pending files

Firefox updated today to v3.3, about twenty minutes after I installed comodo.
Now I have 29 ‘modified’ files, all firefox related, in the ‘my pending files’ section.

They are mostly dll files, with firefox.exe itself plus helper.exe, updater.exe and crashReporter.exe

What am I supposed to do with them?
The options appear to be ‘remove’, or ‘move to my own safe files’?

I assume that if I click remove, I am deeming them safe and they are removed from the list, however next time firefox updates they will end up back in the pending section? And I assume that if I move them to ‘my own safe files’ I’m telling comodo to disregard any future changes to these files (bad, because a trojan or worm could modify them)?

Thanks.

If you remove them CFP will consider them trusted.

My pending list autofilling was enabled for all CFP D+ modes but it is now limited only to cleanpc mode.

You can use the purge button to remove the file paths for deleted files, then you can use the Lookup button to check Comodo's central DB to see if any of those files was recently analyzed and is considered trusted. Any unknown (to Comodo) files will be automatically submitted for analysis, although you can disable this feature.

As soon as a file is listed in My Pending Files, cleanpc mode will not learn that app anymore. This means that you'll get an alert for each new action that app attempts until you remove it from the pending file list.

You can also use the pending list to check what files were modified.

The move to safelist (using the move to button) function is only meaningful if you are going to use D+ Safe or Paranoid modes.

Thanks for your reply.

Sorry, to clarify:

remove = ‘this file is safe, but alert me when it gets modified again’
move to safe list = ‘this file is very safe, and so don’t alert me if it is modified in future’

?

Remove just removes the file from whatever list it is in (you will get some Defence+ alerts for it).
If put in "My Safe Files" it will be given "Trusted" status by Defence+ (in other words it will have exactly the same policy as a "Trusted Application", which is to allow everything except "Run an executable", which is Ask).

Regards,
Matty

Using D+ cleanpc mode you will only receive alerts for new actions that weren't previously learned, as soon as an app is added to the pending list.
D+ catches app changes made by untrusted apps in real time, and the "app has been changed" alert that was featured in CFP2 has been removed.

Nope. I still don’t get it.

Firefox was on my computer when I installed comodo.
Avira was on my computer when I installed comodo.
Comodo has been set in cleanPC mode since I installed it.

Firefox updated itself.
29 firefox files were listed as pending.

Avira has just updated itself, as it does every two hours.
16 more files are now listed as pending.

If files are legitimately modified when software is updated, I want to tell comodo that the modified files are OK. But I also don't want a list of thousands of updated files to build up in 'my own safe files'; that would be insane.

So do I ‘remove’ these updated files from the list, or do I have to add them to ‘my own safe files’? I still don’t understand what the hell comodo is trying to actually do with these files:

Yes they’re modified.
Yes I know about it - I instigated the update, for God's sake.
Yes I want you to watch the 'new' files in case a virus modifies them in the future.

How do I tell comodo this??

During software updates, my old firewall simply told me that a file (firefox.exe) had been modified, and asked if I knew about it and wanted to update the ‘signature’ for this file. Doesn’t comodo do the same type of thing?

This is getting frustrating. My last firewall was vastly more complex and powerful than comodo, yet it was a ■■■■ sight easier and quicker to get it working and configured, and I didn’t have to post to any forums to do it either.

Thanks for your responses so far.

You can either switch D+ to Safe mode (this will prevent the automated pending list refill) or use CleanPC mode and purge the pending file list after you have used the lookup function to check if the changed files are considered trusted.

If you trust those files you can remove them on the spot.

If you don't trust them you can leave them there and you'll be warned as soon as these apps attempt something different from what you previously allowed (even implicitly, by clearing the pending list in Cleanpc mode).

The cleanpc mode was designed to train D+ soon after installation in order to have all existing apps automatically learned.

Nope. When an untrusted app modifies a file you'll be warned immediately, so you'll never be asked to reconfirm an existing policy because the app has been changed.
If you use custom policies each app will be allowed to do only specific actions.

When an untrusted app modifies a file you'll be warned immediately, so you'll never be asked to reconfirm an existing policy because the app has been changed.

Apart from not understanding the ‘pending’ feature, I now don’t understand this statement.

Viruses and worms WORK by modifying apps.
It is no good to state once, in Oct 2008, that firefox.exe is trusted, give it a policy and then it is never checked again. Because in November it could be modified by a worm and used to phone home. If a modified firefox.exe tries to access the internet, I ■■■■ well want to know about it, even if I previously gave firefox.exe a policy!

D+ traps file access in real time. If Firefox attempts to modify a specific protected file you'll get an alert. If you mark that action to be remembered you won't get an alert if Firefox attempts to modify that file again.

The same goes if you assign a trusted policy to an app or set a default allow action for protected file access of an app policy.

The best way to understand the pending file and cleanPC mode feature is to actually try it and observe the differences.

If you choose an app without a policy and add it to the pending file list you can launch that app and see what happens.
You can then remove that app from the pending list and remove the generated policy from Defense+ Tasks > Advanced - Computer Security Policy and launch that app again.

The difference in behaviour is what I failed to explain.

Thank you for your patience.

The cleanpc mode was designed to train D+ soon after installation in order to have all existing apps automatically learned.

Yes, I understand the concept. But not the execution.

OK, even though the help file suggests not to, I gave the Avira updater the ‘installer/updater’ profile instead of ‘custom’, and it appears now that the avira files that are updated every hour are NOT added to the pending list. That was the behaviour I was looking for.

It occurs to me that 'cleanPC' mode is NOT a good mode for a new pc, so I'm now using 'safe mode' instead.

IMO, it is silly to use cleanPC on a new PC because you are just about to add all your software! All you'll end up with is a 'my own files' whitelist with thousands of files in it! The better time to switch to cleanPC is when you've finished installing all your software, and want comodo to learn its behaviour without prompting, but want to be prompted about all new executables that you haven't actively installed yourself.

I still don’t know what ‘remove’ does to pending files. There are also other issues, like why all programs with a security policy have ‘no’ set in the protection settings by default; surely you want your safe programs to be protected against injection and modification??

But to be honest I no longer care. This program is a mess. Firewalls are notorious for being difficult to set-up, but I have never had to spend an entire day doing it and still have no idea how this program is actually protecting my computer!! It’s insane! Outpost has thousands more configuration settings than comodo, yet I had it set-up and working in about three hours, and more importantly I knew exactly what it was doing and why, and how it was protecting my computer.

Thanks so much for your patience and help yesterday, but I’m still at a loss. I’ll leave comodo running for a day or two and see what happens, but I suspect that it will be uninstalled if I can’t work out how it is actually protecting my computer.

I’m sorry to hear that.
Maybe other members will be able to clear your doubts.

D+ safe mode acts more like a standard HIPS but it could generate more alerts.

If possible always submit newly installed programs to Comodo, as this should be able to update the whitelist, adding new trusted executables, and let CFP learn trusted applications without alerts.

Maybe other members will be able to clear your doubts.

I don’t have doubts over its ability - it is in the top two software firewalls regarding leak-protection.
But if you don't understand your security program, then you are better off not having one at all…

The biggest danger is thinking you’re protected when you’re not, because by your own ignorance you have disabled or changed important settings, or you misunderstand how the software works and so respond inappropriately to prompts.

Anyway, I’ll keep it running for a couple of days and see if it all makes more sense after that. But I can’t afford to spend any more time actively researching/learning how it functions - I’ve got work to do that I didn’t get done yesterday!

Just two questions for now:

  • Why are the ‘protection settings’ for all the trusted applications set to ‘no’ by default?

  • Defense+ is using a ‘CRC hash’ for known programs isn’t it? Not just the filename/location?

Cheers.

Some of the protected entities (termination, memory access etc.) could be needed by a trusted application.

e.g. if you protect notepad.exe against termination you won't be able to terminate it using task manager.
Only CFP executables are protected using the Protected setting by default.

Besides, all protected entities can also be trapped using access rights. e.g. if an app attempts to terminate another app you'll get an alert, as long as the Access Rights\Termination default "ask" is not set to allow (or block) and you haven't already marked that action to be remembered.

This provides a way to protect an app against, e.g., termination in a simple way.
You can review D+ predefined policies in Defense+ Tasks > Advanced > Predefined Security Policies to check what actions these policies apply by default.
AFAIK Permission settings cannot be set using alerts but only by direct editing.

Whitelisted apps use some sort of hash to recognize trusted apps to be automatically learned.
Other apps/policies don't use hashes and rely on absolute paths.
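An added illustration (not Comodo's code and not from anyone in this thread) of the difference the two answers above describe: a hash-keyed baseline, where "remove" re-learns the file and flags it again on the next change, versus a path-keyed safe list, where later changes to the file are no longer noticed. The file paths and contents are made-up placeholders and the "disk" is an in-memory dict.

```python
import hashlib

# Constructed in-memory "disk": path -> contents (hypothetical paths, placeholder bytes).
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
AVIRA = r"C:\Program Files\Avira\update.exe"
DISK = {FIREFOX: b"firefox 3.2 placeholder", AVIRA: b"avira updater placeholder"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class PendingTracker:
    """Toy model: learned hashes per path, plus a path-only 'safe list'."""

    def __init__(self, disk):
        self.disk = disk
        self.baseline = {p: sha256(d) for p, d in disk.items()}  # hashes learned at install
        self.safe_paths = set()   # 'My Own Safe Files': trusted by path, content not checked
        self.pending = set()      # 'My Pending Files'

    def scan(self):
        """Put every file whose current hash differs from its learned hash into pending."""
        for path, data in self.disk.items():
            if path in self.safe_paths:
                continue          # path-based trust: a modified file is silently accepted
            if self.baseline.get(path) != sha256(data):
                self.pending.add(path)
        return sorted(self.pending)

    def remove(self, path):
        """'Remove': accept the current content; the next modification is flagged again."""
        self.baseline[path] = sha256(self.disk[path])
        self.pending.discard(path)

    def move_to_safe(self, path):
        """'Move to my own safe files': trust the path; future modifications go unnoticed."""
        self.safe_paths.add(path)
        self.pending.discard(path)


def walkthrough():
    """Returns the pending list after each step of the Firefox-update scenario."""
    t = PendingTracker(dict(DISK))
    t.disk[FIREFOX] = b"firefox 3.3 placeholder"          # legitimate update
    first = t.scan()                                      # firefox.exe lands in pending
    t.remove(FIREFOX)
    after_remove = t.scan()                               # empty: new hash learned
    t.disk[FIREFOX] = b"firefox.exe altered by something" # later, unexpected change
    second = t.scan()                                     # flagged again by hash mismatch
    t.move_to_safe(FIREFOX)
    t.disk[FIREFOX] = b"firefox.exe altered once more"
    after_safe = t.scan()                                 # empty: path-trusted, not checked
    return first, after_remove, second, after_safe
```

The last step is the risk raised earlier in the thread: once a file is trusted by path alone, a modified copy at that path inherits the trust.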

ok, thanks for your help!
If I manage to find my way through the confusion, and decide to keep comodo, I’ll report back.

Although I’ve noticed I’m not the only one who doesn’t understand; there are many posts around the net from people who have just disabled Defense+ simply because they don’t understand what it is doing and how.

Cheers for now!

I’ve been following this thread with great interest and I must say I have to fully agree with Anti. Although I’ve learned a lot in this forum, it’s not enough. I’ve worked with ZoneAlarm, Outpost and others over the years. I consider myself a pretty advanced computer geek, dba, programmer, etc. Comodo is the most confusing app I’ve ever used. Every person I know that’s tried it had said the same, but it gets such good reviews I had to try it.

Bryan