Relation between modules, problem with ABA

Even though the CFP’s UI looks very clean and pleasant, it does not clearly display the logical working relations between its modules. For instance, does a connection attempt pass the Application Monitor first and the Network Monitor later, or is it vice versa? I think this information is so important it needs to be displayed somewhere prominently on the UI.

Right now I’m having massive problems with the Application Behavior Analysis. Once it is turned on, applications like Firefox will start to have problems connecting to new sites (or even looking up the DNS of the sites? - I’m not sure about this). I’ve tried to pin it down to a specific rule in the ABA, but with no success until now, as the connection failures appear to be somewhat inconsistent and not always reliably reproducible.

Since I have no clue about where in the whole process chain the ABA rules are sitting, it is especially hard to locate the problem. As of now, I can only turn off ABA altogether, which is of course a rather unsatisfactory solution.

Hello,
you may find some info reading
Understanding how Comodo Firewall Rules work

I’m not sure about the issue you are having. Could you please post the application settings for Firefox?

Thanks for the link, however that document doesn’t really cover Application Behaviour Analysis.

And my problem isn’t just with Firefox, it’s at least with all applications which try to establish HTTP connections (I say “at least”, so it may not be limited to HTTP). For example, even wget (with default settings) wouldn’t connect to a web server.

P2P applications like eMule or BitTorrent would continue to work - at least to some degree, even though I have the impression they can connect to fewer peers than they normally would, or maybe they can only continue data transfer with those peers they have already established connections with.

The ABA monitors and reports to you when certain conditions are met.
The result is a message prompt to allow or deny connections in those cases.

If you are willing to provide more info, maybe it would be easy to pinpoint the problem.

I have a few questions for you:

  1. do you have any blocked component in component monitor?
  2. do you use default network rules?
  3. what Alert Frequency Level do you have set?
  4. what rules do you have assigned to firefox? (sorry I need this for reference)

  1. No;
  2. At first yes, then I realized the default rules prohibit incoming connections, so I changed them to practically “allow all”;
  3. High or very high;
  4. Allow UDP out to any address on port 53 (DNS), allow TCP out to any address on any port.

Thanks for the help!

  1. No; Check: OK

  2. At first yes, then I realized the default rules prohibit incoming connections, so I changed them to practically “allow all”; :o Check: DANGER!!! Unrestricted inbound rules are dangerous; it is better to limit the port range usage of certain server applications and open only the inbound blocked ports shown in the log, provided that those are the ones requested by an application needing inbound

  3. High or very high; Check: Warning. Very-high mode will input the IP too, not only the ports. Considering that an app could have as many rules as parent calling applications, if one of these rules is fired and it has no IP or port there are issues

  4. Allow UDP out to any address on port 53 (DNS), allow TCP out to any address on any port.
    INFO! UDP out could be limited to your router IP; TCP out should work, but you may have problems with FTP transfers

Thanks for the help!
Response: I’m still clueless…
I need more data. (firewall log at the time of the undesirable behaviour?)

BIP

Henry,

It doesn’t sound to me (based on your posts) that you’re having problems with ABA. ABA deals ONLY with certain types of interactive behavior in relation to applications gaining internet access. This would not appear to apply.

Please provide more detail about error message, popup alert, log entry, etc. Also, if you change the Security Level to Allow All temporarily, do you still experience the issue(s) you’re concerned about?

It sounds as well (no offense intended) as if you’ve done a number on your Network Monitor rules. Please note: you DO NOT need ANY Inbound Network rules to browse the internet, do email, download files, etc. Please open your Network Monitor to full-screen size, and capture a screenshot. Save it as an image file (jpg, png, gif) and attach it to your post under Additional Options.

You will need Inbound rules if you’re using p2p applications, but those are very specifically tailored for that purpose, and a separate issue. (in gibran’s signature, there’s a link to compiled tutorials; follow that, and read the tutorial for p2p applications, on how to create those necessary rules. within that tutorial, the bold red titles next to each author’s name link back to the original topic where you can ask questions specific to that tutorial)

Don’t worry; we can get you thru this, and working properly!

LM

First, thanks a lot to you guys for taking an interest in my problems. That said, I’d like to point out I’m not a complete newbie. For many years I’ve worked as an administrator of the largest computer lab of my university, setting up all kinds of network servers - on Windows and Linux systems. Also I was a member of the developer team of the original BitTorrent software - I’m still listed on BitTorrent’s SourceForge project page. So you may consider me as someone with a fair understanding of computer networking.

I’m not that worried about allowing all inbound traffic because I’m sitting behind a router that only allows incoming traffic on specific ports I’ve set up port forwarding for. I need the incoming connections for better performance of several P2P applications. Also, even though I’ve changed the catch-all entry in Network Monitor from Deny to Allow, I kept the logging on and watched the log extensively. There is nothing fancy going on except some harmless ICMP traffic. And there was nothing suspicious in the log during the time I had my connection problems, either.

And yes, the connection problems disappeared completely when I temporarily set CFP to Allow All Traffic, and they came back immediately when I turned it back to Custom. The reason I believe the issue is related to ABA is very simple - now that I’ve turned ABA off, the problems are gone. I did try to turn selective entries in the ABA off so as to narrow it down; unfortunately the applications then behave a bit inconsistently - connection problems were on and off, and I think it might have something to do with some kind of caching - maybe DNS cache.

I should also declare that my system (Windows XP Professional SP2) has the following network related configurations:

  • The tcpip.sys is patched to allow 1024 instead of 10 concurrent connection attempts (the infamous Event ID 4226 patch);
  • The latest version of cFosSpeed, a traffic shaping software, is installed - though my problems with CFP appeared before cFosSpeed was installed;
  • My P2P software - among others, uTorrent - are set to try a large number of connection attempts and keep a large number of connections;
  • I do not use my router as DNS server - which in turn uses the DNS server provided by my ISP, which unfortunately is rather unreliable - instead I’ve manually configured the UUNet DNS servers (198.6.1.2 and 198.6.1.3) to be used.

Again, thanks for the help.

Thanks for your extensive reply.

I’m sorry for my previous idiotic-like answer (especially for the BIP :-[)

You fooled my NBA (newbie behaviour analysis)…
Jokes apart, this problem is a tough one then.

Please run REGEDIT /E AppCtrl.TXT “HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall\AppCtrl” .
Feel free to edit the resulting file and cut out sensitive info in the Addrs, Apps, Components, IPC, Zones subkeys, but leave the main branch dword keys from OSMode to ShowWindow.

An inconsistent behaviour with no log entries should mean that the firewall maybe is not aware of the situation. Usually when application behaviour analysis fires up it shows an allow/deny form, and in such cases an entry is written in the log… But this does not seem to apply to you.

In order to pinpoint the problem and help to solve it in future revisions it should be mandatory to modify the testing environment.

This is up to you. Your skills in winsock programming and debugging would help too.

  • Maybe it is useless to try ipconfig /flushdns, but I didn’t understand if the same sites give unpredictable connection errors or if they always give an error during a session (I don’t know if the firewall caches DNS entries or not…).

  • Does disabling the application monitor instead of ABA help too?

  • Would you mind trying to limit half-open connections to 100 for a brief period of time?

  • Do you have any kernel hooking code running on your system?

  • Maybe using a debug version of ws2_32 or something like Auto Debug for Winsock V1.0 with a guinea-pig app (e.g. Firefox) could help at least the devs to focus on the problem

I’ll search for other ways to get info. Maybe these suggestions are not very useful, but only the devs know the inner workings of the firewall…

I don’t think anything was directly denied by the ABA. It looked like the connection attempts simply timed out, something that usually happens if the network line is maxed out - especially the upload bandwidth, since the TCP ACK packets are delayed then. I’ve seen it on my previous system, and I resolved it by installing cFosSpeed. But this time I didn’t have that many TCP connections (just a few hundred instead of several thousand, when my old system - respectively the network line - got jammed), and installing cFosSpeed did not make the problem go away.

Btw, what is “BIP”?

Never mind, English is not my mother tongue… I did mean BEEP

So the connection is attempted but not established… hmm

I asked to reduce the number of half-open connections to know if the software firewall is having problems handling the traffic.

Not sure if it is the case, but would it be possible that your IP is considered a SYN-flooder because of the ACK timeouts? Are you able to ping the failing sites shortly after the failed connections?

One more thing. Am I correct that you selectively disabled the network monitor, app monitor and component monitor with no effect?

IF ABA were to be the source of the problem, two things would have occurred.

  1. You would have a popup alert
  2. The connection would be instantly blocked (or allowed), based on your response to the alert

ABA does not filter, shape or control traffic. Its only purpose is to monitor and alert the user to suspicious activity on the part of applications. It does not relate in any way to the flow of traffic (i.e., the network monitor); it more closely relates to the application and component monitors, and that’s only nominal.

If your connection timed out, there are two possibilities:

  1. You have a block rule in the application monitor, for the application in question
  2. There is a network monitor rule that is filtering out some aspect of the connection-related traffic

I’m betting on option 2. In CFP, if you set the firewall to Allow All and it connects, 99 times out of 100 it will be the Network Monitor.

Please do the following so that we can help you:

  1. Clear your Activity Logs. You may do so by right-click and select, “Clear all Logs.”
  2. Reconnect, run your scenario, experience the issue.
  3. Go back to the logs, right-click and select “Export to HTML.” Save the file, reopen it, and highlight the entries. Copy the highlighted text, and Paste into your post. You may edit your personal external IP for privacy if you so desire.
  4. Open the Network Monitor to Full-screen. Capture a screenshot, save as an image file, and attach to your post under Additional Options.

Without these pieces of information, we’re just shooting rounds in the dark, and we’ve got a snowball’s chance in a hot place of getting anywhere…

LM

PS: On a side note, if you’ve changed the Block & Log All rule to Allow, you’ve pretty much emasculated the firewall, as CFP’s functions really start with the Network Monitor; that’s the core of its layered security.
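A small diagnostic for the distinction the last posts draw (a silent time-out versus an active deny, and a DNS lookup failing versus the TCP connect failing), added here as an example; it is not code from any poster or from CFP. It assumes Python 3 with only the standard socket module, and the outcome labels and messages are constructed for this example.

```python
import socket
import sys

# Constructed labels mapping a failed connect to the symptom the thread
# distinguishes: DNS lookup failing, an active refusal, or a silent time-out.
OUTCOMES = {
    "ok": "TCP handshake completed",
    "dns_failure": "name lookup failed: check the UDP/53 rule or the resolver itself",
    "refused": "RST or ICMP unreachable came back: an active deny or a closed port",
    "timeout": "no reply at all: a silent drop by a filter rule, or a saturated link",
    "unreachable": "no route to host: routing/interface problem, not a firewall rule",
}


def classify_error(exc: BaseException) -> str:
    """Map a socket exception onto one of the OUTCOMES keys."""
    if isinstance(exc, socket.gaierror):          # resolver error, before any TCP
        return "dns_failure"
    if isinstance(exc, socket.timeout):           # SYN sent, nothing ever answered
        return "timeout"
    if isinstance(exc, (ConnectionRefusedError, ConnectionResetError)):
        return "refused"                          # something actively answered
    if isinstance(exc, OSError):                  # ENETUNREACH / EHOSTUNREACH etc.
        return "unreachable"
    raise exc                                     # not a network condition


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Resolve host, then make one TCP connect; no application data is sent."""
    result = {"host": host, "port": port, "addr": None, "outcome": "ok"}
    try:
        info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
        result["addr"] = info[0][4][0]
        with socket.create_connection((result["addr"], port), timeout=timeout):
            pass                                  # handshake done; close at once
    except OSError as exc:                        # gaierror/timeout are OSErrors
        result["outcome"] = classify_error(exc)
    return result


if __name__ == "__main__":
    # Usage: python probe.py www.example.com other.host ...
    for name in sys.argv[1:]:
        r = probe(name)
        print(f"{name} -> {r['addr']}: {r['outcome']} ({OUTCOMES[r['outcome']]})")
```

Run it once with the firewall in Custom mode and once in Allow All: a "timeout" that turns into "ok" points at a filtering rule (or an overloaded link), while a "dns_failure" that changes points at the UDP/53 rule rather than at TCP at all.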