitor is turned on, and that there is no difference in terms of security between “learn mode” and “off.”

Am I correct in my understanding? Because I have CFP installed on a shared computer, most of whose users are basically computer-illiterate, I need the firewall to be as unobtrusive as possible and I will never turn the component monitor to “on.” If learn mode has any direct security benefit, I’ll leave it on, but otherwise I think it’s needlessly using resources.

Thanks for the reply. I had come across all those posts in looking for my answer, and I still wanted to ask because none of them seemed to quite get to the heart of it. They go over in great detail what the component monitor does, but it is never said explicitly whether learn mode itself actually filters anything or whether it just…learns.

From one post: “By disabling the component monitor of CFP each component will be treated as a separate application and you may need to grant permission for them rather than CFP automatically granting it for you based on application rules - and thus, this may dramatically increase the number of popups you receive from CFP.” This hasn’t been my experience. That’s what happens when you turn it fully on, right? When it’s off it seems to just leave you alone.

And one from you, Soya: “In Learn mode, almost every file is Allowed by default without prompting you. That’s the reason why CFP’s default setup is in Learn mode; otherwise you’ll be bombarded with prompts for known files.” When you say “almost every file is Allowed,” does that mean that learn mode offers minimal protection and does still block or alert for some components, or does it actually allow them all?

Once again, sorry to add to a topic that has been covered so exhaustively, and I apologize if my answer really was in there somewhere and I was unable to find it.

Still, I’m unsure: Is there any difference, in terms of the firewall’s actual level of security, between “learn mode” and “off?”

A simple yes or no with the briefest explanation to this question would help me out a lot. Thanks for your help.

I think you’re right.

That’s a superb question. You actually found a weakness in my answer: I’m not totally certain. The other mods know.

Another great question. If Component Monitor allows every file it monitors then why does the CFP interface under the Security Monitor section indicate a Green check mark rather than something else like a yellow exclamation mark?

Just the same, I really appreciate your responses here. I had the same thought about my security monitor status change after disabling the component monitor. Before seeing that, I just assumed that learn mode had been allowing everything, but I didn’t want to risk having merely “good” protection when I could have “excellent.” Anything but that.

Well, hopefully someone else will find this thread and put it to rest. Again, thanks for responding. And sweet avatars.


The following are two extracts from the CFP User Manual

Component monitor ‘Learn Mode’
When you install Comodo Firewall the Component Monitor is set to ‘Learn’ mode by default. Whereas the number of internet accessing applications will usually be relatively small, there is always a huge number of components loaded within these applications. By enabling learn mode the firewall will be forced to learn and build the component profile of the PC. Whenever an allowed application attempts to connect to the internet, Comodo firewall will add all the components it loads to the control rule list. By default, each of these components inherits the application’s ‘Allow’ status. Users have the option to change this status by selecting the appropriate Allow/Block/Ask radio button.

Component Monitor ‘On’
When Turn On is selected, the Component Monitor section of the Summary screen will display. This mode forces the firewall to check for the applications’ components in memory before granting them internet access. If any application tries to make a connection to the outside, the firewall audits all the loaded components and checks each against the list of components already allowed or blocked. If a component is found to be blocked, the entire application is denied internet access and an alert is generated. If the firewall detects unknown components (those not listed in the firewall database) then the alert will contain a “Show Libraries…” button. Click to review the components and decide whether or not to grant them access.

In a nutshell …

Learn Mode should be enabled when the firewall is first installed. The user should then run each of his internet enabled applications, so CFP can ‘learn’ what components go with what application. At this point, each component inherits the ALLOW/BLOCK status of the parent application. You can manually modify the permissions for each component.

Once the major internet applications have been learnt, the Component Monitor can be switched to ON. This forces the firewall to apply the current component rules. If an unknown component tries to start as part of an application and that component is not in the database of components associated with that application, then the alert will display the ‘Show Libraries’ button.

In either Learn Mode or Off, the Component Monitor is not giving the user an opportunity to respond to Allow or Block the components loaded into an internet-connecting application. In this sense they are the same.

In Learn Mode (since CompMon is still active) components are being added to the database; just they’re all set to Allow. With CompMon Off (since it’s no longer active) no components are being added to the database. Thus, if you ever switch it On you’ll get alerts for whatever varies between what it Learned in the beginning and the then-current time.

In either case, it negates the benefit of Application Behavior Analysis monitoring DLL injections. The idea is that you’re installing CFP on a clean system; thus it is safe to “learn” your system, and turn it to “On” as soon as is reasonably possible (such as having run the majority or all of your internet applications).

As to the difference of the security warning for the various monitors… When set to “learn” the Summary Page of the FW (main page) shows CM’s icon as yellow (I think it’s a piece of paper or something); “off” gives a red x (actually, it’s a red circle w/black x).
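
The three modes as described in the manual extracts and replies above, written out as a small model. This is an added example, not part of the thread and not Comodo's code: the class, method and library names are hypothetical, and it assumes Learn mode never denies a connection, which the manual extract does not state either way.

```python
from enum import Enum

class Mode(Enum):
    OFF = "off"
    LEARN = "learn"
    ON = "on"

class ComponentMonitor:
    """Hypothetical model of the behaviour quoted from the manual."""
    def __init__(self, mode=Mode.LEARN):
        self.mode = mode
        self.rules = {}  # component name -> "allow" | "block"

    def connect(self, app_status, components):
        """Return (decision, alert) for an application opening a connection."""
        if app_status != "allow":
            return ("deny", None)
        if self.mode is Mode.OFF:
            return ("allow", None)        # components are not examined or recorded
        if self.mode is Mode.LEARN:
            for c in components:          # record each one, inheriting the app's status
                self.rules.setdefault(c, app_status)
            return ("allow", None)        # assumption: Learn never prompts or denies
        # Mode.ON: audit every loaded component against the rule list
        blocked = [c for c in components if self.rules.get(c) == "block"]
        if blocked:
            return ("deny", "blocked component: " + ", ".join(blocked))
        unknown = [c for c in components if c not in self.rules]
        if unknown:
            return ("ask", "Show Libraries: " + ", ".join(unknown))
        return ("allow", None)

def scenario(initial_mode):
    """Run an allowed app in initial_mode, then switch to ON with one extra library."""
    cm = ComponentMonitor(initial_mode)
    first = cm.connect("allow", ["net.dll", "ui.dll"])  # constructed names
    cm.mode = Mode.ON
    second = cm.connect("allow", ["net.dll", "ui.dll", "injected.dll"])
    return first, second

if __name__ == "__main__":
    for m in (Mode.LEARN, Mode.OFF):
        print(m.value, scenario(m))
```

Starting from Learn, the later alert names only the library that was not seen before; starting from Off, every library is unknown, so there is no baseline to single out the new one.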


That’s all I needed to know. And apparently the answer was in the manual. Who would have thought? Thanks everybody.

I knew the others would know the answer (:CLP). Apparently, most of us hate reading the long manual. It’s like when you’re a kid and always played the video game before reading the instructions. :smiley:

