network security policy

My network security policy rules look like this 15 minutes after installing comodo firewall:

windows updater
consent.exe
avira webguard
firefox
mcupdate.exe
explorer.exe

Allow IP out from IP any to IP any where protocol is any

I don’t understand what ‘Allow IP out’ means? Shouldn’t it be ‘allow TCP/UDP/ICMP’?

Allow any IP addresses and any protocol?? Those are not sensible firewall rules in the normal sense; that seems to me like a ‘I completely trust this application and will let it do anything it wants’ kind of a rule. Shouldn’t there be a range of ports and specific protocols in these rules? I’ve had two software firewalls in the last ten years, and both totally advised against making this type of generic rule.

Plus I wasn’t prompted to allow/deny any of these programs or set up rules for them; these ‘complete trust’ rules outlined above were made automatically. I’m running in the default ‘safe’ and ‘clean PC’ modes.

What’s going on? I primarily want a software firewall to stop the trojans/worms that my AV misses from then being able to leak out. However, comodo’s default behaviour doesn’t seem like it’s going to stop anything? For instance, if a trojan uses firefox.exe to dial home, comodo looks like it is set up to just let it happen?

In Vista security centre, the windows firewall appears to be on. Does this mean that both are functioning independently, or that comodo is just ‘playing nicely’ with Vista but has really taken over from the windows firewall?

Cheers.

You can change the default behaviour and the details of generated rules using Alert Frequency Settings.

You can also define Pre-defined Firewall Policies and assign them to applications as soon as they attempt a connection.

Upon installation there is a warning to disable any 3rd-party firewall. This includes windows firewall too.

Thanks for your reply.

Should I delete the rules which have already been made, and manually create new ones?
Or is everything as it is supposed to be? E.g. what rule do you have for firefox?

1a)
Suppose I did allow this generic ‘do anything you want’ rule for firefox, and a trojan tried to use firefox.exe to contact home; would comodo realise that firefox was being manipulated? In other words, are the generic port rules good enough, because comodo emphasises monitoring the components and executables rather than allowing/blocking traffic through the ports?

For clarity, should I have the windows firewall switched off, so the security centre displays a red warning that the system is not protected? Or should I leave it on so that the security centre is green and states that both windows firewall and comodo report that they’re both switched on?

Thanks

You could assign the Web browser predefined policy or create another custom policy to apply a more restrictive ruleset.

You can also delete those ‘Allow IP out from IP any to IP any where protocol is any’ rules and CFP will ask you again.

The standard settings are only meant to control what app is allowed to connect and what app can act as a server for incoming connections.
This alone grants a certain degree of security, but it’s obviously no match for the details that can be enforced using Full alert frequency settings.

The Defense+ HIPS component and the SafeSurf toolbar are able to prevent application hijacking in the first instance, showing specific alerts.

If the security center displays a red shield or a similar warning, I guess it’s a frequent windows bug that is related to the WBEM repository.

I’m going to take from your answers that the default, generic rule of ‘do anything you want’ is safe enough, even though the other software firewalls I’ve had/tested make very specific rules for specific applications. I’m trusting here that comodo will catch any executable which tries to connect to the internet by manipulating an already trusted program.

Lastly, on disabling windows firewall, it is only the firewall settings page which displays the red badge and states the system is unprotected. Having returned to the security centre, it remains green and states that comodo is enabled. I’m sure that didn’t happen the first time I disabled windows firewall, but it is certainly the case now.

Thanks for your help.
I have questions about ‘pending files’, for which I’ll start another thread.

If you raise the alert level to high, the generated rule will have info about protocol, direction and destination port. There is no need for you to stick with the defaults, although I would suggest not raising the alert level to very high for an extended timespan, since this will trigger an alert for each single IP you are going to connect to.

If this still happens after a reboot you could try to create a System Restore point and rebuild your WBEM repository. Although I tested this only on XP, the last link I posted mentions it as a solution for Vista machines too.
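The difference the replies above are getting at (the default ‘Allow IP out … any … any’ rule versus a per-application rule that carries protocol, direction and destination port, as the Web browser policy or a higher alert level would produce) can be shown with a small policy evaluator. This is an added illustration written for this thread, not Comodo’s code; the Rule/Connection format, the rule contents and the sample connections are all made up for the example. First matching rule wins, and no match means the firewall would alert (‘ask’), which is what happens after deleting a generated rule.

```python
"""Toy per-application firewall policy evaluator (added illustration,
not Comodo's code). Rule format, policies and sample connections are
invented for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "block"
    direction: str           # "out" or "in"
    protocol: Optional[str]  # "tcp", "udp", "icmp", or None for any protocol
    dst_port: Optional[int]  # None for any port (also used for ICMP)


@dataclass(frozen=True)
class Connection:
    app: str
    direction: str
    protocol: str
    dst_ip: str
    dst_port: Optional[int]


# The rule the thread describes: "Allow IP out from IP any to IP any
# where protocol is any". It only says *this app may talk out*.
DEFAULT_TRUST: List[Rule] = [Rule("allow", "out", None, None)]

# A restrictive browser policy of the kind a higher alert level would
# generate: HTTP/HTTPS over TCP, DNS over UDP, everything else blocked.
# (Constructed for the example; not Comodo's actual predefined policy.)
WEB_BROWSER: List[Rule] = [
    Rule("allow", "out", "tcp", 80),
    Rule("allow", "out", "tcp", 443),
    Rule("allow", "out", "udp", 53),
    Rule("block", "out", None, None),
]


def matches(rule: Rule, conn: Connection) -> bool:
    """A rule field of None is a wildcard; everything else must match exactly."""
    if rule.direction != conn.direction:
        return False
    if rule.protocol is not None and rule.protocol != conn.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != conn.dst_port:
        return False
    return True


def evaluate(policy: List[Rule], conn: Connection) -> str:
    """First matching rule decides; with no match the firewall would alert."""
    for rule in policy:
        if matches(rule, conn):
            return rule.action
    return "ask"


def compare(conn: Connection) -> Dict[str, str]:
    """Decision for the same connection under both policies."""
    return {
        "default_trust": evaluate(DEFAULT_TRUST, conn),
        "web_browser": evaluate(WEB_BROWSER, conn),
    }


# Constructed sample traffic, all attributed to firefox.exe.
NORMAL_HTTPS = Connection("firefox.exe", "out", "tcp", "203.0.113.10", 443)
DNS_LOOKUP = Connection("firefox.exe", "out", "udp", "192.0.2.53", 53)
# A trojan driving firefox.exe to "dial home" on a non-web port.
HIJACKED_DIAL_HOME = Connection("firefox.exe", "out", "tcp", "198.51.100.7", 6667)
# Something trying to reach the browser from outside: neither policy
# has an inbound rule, so the firewall would alert either way.
INBOUND_PROBE = Connection("firefox.exe", "in", "tcp", "198.51.100.9", 4444)


if __name__ == "__main__":
    for name, conn in [("normal https", NORMAL_HTTPS), ("dns", DNS_LOOKUP),
                       ("hijacked dial-home", HIJACKED_DIAL_HOME),
                       ("inbound probe", INBOUND_PROBE)]:
        print(f"{name:20} {compare(conn)}")
```

Run it and the hijacked connection on TCP 6667 is allowed by the generic rule but blocked by the browser policy; the generic rule does nothing more than say which application may connect out, which is the point made about the standard settings above. Catching the hijack itself (something else driving firefox.exe) is the job of Defense+, not of the port rules.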