hi all, (:WAV)
i’ve managed to install CFP3 :BNC
now i’m starving, i’m gonna grab my breakfast & lunch.
but before i leave, need a lil help/questions :
CFP desktop icon doesn’t work ??? i need to open it by clicking the systray icon. is it a known
bug?
i’ve set the firewall & defense+ security level to Train with safe mode , i need your opinion,
is it good enough?
on summary tab-network defense: the firewall has blocked 84 intrusion attempts so
far, where can i see the blocked items/ event list?
summary-proactive defense : the Defense+ has blocked 3 suspicious attempts so far.
i’ve checked the defense+ event viewer, it blocked CBO!! what should i do? is it OK?
any comment would be veeeeeerrryyy appreciated.thx a lot.
Ganda
edit : It’s known that some low-level kernel drivers in Comodo Firewall Pro can’t be installed in safe mode, so please don’t use safe mode. Instead, disable all running programs. If you don’t there will be some interference later on that you may never know (Ragwing)
CFP desktop icon not working.
Under XP, if you do a right click onthe desktop icon and select “Run As” and select the Administrator user, the GUI will open. If you now shut the GUI and reboot, it should be OK.
Train with safe mode good enough?
I hope so - that’s where mine is. This is egemens recommended setting for most circumstances.
and 4. ???
I’ll start digging into it, but I’ve only just got CFP3 installed.
About CBOClean - you may have to give it some extra permissions. Go to the CFP interface and click on Defense+>Advanced >Computer Security Policy>(Select the entry for CBOClean)>Edit>(Check that “Use a Custom Policy” is selected)>Access Rights. On the Access Rights window, check “Allow” for “Interprocess Memory Accesses”; Process Terminations"; “Physical Memory”; and “Disk” .
You can view the firewall activity on: Firewall>Common Tasks>View Firewall Events. You probably will need to click on the “More” button to see much.
(:WAV) hi Ewen,
thx for the quick reply. i’ve just reinstalled CFP3.
tried it, i’ll see after rebooting.
:■■■■
nevermind about Question no.3. i’ve found it. (i was too hungry ;D ).
i hope it’s not a problem. :o
another questions regarding the firewall log:
a) what’s system idle proccess ? it’s blocked several time.
b) i’m not sure, but i think svchost.exe is a legal known application? why it’s blocked?
c) and something about system is blocked too
(i’ve attached the list)
oh, and one more question : defense+ ==>advanced==>image execution control settings
general tab: should i set the bar to normal or aggresive? what prefetching/caching attempts for the executable files means?
files to check tab : should i leave it that way, or add another executable files? maybe like
*.bat ?
Hi Ganda - You will have to revise the permissions for the processes you mentioned. I did not look at your upload (late here), but System Idle Process is a system utility and it basically does system housekeeping. You might want to look at: https://forums.comodo.com/cfp_beta_corner/cfp_308214_beta_workarounds_closed-t12091.0.html
This page has a list of improved permissions that refer specifically to the processes that you mention. The System Idle Process, Scvhost.exe and System should not be blocked. There must have been some problem with your installation, or you have selected a higher security level than the default. You should set the System Idle Process as Trusted by clicking Firewall>Common Tasks>Define a New Trusted Application>Select>Running Process. The System Idle Process will be the top one on the list that pops up. You could set the other two processes as trusted, but this is not really as secure as the settings listed on the link above.
As for the Image Execution Control setting, Normal should be fine - anything higher will result in a lot of pop-ups and log entries.
i’ve run CFP diagnostic,and didn’t find any error. and i don’t see anything unusual regarding svchost or system idle so far. ???
i’ve set the network policy to CUSTOM POLICY MODE. hope it works.
hey, the CBO trick you gave me didn’t work too. still blocked.
1 and 2 - leave them as they are unless you need to change them. Normal image control is fine for 99% of cases. Aggressive adds image checking to the cached copy helh in the \windows\prefetch folder. *.exe is fine for checking (until I learn otherwise ;))
err, i use Admin power user, and still don’t work.
i can’t use administrator user either, i have an admin power user account & don’t use any password for admin. when i use it (without password), i got an error message.
so far, problems left for me :
still can’t open CFP3 via desktop icon or start menu (systray icon is the only way to open it)
not sure about the blocked items (system/system idle proccess)
i have to use clean PC mode (defense+ setting) in order to get CBO to be allowed.
i’ve allowed an application: defense+==>common tasks==>my own safe files==>add (include
subfolders checked). but the defense+ alert still asking me to allow or block it.
;D done! i have a user with admin power and never use the administrator account, (and nobody touch my comp except me) so i thought i never need any password for it.
i’ll try to reboot and see if it works.
meanwhile, mind to answer question no.2,3&4 ? ;D
got this error message when doing “run as” administrator :
C:\Program files\Comodo\Firewall\cfp.exe
The directory name is invalid
>:( >:(
maybe it’s related to make private option when i was creating user account?
i installed CFP on user (with admin power) account.
maybe admin don’t have access to CFP3 ??? naah,stupid thinking.
anyway, if CFP is off, i can activate it using desktop icon/start menu, but when it’s already active, i have to open it from systray icon. >:(
OK, i’ve uninstalled & reinstalled CFP3 now. still got the desktop icon problem. :THNK
these are my problems with CFP3 so far :
can’t open CFP window from start menu or CFP desktop icon when CFP is active.
the only way to do it==> systray icon. but if CFP is inactive, startmenu/desktop icon will
work (open CFP window & activate it).
got many system idle proccess, system, svchost blocked before uninstallation, now after reinstalling, i get none of it ??? nothing on firewall log. is it normal?
defense+ setting is still confusing me ???, how do i allow a trusted application? i have an
invoicing/sales/distribution software on my server, i’ve tried to put all of the software folder (include subfolder checked) to my own safe files (defense+==>common tasks==>
my own safe files). but i still got defense+ alerts asking me to allow/block.
i’ve just noticed that CBO is blocked when it’s trying to access memory, target ==> cfp.exe & cmdagent.exe. so maybe CFP was protecting itself ??? i guess that’s fine then, am i right? ???
If you go to Defense+ - Advanced - Computer Security Policy, you can add the executables for the invoicing app and set the appropriate permissions here.
Hope this helps,
Ewen
P.S> Out of curiousity, Clicking allow and Remember does the same thing, and you can tell it it is a trusted applicaton at the same time. How come you don’t just do this?? Isn’t this easier??
I’m experiencing kind of the same happenings. So in short my questions are:
What’s the recommended network security policy for svchost.exe, System, and System Idle Process?
Is it normal that I’m getting millions of inbounds attempts for these three processes (that CFP blocks because they’re set to Outgoing Only)? Should I worry :o ??? even though they’re Windows processes? (Anyway I don’t see the point in logging this stampede…)
Hi Ganda - CBOClean: Add the CFP processes to the “Exclude” list for CBOC. That will stop it from trying to inspect the CFP processes.
If you added the System Idle Process to your “Define a New Trusted Application” list, you should have it listed on your Advanced>Network Security Policy page. It should be restricted to local communications. To find out your local IP address, click Start>Run>cmd and press enter. From the DOS prompt type ipconfig and press enter. Note the IP address of your computer and the sub-net mask. For me it is 192.168.1.2 & 255.255.255.0. That means that the range of addresses for my local network (LAN) is 192.168.1.0 to 192.168.1.255. This range of addresses and a few others like it are reserved for private LANs and are not available for internet addresses. Use this information and the instructions on the link: https://forums.comodo.com/cfp_beta_corner/cfp_308214_beta_workarounds_closed-t12091.0.html
to do the following.
Create a set of Network Zones (on the Firewall>Common Tasks page) for your Local Area Network, the addresses reserved for internet-wide multicasting and the addresses reserved for Local and Special multicasting. This is three sets of address zones.
Create two new Predefined Firewall Policies (Firewall>Advanced page). This uses the Network Zones defined above to set up a LAN set of permissions and a LAN and Outgoing set of permissions.
On the Firewall>Advanced>Network Security Policies page, change the permissions for svchost.exe and services (and System Idle Process, assuming that you have previously added it to your “Define a New Trusted Application” page). Svchost.exe and Services should have the Predefined Firewall Policy “LAN and Outgoing” applied and the System Idle Process should have the LAN Predefined Firewall Policy applied to it.
This set of permissions is much tighter than the defaults and will correct a number of errors that show up on the logs. Since LAN addresses vary, you have to do this for your system specifically.
if CFP is off, i can activate it using desktop icon/start menu, but when it's already active, i have to open it from systray icon.
Well as far as I know, it’s supposed to work like that like every other program…?
You normally start a program from a desktop icon or from startmenu. If it already runs, you click on the minimizes tab or a systray icon to see the program window. I don’t know why you are trying to open a program that already is open from a desktop icon…? Do you do that with other programs? :o
Is it a problem to click on the systray icon? ok it is a bit smaller but…
Since I have no LAN (at the moment, ADSL modem connection), is it okay for me to grant outbound permission to svchost.exe and System, and no rules for System Idle Process?
Then why is CFP blocking millions of inbound attempts from these three processes (and no one else)? Am I being attacked? Is there something I can do about it, should I stealth my ports or something? The only global rule I have is the “block all inbound”.
I too have the same problem with the desktop icon not working (so does my brother). What is the point of having the icon on the desktop if it doesn’t open the program??
This is egemens recommended setting for most circumstances.
>:( >:(