Doesn't actually block anything

New user, fresh install on Vista x64, 3.0.25.378. No other anti-virus, firewall, etc. applications ever installed on this machine. All the latest Microsoft patches.

My issue is, I want to use this for application control. It’s frightening and disturbing to see how much apps constantly talk/check in with Internet sites.

My steps:
Installed Firewall only
Rebooted
Identified LAN and allowed
Firewall - Firewall behavior - Custom policy, Alert settings - High

Now when I did this, according to what is written, EVERY app should prompt me for Internet access. The issue is, I have 2-3 dozen Internet based apps running with only one or two prompting. Firefox prompted, iTuneshelper.exe prompted. Steam, EveMon, AquaController (pulls website data for my reef tank) vista gadget, you name it, all running without prompting. That being said, all those likely use 80/443 to get out. However, a few apps that DON’T use 80/443 still also work, like Trillian.

Nothing in View Firewall Events other than me blocking iTunes. PLENTY of things listed in Active Connections. Traffic on the main page is blank (I’ve seen a lot of other posts about that, so that’s probably an unrelated bug). Nothing listed under the Network Policy for all the apps working that shouldn’t be working. I even went Firewall, Advanced, Network Policy and whacked items including Microsoft related.

So my concerns are twofold.

  1. Are apps that call something via 80/443 just automatically allowed since Firefox and other browsers are allowed? To me this would kill 99% of the protection of this program. I know some apps “pull” your proxy settings, but don’t know how integrated into the browser individual application web calls are.

  2. I’ve seen mentions of “known good apps” multiple times, but don’t see it anywhere. I would have assumed that putting the settings above would have still prompted me for allow/deny EVEN if it was on the “known good apps” list.

Hello, what mode are you running Firewall in? And did you install it with basic leak protection?

Firewall only. I believe I put the rest of the settings in the above post. If you’re referring to “install mode”, no it’s not enabled.

Comodo → Firewall → Advanced → Firewall behavior settings → What mode is the firewall in?

When you installed Comodo did you get basic leak protection?

Again, just firewall only. I did not select basic leak protection.

Well then you won’t get any alerts for applications that are “Leaking”.

I don’t follow. What is the point of a firewall with application control if it doesn’t control any applications? Furthermore, why did it prompt for a couple apps, but not the other 2-3 dozen that are reaching out?

From all of the documentation and searches here, the firewall piece should work just fine installed by itself. What I’m seeing is standard, nothing fancy/tricky applications, custom settings on the firewall piece saying prompt me for everything (don’t learn anything), and nothing is happening. It’s bypassing it, being allowed, or something isn’t triggering the allow/deny alerts.

You only selected inbound protection. You need to reinstall the firewall and read more carefully.
Sorry, I’m not trying to be rude - just trying to help you.

And where is that listed? I don’t mean to be rude, but you’re contradicting Comodo’s documentation I’m reading. If outbound only is what is meant below, it’s a VERY poor description and should be re-written. Nowhere in the install section do I see anything about inbound only or outbound only. It reads as attempting to identify apps trying to “leak”, “sneak” or whatever term you’d like to use past a firewall and/or typical means of identification. Nowhere does it state “leak” or “sneak” means normal outbound application attempts. That’s not “leaking”, it’s standard connectivity/communications.

And again, why would Comodo then build inbound/outbound firewall rules if it’s an inbound filter only?

Install documentation.

Firewall ('Leak Protection' option NOT checked) - This option is only recommended for experienced firewall users that have alternative Host Intrusion Prevention software installed on their systems. Choosing this option will install ONLY the packet filtering network firewall and will not offer leak protection - essential for blocking malicious software (like worms and trojans) from making outgoing connection attempts. This isn't to say this option is an unwise choice (the network firewall is one of the strongest available - offering highly effective and configurable inbound and outbound protection) but it is important to realise that, on its own, it does not offer the leak protection afforded by Defense+.

And no offense, but please don’t jump on me for asking what seem to be simple questions (although they aren’t) and telling me to “read more carefully”, especially when I had to re-answer multiple items already covered in the first post. It doesn’t seem to be working as advertised and listed in the documentation. I’m trying to do what I can to learn the application. Maybe I’m over-complicating due to being a network/security engineer.

Firewall ('Leak Protection' option NOT checked) - This option is only recommended for experienced firewall users that have alternative Host Intrusion Prevention software installed on their systems. Choosing this option will install ONLY the packet filtering network firewall and will not offer leak protection - essential for blocking malicious software (like worms and trojans) from making outgoing connection attempts. This isn't to say this option is an unwise choice (the network firewall is one of the strongest available - offering highly effective and configurable inbound and outbound protection) but it is important to realise that, on its own, it does not offer the leak protection afforded by Defense+.

What you have just quoted from the help manual is what I am trying to say. If you don’t have “Leak protection” which means “Going out” you only have very basic outbound protection.

That part of the manual should be re-written then. Specify for attempted outbound application control that it’s required.

Uninstall attempt #1, blue screen, reboot (obviously)
Uninstall attempt #2, success, reboot, all network connectivity is gone. Luckily I had the installer still.

Instead of just one or two apps blocking, I have maybe 50%. Steam (Valve gaming client/chat) still goes out without prompting. Trillian (ICQ/AOL/MSN/Jabber/etc all in one) still runs without prompting. All Vista gadgets run without prompting. Mode set to custom and paranoid. A number of apps that reach out via 80/443 for update checks are still getting through.

At this point I’d say it has MAYBE 50% chance of blocking anything at the current highest level (other than block all traffic) that I can find/set. Is there anything else I can do to make it more accurate or increase the chance of it catching the apps?

Well, we will have to agree to disagree on the manual.
As for making the firewall more effective, Defense+ is extremely good.

Hi,
sorry to jump in.

If I am right, Vista gadgets and some of the apps you mentioned run under svchost.

If svchost is allowed outbound access on all ports you won't get any alert.

This is happening with me: the HP ScanJet updater runs as %windir%\system32\svchost -k hpscx80 and since I have allowed svchost out,

I am not presented with any prompt, only an entry in the log file about svchost connections.

Hope it clears things up.

I have also installed the firewall without D+ and basic leak protection; now I will watch carefully after reading your post.

Regards,

Adi
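The point Adi raises above is that a per-executable firewall rule for svchost.exe covers every service that svchost hosts, so allowing it once silences alerts for all of them. The script below is an added example (not from this thread, Comodo, or HP) that lists which Windows services share a svchost.exe process, grouped by the `-k <group>` argument and by process ID, so you can see what a single "allow svchost" rule actually lets out. It assumes Windows PowerShell 3.0 or later for `Get-CimInstance` and `[pscustomobject]`; on older systems `Get-WmiObject Win32_Service` returns the same properties.

```powershell
# Added example: map svchost.exe service groups to the services they host.
# Assumes PowerShell 3.0+ (Get-CimInstance, [pscustomobject]).

function Get-SvchostHostedServices {
    # Win32_Service.PathName holds the service's command line, e.g.
    #   C:\Windows\system32\svchost.exe -k netsvcs
    # ProcessId is the PID the service currently runs in (0 when stopped).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '(?i)\\svchost\.exe' } |
        ForEach-Object {
            # Pull the service-host group name that follows "-k"
            $group = if ($_.PathName -match '(?i)-k\s+"?([^\s"]+)') { $Matches[1] } else { '(no -k group)' }
            [pscustomobject]@{
                Group       = $group
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                StartMode   = $_.StartMode
            }
        }
}

$hosted = Get-SvchostHostedServices

# 1. Per -k group: everything a per-executable svchost rule would admit.
Write-Host "=== Services by svchost -k group ==="
$hosted | Group-Object Group | Sort-Object Name | ForEach-Object {
    $running = @($_.Group | Where-Object { $_.State -eq 'Running' }).Count
    Write-Host ("svchost -k {0}  ({1} services, {2} running)" -f $_.Name, $_.Count, $running)
    $_.Group | Sort-Object Name | Format-Table Name, DisplayName, State, StartMode -AutoSize
}

# 2. Per running process: services that share one PID are indistinguishable to a
#    firewall that matches on the executable path alone.
Write-Host "=== Running svchost processes and the services inside each ==="
$hosted | Where-Object { $_.ProcessId -ne 0 } | Group-Object ProcessId | Sort-Object { [int]$_.Name } | ForEach-Object {
    Write-Host ("PID {0}: {1}" -f $_.Name, (($_.Group | Sort-Object Name | ForEach-Object { $_.Name }) -join ', '))
}
```

Run it from an elevated prompt so every service's PathName is readable. If a group contains both the service you intended to allow and services you did not expect to reach the network, that is the case Adi describes: the firewall saw one svchost.exe allow rule, not a per-service decision.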

aditya_dmj, feel free to jump in. I looked at the custom rules and the firewall logs. Nothing listed about svchost as of yet.

svchost is bundled in with the entry “Windows Updater Applications”