Now that we have Threatcast out (albeit beta) we want to consult our users if they want to contribute by re-designing our alerts. Afterall those alerts are for you so who better than you to decide what you want in them!
go ahead, the shape, the sections, the wording etc is all up for modification!
Please post your designs back here and we will then all discuss to see the best one!
Cool idea. Actually I have always loved the design and shape of Zone Alarms alerts. They are like quotes. One thing is I think the alerts could be smaller maybe like half the size. Other then that I think they are fine.
Thanks for setting up this thread, Melih.
First of all, i should say that alerts are already great and descriptive. And after some time (after you learn “service control manager”, “interprocess memory access” etc. etc.) it is easy to deal with them.
If i will find one .bat file i tested recently, i will post back here… with suggestion.
please give us more options to the firewall alerts like “allow this program to connect to this ip” so the program is only allowed to connect to all ports to this one IP.
the same rule with port “allow this program connect on this port”
and a combination of both lik “allow connection to this ip and this port”
“this port” or “this ip” should be the port and the IP the program actually wants to connect.
this would be great so you can create cool rules without going in comodo interface
Some suggestions about alerts.
Alerts on snapshots were received during execution of batch virus (more joke than virus, but anyway be careful). Code can be found here (post #9).
First alert (screenshot 1) i’d like to bring attention to. “Safe app tries to execute safe app”. Often this is true, but in current example this is not. You know better than me that reg.exe is very powerful app and can be used in malicious batch file to delete/create/modify registry keys to do harm to system. Although this is possible only if reg.exe has appropriate permissions under computer security policy (and this is possible if user uses frequently legitimate batch files with “reg” command), some warning would be good i guess.
Activities on second, third and fourth alerts (screenshot 2, 3 and 4) do not pose any threat, but can bring minor (yet annoying) troubles to user. My suggestion about some warning is same.
It is just simple example, that shows that unexperienced user may have some trouble, “safely allowing” activities.
Looking a bit further, i think alert for cmd.exe (screenshot 5) should be similar to alert for wscript.exe (screenshot 6), i. e. “unsafe app” because cmd.exe may have permissions to execute reg.exe, tskill.exe etc. and these apps may have some permissions in computer security policy (e. g. user needs such policy because of frequent use of legitimate batch files). In this case once he “safely allowed” cmd.exe the game may be over.
Just my 2 cents.
P.S.: Guys, hope you won’t change current look of alerts much taking in account all “suggestions” for those who used to them and consider them very convinient (B)
Yes, I support the idea behind that! But please don’t clutter the interface with thousands of options. I want to see with one glance, what’s going on and any new option will make this harder.
So I prefer one option “Create custom rule…” Which opens directly the “edit dialog”, which we can reach from the comodo interface of this particular application. Of course not only for Firewall, but also for Defense+ events. I miss this especially for Defense+, where I have to go to the interface quite often, to modify the rules with wildcards…
And a second thing: I like the feature to click on the filenames and getting the file properties dialog. Could you please add an analog feature for IP-addresses, so I click on an IP-address in a firewall alert and CFP will do an DNS Lookup, which gives me the domain name and owner of the IP. So it would become easier to decide, if a connection should be allowed or not
A change to the GUI would allow all Firewall predefined policies to be shown in all Firewall alerts, and all Defense+ predefined policies to be shown in all Defense+ alerts. One’s answer to the current alert can be considered logically independent from what, if any, predefined policy should be applied in the future. “Treat this application as” should not be an option mutually exclusive to allowing or blocking the current request. Rather, “Treat this application as” should be its own logically independent option on the same screen, but not within the same option group as ‘Allow this request’, “Block this request”, and “Remember my answer”. If the developers want temporary policies to be available (I’m not sure if this is the intention or not), then there should be a separate “Remember my answer” checkbox that pertains to only the predefined policy dropdown box. The semantics would be that if one chose a predefined policy to be applied in an alert screen, it will be affect which future alerts may appear, but does not affect the current alert. If one chooses to assign a permanent predefined policy from within an alert, the “Remember my answer” checkbox for the allow/block request should be disabled, since the predefined policy will ■■■■ away any existing rules for the given program.
Not having all predefined policies available appears at first glance to be a bug. Also, not having all predefined policies available may prevent some usage scenarios, such as one I posted about previously and was fixed in a later version of CFP.
Instead of using the terminology that a whitelist program is ‘safe’, perhaps use the term ‘legitimate’ or ‘recognized’. Internet Explorer, for example, is a legitimate program, but it is not necessarily safe!
To make things easier on new users, it would be helpful if alerts for the pseudo COM Interfaces would include the exact same text as used when editing Computer Security Policy. For example, a new user might have trouble understanding that ‘Service Control Manager’ in an alert = ‘\RPC Control\ntsvcs’ in Computer Security Policy.
I would like this also please. Maybe it would be called something like ‘Edit program’s Computer Security Policy after closing this window’ (for Defense+ alert) or ‘Edit program’s Network Security Policy after closing this window’ (for firewall alert). The new window should appear after and not before the alert has been dismissed, so that the rule from the alert is included if it was remembered. This feature would be available only if the user is not currently editing any policy settings, to make life easier on the developers.
In an alert, it would be nice to be able to see what group(s), if any, an item belongs to. For example, in an alert about registry key *\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad* being modified, also include the fact that *\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad* is part of group Automatic Startup. This would help the user know what the registry key is used for. The same idea applies to protected COM Interfaces and protected files/folders. It could even apply to which file groups, if any, an executable file belongs to.
This change would fulfill this person’s request and the similar request I previously made in the wishlist.
This change would help the users understand how the item(s) in an alert are used, in order to make a more informed decision about the choices to make in the alert. Also, this change would require no changes to CFP’s internal data structures and would not impact any other user interface elements other than alerts.
It would be nice if CFP would have a settings dialog box that would specify which user interface elements will appear in the alerts, especially if some of the other suggestions being made here are implemented. The user would then have to see only what he/she cares about in an alert.
In a firewall alert, it would be nice to “ramp up” or “ramp down” the generality of the rule generated, perhaps using the same slider user interface element from Alert Frequency Settings; the default slider position would be the setting from Alert Frequency Settings.
I love this idea. I think a better way to implement it though is BigMike’s way.
Like i said before, love the custom rule idea.
The DNS lookup may not be possible because either comodo would need to run their own dns lookup service or pay some other site for it. I think they have paid enough money developing cfp. Unless ofcourse it is free to do a dns lookup.
Good idea for those powerusers but for novices this might be confusing.
Maybe it could come up during the alert and if you press ok after making the rule it will save and if you press cancel it will go back to the alert.