Firewall problems

I am a new user of Comodo Firewall and I just installed it 2 days ago. It is frustrating to me how difficult and complicated it is to configure. My knowledge of firewalls is very low, so all the options and rules in Comodo Firewall are overwhelming me. I used to use ZoneAlarm free and decided to try out Comodo since it’s been getting good reviews. After 2 days I am about to give up on it and switch back to the much simpler ZoneAlarm.

These are the things that I didn’t like about CPF:

  1. Not user friendly to people who know very little about setting up a firewall.
  2. After install I only added 1 rule to the network monitor so I could run my utorrent client.
    Allow TCP/UDP IN from IP [ANY] where source port is [ANY] and destination port is [55767].
    This was listed in the utorrent boards to successfully forward the port in utorrent. Afterwards I decided to test the firewall with the tools offered by Comodo and it failed every one of those CPIL tests. I then tested it on the Shields UP website and it failed there too. When I was using ZoneAlarm it passed the Shields UP tests but failed the CPIL tests. I just don’t know what went wrong with my Comodo firewall. All I did was allow connections for programs like Firefox, MSN Messenger and utorrent, and now it fails every test I took on the net.

If Comodo could make an easy setup interface for beginners like the one on ZoneAlarm to make setting up easier.

Can anyone help me on what to set up on the firewall to make my computer stealthy on the internet like when I was using ZoneAlarm? A list of network monitor rules would be much appreciated.

After 10 hours of trying to understand and configure the firewall myself, I have finally managed to make it pass the Shields UP website’s test. So far everything is working fine. However, it still doesn’t pass any of the CPILSuite tests even if I uninstall and re-install and use the default settings.

How did people pass the leak test with the default settings cuz they didn’t do so for my PC?

Hi, and welcome to the forums.

These threads should answer your questions:

This is a handy video guide to the setup: https://forums.comodo.com/index.php/topic,4766.0.html
And this is for the network rules: https://forums.comodo.com/index.php/topic,1125.0.html

Thanks! Those links helped.

After solving my problems with the configuration, I thought it would be smooth sailing from there but I sure was proven wrong…

This time I am having problems when I click a link in Outlook Express to open in Firefox: I get an alert that says something like Outlook Express has modified the parent program of Firefox and is using it to connect to the net. The description says it might be a trojan behavior, but I am sure that it is not since my computer is clean. After I click either allow or deny my net connection stops and I have to reboot. I searched the forums and other users have had similar problems. OLE monitoring, or so they say, and that there is no fix for it other than disabling OLE monitoring. If OLE monitoring is an important function then why must I be forced to disable it just to use programs I used effortlessly with ZoneAlarm installed before? This bug is quite bothersome and is again making me think of switching firewalls and trying another brand. >:(

This is similar to what the alert log looks like when I do what I stated above:

Date/Time :2007-01-12 10:05:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (IEXPLORE.EXE)
Application: D:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent: D:\WINNT\system32\svchost.exe
Protocol: TCP Out
Destination: 127.0.0.1:10080
Details: D:\Program Files\Mozilla Firefox\firefox.exe has tried to use the Parent application D:\WINNT\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-01-12 10:05:36
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (IEXPLORE.EXE)
Application: D:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent: D:\WINNT\system32\svchost.exe
Protocol: UDP Out
Destination: 202.163.208.31:dns(53)
Details: D:\Program Files\Mozilla Firefox\firefox.exe has tried to use the Parent application D:\WINNT\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Currently downloading other firewalls as I type this message…

I sure hope the developer of CPF fixes this problem soon.

This is different from the OLE automation issue, Dman, although similar, in that it falls under behavior analysis… When you click the link in OE, it makes a call to FF to open that link as a webpage. Some malware can do the same/similar thing. CPF monitors these activities, and alerts you. In this instance, since you know you clicked the link, and that both applications are safe, you can check the “Remember” box and click Allow on the popup, and you’re all set.

If you see this happen when you have not taken an action to cause it, that’s when you should be concerned. If you Deny without “Remember” it will drop your internet; you can typically regain by closing and reopening the applications involved. If you Allow without remember, it will only allow it for that session.

The reason you don’t see these types of alerts with ZA (or most other firewalls, for that matter) is that it doesn’t monitor those things.

With the CPIL tests, you have to Deny when you get the popup alert, or you will fail. After each test, you need to reboot to clear out memory. The test creates a DLL injection, which CPF will block (provided you tell it to when it prompts), but the reboot is needed to clear that injection out of memory, or it will cause problems with the next test.

LM
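Added example (not part of the original thread and not Comodo’s own tooling): a small parser for the alert entries quoted above that groups flagged connections by the program named in the Details line, the flagged application, and the mechanism, so alerts matching an action you just took are easy to tell apart from unexpected ones. The field layout is assumed from the two entries posted in the thread, which are embedded as the sample input.

```python
import re
from ntpath import basename  # splits Windows paths on any OS

# The two alert entries quoted in the thread; the layout is assumed from them.
SAMPLE_LOG = r"""Date/Time :2007-01-12 10:05:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (IEXPLORE.EXE)
Application: D:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent: D:\WINNT\system32\svchost.exe
Protocol: TCP Out
Destination: 127.0.0.1:10080
Details: D:\Program Files\Mozilla Firefox\firefox.exe has tried to use the Parent application D:\WINNT\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-01-12 10:05:36
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (IEXPLORE.EXE)
Application: D:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent: D:\WINNT\system32\svchost.exe
Protocol: UDP Out
Destination: 202.163.208.31:dns(53)
Details: D:\Program Files\Mozilla Firefox\firefox.exe has tried to use the Parent application D:\WINNT\system32\svchost.exe through OLE Automation, which can be used to hijack other applications."""
DETAILS_RE = re.compile(r"^(?P<initiator>.+?) has tried to use the Parent "
                        r"application (?P<parent>.+?) through (?P<mechanism>.+?),")

def parse_alerts(text):
    """Split the log on blank lines; return one dict of fields per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Split each "Key: value" line on its first colon only.
        entry = {k.strip(): v.strip() for k, _, v in
                 (ln.partition(":") for ln in block.splitlines() if ":" in ln)}
        m = DETAILS_RE.match(entry.get("Details", ""))
        entry.update(m.groupdict() if m else {})
        alerts.append(entry)
    return alerts

def summarize(alerts):
    """Group connections by (initiating program, flagged program, mechanism)."""
    groups = {}
    for a in alerts:
        key = (basename(a.get("initiator", "?")).lower(),
               basename(a.get("Application", "?")).lower(), a.get("mechanism", "?"))
        groups.setdefault(key, []).append(f"{a.get('Protocol')} {a.get('Destination')}")
    return groups

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE_LOG)))
```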

Thanks for the advice!

But I did try clicking remember and allow a few times but it still stopped my net connection. It blocks it when I click either allow or deny with the remember option checked. I just don’t get it anymore… I’ve rebooted my PC more than 5 times already in 3 hours. So I just gave up and just copy and paste links manually from other programs like outlook express to my browser so as not to trigger this annoying bug.

Okay, that’s odd. I had read in your post that you mentioned either allow or deny; I was hoping you hadn’t meant both. Hmmm.

What rules for Firefox and OE do you have in your Application Monitor? Can you post full details on those, please? (if the rules include IP addresses, you can “x” those out for privacy if you like).

LM

These are the settings:

Firefox:

firefox.exe [ANY] [ANY] TCP/UDP IN Allow
firefox.exe [ANY] [ANY] TCP/UDP OUT Allow

Outlook Express:

MSIMN.exe [ANY] [ANY] TCP/UDP OUT Allow

I haven’t checked any of the options in the Miscellaneous tab for either of them.

My network monitor rules are basically default with the following additions:

  1. TCP/UDP IN [ANY] [ANY] [ANY] [my utorrent port] Allow
  2. TCP/UDP IN [ANY] [ANY] [ANY] [my DC++ port] Allow
  3. ICMP IN [ANY] [ANY] [PORT UNREACHABLE] Allow
  4. ICMP OUT [ANY] [ANY] [PORT UNREACHABLE] Allow

Those are the only changes I’ve made to CPF.

What are the “Parent” applications associated with each of these entries? (it shows in the details section at the bottom, when you click the rule)

LM

PS: I’ve moved the topic to the “Help” thread, as it would appear to be a better fit there.

The parent for both is C:\WINNT\explorer.exe.

Maybe I’m getting these bugs because I’m using Windows 2000 Professional. Most people are on XP.

Okay. Shouldn’t have anything to do with Win2K; it’s compatible.

But here’s my suggestion at this point, as I saw another post of yours where you mentioned that both Allow and Deny block your internet connection with the popups. It shouldn’t be that way.

My recommendation/suggestion is to uninstall and reinstall the firewall, to get a fresh start. I’m thinking something may have created a blip with your install.

From the systray icon, right-click and “exit” the firewall.

Then go to Start/Programs/Comodo/Firewall/Uninstall Firewall.

Follow the prompts, reboot when finished.

After you reboot, turn off/exit/deactivate all antivirus, and other real-time protection (such as a HIPS-type program), antispyware, etc.

Then install CPF, using Automatic. Do not choose Advanced or Manual setup. Follow the prompts, reboot when finished.

Watch the install/configuration video here: https://forums.comodo.com/index.php/topic,4766.0.html and follow the info there, if needed, to configure it.

If you see any popups for svchost.exe, with parent services.exe, or an alert that your browser needs to act like a server, or that explorer.exe (not internet explorer) is using svchost.exe for an ntp connection, please allow these. They are internal communications and not a threat.

You can add your p2p rules to the network monitor.

Then see if your Allow button works correctly.

LM

Okay I’ll try what you said. Uninstall and reinstall with my antivirus off. I’m using BitDefender 10.

Thanks for the help LM! Hopefully this works. If it still won’t, then I’ll just have to copy and paste links manually for a while and avoid applications that automatically run the browser when I click on a link.

Oy, I’m pretty sure I remember reports of some conflicts/problems with some of BD’s active components (they have some HIPS-type elements, etc). That may be at the root of the problem.

I just recently installed an AV w/CyberHawk (a HIPS) active (I forgot to suspend it), and it alerted me three times to things it didn’t like. I allowed each time, and thought all was good.

However, there was at least one thing wrong with the AV application once it was installed and running. I uninstalled, turned off CH, and reinstalled. Then it was fine.

Normally, I turn all that off when installing programs (especially security programs); that time I forgot, and had problems. It can definitely happen.

I hope that was it, and that doing the reinstall works.

LM

I re-installed CPF and tried out clicking a link in Outlook Express to launch my browser and I got that alert I did before, but now I clicked allow and it worked. My connection didn’t die and CPF added two new rules to my application monitor for firefox.exe and it had MSIMN.exe as its parent application. It didn’t do that before. Uninstalling and re-installing with my antivirus off seems to have done the trick.

Great! Keep watching it over the weekend, and post back if you have more problems. If not, let us know that it’s still working.

LM