Since Comodo Firewall allows rules for programs specific to the actual IP addresses they connect to, I’ve been wondering about setting up rules that only allow something like the update program for software to only use the proper server address. The way I look at it, if a program is ever hijacked there would be a rule so it would only connect out to the server it’s supposed to anyway. Problem is, I’m not sure how to look up the information about the servers, and there’s the possibility of multiple servers it may choose to connect to. Anyone know a good source for IP address information for different programs?
Welcome to the forums, Somebody!
Yes, you’re absolutely right; if you limit the application’s IP connectivity, then you limit the damage it could potentially cause if hijacked. However, with CPF’s Application Behavior Analysis, you’ll get an alert that the program has changed and/or is trying to communicate in a way that looks suspicious and could be the result of malware.
For the server information, you can probably get that from: the software company, the internet (a search), or by triggering the update mechanism and watching CPF’s connection activity (then resolve the IP address if need be). Also, you can go to Security/Advanced/Miscellaneous (in CPF), move the Alert Frequency slider to High or Very High, click OK, and reboot. You’ll get a lot more alerts (obviously), but they will be IP and even Port-specific. Then when you trigger the update mechanism, you’ll get a popup alert and you can create your rule right there…
Hope that helps,
LM
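One way to turn the connections noted while triggering an update mechanism into per-program allow rules that cope with multiple servers, as an added example that is not part of the original thread. The program names, addresses and rule structure are constructed for illustration and are not CPF's own rule format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (program, remote IP, remote port) as one might note them
# from firewall alerts while triggering an updater several times.
OBSERVED = [
    ("updater.exe", "203.0.113.10", 443),
    ("updater.exe", "203.0.113.11", 443),
    ("updater.exe", "203.0.113.10", 443),   # repeat contact, same server
    ("updater.exe", "198.51.100.7", 80),
    ("mailclient.exe", "192.0.2.25", 993),
]

def build_rules(observed):
    """Return {program: {port: [networks]}} covering only what was observed."""
    seen = defaultdict(lambda: defaultdict(set))
    for program, ip, port in observed:
        # Each observed address becomes a single-host network (/32 for IPv4).
        seen[program][port].add(ipaddress.ip_network(ip))
    rules = {}
    for program, ports in seen.items():
        # collapse_addresses merges exactly adjacent hosts into one range,
        # so the rule set gets shorter without allowing any unseen address.
        rules[program] = {
            port: list(ipaddress.collapse_addresses(nets))
            for port, nets in ports.items()
        }
    return rules

def is_allowed(rules, program, ip, port):
    """Default deny: allow only if the program has a rule for this IP and port."""
    addr = ipaddress.ip_address(ip)
    nets = rules.get(program, {}).get(port, [])
    return any(addr in net for net in nets)

if __name__ == "__main__":
    rules = build_rules(OBSERVED)
    for program, ports in rules.items():
        for port, nets in sorted(ports.items()):
            print(program, port, [str(n) for n in nets])
    # A hijacked updater calling an address it was never seen using is refused.
    print(is_allowed(rules, "updater.exe", "203.0.113.12", 443))
```

Update servers can change addresses over time, so a rule set built this way needs the observation step repeated when an update starts being blocked.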
Never mind, figured it out. Thanks.
No problem; glad I could help… ;D
LM