Newbie with lots of questions

Man, I feel like I got in way over my head going with Comodo Firewall Pro. I’m a grandpa and not an expert with computers. I am willing to learn, but I’m going to need some very helpful and patient folks in this forum to help.

Here’s my story and where I’m at with CFP. I bought a home pc about two years ago: Lenovo desktop running Windows XP Pro SP2. Currently I have Eset Nod32, Spybot, and SUPERantispyware (the last two are freeware) protecting my system. A month ago grandma (my wife of 33 years) visited a website about how to play some game she downloaded and the bottom line is our pc got infected with some nasty malware. Major Geeks was wonderful helping us clean our pc. At that time, we only had Nod32 installed. During the disinfecting process, we loaded Spybot and SUPERantispyware.

I’ve been reading about the importance of also having a good firewall (up to now I’ve only been using Windows firewall), and Comodo Firewall Pro was the product everyone seemed to highly regard, so I downloaded it two days ago.

If you are a person who is moderately or highly familiar with the workings of a computer, I suspect you can adapt fairly quickly to the Comodo product. But, to be honest, for someone like me who is probably somewhere between a novice and intermediary, the CFP is very confusing. I spent time the last two days reading different threads in this forum…including the tutorials, faq’s, and lots of other postings…to try to educate myself, but much of the terminology is way over my head. The more I read, the more confused I get. I’m wondering if I made a poor decision…not because CFP is a poor performer, but rather because it may be too difficult of a product for a computer novice/intermediary to learn.

Here are some initial questions. Please feel free to be honest.

1) Based on my skill level, do you think I should uninstall CFP and possibly pursue an alternate product that may not be the “superman” of firewalls, but still reasonably effective and simpler to understand?

2) My CFP firewall security setting is “Train with Safe Mode” and the D+ level is “Clean PC Mode”. Thankfully, I’m not seeing as many pop-ups and alerts as I did the first day or so. But I do keep getting a Firewall Alert (orange color banner) that says the following and I don’t know how to respond:

"System is trying to receive a connection from the internet. What would you like to do?
Application: System
Remote: 192.168.200.249 - TCP
Port: nbsess (139)

Security Considerations
System is a safe application. However, you are about to receive a connection from another computer. If you are not sure about what to do, you should block this request."

I read that if I clicked on the application showing up (System) that a pop-up would show more detail about it. But, I tried that and nothing appeared. So, the bottom line is I’ve either been blocking this request or not doing anything…in which case the message disappears after a couple of minutes.

Does anyone have a clue what this Firewall Alert means?

3) If I don’t respond to a Firewall Alert message or D+ Alert message, then what action occurs when the messages disappear after a couple of minutes? Does CFP interpret no response from me as a “Block this request” response…or does CFP “Allow this request” if I don’t respond?

4) I’ve got 82 files in My Pending files. Reading the instructions, I’m supposed to take specific actions on them (Add, Remove, Purge, etc.) but I have absolutely no clue what they are and what they do. Are they safe? I have no idea. Suggestions?

I apologize for the lengthy post and for sounding like an ignoramus. To be honest, the above 4 questions are just the tip of the iceberg, but I figured I had to start somewhere. I welcome your thoughts, opinions, and guidance.

How can you have made a bad decision when Comodo is free? The firewall alert for system is part of Windows so you can allow it. If your pc is completely clean and I mean clean your settings are fine. I also use NOD32 in real time mode and SAS and Spybot only on demand. You might also want to start using Firefox if you don’t already. As far as pending files it can be a pain but it helps when and if you get infected. Just lookup, purge and remove. If you do not want pending files then move the slider of D+ to train with safe mode. Comodo has a great help file system by just clicking on “What do these settings do”. If you still find Comodo a little overwhelming you can always use a more user friendly firewall like Zone Alarm Pro. But that comes at a $50 cost. No anti virus or firewall is 100% bullet proof. If you downloaded it and installed something without knowing what it really was then user beware. You need to respond to D+ alerts and firewall alerts or else Comodo will not learn. All firewalls go through a learning process. Alternatively you can put the firewall in training mode and D+ in training mode. Leave those settings there for about a week or so then put them back to where you had them. That should allow Comodo to learn all your programs on your pc. Now keep in mind the next time you install something that you do not know what it is. First scan it for viruses by right clicking on the file you downloaded.

Vettetech:

Thanks for your response. My comment about wondering if I made a bad decision wasn’t intended as a criticism of CFP’s effectiveness or a disregard of the fact that it is a quality freeware product. But for someone at my skill level, it’s not an easy program to understand. Hopefully, with your help and others, I’ll hang in there with it and obtain at least a working knowledge of it.

I’ve broken out some of your comments below to ask some follow-up questions (yours is italicized and mine is in bold).

(1) “The firewall alert for system is part of Windows so you can allow it.”
As I was reading your above answer, another one of those same Firewall Alerts popped up, so I selected “Allow this request” and “Remember my answer”. Is that correct? (I read “How should I answer” but I’m still unsure when I should click “Treat this application as” versus selecting “Allow this request”.)

(2) "If your pc is completely clean and I mean clean your settings are fine."
Boy, I hope this pc is clean…after all we went through with the malware a few weeks ago. I can tell you that we caught a.doginhispen and b.skitodayplease in very early February. As mentioned, we worked with Major Geeks to clean it. About a week into that process, it appeared that Eset added that malware to the Nod32 definitions because we started getting lots of quarantine notification messages. Since then, I’ve been paranoid, scanning almost daily with Nod32, Spybot, and SUPERantispyware (and of course, CFP when it was loaded) and nothing is being detected and all the symptoms we were experiencing with the malware appear to be gone.

(3) "As far as pending files it can be a pain but it helps when and if you get infected. Just lookup, purge and remove. If you do not want pending files then move the slider of D+ to train with safe mode."
I have been clicking on and reading the narrative in “What do these settings do” in order to try to understand My Pending Files, but I’m having difficulty. Sorry. I hope you can understand when you don’t have a lot of experience with computers, the language and instructions here aren’t always easy to figure out. For instance, they tell me to “Assess the pending files to determine whether or not they are to be trusted”. I’d love to assess the pending files if I knew how to. As you noted, maybe another option is for me to put the firewall and D+ in training mode. Not sure what that will mean…but willing to give it a try.

Well you should have good knowledge of what’s installed on your pc and what programs are what. I have at least 200 programs installed on my pc so when I have pending files I already know what they are. What it means by assess is look through them and see if you know yourself what they are and can clear them out. Please by all means just don’t get click happy. You need to know what you’re saying allow to. Read all lines. If you still have malware on your pc then you’re letting it out without even knowing cause you’re clicking allow.

"Well you should have good knowledge of what’s installed on your pc and what programs are what."
I know what’s installed on my computer. Here’s an example of one of the entries in the My Pending Files listing:
c:\windows\software distribution\download(a bunch of numbers and letters)\sp2qfe\occache.dll
How can I tell from that description whether I can trust it? Or what program it is? Most of the 82 entries in My Pending Files look like that.

Just before sending this most recent post, I clicked on Purge in My Pending Files and the popup box said it identified most of these files as “not valid” and it gives me the option to remove them from the list. Am I correct in assuming for some reason they were on my system, now they aren’t, and it’s okay for me to respond with a “yes”?

Thanks for your help.

Yes Ok is good.

Hi doodler, can I just make a few suggestions which hopefully will help.

If you receive a Firewall alert saying xxx is trying to receive a connection from the internet you should BLOCK it unless you know what it is. If your computer has not initiated a response from somewhere then look into it.
Have you run the “Stealth Ports Wizard” function in V3 yet?
This will set up some Global Rules for you which has a Block and Log rule at the bottom (if you choose the bottom option).
Have a look in Firewall/Advanced/Application Rules where you will find a list of all the applications that you have allowed internet access and set up rules for. Here you can edit these to “ask” with a pop-up before they can connect out.
If you do not click on a pop up alert then this will be taken as a “Block”.

You will soon get the hang of things, I’m no expert but will help in any way I can.

Matty

PS take a look at Toggoe piece on disabling NetBios in the FAQ section as this concerns port 139

https://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/how_to_disable_netbios_on_the_internet_adapter_for_windows_2000xp2003-t14469.0.html

Riggers, Vettetech:

Thanks to both of you for your input. Riggers…I appreciate the note of encouragement.

I think I have crossed my first hurdle by clearing out all 82 of My Pending Files. As I mentioned, I clicked on Purge and CFP identified 80 of them as not being valid. So based on Vettetech’s response, I gave the ok to clear them out. I looked up the remaining two files; they were identified as being Safe (Microsoft and SUPERantispyware related), so those were added to my safe listing.

If I may, I’d like to pursue some clarification on a few things mentioned in an earlier post and I’ve indicated my questions in bold below.

Riggers, since the original install a couple of days ago, I have received a Firewall Alert and two or three D+ Alerts. As mentioned below, the Firewall Alert kept referring to the application “System”. Vettetech’s advice was that this alert was a part of Windows and okay to accept. So, I clicked “Allow this request” and “Remember my answer”. Are you saying I should have blocked this or am I okay with what I did for this specific alert?

Regarding the D+ alerts, they all occurred when I clicked on ThinkVantage update, which is a system update tool for my Lenovo desktop. It connects with Lenovo’s website and scans my system to see all critical updates are current. It turns out I didn’t need any new critical updates, but CFP didn’t seem to like what was happening because the D+ Alerts were the red (severe) ones. Nonetheless, I figured these were safe ones and so I also clicked “Allow this request” and “Remember my answer”. Please let me know if this was okay or if I bungled something.

My Firewall setting remains at “Train with Safe Mode” and the D+ level is “Clean PC Mode”. These were the defaults and I’m assuming they are okay for now.

Riggers, I’ll take a look at the “Stealth Ports Wizard” and the other features you mention. It may not be until later tonight or tomorrow for me to check back into this forum. Thanks for your help! I’m sure I’ll have more questions.

I’m not networked to other pc’s and I don’t run file sharing programs. So, if I’m understanding your comment correctly, it sounds like you are recommending that I select the last option “Block all incoming connections - stealth my ports to everyone”. Question: If I do that, will it mean I won’t automatically receive notification information from Windows, Nod32, CCleaner, etc. about available updates? Examples: Currently I have my Windows update set to automatically tell me when updates are available but not to download or install them. I have my anti-virus (Nod32) settings to automatically download/install the newest virus scan files (I don’t do anything…I just see a popup box once or twice a day telling me it’s installing the latest virus signatures). And I have my CCleaner set to tell me when a new update is available. So, in summary, there are some incoming connections that I think I want my computer to continue to automatically handle such as those mentioned above. Does your selection (Block all incoming connections - stealth my ports to everyone) accommodate this or is there a better option given my preferences?

I appreciate everyone’s help.

Do not worry doodler, if your application makes a connection to ask for an update it has initiated the connection and therefore will be waiting for a response i.e. updated vdf or no update available.

Matty
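The point in the post above, that a reply to a connection your own program opened is let in while an unsolicited incoming connection is dropped, is how a stateful firewall behaves. The sketch below is an added illustration, not part of the thread and not Comodo's code: the class, the packet fields and every address except the 192.168.200.249 seen in the alert are constructed for the example.

```python
from collections import namedtuple

# direction: "out" leaves this PC, "in" arrives at it.
# new_connection: True only for the packet that opens a connection.
Packet = namedtuple("Packet", "direction local remote new_connection")

class StatefulFirewall:
    """Simplified model of 'allow outgoing, block and log unsolicited incoming'."""

    def __init__(self):
        self.opened_by_us = set()  # (local, remote) pairs this PC initiated
        self.blocked_log = []      # packets dropped by the block-and-log rule

    def decide(self, pkt):
        key = (pkt.local, pkt.remote)
        if pkt.direction == "out":
            if pkt.new_connection:
                self.opened_by_us.add(key)  # remember so replies can return
            return "allow"
        # Incoming: allowed only as a reply on a connection we opened.
        if key in self.opened_by_us and not pkt.new_connection:
            return "allow"
        self.blocked_log.append(pkt)
        return "block"

PC = "192.168.200.10"         # constructed address for the home PC
UPDATE_SERVER = "203.0.113.5"  # constructed (documentation range) update server

def run_sample():
    """Replay four constructed packets; return the decisions and the block log."""
    fw = StatefulFirewall()
    traffic = [
        # Antivirus on the PC asks its server whether an update exists.
        Packet("out", (PC, 1050), (UPDATE_SERVER, 80), True),
        # The server's answer comes back on the same connection.
        Packet("in", (PC, 1050), (UPDATE_SERVER, 80), False),
        # Another machine tries to open NetBIOS session port 139 (the alert).
        Packet("in", (PC, 139), ("192.168.200.249", 1045), True),
        # Incoming data that matches no connection the PC opened.
        Packet("in", (PC, 1051), (UPDATE_SERVER, 80), False),
    ]
    return [fw.decide(p) for p in traffic], fw.blocked_log

if __name__ == "__main__":
    decisions, blocked = run_sample()
    for d in decisions:
        print(d)
    print("logged blocks:", len(blocked))
```

The update check and its answer pass, while the port 139 attempt and the stray incoming packet land in the block log.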

Good information, Byakuya. And continued thanks to riggers and others for their input. Please keep them coming!

To summarize two basic things I’ve learned so far:
A) When dealing with My Pending Files, it’s a good idea to select Purge first to determine which entries are valid or not.
B) Whenever downloading an application or program, first click CFP’s Installation mode.

I do have two follow-up questions:

  1. Am I correct in understanding (from Byakuya’s post) that setting the firewall setting via the Stealth Ports Wizard to “Block all incoming connections - stealth my ports to everyone” means that if an external system is trying to connect with my pc, it will be stopped…but if an application or program on my pc wants to call out (such as Nod32), it isn’t stopped?
  2. Several people in this thread have confirmed that the “application - System” alert I was getting is a legitimate and important Windows process. So, if I change the setting to “Block all incoming connections - stealth my ports to everyone”, won’t that keep this important Windows process from occurring?

Install mode is for when you’re installing something. Not for when you’re downloading something. (B)

Vettetech…

In the My Pending Files listing:
c:\windows\software distribution\download(a bunch of numbers and letters)\sp2qfe\occache.dll

I noticed dozens of these files (mentioned earlier) in my pending files this morning, are they Windows updates or some other program?

Thanks,

Mike.

Never actually seen those pending files but just purge them. Then submit them. Then remove them.

In the My Pending Files listing; dozens of new files:
c:\windows\software distribution\download\etc, etc.

Just Googled them and found that they are simply Windows Update Files. So safe we assume. :wink:

Thought I’d mention it before someone else wondered what they are. :slight_smile:

Mike.

LOL. Microsoft do something right. NOT. There are usually always left over files from when you use Windows Updates.

Strangely enough they are not still in the Windows directory (there are only 4 left there) so Defense+ must have picked them up when they were being downloaded, but didn’t recognise the fact that Windows system had cleared them up.

So Windows must have done its job; amazed. :o

Mike.

All,

Just a quick update to let you know that, thanks to your help, I think I’ve gotten out of the starting gate with CFP. I’ve followed advice here, including setting the Stealth Ports Wizard to “Block all incoming connections - stealth my ports to everyone” and cleaning out My Pending Files.

Admittedly, there’s considerable terminology in CFP’s Help section that I’m not too familiar with yet since I’m not a power user. But I plan to spend time reviewing and studying it and hopefully make progress. My goal is to figure out what an “average” pc user needs to know and pursue that. (I figure once I get that down pat, I can build on it as needed.)

I’ll probably have more questions along the way, but I’ll try to make them more specific if I post them either in this thread or another one.

Again, thanks for your patience and guidance. It’s generous of everyone to share their knowledge and opinions.

I tested the above by changing CCleaner’s application rule to “ask”, but no Firewall Alert appeared when I opened CCleaner and clicked on “Check for updates”. It took me straight to CCleaner’s web site. My understanding of Riggers’ message is that I should have gotten a Firewall Alert. Can anyone explain?

Thanks Byakuya.

I’m in curiosity mode right now…

  1. I scouted around for the “vendor list thingy” (see above in red), but I’m still new to CFP3 and couldn’t find it. Can you give me some guidance?

  2. Is there a good rule of thumb to follow when deciding to click “Allow this request…remember my answer” versus clicking “Treat this application as…trusted application… remember my answer”?

  3. It’s my understanding the Global Rules settings in the Network Security Policy tab should change to reflect the radio button selected in the Stealth Port Wizard. In an earlier post in this thread you recommended I use the Stealth Port Wizard to select Block all incoming connections - stealth my ports to everyone. I did that…but the Global Rules settings did not change to reflect that new Stealth Port Wizard selection. Any ideas why?