Requesting help regarding Application Rules please.

Hi, I have a couple of questions regarding Application Rule processing.

The first question is in relation to the ‘Parent’ of an Application and its
exact function.

Right now I use a ‘Dock’ to launch my most frequently used applications, such as
Firefox and Thunderbird. From time to time I receive the pop-up below, which I
find a little confusing.


http://img167.imageshack.us/img167/1593/popup1hc5.th.jpg

The top portion of the pop-up clearly shows Firefox requesting permission to
perform a DNS query. The lower half, however, seems to suggest that the parent
application, yzdock, is attempting to access the Internet, which, as far as I
am aware, is not part of its function.

In Component Monitor I have an entry for yzdock.dll, but do I also have to
create a specific application rule for the dock to prevent these pop-ups?

The second question relates to DNS queries. I have created two rules in Network
Monitor to allow DNS queries to be performed against my ISP’s DNS servers, and
yet occasionally I receive requests from applications, such as that shown in
the image above, for an application to perform its own DNS query.

More confusing still is that Firefox, on my system, uses a proxy (Proxomitron)
through which all web access is performed and therefore has a single rule
defined in Application Monitor, which is:

Firefox.exe 127.0.0.1 8080 TCP Out Allow.

Where 8080 is the port used by the proxy. So the question is, why would this
application try to make DNS queries in isolation of the system wide DNS
rules?

My third question regards the way Comodo processes Application Rules. For
example, if I had several rules for an application eg.:

Proxomitron.exe ANY 80,443 TCP Out Allow
Proxomitron.exe ANY ANY TCP Out Block

where some specifically allowed outbound activity to specific ports and one
specifically denied any additional outbound activity, how are the rules
processed, as there appears no way, as there is in Network Monitor, to define
the processing order?

I hope the questions make sense.

Thanks for any help.

Not if you’re ticking “Remember” & hitting the Allow button. With this, and Component Monitor in Learn mode, you’ll only need to authorise each application or component once… CPF will learn what you’re using & only prompt you for things that it’s not seen before or that have been updated. But, the amount of pop-ups you will get is really dependent on the Alert Level you have set (Security - Advanced - Miscellaneous).

What’s the Parent stuff about? This is part of CPF’s security checks. Leaktests use parent processes to pass messages out to the net via the parent’s child process. So, keeping an eye on parents & their children is an important security check.

The second question relates to DNS queries. I have created two rules in Network Monitor to allow DNS queries to be performed against my ISP's DNS servers, and yet occasionally I receive requests from applications, such as that shown in the image above, for an application to perform its own DNS query.
That's because for outbound communications Application & Component Monitor Rules take priority over the Network Monitor Rules. So, you still need to create the Application Rules. If you're not interested in DNS requests, then you can always stop CPF from checking them. But, I don't recommend this, since it is often the first indication you get that an unknown application is attempting Net access.
More confusing still is that Firefox, on my system, uses a proxy (Proxomitron) through which all web access is performed and therefore has a single rule defined in Application Monitor, which is:

Firefox.exe 127.0.0.1 8080 TCP Out Allow.

Where 8080 is the port used by the proxy. So the question is, why would this
application try to make DNS queries in isolation of the system wide DNS
rules?


Since you’re using Firefox, I guess that it was either Firefox itself or the Add-ons & Themes checking for updates.

My third question regards the way Comodo processes Application Rules. For example, if I had several rules for an application eg.:

Proxomitron.exe ANY 80,443 TCP Out Allow
Proxomitron.exe ANY ANY TCP Out Block

where some specifically allowed outbound activity to specific ports and one
specifically denied any additional outbound activity, how are the rules
processed, as there appears no way, as there is in Network Monitor, to define
the processing order?


There is no order, since each rule is for an individual application. Each rule is tested as the application is fired. I’ve noticed that CPF often removes negating rules, if not instantly then when either the page or CPF is reloaded.

I hope the questions make sense.

Thanks for any help.

I hope my answers make sense as well & help.

(:WAV)

Hi Kail, thanks for taking the time to reply.

Not if you're ticking "Remember" & hitting the Allow button. With this, and Component Monitor in Learn mode, you'll only need to authorise each application or component once… CPF will learn what you're using & only prompt you for things that it's not seen before or that have been updated. But, the amount of pop-ups you will get is really dependent on the Alert Level you have set (Security - Advanced - Miscellaneous).

The problem with doing this is that it creates a new rule for Firefox, in this case UDP Out to ANY, which I don’t want. I need only one rule for Firefox, and that is to allow it access to the proxy.

Since you're using Firefox, I guess that it was either Firefox itself or the Add-ons & Themes checking for updates.

I don’t allow any application to auto-update, so it must be something else. If I had been using an old install of XP I may have suspected some malware parasite, but as this is a clean install from my MSDN subscription discs, using only known parasite-free apps…

On the subject of rules, a couple more questions, if I may. There is a default rule in Network Monitor TCP/UDP Out ANY ANY Allow. Without this rule present it is impossible to connect, however, what is to stop some unknown nasty, bypassing the Application Monitor rules and taking advantage of this general rule?

Invisible connections, hmm! Why would I want to allow any application to make a connection I don’t know about and which, right now at least, seems not to be logged?

Thanks again

The best way to identify this is to check CPF’s log. This should tell you exactly what was trying to connect to the DNS.

On the subject of rules, a couple more questions, if I may. There is a default rule in Network Monitor TCP/UDP Out ANY ANY Allow. Without this rule present it is impossible to connect, however, what is to stop some unknown nasty, bypassing the Application Monitor rules and taking advantage of this general rule?
No, I don't think it is possible to circumvent CPF in this way. Each application/component must have an associated rule, be it a hidden one (Comodo approved app) or not. Otherwise CPF will pop up & alert you. The rules are layered & the direction of communication dictates which rules have priority.

Outbound: First the Application/Component rules & then the Network Monitor rules.

Inbound: First the Network Monitor rules & then the Application/Component rules.

Invisible connections, hmm! Why would I want to allow any application to make a connection I don't know about and which, right now at least, seems not to be logged?
There are some programs that you have just got to trust & other security programs, such as AntiVirus programs, fall into this category. In the case of an AV program, you don't really want CPF to interfere with its operations. Otherwise conflicts can result.
The best way to identify this is to check CPF's log. This should tell you exactly what was trying to connect to the DNS.

The only entries I see in my logs are those pertaining to ICMP, even though I have everything ‘ticked’. Perhaps I have missed some way to get extra log data?

Edit. Lol, I lied :) I also get loads of Inbound policy violation rules for port 445, which is the MS Directory service port. I just need to disable that though :)

No, I don't think it is possible to circumvent CPF in this way.

Are applications that use process injection logged?

There are some programs that you have just got to trust

My paranoia meter just went off the scale ::) Personally I wouldn’t want any application, trusted, security, or otherwise, doing something I don’t know about. Is it possible to capture these details in the log?

Me again!

Now I’m confused ??? I had several application rules defined for Thunderbird, which were specific to my email accounts, i.e. allow TB to connect to Server 110/995 TCP etc, as well as rules for DNS lookups at my ISP’s servers.

I just checked my mail and received a pop-up requesting access to a server/port, already defined, which I allowed, and now all I am left with is two rules, UDP ANY Out and TCP ANY out. All other rules have been removed. Why would Comodo remove rules I have created?

I also have one entry in the log suggesting suspicious behaviour and yet the connection requested is as it should be?

If CPF prompted you for an app that was attempting a DNS query, then it should be there (in the log).

Edit. Lol, I lied :) I also get loads of Inbound policy violation rules for port 445, which is the MS Directory service port. I just need to disable that though :)
I get those as well. Since they are inbound, they're from someone else (usually on your own subnet… same ISP). There are 3 possibilities: 1) users who are unknowingly broadcasting their systems to the world because they have file sharing or something else switched on; or 2) it could be that their system is infected with a worm & the worm is trying to spread itself; or 3) they are hackers looking for vulnerable systems (if the hacker is experienced, the source system will probably be a Zombie that they are controlling remotely).
Are applications that use process injection logged?
Yes. This is one of CPFs specialties (plugging leaks).
My paranoia meter just went off the scale ::) Personally I wouldn't want any application, trusted, security, or otherwise, doing something I don't know about. Is it possible to capture these details in the log?

If you want to authorise everything that goes on, then go to Security - Advanced - Miscellaneous & slide your Alert Frequency Level to Very High. Personally, I run on Very Low, so that CPF doesn’t drive me nuts with pop-ups. ;)

I don’t know. You’ll need to post a copy of your rules (best done by image) & the relevant entries from CPFs log (you can export the log to an HTML/TXT file & use cut ‘n’ paste from there).

If CPF prompted you for an app that was attempting a DNS query, then it should be there (in the log).

You are right, I have just one entry in the last few days, and that was for Thunderbird…

I get those as well

I have that port disabled as it’s not necessary for me. If you’re interested (I’m sure you already know, but it may be interesting for others) it can be done by disabling NetBIOS over TCP/IP from the network connector properties box and through, on XP at least, the registry, by going to:

HKLM\System\CurrentControlSet\Services\NetBT\Parameters

In the window on the right, find an option called TransportBindName and set the value to null (blank).

One may also disable the TCP over NetBIOS helper service in Services.

Be advised, however, that doing the aforementioned may prevent you from connecting to other computers and devices on your LAN!!!

Yes. This is one of CPFs specialties (plugging leaks).

Nice to know :)

slide your Alert Frequency Level to Very High.

I’ve had it on Very High for the last few days, just to see what’s going on. To be honest the number of prompts has been quite low, perhaps only 3 or 4 per session, and there has been very little additional data in the logs, if any.

I don't know. You'll need to post a copy of your rules

I’ll recreate the rules and take some pics…

Ok, it’s happened again! This time with Firefox.

I did a refresh on the Comodo forum page and I got this:


http://img234.imageshack.us/img234/4161/comodoffyzolegq7.th.jpg

I decided to allow the connection to see what would happen. Before I did, I had only one rule for Firefox:

Firefox.exe 127.0.0.1 8080 TCP Out Allow.

After allowing the pop-up, my rule has been removed and now I have:

Firefox.exe ANY ANY TCP Out Allow

This is not good. I don’t want my rules being removed/replaced. This is a little worrying; at best the new rule should be added to any existing rules. In an ideal world, we should get a pop-up that asks if we would like to create a new rule, not just replace what’s already there.

Unfortunately, that is what CPF currently does in a case like this. But, I do agree with you. I don’t think it should remove user created rules either. I recommend that you put this on the CPF Wish List (but, I think it’s probably already there).

But, why only port 8080 for Firefox… is that to bypass a proxy?

I’ll check the wish list and add the request even if it is there. I believe it’s totally wrong for an application, especially a firewall, to change/remove user defined rules. If the rules are wrong or bad then by all means add an additional rule.

For the proxy I use Proxomitron, here is a good place to start:

http://www.castlecops.com/c14-Proxomitron.html

Basically it’s a web filter, ad blocker, nasty killer etc. Essentially one configures one’s browser to connect to the proxy, default is 127.0.0.1:8080, then configures Proxomitron to do the rest.

In my opinion, it’s by far and away the best product of its type out there. I tried NoScript and Adblock but Proxo does all that and more, is easier for the novice and more configurable for the expert.

First, your picture is related to OLE Automation (different story I think). Second, I’m not sure, but I guess you had the “Remember my answer for this application” checked/ticked. In that case, CPF will allow all outgoing TCP traffic as it found that Firefox is a safe (trusted) application.

“Firefox.exe ANY ANY TCP Out Allow” is more general than “Firefox.exe 127.0.0.1 8080 TCP Out Allow” and that’s why it was removed. “127.0.0.1 8080” is a subset of “ANY ANY” and thus not needed (redundant check).
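A small model of the layered evaluation Kail describes earlier in the thread (outbound: Application rules first, then Network Monitor; inbound: the reverse) and of the redundancy check Rami describes, written here as an added example and not taken from Comodo or CPF. The "Prompt" outcome stands for CPF's pop-up, the ISP DNS address and the connection attempts are constructed placeholders, and the drop-when-unmatched behaviour of Network Monitor is a model assumption based on the remark that nothing connects without the default rule.

```python
from collections import namedtuple
from dataclasses import dataclass

ANY = "ANY"  # wildcard as shown in CPF's rule listings
Conn = namedtuple("Conn", "app host port proto direction")  # proto "TCP"/"UDP", direction "Out"/"In"

@dataclass(frozen=True)
class Rule:
    app: str        # executable, or ANY for a Network Monitor rule
    host: str       # remote address or ANY
    ports: tuple    # remote ports, or (ANY,)
    proto: str      # "TCP", "UDP" or "TCP/UDP"
    direction: str  # "Out" or "In"
    action: str     # "Allow" or "Block"

    def matches(self, c):
        return (self.app in (ANY, c.app) and self.host in (ANY, c.host)
                and (ANY in self.ports or c.port in self.ports)
                and c.proto in self.proto.split("/") and self.direction == c.direction)

    def subsumes(self, other):
        # True when self permits everything `other` permits: the sense in which
        # "ANY ANY" makes "127.0.0.1 8080" a redundant check.
        return (self.app in (ANY, other.app) and self.host in (ANY, other.host)
                and (ANY in self.ports or set(other.ports) <= set(self.ports))
                and set(other.proto.split("/")) <= set(self.proto.split("/"))
                and (self.direction, self.action) == (other.direction, other.action))

def evaluate(c, app_rules, net_rules):
    """'Allow', 'Block' or 'Prompt' (the CPF pop-up) for one attempt.
    Outbound: Application rules first, then Network Monitor; inbound: reversed."""
    layers = (app_rules, net_rules) if c.direction == "Out" else (net_rules, app_rules)
    for layer in layers:
        hit = next((r for r in layer if r.matches(c)), None)
        if hit is None:  # model assumption: only the Application layer prompts; Network Monitor drops
            return "Prompt" if layer is app_rules else "Block"
        if hit.action == "Block":
            return "Block"
    return "Allow"

# Rules quoted in the thread; the ISP DNS address is a constructed placeholder.
ISP_DNS = "192.0.2.53"
APP_RULES = [Rule("Firefox.exe", "127.0.0.1", (8080,), "TCP", "Out", "Allow")]
NET_RULES = [Rule(ANY, ISP_DNS, (53,), "UDP", "Out", "Allow"),
             Rule(ANY, ANY, (ANY,), "TCP/UDP", "Out", "Allow")]  # the default rule
GENERAL = Rule("Firefox.exe", ANY, (ANY,), "TCP", "Out", "Allow")  # the rule CPF wrote

def demo():
    attempts = {  # constructed attempts; 203.0.113.9 is a documentation address
        "firefox_via_proxy": Conn("Firefox.exe", "127.0.0.1", 8080, "TCP", "Out"),
        "firefox_dns": Conn("Firefox.exe", ISP_DNS, 53, "UDP", "Out"),
        "unknown_app": Conn("unknown.exe", "203.0.113.9", 80, "TCP", "Out"),
        "inbound_445": Conn("Firefox.exe", "203.0.113.9", 445, "TCP", "In"),
    }
    return {name: evaluate(c, APP_RULES, NET_RULES) for name, c in attempts.items()}
```

Running `demo()` shows the two puzzles from the thread side by side: Firefox's own DNS lookup prompts because no Application rule covers it even though a Network Monitor rule would, and an unknown program cannot ride the default "TCP/UDP Out ANY ANY Allow" rule for the same reason.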

Hi Rami… thanks for the reply.

To be honest the OLE automation issue may or may not be the same thing in this case, but that’s a different problem and one that remains unresolved.

I didn’t ‘tick’ remember my answer, just allowed the connection.

Regardless, the program should not remove something I have created in favour of its own creation.

CPF’s component monitor does not work as accurately as you have suggested. When Google’s new toolbar updated itself with new .dlls and an executable file they had never used in previous versions, CPF said nothing. It allowed access to the net without so much as a peep. A new .dll and executable, and learn mode did nothing. When I checked Component Monitor the updates were listed, but I was never asked or warned that changes had been made.

I uninstalled all Google related software. I removed all references to Google in the registry and cleaned out Component Monitor of all entries. I then installed the old toolbar, ran the regular programs I use and allowed Component Monitor to rebuild the list. I then changed the setting from “learn” to “on” and waited for the old toolbar to auto update. It did the following day. Again, Component Monitor did not ask to verify any of the new components or executables. It just happily allowed the toolbar access to the web and my system with its new components.

This really annoyed me, as I consider Google new exec file to be spyware, but that argument is not for these forums.

This gives me cause for concern: how many other bits and pieces of software are being updated and not being picked up by CPF’s Component Control?

My Alert level is set to the highest setting, just in case someone asks.

Paris

There are 3 possible reasons for this. 1) The Google toolbar is already registered by Comodo as a trusted application (unlikely). 2) You’ve not used the toolbar yet & those are the old components you can see listed (CPF will realise they’ve changed once you try & use them). 3) Firefox’s Application Monitor rule(s) have been set to “Skip advanced security checks” (not a good idea for a browser).

There’s a 4th possible reason but that involves CPF not behaving the way it is supposed to.

  1. I don’t use Comodo’s trusted applications. It is not enabled so it is not that.

  2. If you noticed in my post I said “I cleaned out Component Mode of all entries. I then installed the old toolbar ran the regular programs I use and allowed Component Mode to rebuild the list. I then changed the setting from “learn” to “on” and waited for the old toolbar to auto update. It did the following day. Again, component mode did not ask to verify any of the new components or executables.” so it is not that. Besides, I can tell the difference between a .dll labeled “googletoolbar1.dll” & “googletoolbar2.dll”, and the toolbar updates while online so it was being used straight away.

  3. I wasn’t using Firefox I was using IE at the time so it is not that.

  4. I never disable Advanced security checks. I check each time I create a new rule that this option is still unchecked. I have seen instances when making rules where the “Skip advanced security checks” is ticked even though no such permission was given.

I also run CCleaner and reboot between removing old software and installing new ones, even if it is just an automatic update, no matter what the program. Sadly the only program I use where I can’t turn off automatic updates is Google’s toolbar. Everything else I manually update when I am ready, not when the software maker thinks I should be ready.

I think CPF has great potential, but there is still work to do. Some very simple aspects of it do not function properly.

Paris

Never is a long time. Things like FTP clients, AntiVirus applications & security applications, with resident components, may require “Skip advanced security checks” turned on to function properly.

On the issue you raised with CPF’s Component Monitor & Google toolbar, I would be grateful if you could visit Comodo Support, register on their system & raise a ticket on this issue, since you seem to have found some problems with CPF there. Thanks.

Hi Kail,

I have raised a ticket about this issue. I am happy to help.

I like this firewall and I want it to work so I can rest easier with regards to my system’s security.

Paris

Hi Paris

Thanks for that. :)

It occurred to me that the response you get from Support might either be a bit slow or… lacking in depth. It’s all Melih’s fault. He’s got the CPF development team locked away somewhere (a deep dark dungeon is the rumor) working ■■■■■■■ the next CPF version (which apparently is a biggie).