Firewall not doing what I ask

Hi, sorry I have to ask, I’ve spent 2 days searching and reading but still having problems.

I have recently installed Comodo on my Win 7 64-bit system but I’m having problems getting everything to work as it should. (As background I had CFP on my XP system a couple of yrs ago so I understand most of the concepts).
The install automatically disabled the Windows Firewall I had working prior, so good.

Prob#1 - I want to ping my system from my lan (I also have a laptop and network printer all via a router) and be able to ping my lan from my system. I don’t want to allow ping from outside my network. Whatever I do I get blocked. I have added global allow rules above any block condition but it still won’t work. It’s also blocking other traffic from my router despite my allow rules , see this…

2012-01-20 10:20:33 Windows Operating System Blocked In TCP 192.168.0.155 2063 192.168.0.2 5000
2012-01-20 10:23:58 Windows Operating System Blocked In ICMP 192.168.0.155 Type(3) 192.168.0.2 Code(3)

What seems to make this worse is Problem #2…and Problem#3…and Problem # 4…

Prob#2 - I don’t seem to be able to get any Alerts from Comodo despite the fact that I have unticked “Do not show popup alerts”

Prob#3 - When you specify to Move old FW log files it stores them as .SDB files. How am I supposed to read these? (Notepad just goes Not Responding!)

Prob #4 - If something shows as Blocked in the FW log, how am I supposed to know what rule has blocked it? At least if I knew if it were a Global or Appl. rule that would help.

Prob #5 - More of a comment this one - the logs don’t seem to always tally with the Summary screen. Eg on my summary screen it says Defense+ has blocked 2 intrusion attempts. The 2 is a link but when you click it there is nothing in the log that then opens. Is this a bug? Some things seem to get in the Def+ log but then disappear, way before the log would have reached its max size limit.

Hopefully you can help me with these issues please?
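Added example (not part of this thread or of CIS itself): a small Python parser for firewall-event lines in the format quoted above. It decodes the ICMP Type/Code columns (the second quoted line is a "port unreachable" message, not an echo request) and flags blocked inbound rows whose source lies inside the poster's Home zone (192.168.0.1 to 192.168.0.255), i.e. the rows that contradict an "allow my LAN" intent. The third sample line, the outside address 203.0.113.9 and the /24 zone are constructed for the example.

```python
"""Parse CIS firewall-event log lines and flag blocked inbound traffic from the LAN."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The two lines quoted in the post, plus one constructed line from an outside
# address (203.0.113.9 is a documentation address, not a real host) for contrast.
SAMPLE_LOG = """\
2012-01-20 10:20:33 Windows Operating System Blocked In TCP 192.168.0.155 2063 192.168.0.2 5000
2012-01-20 10:23:58 Windows Operating System Blocked In ICMP 192.168.0.155 Type(3) 192.168.0.2 Code(3)
2012-01-20 10:30:01 svchost.exe Blocked In UDP 203.0.113.9 1900 192.168.0.2 1900
"""

# The poster's "Home" zone (192.168.0.1-192.168.0.255) expressed as a /24 (assumption).
HOME_ZONE = ipaddress.ip_network("192.168.0.0/24")

# Field layout as it appears in the quoted lines: date time app action direction
# protocol source src-port destination dst-port. The application name may contain
# spaces, so it is matched non-greedily and anchored by the fixed tokens after it.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<app>.+?) "
    r"(?P<action>\w+) (?P<direction>In|Out) (?P<proto>[A-Z]+) "
    r"(?P<src>\S+) (?P<sport>\S+) (?P<dst>\S+) (?P<dport>\S+)$"
)

# The ICMP type/code pairs that matter when troubleshooting ping (RFC 792 names).
ICMP_NAMES = {
    (0, None): "echo reply",
    (8, None): "echo request",
    (3, 0): "destination unreachable: net unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (11, 0): "time exceeded: TTL expired in transit",
}


@dataclass
class Event:
    timestamp: str
    app: str
    action: str
    direction: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str

    def icmp_description(self) -> Optional[str]:
        """For ICMP rows the port columns hold Type(n) and Code(n); decode them."""
        if self.proto != "ICMP":
            return None
        icmp_type = int(self.sport.strip("Type()"))
        icmp_code = int(self.dport.strip("Code()"))
        return (ICMP_NAMES.get((icmp_type, icmp_code))
                or ICMP_NAMES.get((icmp_type, None))
                or f"type {icmp_type} code {icmp_code}")


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one log line, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Event(f"{g['date']} {g['time']}", g["app"], g["action"], g["direction"],
                 g["proto"], g["src"], g["sport"], g["dst"], g["dport"])


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def blocked_inbound_from_zone(events: List[Event], zone: ipaddress.IPv4Network) -> List[Event]:
    """Blocked inbound events whose source is inside the trusted zone: these are the
    rows that contradict an 'allow my LAN' intent and deserve a rule review."""
    return [e for e in events
            if e.action == "Blocked" and e.direction == "In"
            and ipaddress.ip_address(e.src) in zone]


if __name__ == "__main__":
    for e in blocked_inbound_from_zone(parse_log(SAMPLE_LOG), HOME_ZONE):
        print(e.timestamp, e.app, e.proto, e.src, "->", e.dst, e.icmp_description() or e.dport)
```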

Incoming traffic will first go through Global Rules and then through Application Rules. When CIS does not find an application listening it will block it. The default rules for Windows system applications and others are not allowing for incoming traffic; hence why it will get blocked.

Easiest thing to do is to make your router’s IP a Network Zone and make it a Trusted Zone using the Stealth Ports Wizard option 1 (Define a new trusted network).

What seems to make this worse is Problem #2....and Problem#3....and Problem # 4...

Prob#2 - I don’t seem to be able to get any Alerts from Comodo despite the fact that I have unticked “Do not show popup alerts”

Are you talking about Firewall, D+ or both? What configuration are you using? Internet Security or Proactive Security? What happens when you put the Firewall in Custom Policy Mode and D+ in Paranoid Mode?

Prob#3 - When you specify to Move old FW log files it stores them as .SDB files. How am I supposed to read these? (Notepad just goes Not Responding!)

In Firewall Events (or D+ Events or AV events) push the More button at the bottom. A new screen opens. Now go to File --> Open and import the database.

Prob #4 - If something shows as Blocked in the FW log, how am I supposed to know what rule has blocked it? At least if I knew if it were a Global or Appl. rule that would help.

There is no such facility in the logs.

Prob #5 - More of a comment this one - the logs don't seem to always tally with the Summary screen. Eg on my summary screen it says Defense+ has blocked 2 intrusion attempts. The 2 is a link but when you click it there is nothing in the log that then opens. Is this a bug? Some things seem to get in the Def+ log but then disappear, way before the log would have reached its max size limit.

Hopefully you can help me with these issues please?

I am afraid I have no answer here.

Hi EricJH, thank you for your response and your time.

Incoming traffic will first go through Global Rules and then through Application Rules. When CIS does not find an application listening it will block it. The default rules for Windows system applications and others are not allowing for incoming traffic; hence why it will get blocked.

Yes I think I understand that but if I understand from other posts I read while trying to solve the problem it is not the case for ICMP traffic which does not go through Application Rules. Is that correct?
Secondly I HAVE already added an Application Rule to allow for incoming traffic to Windows System applications, see screenshot1 attached.

Easiest thing to do is to make your router's IP a Network Zone and make it a Trusted Zone using the Stealth Ports Wizard option 1 (Define a new trusted network).

Well I’ve done that too I believe. I created a Network Zone called Home that includes IPv4 range 192.168.0.1 to 192.168.0.255 which includes my router address. I haven’t made a zone just for the router but it should be included in that range. Or are you saying that I should make a separate zone just for the router alone? Also I ran the Stealth Ports Wizard and chose the top option so I did that too. Is there any way I can view the Trusted Zones though to re-check?

Are you talking about Firewall, D+ or both? What configuration are you using? Internet Security or Proactive Security? What happens when you put the Firewall in Custom Policy Mode and D+ in Paranoid Mode?

Both. I still have it in the default config as installed which appears to be Comodo - Firewall Security, however I have changed it to make it more secure (added rules etc). No alerts of any kind. I haven’t tried the other configs you mention but I’ll have a go and let you know. [EDIT - No that makes no difference, still no alerts, it just automatically blocks the application until I manually create a rule, exactly the reason I swapped from Windows FW]

In Firewall Events (or D+ Events or AV events) push the More button at the bottom. A new screen opens. Now go to File --> Open and import the database.

Ahhh thanks, easy when you know how. However that has raised another question because some of the logs it has saved today and yesterday are showing just one, a few or a page or so of events. This seems odd for a file that is 40Mb ish. Possibly (probably) related to Problem#5.

There is no such facility in the logs.

No I thought not. It would have made my life too easy :slight_smile: At least it’s on the Wish list now, thanks.

[attachment deleted by admin]

Yes I think I understand that but if I understand from other posts I read while trying to solve the problem it is not the case for ICMP traffic which does not go through Application Rules. Is that correct?

Responding to inbound ICMP echo requests doesn’t require a specific endpoint to be configured through Application rules. However, for a successful reply to be generated the pseudo process ‘Windows Operating System’, (System on Windows) must not be blocked, either directly, or indirectly, via a more general rule. This is the default configuration for CIS. WOS is not covered by the ‘Windows System Applications’ group.

[attachment deleted by admin]

I already have an Allow rule for “System”, it’s the one just going off the top of the list in my first screenshot (first post). If that doesn’t cover it then how do I add a rule for “Windows Operating System”? It’s not one of the File Groups.
Also I’d point out, as can be seen in my first post, that this isn’t just a case that the response cannot be seen, the traffic is specifically being blocked inbound.

See image

Also I'd point out, as can be seen in my first post, that this isn't just a case that the response cannot be seen, the traffic is specifically being blocked inbound.

Can you post an image of your Global rules and full Application rules, please.

[attachment deleted by admin]

Hi, ah thanks for the image, I never spotted that there. Hopefully that will do the trick. It has created another question though, why did “Create Rules for Safe Applications”, which I have ticked, not create a rule for it when it had created rules for System, svchost and Windows System Applications? Like I say this firewall just doesn’t seem to want to do what I ask it to. Or if it didn’t know it was Safe (which it should for Windows Operating System) then should have prompted me with an Alert.

[EDIT - Tested this and it is now working, success!]

Also I read in some other (perhaps incorrect) topic that “Windows Operating System” was what caught incoming traffic when no rules are matched. So is it safe to give it a rule? I don’t really understand what is included in the term “Windows Operating System” in this context. Is it OK to allow it outbound to anywhere but restrict it inbound to my network zone?

And sorry to keep on about it but the main reason I wanted to swap from Windows Firewall was so that I avoided the hassle of manually configuring like this, preferring the alert-based method I remember from Comodo before.

Anyway referring to my edit line above, you seem to have solved my problems, I can now ping my computer however it seems to be from anywhere, not just my safe zone, so I’m gonna have to revisit and re-check all my rules. I’ll have another look and if I can’t spot anything I’ll post the screenshots here of my rules. Thanks again.

Windows Operating System is not a real process in the sense that explorer.exe is a real process, also, as I mentioned earlier, handling of certain types of ICMP packet, is an internal OS process, so you shouldn’t have to create any rules for this to work, apart from making sure WOS is not blocked via rules you’ve created. Because of the nature of WOS and the type of inbound connection, you won’t receive alerts and rules will not be automatically created.

[EDIT - Tested this and it is now working, success!]

Also I read in some other (perhaps incorrect) topic that “Windows Operating System” was what caught incoming traffic when no rules are matched. So is it safe to give it a rule? I don’t really understand what is included in the term “Windows Operating System” in this context. Is it OK to allow it outbound to anywhere but restrict it inbound to my network zone?

WOS is analogous to the Windows ‘System Idle’ process, with both sharing PID 0. In Windows, when a connection has been closed, there is a period of time between closing the application that was involved in the connection and the actual connection being terminated. If you open a command prompt and type:

netstat -ano

You’ll see connections in a TIME_WAIT state assigned to PID 0

Basically, System Idle handles the ‘loose ends’ when a connection is closing. In CIS, WOS has similar characteristics.

As far as outbound connections are concerned, there really shouldn’t be any reason for WOS asking for these, unless something is incorrectly configured. If you receive alerts for this, you should investigate why.

And sorry to keep on about it but the main reason I wanted to swap from Windows Firewall was so that I avoided the hassle of manually configuring like this, preferring the alert-based method I remember from Comodo before.

If the firewall is configured correctly and you’re running with Custom Policy mode, with create rules for safe applications, even with Alerts set to Low, you should receive at least one alert. If you increase the Alert level, you should receive more. If this is not happening, either you have a rule that allows connectivity without alerting, or there may be a problem with your installation.

Anyway referring to my edit line above, you seem to have solved my problems, I can now ping my computer however it seems to be from anywhere, not just my safe zone, so I'm gonna have to revisit and re-check all my rules. I'll have another look and if I can't spot anything I'll post the screenshots here of my rules. Thanks again.

You’ll need to modify the rule so that it only allows connections from the local zone. However, as I mentioned earlier, if you’ve created the appropriate rules to allow connectivity between nodes on your LAN and your Global rules are configured to block all unsolicited inbound connections, there’s no need to create any rules for WOS.

Thanks for the info, but I’m still not totally sure it’s working like it should or like you explain it should. I’m still getting absolutely no alerts whatsoever, even with Alerts Frequency Level set to Very High. This is making all my Applications a nightmare.

I’ve got one at the moment where I’ve opened all the recommended ports in both directions for it using global rules and defined it as a Trusted Application (which created an Allow rule in the Application Rules list) but it’s still not working. I won’t go into specifics, it’s the principle that matters. [EDIT-scratch that bit it’s working now. I think sometimes I have to reboot to get a rule working and other times I don’t?]
Also regarding WOS I had to add an Allow appl rule like you said before to allow it to connect.

A few other worrying things I have spotted…
No Firewall Events show in the logs for the time that I am logged out of the computer (tho the computer is still on and running). So is Comodo protecting me at this time? If not then this is a big issue.
My network printer is not being found. It is configured with an address in my safe zone and a global rule should let uPnP traffic in from my safe zone. So…?
Also I often get 0.0.0.0 showing as the Source IP for various applications in my FW logs. I don’t understand why? Another topic said it’s when the app doesn’t have an IP address, but why shouldn’t it, these are apps in my safe zone or on my own PC, so I’ve created a rule to allow 0.0.0.0 but is that safe?
Sorry to bombard with so many issues. Aaarghhh! And big thanks for your help so far.

PS I’ve attached a screenshot of my Global rules, maybe you can spot something obvious.

[attachment deleted by admin]

Can you please post complete details of your Application rules, Network zones and Blocked zones, if any. It would also help to see which options you’ve chosen for firewall behaviour settings.

Here are two of them, see attachments. No blocked zones.
Would it be better to PM you the application rules? I presume public knowledge of every app I use could reduce my security. (I’m not paranoid, they are out to get me! Even Comodo were pinging me earlier :-). I know cos I’ve been checking my logs constantly at the moment. Was it you? (no joke, I did a whois))

[attachment deleted by admin]

By all means.

Was it you? (no joke, I did a whois))

Not me, I promise :slight_smile:

Maybe someone else from Comodo interested in my topic then.
Anyway my main concern is to get my FW working right and my rules setup properly.

Oh I just went to PM you but seems I can’t add an attachment to a PM. Is this the case or did I miss the button somewhere?

EDIT - Never mind, to save time I’ll attach them here anyway…but I’ll take them down after you have seen them (think I can do that).

[attachment deleted by admin]

The easiest way for me to see your entire configuration, is to export the active configuration from More/Manage my configurations. Zip the file and attach it here. if you’re worried about security, password the zip file and PM me the password.

One thing, you mentioned earlier you were using Custom Policy mode, but in the screen shot you’ve posted, it’s set to Safe Mode with create rules for safe applications checked. With these two settings you won’t get many alerts…

Also, your Global rules don’t make a great deal of sense, but we can discuss those after I see your Application rules.

OK, will do.

One thing, you mentioned earlier you were using Custom Policy mode, but in the screen shot you've posted, it's set to Safe Mode with create rules for safe applications checked. With these two settings you won't get many alerts...

No, I perhaps didn't make it very clear, see the 3rd post in the topic about 1/2 way down " I still have it in the default config as installed which appears to be Comodo - Firewall Security, however..." ...and then I was trying to say that I tried it also in Custom and Paranoid but it made no difference. I should have added "...so I then changed it back again.". From what I gather Custom gives you alerts for every executable in an application. I don't particularly need that, I just want a standard alert level the first time an application runs, so that I can tell it it's safe and tell it to remember the setting. If it automatically identifies it as safe without an alert then that's fine too...but that isn't happening.

Also, your Global rules don't make a great deal of sense, but we can discuss those after I see your Application rules.

Yes go on, I've probably made some stupid error. However they don't make a lot of sense to me, they are what they are mainly because it wasn't working so I was trying lots of things. I'm aware for example that the rule that covers 192.168.0.1 to 192.168.0.255 is basically duplicating the rule that covers my Network Zone "Home #1" but when it didn't do what I expected using the zone I tried explicitly defining the addresses etc. I'd like to hear what else though.

[EDIT - OK, added the zipped file now. Password by PM to follow.]

[attachment deleted by admin]

As you probably realise, Paranoid mode applies to Defence+ and Custom Policy Mode applies to the firewall. If you want to receive alerts from the firewall, from any application, you’ll need to use Custom Policy mode. If you leave it on Safe mode with create rules for safe applications, unless you run something that’s unrecognised by CIS, you won’t be notified.

From what I gather Custom gives you alerts for every executable in an application. I don't particularly need that, I just want a standard alert level the first time an application runs, so that I can tell it it's safe and tell it to remember the setting. If it automatically identifies it as safe without an alert then that's fine too...but that isn't happening.

You’re thinking about Defence+ in Paranoid mode. With the firewall in Custom Policy mode, you’ll receive one or more alerts, depending on the settings for Alert frequency. If, as you have it, Alert frequency is set to low, then you’ll typically receive one alert the first time the application runs. If you increase the alert frequency, you’ll receive more alerts.

As an example, with alert frequency set to low, the rule created from the single alert will be quite generic:

Application name - firefox.exe
Allow IP out
From MAC Any to MAC Any
Where Protocol is Any

If you increase the alert frequency to Medium, you’ll get one alert and the following rule:

Allow TCP Out
From MAC Any to MAC Any
Where Source Port is Any And Destination Port is Any

With Medium settings, four alerts and the following:

Allow TCP Out
From MAC Any to MAC Any
Where Source Port is Any And Destination Port is 80

Allow TCP Out
From MAC Any to MAC Any
Where Source Port is Any And Destination Port is [Something from the dynamic port range - for loopback]

Allow TCP Out
From MAC Any to MAC Any
Where Source Port is Any And Destination Port is [Something from the dynamic port range - for loopback]

Allow TCP Out
From MAC Any to MAC Any
Where Source Port is Any And Destination Port is [Something from the dynamic port range - for loopback]

Obviously, when you select Very high, there’s more alerts and more detail, including IP addresses.

Yes go on, I've probably made some stupid error. However they don't make a lot of sense to me, they are what they are mainly because it wasn't working so I was trying lots of things. I'm aware for example that the rule that covers 192.168.0.1 to 192.168.0.255 is basically duplicating the rule that covers my Network Zone "Home #1" but when it didn't do what I expected using the zone I tried explicitly defining the addresses etc. I'd like to hear what else though.

A lot of the rules you’ve created, both application and Global, allow both inbound and outbound connections, for the most part, this is unnecessary. The only time you should consider creating rules that allow inbound connections, is when you’re running something that requires ‘server’ type privileges. An example of this, from your configuration, would be emule. In this scenario, unless you let others make connections, you won’t be sharing any of the files you have, so you’ll maintain a low ID. So, taking emule as an example, you’d need Global rules that allow inbound connections to the emule ports, you also need equivalent Application rules for the inbound connections. In addition, the Application rules will allow for outbound access.

Global rule:
Action - Allow
Protocol - TCP or UDP
Direction - In
Source Address - Any
Destination Address - any
Source Port - Any
Destination Port - Your emule ports [if you have different ports for TCP and UDP you need two rules]

Application rules:

Application name - emule.exe
Action - Allow
Protocol - TCP or UDP
Direction - In
Source Address - Any
Destination Address - any
Source Port - Any
Destination Port - Your emule ports [if you have different ports for TCP and UDP you need two rules]

Action - Allow
Protocol - TCP or UDP
Direction - Out
Source Address - Any
Destination Address - any
Source Port - Any
Destination Port - Any

The aforementioned rules are quite simplistic and may be ‘hardened’ or may even be made more generic, it really depends how ‘involved’ you wish to become creating rules.

I’ve attached a modified copy of your configuration file below (same password). I’ve made some changes to both application and Global rules, I’ve also set the firewall to Custom Policy mode. It will need ‘tweaking’ at your end, but it will give you an idea and from this you can ask further questions. To use, just import the config and set to active, just make sure you give the imported file a different name to one of your existing configs. I haven’t touched D+,

[attachment deleted by admin]
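An added worked model, not code from this thread or from Comodo, of the inbound evaluation order described earlier in the thread (Global rules first, then a check that something is listening, then the Application rules of the receiving process) applied to the emule rules just given. First-match-wins ordering, "no matching rule means Block", and the emule port numbers are assumptions made for the example; the outside address 203.0.113.9 is a documentation address.

```python
"""Model of inbound rule evaluation in the order described in the thread:
Global rules first, then the Application rules of the receiving process.
Assumed for this example (not stated in the thread): first match wins,
no match means Block, and the emule port numbers below."""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Rule:
    action: str                 # "Allow" or "Block"
    proto: Optional[str]        # "TCP", "UDP", "ICMP" or ANY
    direction: str              # "In" or "Out"
    dport: Optional[int] = ANY  # destination port or ANY
    src: Optional[str] = ANY    # source address or ANY (a Network Zone in the UI)
    app: Optional[str] = ANY    # process name for Application rules; ANY for Global rules


@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str
    src: str
    dport: int
    app: Optional[str]  # process listening on dport, or None if nothing listens


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in (ANY, pkt.proto)
            and rule.dport in (ANY, pkt.dport)
            and rule.src in (ANY, pkt.src)
            and rule.app in (ANY, pkt.app))


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """Top-to-bottom scan; the first matching rule decides (assumed semantics)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "Block"  # assumption: nothing matched, so the packet is dropped


def evaluate_inbound(global_rules: List[Rule], app_rules: List[Rule], pkt: Packet) -> str:
    """Inbound: Global rules, then 'is anything listening?', then Application rules."""
    if first_match(global_rules, pkt) != "Allow":
        return "Block (Global rule)"
    if pkt.app is None:
        return "Block (no application listening)"
    if first_match(app_rules, pkt) != "Allow":
        return "Block (Application rule)"
    return "Allow"


# Placeholder emule ports for the example; substitute the ports configured in emule.
EMULE_TCP, EMULE_UDP = 4662, 4672

# The Global rules from the post, one per protocol because the ports differ, followed
# by a catch-all block so that other unsolicited inbound connections are dropped.
GLOBAL_RULES = [
    Rule("Allow", "TCP", "In", dport=EMULE_TCP),
    Rule("Allow", "UDP", "In", dport=EMULE_UDP),
    Rule("Block", ANY, "In"),
]

# The Application rules from the post: inbound only to the emule ports, outbound to anywhere.
APP_RULES = [
    Rule("Allow", "TCP", "In", dport=EMULE_TCP, app="emule.exe"),
    Rule("Allow", "UDP", "In", dport=EMULE_UDP, app="emule.exe"),
    Rule("Allow", ANY, "Out", app="emule.exe"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("TCP", "In", "203.0.113.9", EMULE_TCP, "emule.exe"),    # peer connects to emule
        Packet("TCP", "In", "203.0.113.9", 5000, None),                # unsolicited hit on an unused port
        Packet("UDP", "In", "203.0.113.9", EMULE_UDP, None),           # emule not running
        Packet("TCP", "In", "192.168.0.155", EMULE_TCP, "other.exe"),  # different process on the port
    ):
        print(pkt.proto, pkt.dport, "->", evaluate_inbound(GLOBAL_RULES, APP_RULES, pkt))
```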

Nope, I don’t think you’re quite understanding my problem. No alerts, zero, zilch. “One alert the first time the application runs” is exactly what I want so therefore I have the correct setting…but no alerts. Not even the first time an application runs!

As an example, with alert frequency set to low, the rule created from the single alert will be quite generic:

Application name - firefox.exe…
snip…alert frequency to Medium, you’ll get one alert and the following rule:

Allow TCP Out
…snip…
With Medium settings, four alerts and the following:

Allow TCP Out
From MAC Any to MAC Any
…snip…

Obviously, when you select Very high, there’s more alerts and more detail, including IP addresses.

Nope.

A lot of the rules you've created, both application and Global, allow both inbound and outbound connections, for the most part, this is unnecessary. The only time you should consider creating rules that allow inbound connections, is when you're running something that requires 'server' type privileges. An ... ...snip... The aforementioned rules are quite simplistic and may be 'hardened' or may even be made more generic, it really depends how 'involved' you wish to become creating rules.

This is why I need the alerts. I sometimes can’t work out what connection permissions my application would need for its normal functions. I think I was also getting confused by the update functions in many apps, thinking that must be Inbound.
Also some applications I could only get working by Defining them Safe Applications which seems to create an Allow All type of rule for them automatically. I didn’t think I was far off the mark though but I’ll re-check them and have another think.

I've attached a modified copy of your configuration file below (same password). I've made some changes to both application and Global rules, I've also set the firewall to Custom Policy mode. It will need 'tweaking' at your end, but it will give you an idea and from this you can ask further questions. To use, just import the config and set to active, just make sure you give the imported file a different name to one of your existing configs. I haven't touched D+,

Oh great, thanks, I appreciate your efforts and will give it a try later.

I’ve also still got the major queries I raised a few posts ago beginning “A few other worrying things I have spotted…” Can you answer those please too? (Post#9 on page1)

Many thanks.

You have to place the firewall in Custom Policy mode, without that you won’t receive alerts, unless the application you’re running is not recognised by CIS. If, when you place the firewall in Custom policy mode, you still don’t receive any alerts, you should perhaps think about reinstalling.

When I imported your configuration file and changed the mode, I was immediately alerted to several requests from various system processes, as my network is configured differently to yours.

Still no alerts. I put it in Custom Policy mode and tried starting Skype, that I hadn’t started before since I installed Comodo. It just automatically blocks it, NO ALERTS. (Pulling hair out).

When I imported your configuration file and changed the mode, I was immediately alerted to several requests from various system processes, as my network is configured differently to yours.

Yes so your Comodo is doing what it should, mine isn’t. Are you on the same version, mine is 5.9.219863.2196 and I’m on Win7 64-bit. I’ve been thinking all along that this isn’t really a problem with my configuration (OK I may need to tweak a few things) as I had Comodo a couple of years ago and have a basic understanding of it. But like the title says it’s not doing what I ask.

Do you have any other ideas what the problem could be?

Whatever it is, it’s not your configuration alone (image) A couple of things:

  1. Are you running any additional security software?
  2. Is Windows firewall disabled?

You could try using another security configuration, or re-importing the default firewall security configuration file from the Program files/Comodo folder.

[attachment deleted by admin]