Parent Control / Csrss.exe / Outbound Protection

My problem:

I’ve been using Comodo Firewall since early v2.x and currently have CIS 3.5 installed. One thing still missing to me from v3 on is a satisfying Parent Application Control. I’ve searched this forum for ages, but never found a solution. So please correct me if the following statements are false and feel free to help me.

As far as I know/understand this functionality needs Defense+ to be enabled although it should guarantee outbound protection as a typical firewall task. In fact, you don’t have sufficient outbound protection without Defense+ enabled.

A typical example for me:

I click a weblink in Outlook Express. So Outlook Express is trying to use/run the default browser.

  1. Without Defense+ it is allowed to “use” (by executing or sending “Windows Messages” to) i.e. Firefox, and I can’t control whatever content is sent to the URL-bar. Therefore, although I don’t like the whole bunch of screens showing up, I have Defense+ enabled and created some rules.

  2. With Defense+ enabled I recognized that Outlook tries to send “Windows Messages” to Firefox by using “CSRSS.exe”. To gain control over those “Windows Messages” I had to add “CSRSS.exe” to “Blocked Applications” under “Windows Messages”. Now I recognized that Outlook Express is trying to EXECUTE Firefox. Now that Firefox is allowed to access the whole internet, this is important to me and I may decide to allow or block it. As I want to decide on a per-case basis, this doesn’t bother me.

  3. So No. 2 would be fine for me. BUT: It regularly takes 5 to 10 seconds before the pop up (“Outlook Express is trying to execute Firefox”) shows up. And during that period the window of Outlook Express freezes. And as Outlook Express is just an example, I have quite a few freezes.

So my questions:

  1. Does anybody know a better way to gain (parent) outbound control?

  2. How can I reduce/avoid the freeze period described above?

I hate it when an application is able to (ab)use another application, which is configured for outbound access. It doesn’t matter to me, whether a (parent) application accesses the internet directly or indirectly - by using a trusted application. For me this is a typical firewall task, nowadays requiring Defense+.

Thanks for any help or advice!

You are correct! CIS and all firewalls that pass leak tests (outbound tests) have a HIPS of some sort.
You lose protection if you disable D+, but it will still be an okay firewall. :-TU

The HIPS is there to spot tries to inject code into other applications.
A method sometimes used by trojans and such to connect unnoticed.
It’s technically very difficult to make a firewall that’s strong against leaks without HIPS.
Since the program connecting is still the same.

As for the freezing, are your rules cluttered (do you have very many)? ???
Maybe removing some of them would speed things up.

A silly workaround I know… A real fix may be included in the new beta 3.8 that is to be released in about 6 days. It’s lower on memory and includes some/many bugfixes. Hopefully it will fix the freezing you experience. :slight_smile: :slight_smile:

If it’s not fixed and you know what’s causing it or can give a description, feel free to submit it as a bug.

I agree with your opinion, but they are good for us to protect the computer. But we should make the policy before the application runs; only then can we reduce the pop ups that show up.
It’s my opinion, I don’t know if it’s right. Thank you.

Thanks for the first replies!

Just to clarify my issue in some points:

  1. I doubt that all Comodo users realize that Defense+ is absolutely necessary to reach a minimum of outbound protection. Defense+ does not only affect what’s going on your computer but also what’s going out of your computer (given the case you have an application configured for outbound access, i.e. your browser).

  2. I don’t mind some pop ups, because I often want to decide on a per-case basis. But I don’t like scenarios when Firefox is used to spread content to the internet without permission.

  3. I don’t understand (and like) the time it takes to process before the pop up reaches the screen. There seems to be some kind of BACKGROUND LOOP:

a) Application is trying to send Windows Messages via CSRSS.EXE
b) → failing, because of blocking rule
c) → application becomes frustrated and is thinking what to do now :slight_smile:
d) → tries to directly run the other application [with parameters ??]
e) → finally pop up shows up requiring user action

The most annoying thing is the freeze during that period.

P.S.: I’m not scared of Trojans. And there may be enough malware causing leaking of data. But what about normal applications? I just want to protect my privacy against the web. But without Defense+ you simply can’t control your outbound traffic. This is a BASIC feature of a firewall that I have relied on since early ZoneAlarm.