How to create firewall rules for temporary/transient programs?

Just wondering if anyone knows how to configure Comodo Firewall to specify rules for temporary / transient programs?

I have a VPN that writes a new copy of Ruby each time windows starts (written into a new, randomly named folder in the windows temp folder). So, every time I start up I have to redefine the rules for the program - and, the previous ruleset becomes obsolete and just piles up in the definitions list.

Any suggestions?

Thanks.

You could just go into the old rule and change the file location. v6 (latest version) does not allow wildcards in the file location string; I believe v5 does though so that may be an option for you. In both versions you can ‘Purge’ the firewall rules and the old entries will be removed.

Out of interest, does the application allow you to specify where the temporary files are created? If so, you may be able to create a specific folder for these, create a file group within CIS, then use the file group in the firewall rule.

Going into the old rule to change the file location is just as tedious as having to click through accepting rules for the new instance of the program each time.

And the program does not provide for setting a specific directory for each new instance.

I wonder… is there a way in win7 to instruct a program to use a specific .tmp directory?

Also, I wonder if it would pose a security issue to set CIS to allow all files from the default TMP directory? (maybe potential malware, virus, other can operate out of the TMP directory?).

That would pose a huge security risk yes, I highly recommend AGAINST it.

That’s a shame

I wonder... is there a way in win7 to instruct a program to use a specific .tmp directory?

You can change the location for all temp files via environment variables, but that won’t help in this case.

Also, I wonder if it would pose a security issue to set CIS to allow all files from the default TMP directory? (maybe potential malware, virus, other can operate out of the TMP directory?).

As Sanya indicated, that wouldn’t be a good idea.

Any chance you could share the name of the application…

The application is Ruby (Ruby Programming Language). It runs as part of the VPN installed by Private Internet Access.

I noticed that it always creates a directory according to a specific format in the temp directory - that is …/temp/ocr3fec.tmp/bin/rubyw.exe

The “ocr” part of the transient directory always stays the same, the characters after are randomized (i.e., the “3fEC” part in my example). So, I tried specifying a wildcard (*) in place of the random characters, like so… […/temp/ocr*.tmp/bin/rubyw.exe].

It didn’t work. Comodo seems to just ignore the entry and still asks every time what I want to do with the new instance of the program.

Any ideas?

From what I can see, this seems to be a known problem with the PIA VPN. There are a number of threads on their forums regarding Outpost, Zone Alarm and Comodo and these temporary folders. Out of interest, when you were trying to create your exclusion rules, which method did you use? I’m wondering if it may be possible to use the Protected File/File Groups feature of D+, which seems to support some basic RegEx commands. Once you’ve created a new file group, it will be available for selection from within the firewall.

Initially, I just clicked the option to ‘remember’ my choice when the firewall alert popped up. Then I tried going in to the Network Security Policy / Application Rules / Add… (also did basically the same thing in D+).

[s]I’ll try the Protected File/Groups in D+.

This might take a while. We’ll see…[/s]

Okay. I tried every iteration I could think of. The Protected Files/Groups doesn’t seem to work either!

I’m beginning to lose hope here.

Did you try a folder path with something like C:\Users\UserName\AppData\Local\Temp\ocr*

I did. I tried:

…/temp/ocr*
…/temp/ocr*.tmp/
…/temp/ocr*|
…/temp/ocr*.tmp/*|

and several other combinations. I copied the “*|” format from some of the existing rules I found there. Nothing had any effect though.

May I just take a step back for a minute, make sure we’re talking about the same thing.

  1. The application creates temporary folders in %TEMP% with a different name each time it starts
  2. Each time the application starts you receive a firewall alert for the new temporary folder path
  3. You’ve created a new group under Defence+\Protected Files and you’ve added the folder to the group
  4. The path to the folder is C:\Users\UserName\AppData\Local\Temp\ocr…
  5. You modified the path with wild cards to compensate for the changes
  6. Under Firewall\Application Rules, you created a new rule pointing to the group you created above

If the aforementioned is correct, it should work. I just installed the VPN and made the changes described above. The path used for the folder was C:\Users\UserName\AppData\Local\Temp\ocr**

Please let me know if I’m not understanding correctly and modify where I’m going wrong.
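Added example (not part of any post in this thread): a way to compare how much of %TEMP% each kind of rule path discussed above would cover. It assumes `*` matches any run of characters, path separators included, which may differ from Comodo's own matcher; apart from the `ocr….tmp\bin\rubyw.exe` layout, the file inventory is constructed.

```python
from fnmatch import fnmatchcase

TEMP = r"C:\Users\UserName\AppData\Local\Temp"

# Constructed inventory of executables under %TEMP% across two boots.
# Only the ocr<random>.tmp\bin\rubyw.exe layout comes from the thread.
INVENTORY = [
    TEMP + r"\ocr3fec.tmp\bin\rubyw.exe",   # this boot's copy of the VPN's Ruby
    TEMP + r"\ocr91ab.tmp\bin\rubyw.exe",   # next boot's copy (new random name)
    TEMP + r"\ocr3fec.tmp\lib\helper.exe",  # hypothetical second file in that folder
    TEMP + r"\setup_7731\installer.exe",    # hypothetical unrelated installer
    TEMP + r"\download.exe",                # hypothetical unrelated download
]

# The only binary the rule is meant to cover, whatever the random part is.
INTENDED = TEMP + r"\ocr*.tmp\bin\rubyw.exe"


def covered(pattern, paths=INVENTORY):
    """Paths a rule with this pattern would apply to (case-insensitive)."""
    pat = pattern.lower()
    return [p for p in paths if fnmatchcase(p.lower(), pat)]


def excess(pattern, paths=INVENTORY):
    """Covered paths that are NOT the intended binary (rule is too broad)."""
    want = INTENDED.lower()
    return [p for p in covered(pattern, paths)
            if not fnmatchcase(p.lower(), want)]


def missed(pattern, paths=INVENTORY):
    """Intended binaries the rule fails to cover (rule is too narrow)."""
    hit = set(covered(pattern, paths))
    return [p for p in covered(INTENDED, paths) if p not in hit]


if __name__ == "__main__":
    candidates = [
        TEMP + r"\ocr3fec.tmp\bin\rubyw.exe",  # exact path remembered from an alert
        TEMP + r"\*",                          # allow everything in %TEMP%
        TEMP + r"\ocr*",                       # folder-prefix wildcard
        INTENDED,                              # wildcard only for the random part
    ]
    for pat in candidates:
        print(f"{pat}\n  covers={len(covered(pat))} "
              f"excess={len(excess(pat))} missed={len(missed(pat))}")
```
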

I think you are understanding it all correctly.

I just tried your syntax exactly (as …\temp\ocr**). Still doesn’t work - that is, I still get pop ups from Comodo asking me what I would like to do.

To note: when I first tried your syntax (as well as other forms) it DID appear to work, at first. That is, when I started the VPN, Comodo seemed to remember my preference and didn’t pop up any windows. Great. Until I restarted windows. Every time windows is restarted it reverts right back to asking/pop ups, as if there were no defined preferences/rules.

To be clear - this approach does ‘half’ work, as the rules seem to be remembered after windows has started. That is, even if I don’t check the ‘remember’ box, Comodo doesn’t pop-up/ask me what to do afterwards when I start the VPN service - but it still does ask when starting windows (it asks about pia_manager.exe, and rubyw.exe - both of which have defined rules and are in the Protected Files/Group).

I’m not even sure how/why PIA is starting when windows boots. I couldn’t find an entry for it in msconfig, or services.msc.

Slightly more confused now than when I started - but apparently ‘half-way’ there :)

P.S. - I’m not sure if this means anything, but pia_manager.exe seems to change file size…
I’ve seen it (via windows Properties window) as 89.5MB on disk and 0Kb in the Details tab, and then a few minutes later as 8.75MB on disk and 8.75MB in the details tab. This seems odd to me.

  • Update: I just found an entry in windows Task Scheduler to start pia_manager.exe on windows boot with the option “--startup”. I’ll try disabling this to see what happens…

Success!

I have no idea what the “--startup” option was doing in the task scheduler. I don’t even know why there was an entry in the task scheduler to start the service when booting windows.

But it’s working now.

I’m not sure if it’s the Protected Files/Groups option, or the directly defined rules, as I have both active. I’m just happy it’s working now.

Thanks for all the help Radaghast!

I’m glad you found a solution and thanks for letting us know :-TU

I really didn’t expect this, but it seems this solution isn’t a complete fix.

It is still working perfectly fine on my computer, well, on one of them. When I duplicated the process on my other laptop it doesn’t work at all.

I’ve double and triple checked to make sure the configurations are exactly the same, step by step.

At this point - on this computer - even the launching application, pia_manager.exe, won’t observe the D+ rule I have created for it (set to “Trusted Application”). I also have it in a group of Protected Files/Folders. It seems to completely ignore anything I define for it in Comodo.

So, on this computer, I’m back to clicking through 11 (!) Comodo prompts to get the VPN started each time.

So frustrating.

You could try exporting the configuration from the PC and then importing it at the laptop. Once imported you can activate it and test… You can always switch back to your current configuration - probably a good idea to make a copy of it first.

Exporting/importing the config did the trick. I only had to minimally edit the config on the new computer (to adjust Username in the temp directory path).

Thanks again!

Hi again - I’m back :)

I just found something interesting, which I haven’t been able to figure out.

The fixes are still working for me, no problem. But - I just set up a UAC workaround (via windows task scheduler) so that when I start the PIA program I don’t have to answer every time to allow the program…

What happens now is: when I start the program via the UAC workaround shortcut Comodo seems to ignore all the settings/fixes that were working so perfectly before. And if I go back to just using the old/normal shortcut (which brings up the UAC prompt) it works fine again.

In short: old shortcut works, UAC bypassed shortcut doesn’t work.

As far as I can tell the UAC bypass shortcut has exactly the same details as the normal shortcut. What could be happening? What might I be missing?

Would you be able to provide some details regarding the new shortcut please.