I am trying to set up some pre-defined policies so that I can assign applications as something other than “trusted” or “untrusted”. The first application that I would like to restrict is Windows svchost.exe. When I was a ZoneAlarm ISS user, I had this application set to “ask”, so that it needed to ask permission to access the internet. On start-up, I would get requests for svchost to act as server for localhost, and to make some local net connections to my all-in-one printer. I can list the IP and ports for that if it would be helpful. When I received these requests, I could click allow and I would not get any more alerts for those connections. For example, I would get a request for svchost to connect to 192.168.10.238:161, which is my printer. I would click “allow”, but not select the check box to use “allow” for all future requests. I would not get any more alerts for connections to 192.168.10.238:161 until I restarted, but I would get an alert if svchost wanted to connect to a different location.
I would like to configure rules to allow svchost to make the necessary local net connections, and to make both inbound and outbound connections to the time server. I would like svchost to have to request permission to make any other kind of outbound or inbound connection. I have tried a few things, but I obviously don’t understand how Comodo works well enough to do this, as my attempts have resulted in the loss of my internet connection or constant popups asking for access.
It might be worth your while taking a look through this thread to get a basic idea about how things work, as well as the kind of rules you’ll need for svchost. Once you have the foundation, we can look at any specific requirements.
Sorry it took forever to get back to this, I have been remodeling my office.
I have looked over a lot of the documentation for this and I think I more or less understand how it works.
Maybe it would be easier to start with something simpler, since svchost is used by many apps. What would I do to create a rule that would require IE to ask for permission to connect to the internet? I don’t use IE very often, so that would be a good one to start with.
I tried this by going to firewall > network security policies > add.
I set action=ask, TCP or UDP, in/out, any address, any port.
I moved the rule up to the top of the list. As far as I understand this, if I open IE, I should get a prompt to allow permission to connect. This does not happen, so it appears I have missed something. Do I need to do something with the global rules as well?
I am still not making progress with this. If I add IE to blocked applications, then it is blocked, but if I change the rule to “ask” instead of “block” then it still gets access. What exactly does “ask” mean if there is no popup requesting access? What am I missing here? Changing the alert level doesn’t seem to change anything. There must be some setting here that I am missing.
I switched from safe mode to custom and re-added the rule for IE to ask for permission to connect. I also unchecked the box for firewall > firewall behavior settings > do not show popup alerts. Now when I open IE, I get a popup requesting permission to connect. I am also getting popups for svchost, my other browsers, and the Java JRE. I will need to tune this so I am only getting popups for things I want to be alerted about. Why would it ask for permission for a browser to connect if there is not a special rule for the browser like I set up for IE?
So it looks like I want to leave the firewall set to safe mode, add a rule for IE, and then set it to show popups. If I use custom mode, I basically have to make a rule for every app, or group of apps. Is that right? Things seem to be behaving as I expect with IE now. I should probably make a rule for apps, like “ask_wan_access”, so I can set a whole bunch of apps to that setting.
I would like to set svchost so that it has LAN access, but needs to ask for WAN access. Is that easy to do?
Essentially yes. Using Custom Policy mode provides control over application requests for Internet/Network access. If you’re happy to allow ‘safe’ applications access without the need for intervention, then ‘Safe’ mode is probably a better choice.
As an aside, you can use safe mode in conjunction with the Firewall Behaviour setting ‘Create rules for safe applications’. If you don’t use this option, safe applications will be allowed access but no rules are created. Also, when using custom policy mode or ‘ask’, you can use the Alert Frequency slider - also found in Firewall Behaviour Settings - to increase the amount of detail used in rule creation.
Things seem to be behaving as I expect with IE now. I should probably make a rule for apps, like "ask_wan_access", so I can set a whole bunch of apps to that setting.
By default, when using safe mode, a safe application will have full access to both LAN and Internet. If you wish for more control, use Custom Policy mode.
I would like to set svchost so that it has LAN access, but needs to ask for WAN access. Is that easy to do?
There are already rules defined for svchost and some other system services. These are the defaults:
Windows System Applications
Windows Updater Applications
So you’ll want to take those into consideration when creating your own. With regard to giving system processes access to LAN resources, the easiest way to start is by using the Stealth Ports Wizard, with the first option:
If you feel you need similar rules for svchost, just recreate the two rules introduced, via the aforementioned method, for that process. Incidentally, if you’re considering using the Windows 7 Homegroup feature, you’ll probably need some additional rules for svchost and media networking.
This is not behaving as WYSIWYG as I was expecting, so I guess I don’t understand things quite right.
At the moment, I am in safe mode, with “do not show popup alerts” unchecked, and “create rules for safe applications” checked.
I have a Java-based program that I assigned to the pre-defined policy “blocked application”, which looks like it works as its name implies. Every time I open the application, I get a request for access?
The pre-defined rule was for the IP protocol, so I added another rule for TCP/UDP. This makes no difference and I still get a request every time I start the program. There is also a rule for Java, but that is lower down on the list. That rule allows access, but I get a request for Java as well when that starts. I don’t see the point of being able to create rules if they don’t change the behavior of the application.
Is this because I’m in safe mode and the app is overriding my rules with some pre-existing ones? When I switch to custom mode, there doesn’t seem to be any difference. My understanding is that for outbound connections, the application rules are consulted first, so it shouldn’t matter if there is some global rule that would allow access.
If I change to custom, can I set a rule to make all apps request access and then assign them to a group in the popup when they do. Selecting “treat as”, or “remember my answer” doesn’t seem to have any effect either, so I am just not getting this at the moment.
To make informed comments, we’d really need a little more detail about the ‘problem’ applications and your relevant rules. You can either post screenshots of your rules and log files, showing the problem applications or if you like, you can export your active configuration - CIS/More/Manage My Configurations - zip the file and attach it to a post via Additional options.
Can you also provide us with the download link for the Java app? I am not intimately familiar with Java but could you tell me under which Java executable it runs? It could be javaws.exe or so.
I am making some progress with this. I discovered that I had a rule for “executables” and a rule for “applications”; both rules were set to “ask” for access, and I didn’t see the exe rule above the other specific application rules I had created. This seems to be why I was getting a prompt for access even when I had created a specific rule.
The Java was just java.exe, which I think is just the JRE.
C:\Program Files\Java\jre6\bin\java.exe
After re-reading my earlier post, I think I was talking about a different Java app (a Marvin app), but it is now properly blocked once I removed the extra rule. I don’t think I can block java.exe and still use web applets and such.
I am still having a few issues. I get some popups from my browser asking for permission to connect to TCP port 443, which I think is SSL. I have a rule that allows the browser to connect via TCP to that port at any address, so I’m not sure why I’m getting the popup. I am also getting some requests by the browser to connect to DNS at 156.154.70.22. I thought that CIS used its own DNS at 8.26.56.26, so I made a rule for that. I’m not sure why there are these other connections.
I backed up my configuration since I restore from an image about once a month or so. The last time I restored, I imported the saved image, but none of my new rules were there. Is there something I am not understanding about how that is supposed to work. I can post the config file if you want, but I don’t know if it really has my configurations in it or not.
I have attached the .cfgx file in a zip as suggested. Let me know if it doesn’t look like it has the rules I have been describing.
I’ve had a quick look at your configuration - I’ll take a longer look later - however, there’s a couple of things you should consider straight away. You’ve configured the firewall to use custom policy mode and you’ve increased the Alert frequency. You’re also trying to use ‘Ask’ rules and have rules for safe applications automatically created. Unfortunately, these configuration options won’t work together the way you might think. As I mentioned in an earlier post above, you should use either Custom policy mode or safe mode.
One other thing to point out, one of your predefined policies - Trusted Application Ask WAN - has two rules, the first asks about IP the second about TCP or UDP. In CIS IP covers TCP and UDP so you don’t need both rules.
I am making some progress with this. I discovered that I had a rule for "executables" and a rule for "applications"; both rules were set to "ask" for access, and I didn't see the exe rule above the other specific application rules I had created. This seems to be why I was getting a prompt for access even when I had created a specific rule.
The Java was just java.exe, which I think is just the JRE.
C:\Program Files\Java\jre6\bin\java.exe
After re-reading my earlier post, I think I was talking about a different Java app (a Marvin app), but it is now properly blocked once I removed the extra rule. I don’t think I can block java.exe and still use web applets and such.
It’s quite possible for other Java modules to be involved in a connection and thus require individual rules. However, I did try the link above and only received an alert for java.exe. To be fair, I don’t use Java and so didn’t test the application further than the main page.
I am still having a few issues. I get some popups from my browser asking for permission to connect to TCP port 443, which I think is SSL. I have a rule that allows the browser to connect via TCP to that port at any address, so I'm not sure why I'm getting the popup.
As mentioned above, set your firewall settings to use either custom policy with elevated alert settings or safe mode with ‘Ask’ rules. Using both is likely to cause confusion.
I am also getting some requests by the browser to connect to DNS at 156.154.70.22. I thought that CIS used its own DNS at 8.26.56.26, so I made a rule for that. I'm not sure why there are these other connections.
Comodo currently uses two different DNS services: one hosted by UltraDNS, which uses 156.154.70.22, and their own beta service, which uses 8.26.56.26. Until the beta is ready, it’s recommended to use both of these.
I backed up my configuration since I restore from an image about once a month or so. The last time I restored, I imported the saved image, but none of my new rules were there. Is there something I am not understanding about how that is supposed to work. I can post the config file if you want, but I don't know if it really has my configurations in it or not.
Are you activating the profile once it’s been imported?
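The three rule-ordering points raised in this thread (a catch-all “executables” rule sitting above a specific browser rule and causing popups, an IP rule making a second TCP/UDP rule redundant, and a LAN-allow/WAN-ask policy for svchost) all come down to how a first-match, per-application rule list behaves. The following Python model is an added example, not Comodo’s code or the poster’s exported configuration: it reproduces that behaviour offline so you can check a rule order before typing it into the GUI. The executable paths, the “All Executables” group definition, UDP/123 for the time server, and the sample connections are assumptions constructed for the example; 192.168.10.238:161 and 8.26.56.26 are the addresses mentioned above.

```python
"""Toy first-match, per-application firewall rule model (added example).

Not Comodo's code or configuration: it only mimics the behaviour described in
the thread - application rules are evaluated top-down and the first match wins,
'IP' covers TCP and UDP, and an unmatched connection raises an alert (the
Custom Policy mode behaviour).  Paths, group definition and sample connections
are assumptions/constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample paths (assumptions, not taken from the poster's config).
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"


@dataclass(frozen=True)
class Rule:
    app: str                    # exe path, or a group name listed in GROUPS
    action: str                 # "allow", "block" or "ask"
    protocol: str = "IP"        # "IP" covers everything; "TCP or UDP"; "TCP"; "UDP"
    direction: str = "in/out"   # "in", "out" or "in/out"
    scope: str = "any"          # "any", "lan" (private/loopback ranges) or "wan"
    port: Optional[int] = None  # None = any port


# Assumed group definition: the poster's catch-all "executables" rule.
GROUPS = {"All Executables": lambda app: app.lower().endswith(".exe")}


def app_matches(rule_app: str, app: str) -> bool:
    if rule_app in GROUPS:
        return GROUPS[rule_app](app)
    return rule_app.lower() == app.lower()


def proto_covers(rule_proto: str, proto: str) -> bool:
    """'IP' covers all; 'TCP or UDP' covers TCP and UDP; otherwise exact match."""
    if rule_proto == "IP":
        return True
    if rule_proto == "TCP or UDP":
        return proto in ("TCP", "UDP", "TCP or UDP")
    return rule_proto == proto


def direction_covers(rule_dir: str, direction: str) -> bool:
    return rule_dir == "in/out" or rule_dir == direction


def scope_matches(scope: str, addr: str) -> bool:
    if scope == "any":
        return True
    is_lan = ip_address(addr).is_private   # RFC 1918 and loopback count as LAN
    return is_lan if scope == "lan" else not is_lan


def decide(rules: List[Rule], app: str, proto: str, direction: str,
           addr: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired); ("ask", None) if no rule matched."""
    for idx, r in enumerate(rules):
        if (app_matches(r.app, app) and proto_covers(r.protocol, proto)
                and direction_covers(r.direction, direction)
                and scope_matches(r.scope, addr)
                and (r.port is None or r.port == port)):
            return r.action, idx
    return "ask", None


def covers(a: Rule, b: Rule) -> bool:
    """True if every connection rule b could match is already matched by rule a."""
    return (a.app == b.app
            and proto_covers(a.protocol, b.protocol)
            and direction_covers(a.direction, b.direction)
            and (a.scope == "any" or a.scope == b.scope)
            and (a.port is None or a.port == b.port))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, b in enumerate(rules) if any(covers(a, b) for a in rules[:j])]


# 1. The symptom from the thread: a catch-all "ask" above a specific browser
#    "allow" still pops up for TCP/443, because the catch-all is hit first.
WRONG_ORDER = [Rule("All Executables", "ask"),
               Rule(IE, "allow", "TCP", "out", "any", 443)]
RIGHT_ORDER = list(reversed(WRONG_ORDER))

# 2. svchost: LAN allowed, time server allowed (UDP/123 is an assumption;
#    the thread only says "the time server"), everything else asks.
SVCHOST_POLICY = [Rule(SVCHOST, "allow", "IP", "in/out", "lan"),
                  Rule(SVCHOST, "allow", "UDP", "in/out", "wan", 123),
                  Rule(SVCHOST, "ask")]

# 3. The redundant pair in the "Trusted Application Ask WAN" policy: an IP
#    rule already covers a TCP-or-UDP rule with the same other fields.
REDUNDANT = [Rule("app.exe", "ask", "IP"), Rule("app.exe", "ask", "TCP or UDP")]

if __name__ == "__main__":
    print(decide(WRONG_ORDER, IE, "TCP", "out", "8.26.56.26", 443))          # ('ask', 0)
    print(decide(RIGHT_ORDER, IE, "TCP", "out", "8.26.56.26", 443))          # ('allow', 0)
    print(decide(SVCHOST_POLICY, SVCHOST, "UDP", "out", "192.168.10.238", 161))  # ('allow', 0)
    print(decide(SVCHOST_POLICY, SVCHOST, "UDP", "out", "8.26.56.26", 123))  # ('allow', 1)
    print(decide(SVCHOST_POLICY, SVCHOST, "TCP", "out", "8.26.56.26", 80))   # ('ask', 2)
    print(shadowed(REDUNDANT))                                               # [1]
```

Running `shadowed()` over a draft rule list is the quick check for the two mistakes above: a catch-all group rule placed first will report every later rule for a matching .exe as unreachable, and a TCP/UDP rule under an IP rule with the same fields shows up as index 1.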