Firewall after Firefox Update 2.0.0.3

OK … I don’t get this… Why do I have to make the settings yet again whenever I do a software update? Does the Firewall check the file version or date created to compare it with firewall rules!!!
I guess I need to thoroughly read the forum topics to understand how this really works!!!

Yes, you will get another popup about a previously allowed application, once that application updates the main executable or any components thereof. This is part of CFP’s security and protection against malware taking over your system.

Here’s what happens (basically): Each application has a signature (if you will) that identifies it, and CFP uses that signature to define the application and its components. When the application updates, that signature changes, so CFP asks you to allow it again. If you allow & Remember, it should overwrite the previous rule without any problems. If only the components update, they will no longer match up to the previous definition provided by the signature, and so CFP asks you to allow them again.

The malware scenario is that IF somehow you get a virus, trojan, etc on your machine, that wants to get back out, it will frequently attempt to make changes to known applications, to ride out on an allowed connection. That isn’t possible with CFP’s monitoring systems; it will detect the change, and alert you. If you know there has been no authorized change, you can deny the connection and get to searching for malware…

Hope that helps,

LM

Hey LM

Thanks a lot… It really did explain a lot of the questions I had. All this time I just allowed it just by looking at the application name :). Guess I shouldn’t be doing that!!!

Thanks again

No problem, Damitha.

There’s some good info here: https://forums.comodo.com/index.php/topic,6167.0.html

Obviously checking the name of the application is important, but be sure to look at the other details, to see if anything doesn’t seem right. If you set the Alert Frequency on Low or Very Low you should see very minimal prompts about applications. This won’t diminish security as long as you have Application Behavior Analysis enabled, but will just keep you from getting extraneous alerts about applications. Thus, you know if there is an alert, you need to look at it.

Make sure the parent application hasn’t changed unexpectedly, that the alert is not about the application being hijacked in some way, and so on. A lot of the ABA alerts can still be Allowed, as long as all applications are known (such as sending special windows messages, OLE automation alerts, global hooks, and so on). Others to watch for are the Parent changing, and the cryptographic signature changing.

Parent may change if another application is launching it. For instance, if you use a desktop shortcut, explorer.exe will be the parent. If you click on a link in your email client, that will become the parent. And so on. If an application you are not using, or do not know, shows up as the parent, you know there may be a problem, and can Deny.

Cryptographic signature changing is what we’ve already talked about; this is what you will see after an update. You could also see it if malware has modified the application code, and is trying to pretend to “be” that app (such as Firefox); in this scenario the parent would likely be the same, nothing out of the ordinary except the signature item. So if you know you haven’t updated…

LM
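The two checks discussed in this thread (the application's signature changing, and its parent changing) can be sketched as follows. This is an added example, not part of any post above and not CFP's own code; it assumes the "signature" is a SHA-256 hash of the executable's bytes, and the `RuleStore` class, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of the file's bytes (assumed stand-in for the app 'signature')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class RuleStore:
    """Hypothetical store of 'Allow & Remember' decisions, keyed by path."""

    def __init__(self):
        self.rules = {}

    def remember(self, path, parent):
        # Overwrites any previous rule for this path with the current digest.
        self.rules[path] = {"digest": file_digest(path), "parents": {parent}}

    def check(self, path, parent):
        """Return the reasons to alert; an empty list means the rule matches."""
        rule = self.rules.get(path)
        if rule is None:
            return ["unknown application"]
        reasons = []
        if file_digest(path) != rule["digest"]:
            reasons.append("signature changed")  # update OR tampering
        if parent not in rule["parents"]:
            reasons.append("parent changed")
        return reasons


def demo():
    """Walk one constructed executable through allow, update and re-allow."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "firefox.exe")
        with open(exe, "wb") as f:
            f.write(b"constructed bytes: old build")
        store = RuleStore()
        store.remember(exe, "explorer.exe")
        out = {"unchanged": store.check(exe, "explorer.exe")}
        with open(exe, "wb") as f:  # simulate the update replacing the file
            f.write(b"constructed bytes: new build")
        out["after_update"] = store.check(exe, "explorer.exe")
        out["odd_parent"] = store.check(exe, "unknown.exe")
        store.remember(exe, "explorer.exe")  # user allows again
        out["re_allowed"] = store.check(exe, "explorer.exe")
        return out
```

The hash alone cannot tell an update from tampering: both return "signature changed", which is why the decision falls back on whether you know an update took place.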