Help: No parent application checks anymore?

I can’t seem to get v3 to check for parent applications. This is regardless of how I have Defense+ on/off, what settings I have, and even if I remove all rules (not on training mode or clean PC).

In addition, even if this IS a defense+ feature (and I still can’t get it to happen), I’d say, it should still be part of the firewall part (at least for applications granted net access)

Hi Trel, I don’t believe this is a part of V3. The architecture has changed a great deal since V2.

Well that kind of makes it so it WILL fail some leaktest, doesn’t it? If I’m not prompted when an unknown program launches my browser, it could send anything via GET.

Only if that application has been allowed in D+ and the firewall

But that’s not happening. An app I didn’t allow in either is launching my browser and I’m getting no additional alerts.

Care to post some details please?

Well for example, I tried the Wallbreaker leaktest. I had IE allowed in firewall and defense+. I didn’t have wallbreaker allowed in anything. However, I failed all 4 tests.

I’ve since gone back to 2.4 and don’t have this problem.

I think you neglected to tick a box somewhere. When I run Wallbreaker I get lots of pop-ups which I have to allow to make it work, see the following:

[attachment deleted by admin]

I take that back, the only alert I got pertaining to that was the access the screen directly.
Now, I’m on XP, so I don’t know if it makes a difference, but I don’t think it should.

Can you send a screenshot of your defense+ settings?

D+ is in Train with Safe Mode, I’ve done nothing else to the standard install.

I’m on XP too

The same for me - on ‘Clear PC’ mode. I downloaded ‘Comodo Parent Injection Leak Test Suite’ (after installing CF, so the test files were NEW) - no questions from CF or D+, just an answer from the Comodo homepage: “Your firewall didn’t pass the test and transmitted information to our website. Get Protected. Download Comodo Firewall Pro Now.”
But when I try to delete those ‘viruses’, D+ freezes for about a minute and then alerts: “Total Commander trying to change protected files…” OK, but Total Commander IS set as a trusted application (instead of CPILSuite.exe).
OK, ‘Train with Safe Mode’ passes this test, but there are too many questions about TRUSTED applications in this mode.

Even with the three alerts you have, none of them mention that wallbreaker is trying to launch or use your browser. So, if it’s not trying to access the screen, and it’s not automatically detected as malware behavior, and just goes for your browser, doesn’t that mean it would get through?

I think that CFP3 relies on its Defense+ for a lot of the checks that made v2 so impregnable but that also annoyed so many average users. Trel, the only thing I can think of is that you already had the leaktest in your hard disc before installing CFP3, and you left D+ in its default “clean pc mode”, so it considered safe anything already in the system at the time of installing. I think that if you look in the computer security policy for the rules concerning the leaktest (generated by the clean pc mode), delete them, then switch D+ at least to “train with safe mode”, you should pass the leaktest.

I at no point had Defense+ on Clean PC, I first had it on disabled, and then I moved it to paranoid. After paranoid is when I downloaded wallbreaker.

Also, when I uninstalled to go back, I checked there first, I had no rules regarding wallbreaker.

I also miss the parent check. It may be the only thing I dislike about v3.

For example, when I click the www.7-zip.org button from 7-Zip’s “About…”, it launches Firefox without asking me. I really don’t like this behavior and I can’t find any way to prevent it. Blocking 7zFM.exe (7-Zip File Manager) itself won’t help at all. I need to define it as a blocked child of Firefox (which is not possible).

This is not a reason for me to revert to v2.4, as I think Defense+ is very powerful. But it makes me wonder what kind of control there actually is in CFP 3, concerning outbound connections. Just because I let Defense+ allow a program to run, doesn’t mean I want the program to have the right to start Firefox.

Gotta put this up on the wish list, if it hasn’t already been done.

/LA

Would you antipate this making it into the next or one after version?

Regarding toggie’s response showing the 3 alert popups from CFP3 and Trel noting that none of them alert that iexplore.exe is being called by wallbreaker.exe:

Even if there were a program launch rule to allow wallbreaker.exe to run, that doesn’t mean you want to let it call iexplore.exe. The parent-child (which was denoted by Application and Component monitors) is gone from CFP3. Too bad. It permitted control that the forward-looking only access rights options cannot regulate for firewalling. You might have a child program for which you decide to permit one or a select few callers to execute it but you don’t want every program to be able to call it. Also, you might not want a parent program to be able to execute a particular child program but allow it to execute others.

I was looking at Online Armor as a replacement for CFP3 (because it is simpler to use and doesn’t separate firewalling rules into outbound app rules and inbound global rules, just app rules for in, out, or in/out connect requests). Alas, it also doesn’t regulate which parent can call which child to make a connection. So now I’m looking at CFP v2.4 to regain the parent-child control and using ProSecurity for HIPS (I gave up on AppDefend because its author has abandoned the product and System Safety Monitor can be too easily disabled by the new breed of unhooking malware).

So HIPS got added to CFP in version 3 but, alas, we lost the parent-child control that was in version 2.4 for firewalling.
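
The parent-child control described in the post above, modelled as an added example (not part of the thread and not Comodo's code): a per-application decision is compared with one that also checks which parent launched the network-enabled child. The `Policy` class, its rule tables, the file paths and the launch events are all constructed for illustration.

```python
# Added illustration; every rule, path and event below is constructed.
from dataclasses import dataclass, field
from ntpath import basename  # parses Windows paths on any OS

@dataclass
class Policy:
    net_allowed: set = field(default_factory=set)        # apps granted net access
    allowed_parents: dict = field(default_factory=dict)  # child -> permitted callers
    denied_children: dict = field(default_factory=dict)  # parent -> forbidden children

    def app_only(self, parent, child):
        """Decide on the connecting application alone; the caller is ignored."""
        return "allow" if child in self.net_allowed else "block"

    def parent_aware(self, parent, child):
        """Same decision, but the launching parent is checked as well."""
        if child not in self.net_allowed:
            return "block"
        if child in self.denied_children.get(parent, set()):
            return "block"
        callers = self.allowed_parents.get(child)
        if callers is not None and parent not in callers:
            return "ask"  # unlisted caller of a network-enabled child
        return "allow"

def evaluate(policy, events):
    """Return (parent, child, app_only, parent_aware) for each launch event."""
    rows = []
    for ev in events:
        parent = basename(ev["parent"]).lower()
        child = basename(ev["image"]).lower()
        rows.append((parent, child, policy.app_only(parent, child),
                     policy.parent_aware(parent, child)))
    return rows

POLICY = Policy(
    net_allowed={"iexplore.exe", "firefox.exe"},
    allowed_parents={"iexplore.exe": {"explorer.exe"}, "firefox.exe": {"explorer.exe"}},
    denied_children={"7zfm.exe": {"firefox.exe"}},
)
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EVENTS = [  # constructed process-launch records
    {"parent": r"C:\WINDOWS\explorer.exe", "image": IE},
    {"parent": r"C:\tests\wallbreaker.exe", "image": IE},
    {"parent": r"C:\Program Files\7-Zip\7zFM.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

if __name__ == "__main__":
    for row in evaluate(POLICY, EVENTS):
        print("%-15s -> %-12s app-only=%-5s parent-aware=%s" % row)
```

The per-application decision allows all three launches because only the browser is inspected; the parent-aware decision allows the first, asks about the second and blocks the third.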

Here’s a couple more pop-ups for you showing parent-child interaction. I hope it helps. Please note the wording carefully.

[attachment deleted by admin]

“Antipate”, do you mean anticipate? If so, I have no idea. I can’t understand why this feature has been removed from CFP 3 in the first place. :-\ If anyone knows a way to actually get parent-child control, I’d be happy.

Perhaps it’s possible to make custom Defense+ rules for all conceivable “children”, preventing them from executing other software (like the internet browser)? But still let them run? I think I can recall that there is such an option. (I won’t be using a CFP 3 equipped machine for the next 10 hours)

The first screen shot, I’ve never seen such an alert?

/LA

Not sure why LA, I have D+ rules for both fx and 7z, but not for allowing one to use the other…