I installed the v5.0 Firewall the first day it was released and over the first week of using it I noticed that it did not block or log many of the .exe’s that v3.14 had. I can appreciate a quiet program, but day after day there were 0 blocks by the v5.0 Firewall where v3.14 with the same rules would have been blocking and logging throughout the day.
I did a number of tests to see whether the v5.0 Firewall would block and log and the results were spotty, the last of which was opening Macrium Reflect in order to restore an Image with a fully programmed v3.14 on it so I could revisit its detection and blocking using identical rules.
Macrium Reflect tries to access the internet every time it is opened and here is the rule that I set in the v5.0 Firewall and the Firewall’s reaction to Reflect’s request…
There are also other programs like System32\rundll32.exe that I have written block and log rules for that I have never even seen with the v5.0 Firewall and yet this morning when I restored the Image with the v3.14 Firewall the very first thing it did just moments after the computer was restarted was to block and log System32\rundll32.exe as shown in the attachment.
Can someone help me to understand why the v5.0 Firewall is not also doing the same vigilant job of preventing programs from accessing the internet that I am used to seeing the Comodo v3.14 Firewall and all of its predecessors that I have run back to v3.8 do by carrying out their instructions to block and log programs that the v5.0 Firewall doesn’t seem to know even exist even though it has the exact same rules?
~Maxx~
PS I have plenty of additional screenshots of the v3.14 Firewall Log showing many more programs that have block and log rules which v5.0 completely ignores.
As the name tells, rundll32.exe is not an autonomous exe, but is used to launch dlls.
I am not sure of what monitors it (or not) by default under cis5, but from a customized installation (proactive, firewall and defense+ to highest levels, all image execution checked), I even customized windows operating system.
As a result, rundll32.exe is intercepted at least at 2 levels:
-launching a dll, assuming that dll is a monitored extension
-and the executable itself asking for rundll32.exe: as an example and at the time speaking, defense+ asked me for a rundll32.exe executable launching permission both for explorer and svchost, and I can choose allow, ask (or even block).
I suppose that you are aware that making a global rule for rundll32.exe shall result in very user unfriendly computing.
I am not concerned about rundll32 launching programs on the desktop; in fact it has permission in Defense+ to run with all access. I am only concerned with how the v5.0 Firewall completely ignores the block and log rule for rundll32 where the v3.14 Firewall with the exact same rule blocks and logs rundll32 10 times a day preventing it from contacting MS.
The v5.0 Firewall never ever blocks and logs rundll32.exe from going to the internet for reporting to Redmond just as it has each and every day when v3.14 will detect rundll32 and block and log it 10 times every day while the v5.0 Firewall with the exact same rule does absolutely nothing!
What I would like to know is why the v5.0 Firewall acts like this.
If your connection counter isn’t working, View Active Connections isn’t showing any connections and “Block all traffic” isn’t working, the firewall is defective on your system.
Can you please verify the above 3?
What’s your Network Adapter type? Like built-in Ethernet, or USB wifi, 3G Wireless etc?
Again, rundll32.exe is probably not the one showing your underwear at Redmond, I don’t think it “knows” doing it by itself, but you might have some enabled culprit windows service:
I have never observed the numerous alerts you are reporting under cis3 (xp, automatic windows update inter alia disabled).
You’re right System32\rundll32 is just an agent, but obviously is assigned collecting data tasks as it is shown doing in the first attached screenshot collecting data for CEIP. The v3.14 logs these actions where v5.0 is completely oblivious and I am looking for constructive input as to why this is so.
What I am primarily concerned with is why the v5.0 Firewall does not give System32\rundll.exe’s access to the internet like the v3.14 Firewall always has as shown in the 2nd attachment when they both have the identical block and log rule?
Ronny- Thank you so much for replying! I’m not looking to find something wrong with the v5.0 Firewall, it’s just that it blocks and logs only a small fraction of the same set of rules that I have set on the same Win 7 x64 computer that the v3.14 Firewall that I had been using up until a week ago and I am hoping to find out why the v5.0 Firewall acts so differently because immediately after going back to v3.14 the Firewall started blocking and logging programs that the v5.0 Firewall seems to be completely oblivious to.
In answer to your questions the connection counter in the v5.0 Firewall is working fine and logged as many as 209 connections during a recent cloud scan. View active connections is also working fine. I’ve never used the ‘Block all Connections’ feature though.
My ethernet network adapter is an Intel 82567V 2 GB Network Connection.
I have screenshots of the logs from the v3.14 which were in the Macrium Reflect backup if you would like to see them. Please help me to understand why the v3.14 Firewall blocks and logs everything in the Firewall rules where the v5.0 Firewall acts like there is nothing to act upon when the v3.14 Firewall clearly shows that there is. I very much want to go back to v5.0 but I need some explanation about why it acts like it does.
Here are some more notifications that were given just hours after switching to v3.14 which I see on a regular basis on my Win 7 x64 computer when using CIS v3.14 Firewall and Proactive Defense+ that I never saw even once using CIS v5.0 Firewall and Proactive Defense+…
I am looking for an explanation as to why v3.14 consistently gives me these alerts, but v5.0 never did although I had written the same Firewall and Defense+ rules for both versions of Comodo. Since on my Win 7 x64 computer taskhost.exe, rundll32.exe and PING.exe are all complete strangers to V5.0 I’m wondering if something has been altered in v5.0 so that it ignores these events that v3.14 faithfully gives alerts for possibly in order to make it quieter and seem more ‘user friendly’?
I was hoping that v5.0 would be everything that v3.14 was only with many more state of the art detection features that no other computer security software in the world has, but from what I have experienced v5.0 has those new automatic sandboxing and cloud scanning features which work wonderfully but it misses many events both on the desktop and in the Firewall that have me concerned that v5.0 is not providing the same ultra high level of absolutely flawless coverage on the desktop and in the Firewall that v3.14 has always provided.
No I did not import the Firewall settings in v5.0 I set them just exactly the same as the rules I set in v3.14.
Thank you for taking the time to do testing on your Win 7 x32 and x64 computers. It’s good to know that the FW5 alerts for ping.exe in Custom Policy Mode on your Win 7 x64 computer.
The problem I’m having is that I can force the FW5 to respond, but when left to its own devices it goes for long periods of time sometimes all day without a single alert when FW3.14 is giving alerts all day long for various events that are taking place on the computer which is why the prolonged silence of FW5 makes me feel like I’m in the dark as to what is really happening on the desktop.
Maybe I’ll have to do a fresh install of FW5 because what I have now is really dumbed down compared to the information I’m used to getting from the v3.14 Firewall.
I have the same problem. Version 5 of the firewall seems to not monitor or show any outbound connections. It does not even ask about my GPS or Logitech software which isn’t on the safe vendors list. Are you running Vista by chance?
I had the same problem when I tried upgrading to ver 4. I always end up going back to 3.14.
cmillar6- I was running the Comodo v5.0 Firewall and Defense+ on my Win 7 x64 computer for about a week and as you mentioned the Firewall no longer monitors the outbound traffic with the same amount of attention to the rules it has been given the way v3.14 does as in the first screenshot I posted showing that v5.0 Firewall has the block and log rule in place, but it does not respond where v3.14 blocks and logs every time with vigilance.
Have you noticed that v5.0 Defense+ also ignores Windows programs that run frequently? I just switched back to v3.14 yesterday and immediately there were a series of blocks for programs that v5.0 completely ignores which began to show up in the Defense+ log within seconds after switching to v3.14 in the Macrium Reflect Image that I restored.
Are there any other omissions that you have noticed since using V5.0 that showed up regularly when running v3.14?
I am sorry, I do not use Defense+. All I have noticed is that ver4 and now ver5 on my Vista laptop do not monitor any outbound connections. Even when I go to View Active Connections it shows nothing except “System” even though many programs like Microsoft Outlook, Google Chrome etc are running. Likewise with the traffic monitor on the summary page. I have version 5 installed on an XP box and it monitors and blocks programs as ver 3.14 did. I have been using Comodo Firewall since it was first released so I consider myself fairly familiar with the software. I have tried everything but cannot get it to work. I always end up going back to ver 3.14. I’m really upset as I consider a firewall with outbound protection more effective than antivirus software at blocking virus activity. My GPS and Logitech Harmony software are blocked by default with version 5 on my XP box with version 5. Version 5 with Vista simply ignores them. That tells me right there something is wrong.
I am having the same kind of detection problems only between v3.14 and v5.0 on the same Win 7 computer. I ran v5.0 for a week and noticed that the detection rates in both the Firewall and Defense+ were much lower so I switched back to v3.14 and every day I see many instances of events which run daily on this computer show up in the logs where v5.0 just ignores them altogether. I appreciate a quiet computer security system as much as the next guy, but I do want to know what’s going on and with each successive day that v5.0 showed me another empty log I became more convinced that there was something wrong. I’ve attached the latest daily activity that v5.0 completely ignored.
Do you know ProcMon from Sysinternals?
Can you please verify if rundll32.exe really does these network calls?
I think it’s related to the fact that CIS is better watching which process is “behind” rundll32.
Also you can try to add the “Windows Operating System” to the Firewall rules and see what matches there.
Easiest way to add it is to select it from the “running processes”.
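
The ProcMon check suggested in the last reply, as an added example that is not part of the original thread: it reads a ProcMon CSV export and lists which rundll32.exe instances actually made TCP/UDP calls, together with the command line that shows the DLL behind each one. The sample rows are constructed, the function name is hypothetical, and the optional "Command Line" column is assumed to have been enabled before exporting.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a ProcMon CSV export; hosts, PIDs and DLL
# names are placeholders, and the "Command Line" column is assumed enabled.
SAMPLE = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Command Line"
"9:01:02.1","rundll32.exe","1204","TCP Connect","pc.example:49170 -> telemetry.example:443","SUCCESS","Length: 0","rundll32.exe example.dll,EntryPoint"
"9:01:02.3","rundll32.exe","1204","TCP Send","pc.example:49170 -> telemetry.example:443","SUCCESS","Length: 512","rundll32.exe example.dll,EntryPoint"
"9:01:03.0","rundll32.exe","2310","RegOpenKey","HKLM\\Software\\Example","SUCCESS","","rundll32.exe other.dll,Run"
"9:01:04.5","svchost.exe","880","UDP Send","pc.example:53211 -> dns.example:53","SUCCESS","Length: 40","svchost.exe -k NetworkService"
'''

# ProcMon names its network events "TCP Connect", "TCP Send", "UDP Send", ...
NETWORK_PREFIXES = ("TCP ", "UDP ")


def network_activity(csv_text, process="rundll32.exe"):
    """Return {(pid, command line): [remote endpoints]} for one process name.

    Only rows whose Operation is a TCP/UDP event are counted, so a
    rundll32.exe instance that never touched the network does not appear.
    """
    found = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if not row["Operation"].startswith(NETWORK_PREFIXES):
            continue
        # Network rows carry "local:port -> remote:port" in the Path column.
        _local, arrow, remote = row["Path"].partition(" -> ")
        if not arrow:
            continue
        key = (row["PID"], row.get("Command Line") or "")
        found[key].add(remote)
    return {key: sorted(remotes) for key, remotes in found.items()}


if __name__ == "__main__":
    for (pid, cmdline), remotes in network_activity(SAMPLE).items():
        print(f"PID {pid}: {cmdline}")
        for remote in remotes:
            print(f"    -> {remote}")
```

An empty result for rundll32.exe over a capture period in which the older firewall logged blocks would point toward the traffic being attributed to a different process, which is the possibility raised in the reply above.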