Multiple entries for Application Control Rules

Hey Y’all, been using CPF now for a coupla weeks, went through having to uninstall/reinstall the latest update and all seems working great! Even went through two FW testers scoring a STEALTH on both! (:WIN) However, just don’t understand the duplicate entries on apps such as winamp, avant, and thunderbird. Some have 4 entries EACH. Others, like Quicken, have only 1. This old man may be dumb, but could someone explain this to me? :THNK

I know some users have stated that they have multiple duplicate/completely identical entries in the application monitor.

I have never seen this myself, and in most instances, have resolved the issue that the entries are not exactly identical. Frequently, the entries have a different Application - Parent relationship, or it relates to a different IP Protocol, a different Port, a different IP address, or some detail under the Miscellaneous tab (such as Invisible Connections).

If you have your Alert Frequency (Security/Advanced/Miscellaneous) set to High or Very High, you’re going to create a lot of “redundant” rules, because the details are minutely different. For example, you could have a rule to Allow abc.exe to connect to 69.123.246.27, and another rule for abc.exe to connect to 69.123.246.28. The rule looks the same, it’s even the same IP range; but the IP is different, and there you go.

If you would like, take a full-screen screenshot of your application rules and post them here; we’ll look thru 'em and tell you what appears to be going on. You can mask out IP addresses & any other personal/sensitive information before posting. You can post directly in the textbox by using an online hosting site (such as imageshack, photobucket, etc - with their generated code), or by attaching to your post under “Additional Options”.

LM

Checked the MISC tab and its set to “low”, so that is eliminated. Going to try and attach snapshot and see if there is a solution to this minor, but annoying problem.

[attachment deleted by admin]

On the surface, they do appear the same. However, there may be some additional information in the “Details” window at the bottom.

Go thru each of those items, and compare the details. Specifically, you’re looking for the Application to Parent relationship, and the version of the application (if it’s updated or changed in any way, you may get a new rule created).

It doesn’t look like your rules are IP or Port specific, so that’s probably not going to show, but look at the other two things I mentioned.

LM

Thanks Mac! Just got through viewing the “connections” tab and noticed it is constantly changing. On the Avant (browser) my TCP in/out are identical except at the end there are 4 numbers that are all different on each entry. Same for choicemail entry. Maybe I’m just making a fuss over nothing. Long as everything is running smooth w/no errors, will just leave it be. :slight_smile:

So, do the IP addresses in question look something like this?

123.45.67.89 : 1234

If so, those numbers following the “:” indicate the Port being used for the communication, which could be the cause of the repeated rules (ie, a different Port in each one). In your Application Monitor, if you see this same sort of thing in the rules, then that’s what it is. Be sure to look in the “Details” section for more info on each Application Monitor entry.

LM


Thanks for the PM, pjgiv, you have a lot of entries for Avant, that’s for sure!

Aside from that, I think the only other apparent duplicates were Acrobat Reader and Winamp. The issue there may be one of the associated Parent application. You might check the details section of the rule. I’m thinking with Acrobat, you may find one with Parent as your browser, another as explorer (if you’ve launched it from the desktop), another as itself (for updates), etc. Then winamp would likely be itself and explorer, is my guess. But check those two out.

As to Avant… ??? :THNK I don’t have an easy answer on that. As the next step, why don’t you do this:

Go thru the AppMonitor, for each Avant entry. Click the entry, and look at the details at the bottom of the monitor. Make a note of all the info there. Compare them for differences. Post back the results. We already know they’re all Allow Any Destination, Any Port, TCP/UDP In/Out, so the remaining options are:

Security, Connections, Invisible, Version, Path, Parent Path, Description.

LM
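The field-by-field comparison suggested in the post above, as an added example that is not part of the thread and not Comodo code: it groups rules that look the same in the list and reports which Details fields separate them, plus how many are exact copies. The dictionary layout, the field names and the sample entries are assumptions (entries transcribed by hand from the Application Monitor; the avant.exe and quicken.exe install paths are constructed).

```python
from collections import defaultdict

# Columns visible in the rule list; entries equal on all of these look like duplicates.
VISIBLE = ("application", "destination", "port", "protocol", "action")
# Fields from the Details pane, as listed in the post above (key names are hypothetical).
DETAILS = ("security", "connections", "invisible", "version", "path",
           "parent_path", "description")

def explain_duplicates(rules):
    """Return {visible_key: {"differing": {field: values}, "identical": n}}.

    n counts entries that are exact copies of an earlier entry in the group,
    i.e. duplicates that no Details field can explain.
    """
    groups = defaultdict(list)
    for rule in rules:
        groups[tuple(rule.get(f, "") for f in VISIBLE)].append(rule)
    report = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue  # a single rule is not a duplicate
        differing = {}
        for field in DETAILS:
            values = {m.get(field, "") for m in members}
            if len(values) > 1:
                differing[field] = sorted(values)
        seen, identical = set(), 0
        for m in members:
            fingerprint = tuple(m.get(f, "") for f in DETAILS)
            identical += fingerprint in seen
            seen.add(fingerprint)
        report[key] = {"differing": differing, "identical": identical}
    return report

def sample_rule(app, parent):
    # Constructed entry: Allow, Any destination, Any port, TCP/UDP In/Out.
    rule = dict.fromkeys(DETAILS, "")
    rule.update(application=app, destination="Any", port="Any",
                protocol="TCP/UDP In/Out", action="Allow",
                path="C:\\Program Files\\" + app, parent_path=parent)
    return rule

EXPLORER = "C:\\winnt\\explorer.exe"
SAMPLE = [sample_rule("avant.exe", p) for p in (
    EXPLORER, EXPLORER, EXPLORER,
    "C:\\Program Files\\H-Menu\\hmenu.exe",
    "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe")]
SAMPLE.append(sample_rule("quicken.exe", EXPLORER))

if __name__ == "__main__":
    for key, info in explain_duplicates(SAMPLE).items():
        print(key[0], info)
```

A non-zero `identical` count means some entries match on every field, which a different parent, IP or port cannot account for.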

Ok, did as you suggested and every entry except three were identical. The differences were in the Parent Path and were the last three. They pointed to C:\winnt\explorer.exe, C:\Program Files\H-Menu\hmenu.exe, and C:\Program Files\Mozilla Thunderbird\thunderbird.exe. Still don’t understand the cause of this. Wonder if an uninstall/reinstall would alleviate the problem?

The uninstall/reinstall would be my choice, at this point; something is obviously not the way it should be.

If you leave your AV installed, I’d definitely completely disable it prior to uninstalling the FW.

I’d run a registry cleaner after uninstalling the FW (after the mandatory reboot).

And lastly, if you leave the AV installed, you absolutely must completely disable it prior to re-installing the FW.

Choose Automatic for the installation settings (rather than Advanced).

Once you reboot after the re-install, I’d run the Scan for Known Applications immediately, turn on both options to Skip loopback connections (unless you’re using a dedicated proxy server, such as proxomitron), and make sure that the option for the Comodo safelist is checked (which it should be by default).

LM

Well Mac, printed out your instructions and followed them to the letter. After doing all the deeds, signed on internet, gave rule permission, and signed off. Went right back to see if it was going to ask me again and it did NOT! With all entries emptied out, looks like something is amiss. :SMLR Will be keeping an eye open to make sure it behaves. Thank you so much for the expert advice and a hearty BRAVO ZULU, that’s Navy talk for (:CLP) It didn’t even ask me for the license number it was already registered to me! How nice!

Good, I’m glad to hear it, pjgiv!

Yes, the license info is stored separately, so unless you wipe the harddrive, you should be good to go on any reinstall/upgrade of the firewall. And with version 2.4, it no longer does the activation key thing, so that makes it all just that much easier.

No problem with helping out, I’m glad I could offer assistance. I was always a “ground-pounder” rather than an “anchor-clanger”, so tnx for the BZ. ;D

If you would, post back and let me know if everything seems to be holding steady with the rules. If it looks good, I’ll mark the topic resolved for other users’ benefit.

LM

Sorry to say I spoke too soon. It is going nutso on every site (avant) asking for permission. As I type this, there are 5 entries for Avant. Think I’ll switch over to FireFox to see if it does the same thing. Wish I could have said “Fair Winds and Following Seas” on this problem. (:AGY)

Edit: I turned off Application Monitor and the popups ceased. Most of my logged applications are already approved, so think I’ll run in this mode a while…

Curses! Sorry that wigged out on you again. I did a quick search thru the forum to see if I could find any related Avant issues reported, and didn’t come up with anything.

Would you file a ticket with Support http://support.comodo.com/? They should be better equipped to help track this down (or may already know the solution). Be sure to provide them a link to this topic, and keep us updated on their response.

In the meantime, I’ll try to drum up some additional help from the other Moderators; they may have seen this before…

LM

You drummed?

https://forums.comodo.com/index.php/topic,6908.0.html. It’s not abnormal for a program to have multiple different parent executables. It just basically means the program was launched in different ways by different programs.

True, but we’ve been thru that already… all the entries were identical, except for three. So that’s not related to the parent issue, or even to an increased alert frequency, since there’s no related info such as IP address, Port, etc.

LM

If this isn’t a bug, then the only other suggestion is to scan for malware.