Qns from a newbie

Hi guys, I’m still new to CPF so there are some qns that I hope you could help me out in.

  1. Is there a manual that guides us in “hardening” CPF? For example there’s a guide for the Outpost firewall

http://www.outpostfirewall.com/forum/showthread.php?s=&threadid=9858

  2. I understand that creating Network Control Rules seems to be the recommended action when using p2p programs. What benefit would there be over Application Control Rules? Network Control Rules don’t seem to allow me to specify the application I allow network access to.

  3. Is there a way to create rules that include >2 non-adjacent IPs? For example we can include a few ports in the same rule but not IPs. And also for Ports, we can either choose Port Range/Set of Ports. Can we merge the two for both IPs & Ports? For example: 5612,45812,8564-8695 etc.?

  4. After adding/editing the Application Control Rules, the screen is refreshed & results in increased CPU usage. Is there a need for this to happen?

  5. Can we include a rule’s title, especially for the Network Control Rules? It seems a little difficult to identify the use of each rule after a while.

Pardon me if some of my qns have already been asked/answered previously, as I can’t seem to find them in the forum.

Welcome to the forums (:WAV)

I’ll attempt to answer your Qs in order… :wink:

  1. Not specifically, no. However, here’s a good place to start, to gain a better understanding of CFP. https://forums.comodo.com/index.php/topic,6167.0.html. It’s a locked compilation of various tutorials, explanations, application issues, etc; just info, no questions. Each topic has an embedded link back to the original thread, where you can ask questions. That, and keep poking thru the forum; other users have asked specific questions about security issues they have had, so the info is available.

  2. See the link above; there’s info there not only on creating network rules, but also how the layered aspect of CFP’s Monitors works together to create security. While Applications are not linked specifically to Network rules as you can do with Outpost, you can create “matching” rules if you want to increase security.

  3. Not at present. I don’t think it’s in the Wishlist (although it might be), so you can add that if you like; Comodo is diligent to monitor those for improvement ideas. The current/new Wishlist is here: https://forums.comodo.com/index.php/topic,6883.0.html. All Wishlists past and present can be found in this board: https://forums.comodo.com/index.php/board,53.0.html.

  4. Not sure exactly what you’re referring to there… Do you mean that CPU usage stays increased, or that there is a momentary increase as the rules refresh? If you’re referring to the latter, yes there is a brief increase as CFP reloads the changed ruleset. Whether from a computing standpoint this is “necessary” I do not know, but it is normal.

  5. No rules titles at present. The closest thing would be if you create a Zone, you can name it whatever you like. If you’re trying to create rules to match identically to each allowed application rule, then yes, it would be confusing. IMO, that’s not necessary, but I understand some people feel they have increased security that way. This is, however, already in the Wishlist.

Hope that helps,

LM

Hi LM,

Thanks for the welcome! :BNC

  1. No wonder I couldn’t find it in the forum, lol. I was wondering what changes could be done to make CPF better. For example it was shown that CPF’s default setting wasn’t the best in terms of security.

http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

The link you provided definitely helped me understand the layered rules better. Maybe I could come up with a “hardening” manual after a better understanding of CPF.

  2. Regarding the “matching” rules, it’s like what was explained in the layered rules, right? Application rules alone would work without Network rules approval, right? So if, say, there’s a trojan/worm on my system that my antivirus/CPF’s application behavior analysis didn’t catch, won’t it be able to connect to the outside using the network rules since it didn’t specify the application? The above mentioned condition would also mean the worm/trojan could effectively inject into the same application I specified for the network rules. However it does drop the infection down to one application, won’t it?

  3. Haha, I was a Sygate user for years & sort of took their flexibility in the advanced rules for granted. It would be nice to add this in, but I would hope to see a less CPU-demanding CPF as compared to spending the programmers’ time on less important requests like this.

  4. Yeah, you got what I’m saying. It was because it only happened in the Application Control Rules screen but not the Network Control Rules screen, so I thought something was wrong with my system.

  5. Since it’s already in the wish list, I’ll really look forward to seeing it.

  6. Is there a way to reduce CPU usage? When I’m using BitTorrent on this old system (P3 450MHz), it’s maxing out the processor occasionally. I did turn off logging since I only use it to diagnose problems. Does Application Behavior Analysis have any significant effect on this?

Regards,

EHL

  1. The “Highest Security” settings they refer to, for CFP are: Go to Security/Advanced/Miscellaneous, uncheck the 2nd box, “Do not show alerts for applications certified by Comodo.” While you’re there, increase the Alert Frequency to Very High. Click OK, reboot. Be WARNED: If you increase the alert frequency, you’re going to see alerts generated on direction, IP address, IP protocol, port, application, parent, etc. It will literally flood you with popups, which to most users seem to be identical (causing frustration as to why CFP won’t remember their rules). If you respond with “Remember” & Allow on these, you will create multiple rules for each application; each one subtly different.

  2. For matching rules, I’ll give an example. One of the default Network Rules is to Allow Out TCP/UDP Any Source/Destination IP Address or Port. This is a general rule to allow pretty much whatever you have to do. But if I want to tighten it up, I’ll take that rule out. Obviously now I can’t even browse, so I add back in a rule to Allow Out TCP/UDP Any Source/Destination IP Address, Any Source Port, to Destination Port (a set of ports) 80,443. This will allow general browsing. To create a “matching” rule setup, I would open my Application Monitor, edit the rule for my browser, and set the Destination Port to a set of ports, 80,443. It now “matches” the Network rule. If I kept the generic network rule, the App Rule would still limit the browser, but anything else could theoretically use the network rule to connect with. By changing the rule details, any application that wants to connect Out using TCP/UDP must do so only on those Destination Ports.

It should be noted, however, that since svchost.exe uses UDP to update your IP address (but not on those ports), this would be blocked as well, and you’d lose your connection. So creating tight rules is a lot of work, and not really that necessary, IMO.

To answer your question, the only way an Application rule would work without Network Rule approval is if the Network Monitor were turned off (which wouldn’t be recommended). If an unknown application (such as malware; i.e., not listed in the Application Monitor) tries to connect, you will be warned by CFP that an application is trying to connect. In order for an Application in the Application Monitor to connect, there has to be some rule in the Network Monitor that explicitly or implicitly allows it to do so.

For example, let’s take the browser again. If we have the App rule for the browser set to allow TCP/UDP Any, it will be explicitly allowed by the generic Allow TCP/UDP Out Any network rule. If we have the App rule for the browser set to Allow TCP/UDP Any, Port 80,443, the generic network rule will implicitly allow it (it’s not an exact match, but the Net rule is “loose” enough, so it works). If we have the “matching” net rule Allow TCP/UDP Any, DestPort 80,443, the connection will again be explicitly allowed. If there wasn’t a rule to allow TCP/UDP Out in the network monitor, the browser could not connect, no matter what permission you gave it in the App Monitor.

For the other part of item 2, regarding a malware hijacking an allowed application with a netmon rule to allow connection… You saw the matousec leaktest results; the only thing CFP failed was the Coats test, and that was fixed with version 2.4. I guess it is theoretically possible that a malware could somehow alter an allowed application in a way that CFP’s ABA wouldn’t catch and alert you on. However, I think the likelihood of that is slim, especially if the user pays attention to what goes on with their system. What we have seen happen in the past is that a user’s AV doesn’t catch a virus, but CFP did, when the virus was trying to get back out of the system, as you mentioned. In at least one case, the user was upset because they thought the firewall was failing to remember the rules they set; they didn’t read the alert to see that it was telling them something bad was going on. Eventually it was found that they had a new variant of a mass-mailing worm, and it was effectively stopped by the Comodo FW. (:CLP)

  3. What? You’re throwing extra numbers at me. No fair. ;D With the p2p apps, some users have found it helpful to create a Network Monitor rule to Allow ICMP Out where the message is Port Unreachable. This stops unnecessary blocked activity from the torrent not updating that your computer is no longer connected. You get a lot of incoming requests from the rest of the computers for a while; this message will allow your computer to respond in a way that stops all those connections (since now they know you’re not connected). Make sure it’s above the bottom block rule.

LM

Thanks again LM

  1. I see, that was what they were talking about. I thought that they might have added/modified some network/application rules, since the default rules are a little “loose” for my preference. It’s really good to hear that without making changes in the rules, CPF already scored the highest in those tests :BNC

  2. WOW, that’s a real clear & detailed explanation!! I used to think the application rules would still work even without similar network rules. This helped clear my doubts.

Yeah, I heard about what CPF did with the mass-mailing worm & decided I should give it a try. Seriously, I’m quite amazed by how well this firewall performed in tests, especially when it’s free & thrashing those paid counterparts.

  3. Cool, I didn’t know that such a rule existed to reduce workload for CPF. However I’m not exactly sure what you mean by “Make sure it’s above the bottom block rule”? Do you mean just make sure it’s above the last block rule in network control?

Regards,
EHL

No problem, EHL, I’m glad to help.

Yes, that is exactly what I mean. With that specific rule, exact placement won’t really matter, except as regards that bottom rule (since that’s the “catch-all” rule; the safety net).

When you’re adding rules to the NetMon, there are a couple of ways to do it.

One is just click the “+ Add” button. This will open the dialog box so you can create the rule. However, adding the new rule this way will cause it to be placed last in order, at the bottom; by default, this places it after/below the Block All rule (which means it will get blocked…). Thus, it would need to be moved up in the list to a point where it will not be blocked.

The other option is to right-click a rule, and select Add a Rule from the context menu. This will give options to Add…, Add Before, Add After. In that way, you can avoid having to move the rule after creation, by selecting where to place it when you make it.

Anyway, creating the specific ICMP rule will help with logging & CPU time. However, some users continue to experience a CPU draw anyway, and it seems to be related to logging (a search in the forums will give you lots of results on that - I’d suggest the terms “logging” or “CPU”). There are a few “tricks” users have discovered to help with the issue, so if you continue to experience it, you can definitely find some help. Although they have specifically stated so to my knowledge, I am confident that Comodo is working to address this with the next version (set for Beta testing in mid-April).

LM
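LM’s two explanations above (an Application Monitor rule only gets a connection out if some Network Monitor rule explicitly or implicitly allows it, and a rule added below the Block All rule never takes effect) as a small Python model. This is an added example, not CFP’s own code: the application names, ports, the svchost sample and the “icmp/<message>” encoding are constructed for illustration only.

```python
# Constructed model of CFP's two monitors: Application Monitor first, then the
# Network Monitor rules top-down, first match wins. Illustration, not CFP code.
from dataclasses import dataclass

ANY = None  # an "Any" rule field matches every value

@dataclass(frozen=True)
class Conn:
    app: str                    # None for stack-generated ICMP replies
    proto: str                  # "tcp", "udp" or "icmp/<message>"
    dst_port: int = None

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    protos: frozenset = ANY
    dst_ports: frozenset = ANY

    def matches(self, c):
        return ((self.protos is ANY or c.proto in self.protos)
                and (self.dst_ports is ANY or c.dst_port in self.dst_ports))

def evaluate(conn, app_rules, net_rules):
    """Outbound verdict: 'alert' (unknown app), 'allow' or 'block'."""
    if conn.app is not None:                  # Application Monitor layer
        rule = app_rules.get(conn.app)
        if rule is None:
            return "alert"                    # CFP would pop up an alert
        if not rule.matches(conn):
            return "block"
    for nr in net_rules:                      # Network Monitor layer
        if nr.matches(conn):
            return nr.action                  # first matching rule decides
    return "block"                            # nothing allowed it

TCPUDP, WEB = frozenset({"tcp", "udp"}), frozenset({80, 443})
BLOCK_ALL = Rule("block")                     # CFP's bottom catch-all rule
APPS = {"firefox.exe": Rule("allow", TCPUDP, WEB),   # browser limited to 80,443
        "utorrent.exe": Rule("allow", TCPUDP),       # p2p client: TCP/UDP Any
        "svchost.exe": Rule("allow", TCPUDP)}        # svchost: TCP/UDP Any
browser = Conn("firefox.exe", "tcp", 443)     # constructed sample traffic
p2p = Conn("utorrent.exe", "tcp", 6881)
svchost = Conn("svchost.exe", "udp", 67)      # svchost UDP, not on 80/443

def generic_net_rule():
    """Default Allow Out TCP/UDP Any: browser implicitly allowed, p2p too."""
    net = [Rule("allow", TCPUDP), BLOCK_ALL]
    return evaluate(browser, APPS, net), evaluate(p2p, APPS, net)

def matching_net_rule():
    """Net rule tightened to DestPort 80,443: p2p and svchost now blocked."""
    net = [Rule("allow", TCPUDP, WEB), BLOCK_ALL]
    return tuple(evaluate(c, APPS, net) for c in (browser, p2p, svchost))

def no_net_rule():
    """With no TCP/UDP Out net rule, even an 'Any' app rule cannot connect."""
    unknown = Conn("unknown.exe", "tcp", 80)  # not in the Application Monitor
    return evaluate(p2p, APPS, [BLOCK_ALL]), evaluate(unknown, APPS, [BLOCK_ALL])

def icmp_rule(above_block_all):
    """Allow ICMP Out Port Unreachable only takes effect above Block All."""
    icmp = Rule("allow", frozenset({"icmp/port unreachable"}))
    net = [icmp, BLOCK_ALL] if above_block_all else [BLOCK_ALL, icmp]
    return evaluate(Conn(None, "icmp/port unreachable"), {}, net)
```

The svchost result in `matching_net_rule()` is the side effect LM warns about: tightening the net rule to 80,443 also cuts off traffic that other allowed programs need.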

EHL,

If and when you get to the point of wanting to tighten up your rules, here’s a thread that I’ve found helpful, as it illustrates the relations between the Network Monitor and Application Monitor rules. The author (P2U) admits that his being on an untrusted LAN makes his settings an extreme case, but I found it valuable nonetheless, especially the loopback settings and access rules for IE and Firefox.

https://forums.comodo.com/index.php/topic,2405.0.html

LM, can I nominate this thread for inclusion in the FAQ (if not already there)? Thanks.

AJB

Good call. Done and done.

Firewall FAQ

Compiled FAQ

LM

Thanks LM,

The ICMP rule that you taught me helps to cut down the CPU time for cpf.exe. It was taking like >50% previously but dropped to the current 30%. This is the case when I’m doing BT. Is it OK if I block all the ICMP default rules & only allow the one added for p2p?

cmdagent.exe also maxes out my processor every now & then. It happened while I was loading this forum & typing my reply. Forgot to check the CPU time after hrs of BT, will update after testing it out.

Regarding the logging, I managed to catch the discussion on logging events taking place even though it was disabled. Sad to say, I’m having the same problems. I need to manually enable & disable logging every time I reload CFP, regardless of whether I reboot my PC.

I’m still looking for other possible problems that I may be having with CPF. Do let me know of any, just in case I missed them while searching through the forum. Are there any threads like the ** FAQs/Threads - Read Me First ** which compile all the common bugs like logging & CPU issues?

Are the packet checksum & monitoring other NDIS protocols useful for home users? I read that checksum is only useful to servers. When I tested the checksum function out of curiosity, I saw a lot of checksum errors being logged when using BT. Is this normal?

Thanks Birdman,

Been looking for something like that :slight_smile:
Even though CPF is good, I still think there is stuff we can modify. Like the DNS queries in CPF’s ABA, it won’t be needed if the Windows DNS Client is disabled, right?

EHL

EHL,

Glad that’s helping with the CPU load.

You can change all the ICMP rules to block if you like, to see if they impact your connections. I do not use them myself, but some users find they do need some of them. If you find you don’t need them, you can just remove them, and reboot.

There are obviously some issues for some users with logging and CPU load. Doesn’t happen for everyone, though (I have yet to experience them). You can go to the actual log file (I don’t remember the location off the top of my head, but you can find it, I’m sure) and change the properties to read-only. This means the file will be cleared each day/reboot, but seems to help. You can find a lot of info on it if you search a bit. Use the Advanced Search, Topic Subjects Only, and you can also choose to search only the Firewall Boards. I’d suggest using “CPU” “Logging” “cmdmon” “cmdagent” for search terms. You’ll probably find most of them in the Help section, rather than FAQ. I’m afraid there’s not a Common Issues compilation at this point, but that’s a good idea. PM me and remind me to work on that, if you will…

The packet checksum & other NDIS protocol options are probably not necessary for the average home user. They will likely cause an increased CPU load, and IMO really not that much benefit to warrant the slowdown; not for someone like you or me.

If you check your logs and see common block entries (from the network monitor) that you don’t need, you can create rules (like you did for ICMP) to block and not log them; place them right above the bottom block & log rule (just like you did for the ICMP). That way, the traffic will still be blocked, but you won’t clutter up your log. If you want to do that, and are uncertain how, we can help you with that.

LM

EHL,

With regards to DNS queries, yes I also have Windows DNS Client disabled. I haven’t (yet) turned off the ABA check because I don’t see a performance hit. I do have my port 53 UDP queries constrained to my 2 DNS servers addresses with an outbound network monitor rule.

AJB

LM,

The part on “If you find you don’t need them, you can just remove them, and reboot.”, you mean I have to reboot for the new changes to take effect?

No problem, I’ll send you a PM, alright. But I think I’ll go through what I could find & send you their links in my PM. It should reduce your workload a little; it’s the least I can do for the help you’ve given me :slight_smile:

I see, since the packet checksum & NDIS aren’t needed I’ll just leave them unchecked. I’ll be sure to ask for help when in doubt.

AJB,

I did the same thing with creating rules for DNS requests. Haha, I just thought you might have done the same as me in turning the DNS monitor off. After all, this is a very old system I’m running, so turning off whatever is not needed probably helps :slight_smile:

EHL

CFP has a memory of sorts, once it’s loaded and running. When you change the rules (especially perhaps the NetMon rules), they will not take effect immediately (the memory still has the old rules loaded…). Some users have reported doing the following successfully: waiting a few minutes; manually exiting the firewall then restarting. I have tried both, with little success, so I just reboot, and recommend the same; that way there’s no doubt about whether the rules took or not.

LM

EHL,

And how old is your system ? I have one PC w a 450 MHz Pentium III processor and 512 MB RAM successfully running XP and CFP. So I too am always trying to speed things up by turning off unneeded services and avoiding bloated security apps (McAfee, Symantec).

AJB

And I have an IBM P3 500MHz w/640MB of RAM as well. ;D

LM

Hi AJB & LM,

Sorry been busy for last few days.

Didn’t know I needed to restart the system for some rules to take effect. I’ll have to keep this in mind since I’m always editing my rules, haha.

The oldest system I have is a P3 450MHz with 320MB of RAM. It’s running Win2k with CPF. Any idea if CPF will be ported to Linux in future? I’m quite disappointed that Windows is getting more & more resource hungry with every version; thinking of making a complete switch in the future.

AJB,

You may want to avoid running XP on the 450MHz system. Even with non-necessary services turned off, XP is still sluggish on this system. In the end I settled for Win2k, which you should be able to get for around 20 bucks. Though I’m not sure how things would be like for your system since you have more RAM than me.

I seem to recall that they have a Linux firewall, geared toward enterprise settings, but I may be confusing it with the fact that they have a Linux system, Trustix, which is geared toward providing a secure environment for enterprise settings. Or maybe Trustix includes its own firewall…

Although my work laptop is much more modern than my home PC, with much better processor capabilities and BUS speed, it has less RAM, and I can tell the difference! There are a number of ways in which the old PC is faster, simply because of the RAM (or at least that’s the only thing I can link it to).

Although I’ve “trimmed the fat” off Windows Services and whatnot, I really haven’t noticed a significant increase in speed from that; of course, my motivation was primarily security… :wink:

LM

EHL & LM,

The 450 MHz machine w/ 512 MB running XP SP2 is workable, although a little clunky at times. And yes, my main motivation for turning off unneeded services was also security, although I believe I picked up a little in execution speed. Here’s to hoping that CPF maintains its modest footprint when they release v3.

AJB

Haha, initially I had wanted to speed up Windows & make it more responsive by turning off extra services, but since it also provides better security it’s like being value-added :BNC

OK, here’s what I managed to find in the forums with regards to CPU related problems. PM will be sent as well.

High cpf.exe usage (due to logging it seems)

https://forums.comodo.com/index.php/topic,6819.0.html

https://forums.comodo.com/index.php/topic,6933.0.html

https://forums.comodo.com/index.php/topic,6943.0.html

Events being logged even though logging was disabled previously

https://forums.comodo.com/index.php/topic,7086.0.html

High cmdagent.exe usage (due to ABA it seems)

https://forums.comodo.com/index.php/topic,5499.0.html

https://forums.comodo.com/index.php/topic,5972.0.html

https://forums.comodo.com/index.php/topic,6160.0.html

EHL

Thanks, EHL, that should help.

I’ve added them here https://forums.comodo.com/index.php/topic,894.msg5546.html#msg5546, except for the one about logging even tho’ disabled, as that hasn’t had the impact the others have.

They’re really probably outside the intended purpose of the FAQ post there, but it’s the best option to get them in one spot for easy access by anyone experiencing the problem.

Thanks for taking the time and effort!

LM