Firewall not doing what I ask

Hmmm, interesting.

1 AVG Antivirus
2 It’s off, see screenshot. However it was on when I installed Comodo as I believed, correctly, that Comodo would automatically disable it during installation, which it did appear to.

Is there an installation log I can check for Comodo that might give a clue? (I got no errors or messages at the time however!)

[attachment deleted by admin]

Does AVG have any kind of firewall/application control? There is a log, but it depends whether you’ve deleted temporary files since installation. Usually the install log can be found in:

C:\Users\(User Name)\AppData\Local\Temp

Have you run More/Diagnostics?

I only have the anti-virus, they do a Firewall as well I think but I don’t have it. Not sure what you mean by application control here? I have the Resident Shield active. With this obviously the antivirus checks everything to make sure it’s safe and would stop it if it wasn’t. I really don’t know much more than that as to how it works.
To pre-empt your next question I’ve already added the Comodo folder to the Exception list in AVG.

There is a log, but it depends whether you've deleted temporary files since installation. Usually the install log can be found in:

C:\Users\(User Name)\AppData\Local\Temp

Yes I still have it I think. Is it “cmdinstall.exe_12-01-10 22.33.51.log” or “Comodo Firewall_12-10-10 22.37.31.log”? Perhaps I’ll check both. Thanks for the info.

Have you run More/Diagnostics?
Yes no problems found.

Right now, I’d be inclined to try a different security configuration, maybe there’s some registry corruption on your PC which is affecting the configuration file you’re currently using. Other than that, you could try disabling AVG temporarily.

Edit: Just a thought, did you have any other firewall/security product installed before CIS?

OK will try when I get a few minutes.

Only what I already said - Windows Firewall and AVG Antivirus. There are others I have installed that I run on a scheduled or occasional basis, e.g. Malwarebytes, but without any resident/active/realtime protection element set.

EDIT - just to add, I am happy and capable of checking or editing my registry if you want me to check anything.

EDIT2 - OK I think we’re getting somewhere. From your earlier post…“You could try using another security configuration, or re-importing the default firewall security configuration file from the Program files/Comodo folder.”…
I think you have narrowed the problem down now. I tried Comodo - Internet Security configuration and it seemed to give me alerts for my new apps. I went back to Comodo - Firewall Security and zero alerts for the same apps, either with or without “Create rules for Safe Applications” ticked. It just automatically blocks. So the problem is either with Comodo’s default config or my Firewall Security configuration has been corrupted somehow. So do you recommend I re-import the misbehaving configuration from the Comodo folder? Only thing is, I don’t understand, because if my Configuration was corrupted then how come it played nicely for you?

Comodo stores all its configuration data in the registry at:

HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO
HKEY_CURRENT_USER\Software\ComodoGroup

When you import a configuration file, it’s being imported into an existing framework. It’s possible there’s some problem, on your system, related to that specific configuration but not actually part of the configuration, but that’s only a guess. Maybe it’s worth completely removing CIS, making sure all the registry entries have been removed, then starting with a clean slate.

With regard to the functionality of the configuration files, as far as the firewall settings are concerned, they’re very similar; only Internet Security differs, with slightly different global rules. Changing the settings for alerts works in the same way.

OK I took the plunge and decided to re-install. I uninstalled first as the Repair option was strangely greyed out and unavailable, then checked the registry entries had gone, then re-installed.
Touch wood, so far all seems well. Except I’m back to square one in configuring my rules.
I’ll let you know if the problem is now cured.

EDIT - No it’s bad news I’m afraid. Exactly the same problem after the re-install. First it automatically recognised my network and created a safe zone for it. I got a couple of alerts at first, then I looked at my rules. All I added was the block rule at the bottom of my global list. Straight after that my log started filling up with “Blocked” entries instead of asking me with an alert. ■■■■!!!

Unless you have any other ideas I’m afraid Comodo will have to go. At the moment it’s no use to me. In fact it’s a pain in the ****.

How did you set your Alert settings for the firewall? Another thing to do is to remove the “All Applications” rule in the Application Rules of the Firewall.

What is the intention with the basic rule in Global Rules? What target are you trying to meet? If you want to be asked you need to change the block rule to always Ask and Log.

I’ve tried all the settings. When I tried it didn’t seem to make any difference. I currently have it set to Low.

Another thing to do is to remove the "All Applications" rule in the Application Rules of the Firewall.
Well my thought process behind this was... If a rogue application was trying to phone home I want to block it (and log it). If the program is not genuine (hence caught on its way down the Application rules) then it will be blocked at the end. However I see how "Ask" would be better if I want alerts. But I don't particularly want alerts for Safe applications. It should be recognising them as Safe. Anyway I've changed the All Applications rule to Ask. In fact I actually, since re-installing, imported the revised configuration that Radaghast left for me earlier (though I've had to tweak it again and put a few things back in that weren't working else). This may be why I get the occasional alert now. Yes I am getting the odd one or two. But also a lot of things are still automatically blocked.
What is the intention with the basic rule in Global Rules? What target are you trying to meet? If you want to be asked you need to change the block rule to always Ask and Log.
Are you referring to the Block All rule at the bottom of the Global rules list? If so the idea is to prevent any incoming connections from hackers. I should maybe consider changing this to an Ask rule also, yes. I'll try it and see if it helps and get back to you. EDIT - no, can't do it, in Global rules I only get the choice of Allow or Block!
EDIT - No it's bad news I'm afraid. Exactly the same problem after the re-install. First it automatically recognised my network and created a safe zone for it. I got a couple of alerts at first, then I looked at my rules. All I added was the block rule at the bottom of my global list. Straight after that my log started filling up with "Blocked" entries instead of asking me with an alert. ■■■■!!

In the configuration file you sent me, you’d added a block rule to the end of application rules and to the end of global rules, both blocked inbound and outbound connections, is this what you’ve added again?

I’ve made the one at the end of the Application rules an “Ask” rule now, probably why it’s much better and alerting me sometimes. The global rules only let you choose Allow or Block so it has to stay as Block. As I understand it the system works from top rules to bottom rules so it should only block anything I haven’t allowed higher up. But if I have “Create rules for Safe Applications” ticked and allow it to use cloud-based lookup behaviour (which I allowed during install but can’t find the setting now) and also above the block rules there are allow rules in and out from my network so no reason why this shouldn’t work.
Yet still I get things Blocked. Check this out…

2012-01-24 01:53:09   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 01:53:21   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 01:53:45   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 01:54:33   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 08:25:38   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:25:41   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:25:47   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:25:59   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:26:23   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:27:11   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   

So are you saying that Comodo doesn’t recognise “Windows Operating System” as a Safe application, even with cloud-based lookup? Or that Comodo doesn’t recognise that 192.168.0.155 is in my Safe Zone ie between 192.0.0.1 and 192.168.0.255? Only in those cases should it get to the Global Block at the bottom. (This was why I had the Upnp rule in my first try, before you took it out in your revised ones but I’m rapidly getting back there to the same point I had before.) EDIT Just remembered we talked about WOS before didn’t we (Comodo doesn’t recognise it as an application) so if I add that rule back in we should be getting close to a working solution.

However more alarmingly, why no events logged while I was logged off? See the time gap? Maybe coincidence but like I raised before, I am still being protected while not logged on aren’t I?

Also for background check this topic…

https://forums.comodo.com/firewall-help-cis/comodo-alert-reduction-t79337.0.html;msg578630#msg578630

…I agree with clockwork.

EDIT2 - PS It’s still doing stupid thing with the logs, the logging system seems to be completely ridiculous.

Check out the two screenshots attached. Over a Gigabyte of data for two days worth of logs. One of the logs I opened up and as you can see it has 19 lines entries in it. WTF!!! They’re all like that, some even less!!!

EDIT3 - PPS I just remotely logged in to my PC from my network. It worked fine…but according to my rule (the global one you set for me Radaghast), it should have logged the event in the FW event log…but no, nothing there. Like I say this Comodo seems to have a mind of its own.

[attachment deleted by admin]

If you’re running the firewall in Custom Policy mode, having an ‘Ask’ rule is redundant.

The global rules only let you choose Allow or Block so it has to stay as Block. As I understand it the system works from top rules to bottom rules so it should only block anything I haven't allowed higher up. But if I have "Create rules for Safe Applications" ticked and allow it to use cloud-based lookup behaviour (which I allowed during install but can't find the setting now) and also above the block rules there are allow rules in and out from my network so no reason why this shouldn't work.

If - as in your earlier configuration - you’ve created a Global rule that blocks both inbound and outbound connections, only those connections with a specific outbound global rule will be allowed to connect, unless you’ve created a more generic global rule that simply allows all outbound traffic. Likewise, unless the inbound connection is specifically allowed, via Global and Application rules, or is a response to a prior outbound request, it will be blocked.

Yet still I get things Blocked. Check this out.....
2012-01-24 01:53:09   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 01:53:21   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 01:53:45   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 01:54:33   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000   
2012-01-24 08:25:38   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:25:41   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:25:47   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:25:59   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:26:23   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   
2012-01-24 08:27:11   Windows Operating System   Blocked   In   TCP   192.168.0.155   2051   192.168.0.2   5000   

These are inbound UPnP connections, which unless you create a specific rule for svchost, will be discarded by WOS, as there’s no end point for the connection.

So are you saying that Comodo doesn't recognise "Windows Operating System" as a Safe application, even with cloud-based lookup?

As I mentioned earlier, WOS is not a real process, there isn’t a WOS.exe anywhere; it’s simply a pseudo process used to, amongst other things, ‘clean up’ connections for which no Application rules exist, or when the process has been terminated.

Or that Comodo doesn't recognise that 192.168.0.155 is in my Safe Zone ie between 192.0.0.1 and 192.168.0.255?

192.0.0.1 and 192.168.0.1 will be completely different subnets if your mask is 255.255.255.0. For your zone range use either:

192.168.0.1 to 192.168.0.255
or
192.168.0.1/255.255.255.0

As mentioned above, when something tries to connect, there must be a Global rule that allows the protocol and port and there must be an Application rule listening for the inbound connection. If either of these are missing the connection will fail.

Only in those cases should it get to the Global Block at the bottom. (This was why I had the Upnp rule in my first try, before you took it out in your revised ones but I'm rapidly getting back there to the same point I had before.) EDIT Just remembered we talked about WOS before didn't we (Comodo doesn't recognise it as an application) so if I add that rule back in we should be getting close to a working solution.

The Global rule is not the issue, at least in this case. If you want to receive inbound UPnP connections, I assume from your router, you need to create inbound rules for svchost, in addition to allowing the connections through Global rules. If you have something like media streaming on your network, or you’re using Windows 7 Homegroups, the easiest way to make sure svchost is covered is to add the In and Out to/from LAN:

Application Name - Svchost.exe
Allow IP Out
Source Address - Any
Destination Address - LAN
IP Details - Any

Allow IP In
Source Address - LAN
Destination Address - Any
IP Details - Any

However more alarmingly, why no events logged while I was logged off? See the time gap? Maybe coincidence but like I raised before, I am still being protected while not logged on aren't I?

Was anything happening when you were logged off, what about the WOS events?

Also for background check this topic...

https://forums.comodo.com/firewall-help-cis/comodo-alert-reduction-t79337.0.html;msg578630#msg578630

…I agree with clockwork.

Unless you’ve placed a check in the box ‘Do not show popup alerts’ it’s not really relevant to this discussion. However, the firewall will work pretty much any way you want it to. If you want alerts, you can have them; if you don’t, it can be told not to show them. It’s all down to how you choose to configure things.

EDIT2 - PS It's still doing stupid thing with the logs, the logging system seems to be completely ridiculous. Check out the two screenshots attached. Over a Gigabyte of data for two days worth of logs. One of the logs I opened up and as you can see it has 19 lines entries in it. WTF!!!! They're all like that, some even less!!!

I believe this may be a conflict between AVG and CIS, take a look at Log file problem
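The two-layer evaluation described in the reply above (a connection must pass a Global rule and then an Application rule for the owning process, top-to-bottom, first match wins) and the zone-range point about 192.0.0.1 versus 192.168.0.1, as an added, simplified model written for this thread; it is not Comodo's code, and the rule set, the `in_zone`/`evaluate` helpers and the treatment of "Windows Operating System" as "no application rules" are assumptions made for the illustration. It runs one of the log lines posted above through the model:

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

def in_zone(addr: str, zone: str) -> bool:
    """Is addr inside a zone given as CIDR or as 'address/dotted-mask' (e.g. 192.168.0.1/255.255.255.0)?"""
    return ip_address(addr) in ip_network(zone, strict=False)

@dataclass
class Packet:
    app: str        # owning process; "Windows Operating System" = no real process owns the socket
    direction: str  # "In" or "Out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                # "Allow" or "Block"
    direction: str             # "In", "Out" or "Any"
    src: Optional[str] = None  # zone, or None for Any
    dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("Any", p.direction)
                and (self.src is None or in_zone(p.src, self.src))
                and (self.dst is None or in_zone(p.dst, self.dst)))

def first_match(rules: List[Rule], p: Packet) -> Optional[str]:
    """Rules are read top to bottom; the first matching rule decides (None if nothing matches)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None

def evaluate(global_rules: List[Rule], app_rules: Dict[str, List[Rule]], p: Packet) -> str:
    """Assumed model: Global rules first, then the Application rules of the owning process."""
    if first_match(global_rules, p) != "Allow":
        return "Blocked: Global rules"
    if p.app not in app_rules:
        return f"Blocked: no Application rule for '{p.app}'"
    if first_match(app_rules[p.app], p) != "Allow":
        return f"Blocked: Application rules for '{p.app}'"
    return "Allowed"

def parse_log_line(line: str) -> Packet:
    """Parse a Firewall Events line in the layout posted above (columns separated by runs of spaces)."""
    _ts, app, _action, direction, proto, src, sport, dst, dport = re.split(r"\s{2,}", line.strip())
    return Packet(app, direction, proto, src, int(sport), dst, int(dport))

# Constructed rule set mirroring the thread: LAN allowed in/out globally, everything else blocked at the bottom,
# and the svchost.exe In/Out-to-LAN application rules from the reply.
LAN = "192.168.0.0/24"
GLOBAL = [Rule("Allow", "In", src=LAN), Rule("Allow", "Out", dst=LAN), Rule("Block", "Any")]
APPS = {"svchost.exe": [Rule("Allow", "Out", dst=LAN), Rule("Allow", "In", src=LAN)]}

LOG_LINE = "2012-01-24 01:53:09   Windows Operating System   Blocked   In   TCP   192.168.0.155   2388   192.168.0.2   5000"

def explain_log_line(line: str = LOG_LINE):
    """Verdict for the packet as logged (owned by WOS) and for the same packet if svchost.exe owned the socket."""
    p = parse_log_line(line)
    as_svchost = Packet("svchost.exe", p.direction, p.proto, p.src, p.sport, p.dst, p.dport)
    return evaluate(GLOBAL, APPS, p), evaluate(GLOBAL, APPS, as_svchost)

if __name__ == "__main__":
    print(explain_log_line())
    print(in_zone("192.168.0.155", "192.0.0.1/255.255.255.0"))  # the typo'd range from the post
```

The Global "Allow In from LAN" rule passes the packet, but because no real process owns the socket it falls to WOS and is dropped; the same packet attributed to svchost.exe is allowed, and an outbound connection to a non-LAN address from svchost.exe is caught by the bottom Global block.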

Hi, thanks for your continuing assistance. Hope I’m not too much of a nuisance.

These are coming from my own network so …
1 There is already a rule for svchost
2 How am I supposed to know UPnP is handled by svchost? (OK this may be something I should have known)
3 Why didn’t it alert me and give me the option to allow?
4 Why isn’t it recognised as a Safe Application?

192.0.0.1 and 192.168.0.1 will be completely different subnets if your mask is 255.255.255.0. For your zone range use either:

Doh, this was just a typo in my post. I meant 192.168.0.1 to 192.168.0.255. In my Network Zones settings it IS set correctly.

The Global rule is not the issue, at least in this case. If you want to receive inbound UPnP connections, I assume from your router, you need to create inbound rules for svchost, in addition to allowing the connections through Global rules. If you have something like media streaming on your network, or you're using Windows 7 Homegroups, the easiest way to make sure svchost is covered is to add the In and Out to/from LAN:

Application Name - Svchost.exe
Allow IP Out
Source Address - Any
Destination Address - LAN
IP Details - Any

Allow IP In
Source Address - LAN
Destination Address - Any
IP Details - Any

Well I already have those exact rules in place.

Was anything happening when you were logged off, what about the WOS events?
I need to do some additional checking to make sure. I'll get back to you on this, but I suspect it's related to the other log problem.
I believe this may be a conflict between AVG and CIS, take a look at [url=https://forums.comodo.com/firewall-help-cis/log-file-problem-t73209.0.html]Log file problem[/url]

This is major league disappointing for 3 reasons…
1 The link you give shows the topic is from June last year yet nothing has been done to fix this major flaw several months later.
2 I wished I had known about this incompatibility issue earlier. I feel I’ve wasted your time and mine.
3 There is no way I can go on with a situation like this. Not only would I run out of disk space and make all my backups, disk checks etc take longer but also I’m not confident I am seeing the log entries I need to see.

Really is Comodo serious about this business? Many applications I use create log files without any difficulty or conflicts with my antivirus. It’s really not that difficult. I’ve programmed the same myself. If Comodo gives me a job I’ll come and do it for them for God’s sake. (sorry!)

If your logs are indeed filling up with entries due to another application’s behavior, Comodo is doing exactly what it is supposed to be doing: alerting you to this behavior. It isn’t Comodo’s fault if the other application is basically ‘spamming’ these behaviors. Short of some sort of ‘quit notifying me after xx repeated notifications’ type of an option, I fail to see how Comodo could fix this as the problem is external to their application. If your neighbor keeps ringing your doorbell, would you ask the manufacturer of the doorbell to fix the incessant ringing?

You could try the steps listed in this FAQ thread to see if you can make the other product play nice. Making other security programs work with CIS (v5)

Er no it isn’t though. If you open the logs, as seen in my screenshots, there is absolutely no indication of what is going on or why the logs are so large. If that were the case then it would be justified but it isn’t.

I fail to see how Comodo could fix this as the problem is external to their application. If your neighbor keeps ringing your doorbell, would you ask the manufacturer of the doorbell to fix the incessant ringing?

Well I got to admire your faithfulness to Comodo but honestly. A better analogy would be that the neighbour walks past the front of the house and the doorbell incessantly starts ringing of its own accord, refuses to stop even though you’ve answered the door, electrocutes the door handle so you can no longer open the door, makes your telephone ring incessantly too even though there’s no-one on the end of the line when you answer and to add insult to injury the manufacturer denies that it’s their problem even though all the other residents of the street have perfectly working doorbells! EDIT - forgot to add …and sometimes the bell doesn’t ring even when pressed by a visitor.

You could try the steps listed in this FAQ thread to see if you can make the other product play nice. [url=https://forums.comodo.com/install-setup-configuration-faq-cis/making-other-security-programs-work-with-cis-v5-t65578.0.html]Making other security programs work with CIS (v5)[/url]
Thanks, I have read that topic already. I have already executed any applicable steps as best I can to my knowledge bearing in mind the topic is somewhat vague.

There’s a great many inbound requests here, do you know what’s generating them?

1 There is already a rule for svchost

Please post details of the rules you’ve created for svchost.exe

2 How am I supposed to know UPnP is handled by svchost? (OK this may be something I should have known)

There’s no real answer to that other than, if you want to start creating custom rules, some knowledge of the traffic flowing through your network is helpful.

3 Why didn't it alert me and give me the option to allow?

Because you have a block rule that discards all unsolicited traffic. If you want inbound alerts, you need to remove the inbound global block rule. Please see:

Alert me to incoming connections and make my ports stealth on a per-case basis

4 Why isn't it recognised as a Safe Application?

Inbound traffic, unless in response to a prior outbound request, is typically considered unsafe.

Well I already have those exact rules in place.

Please post details.

Er no it isn't though. If you open the logs, as seen in my screenshots, there is absolutely no indication of what is going on or why the logs are so large. If that were the case then it would be justified but it isn't.

Would you mind zipping one or two of the log files and attaching them to a post, please.

If it is UPnP then the only thing must be my network printer.

Because you have a block rule that discards all unsolicited traffic. If you want inbound alerts, you need to remove the inbound global block rule.

That would surely be as safe as having no firewall from a hacker’s point of view.

Please post details.

See attachment.

[attachment deleted by admin]

I have attached one. As can be seen from the screenshot also attached only a single entry is shown in the log even though it takes 40Mb unzipped. This is with “Entire Period” shown.

[attachment deleted by admin]

[attachment deleted by admin]

If it’s a HP printer, they’re known to be quite ‘noisy’ you may also need to install the appropriate printer software on your PC to handle the UPnP connections.

That would surely be as safe as having no firewall from a hacker's point of view.
See attachment.

Not really. All unsolicited inbound traffic will generate alerts and if an alert is not answered the packet is discarded. It would appear you’re also behind a router?