I’m new to CPF and to the forums, so please excuse the newbie question if this has been answered elsewhere. I did have a look around but couldn’t find anything specific (although this post was very helpful with my general understanding of how the firewall works).
I’ve been using Sygate for years prior to Comodo, but was having problems with ActiveSync when I connected my PDA, so I finally took someone’s advice and completely uninstalled SPF (which I didn’t believe could work, since I’d tried to allow ActiveSync through the way the Microsoft troubleshooting guide said to, and I’d tried setting SPF to “allow all” traffic and it still hadn’t worked). To my surprise, the PDA synchronised just fine after I’d uninstalled SPF, so I had to look around for another firewall. I had a quick read through some of the posts here and they seemed very helpful, so I managed to install the firewall and create a rule to allow ActiveSync traffic to/from my PDA’s IP address within half an hour (this is after spending nearly a day going through troubleshooting guides, countless posts on obscure forums, installing and uninstalling various versions of… you get the point). So I have to say that thus far I love what I’m seeing from Comodo, and I’ll take a steep learning curve for an advanced product over a simple but not-so-effective product anyday!
Anyway, enough ranting an on to my actual question: Is there a quick way to unblock an application once you’ve selected “deny” (without ticking “remember”) in the popup alert?
My specific case was that an application had tried to open a page in my browser, and the popup asked me whether I wanted to allow or deny it (as you’d expect from a good firewall, since the request wasn’t initiated by the browser but by a parent app). I said deny, but after that, any requests from within the browser were also denied. Is there a way of saying “start allowing everything from this app again” without having to shut down and re-open the browser? Or do I have to specify a rule specifically for the parent app that initiated the browser request?
Other than restarting the associated application, I don’t know of any way. I think I read somewhere in this forum that it was designed this way in relation to some security purpose like browser leak tests. Don’t quote me on this.
Same as above. During this stage without enabling the remember option, you won’t see those failed parent applications that you denied as Application Monitor rules. The parent app only needs to be specified if you so desire it in order to restrict programs to the legit ones, but you probably already know this. Again, app mon rules will automatically be created for every different specific parent app that loads the program in question like your browser if you tick the remember option on such alerts.
(You can also manually create or edit App Mon rules for a particular program to have different parents, but I think this is diverging from what you’re after).
Ok, guess I’ll just have to restart my browser - I’m a creature of habit, though, and I like to have my “work” applications started in a certain order (don’t ask…), so if there’s something like a “feature request” forum, I’d love to see that feature added, i.e. either have a “only for this parent app” checkbox in the alert that applies to allow/deny in conjunction with the “remember” checkbox, or have the option of right-clicking on the application in the app monitor when it’s being blocked and saying “allow again” (or “the special parent app case is over, resume normal traffic monitoring”).
So if I understand you correctly, if the same scenario happens again and I say “deny” and “remember”, then restart the app, it should be allowed through except when initiated by the same parent app, in which case it will be blocked just for that parent app’s request (without having to ask me again) and otherwise I’ll be able to continue as per normal? (Hope that sentence makes sense…)
Place to throw requests/wishes: Comodo Firewall Wishlist v5. The other mods might be able to explain more, but they’re sleeping right now (except Ewen).
I knew it! It was a poor explanation just as I suspected :-\
I’ll use Firefox (since that seems to be the most popular browser for this forum’s members) as an example.
FF = Firefox
AppMon = Application Monitor
X = example of some new parent application other than the default explorer.exe (Windows shell)
X tries to launch FF and you are alerted:
If you deny it without remember then FF “dies” and you can’t browse. To undo this just restart FF. Subsequent attempts of X launching FF will alert you every time it happens because there is no blocked AppMon rule automatically created.
If you deny it with remember then subsequent attempts of X launching FF will fail and you won’t be alerted again, even if you restart FF because the remember option automatically created a AppMon rule. You can verify this by opening AppMon and you shall see a blocked rule on FF. FF “dies” and you can’t browse. To undo this “havoc”, delete the blocked FF rule in AppMon and restart FF.
Essentially, the remember option auto creates an App Rule (either specifically allowing or denying the new parent app in question). Every time a parent app is denied access, whether through a new alert or due to it an existing AppMon rule, FF should not be able to browse websites until it’s restarted with an allowed parent (like explorer.exe). From thereon, if FF is launched by either the Windows default explorer.exe or an approved parent app then FF can function normally.
Thanks a heap for taking the time to go into so much detail - great explanation by the way ;D
I can see how this structure would make a lot of sense for apps that are opened and closed frequently. Guess it may be annoying for my browser (which is Opera, incidentally, far more often than FF, but let’s not get into that ) until I get all the parent app rules worked out the way I want them, but most likely worth it in the long run.
That’s why AppMon is regarded as the primary “safelist” for most users. The others like myself like to block only a few apps from here to not be bothered by the same alerts again. By default every app is blocked (except the certified Comodo database, but that option can be disabled).
You’re home ;). I use Opera, too.
Exactly. AppMon, like other mechanisms implemented by CFP, does indeed leave a lot to be discovered/explained because it’s not (completely) documented in the help file. For example, the rule ordering does matter: top has most priority, bottom has least priority.
if this has been answered elsewhere. I did have a look around but couldn’t find anything specific (although this post was very helpful with my general understanding of how the firewall works).
