How to reset application behavior analysis notices?

andyo · May 2, 2007, 12:24am

Hi, I just installed Comodo Firewall Pro. I have Windows XP Pro SP2.

When I first started running it, aside from the usual application access notices, some other notices appeared due to the Application Behavior Analysis (I think some DLL injections). Now I would like to know how do I reset those to come up again, for instance if I mistakenly accepted one once, and it doesn’t show anymore, and now I would like to block it.

Thanks a lot.

grampa · May 2, 2007, 1:02pm

Hey andyo,
welcome to Comodo forums!!! (:WAV)

I’m not sure I understood you correctly, so my answer may not be what you wanted. If my answer is not related to your problem, please tell me and reformulate your question so that even I can understand ;D (a bit daft at times, you know)

If you want to block an app you mistakenly allowed:

go to “Application Monitor”, edit rule, and set to block (or delete rule and tick “remember / block” when promted).

If you want to block a special .dll:

go to “Component Monitor”, search for the .dll you want blocked and tick “block” (or delete)
NOTE: If you delete a .dll and “CM” is in “Learning mode” the .dll will be reset to “allowed” once it’s loaded with an allowed application! In this case it’s better to “block”.

If you want Comodo to ask you again for a certain app /.dll you’d better delete it (if it’s a .dll set NM to “on”) so as to get an alert.

Hope that helps. If not, let me know.
Cheers,
grampa.

Edit: Sorry (see below). I corrected the mistakes. Please forgive an old man.

sullo · May 2, 2007, 1:42pm

The dll’s associated with programs in app monitor are Listed in component monitor.
This thread might help
https://forums.comodo.com/index.php/topic,7412.0.html

Sullo

Little_Mac · May 2, 2007, 2:38pm

If you selected “Remember” when you hit Allow then you will have modified that application’s rule in AppMonitor. If you know the application this applies to, simply go to that app rule and Remove it. Then when you run it again, CFP will prompt.

If your Component Monitor is still set to “Learn” as it is at installation, you won’t get an alert about a component, unless there is a change to the component, or if something like a DLL Injection has occurred.

If your CompMon is set to “On” and you redo the App rule, you’ll get a popup about the components. If you click on View Libraries on the popup, you’ll get a list of all those components. If you choose to Deny/Block any of those, the entire application will be blocked, as the components are a “part” of the app connecting. CFP views the decision to Block as an indication that a leak is occurring, and so it stops the offending application(s); at that point, if there’s malware, you’ll need to remove it before continuing.

Hope that helps provide some info for you…

LM

grampa · May 2, 2007, 2:44pm

Sorry, I meant “Component Monitor” not “Network Monitor”. My fault!!!
(:SHY)

Cheers,
grampa.

sullo · May 2, 2007, 3:18pm

Well I’m not going the say anything, not the way my brain is functioning at the moment.

Thanks LM that’s helped my understanding a lot more.

Sullo
(Never should have installed that bl**dy spell checker)

grampa · May 2, 2007, 3:29pm

What can I say. Your temporary problems are permanent ones for me ;D.
And thanks for forgiving me my moment of “braindeadness”. :BNC Much appreciated.

And once again:
SORRY andyo for telling you this nonsense.
Cheers,
grampa.