Setting Up Comodo PF - Not as Smooth as I Hoped (Long)

Hi folks!

A few comments and questions for those who are a bit more acquainted with CPF:

I downloaded and installed the Firewall on my notebook PC last night. Setup was not quite as intuitive as I thought it would be! Perhaps I started off wrong - maybe someone can give me some advice as to what I am seeing vs. what I should be seeing.

First, I selected Manual mode - I don’t usually like Automatic mode for firewalls: A number of items are usually blocked by default in Auto mode that I would prefer to permit. Plus, I like to see each and every item and action that the firewall is seeing and acting upon. Might as well get all my custom settings taken care of from the start! But…

From the start I expected to see a lot of popups asking me whether the firewall should permit certain programs to take certain actions or not. I did not see anywhere near as many as I thought I would, and quite a few applications were blocked from the start without ever asking my opinion - I really hate it when that happens!! Eg, After the post-installation restart, I had no connectivity from my wireless card. I gave my network permissions as soon as I could, but Comodo had already prevented it from obtaining a DHCP address. So I had to take steps to obtain that manually - never had that happen with a firewall before - they have always detected the network and asked me what permissions I wanted to set. CPF never did ask.

Also, my Counterspy Anti-Spyware and NOD32 Anti-Virus were automatically blocked, leaving me with no other protection at all. I was never asked about them; CPF just blocked them on its own. Again, this has never occurred with other FW’s.

Actually, even though CPF is in Learning mode I saw very, very few popups asking me to Allow or Deny applications. Then as I continued I would see an occasional popup but exactly how to treat them was extremely unclear. By this I mean that the popup would ask about a specific application and have the Allow and Deny buttons, but it also has a count at the bottom - like, “1 of 20”. I figured this meant that after clicking on Allow for the first alert it would move to #2 of 20, and so on. But as soon as I click “Allow” for #1 the popup disappears. The next time I saw it I decided to try scrolling through the alerts first. So when a popup appeared and said “1 of 12”, I noted what program it was asking about and then clicked on the arrow to the next alert. But the counter changes when I do that; instead of saying “2 of 12”, it now says “1 of 6”; click the arrow again and it changes to “1 of 2”, then “1 of 8”, and then simply disappears.

What in the heck is supposed to happen with such popups? The Help file does not address them that I can see. I would hope for either a separate alert for each action so that I know I properly addressed each one, or an instruction that says to click the arrow to move to the next alert or something a little clearer. I ended up opening the firewall main screen and added every single .EXE file of every application I have installed! (And, yes, I have a LOT of applications!!). Oh - also, many of the systray icons for programs that start with Windows did not appear; the programs themselves started up, but their icons were not in the tray. And, yes - I have all icons set to show; none are “hidden”. Also, many of those apps - most are utilities that I use often - were not fully functional. After manually permitting them, closing, and restarting them they were fine. Weird.

Actually I don’t think that it is working correctly on my installation - I can’t imagine that it would be that tricky! Or I would be reading similar posts by others. Could it be a corrupt installation? Or that my base setup is faulty?

My most immediate previous firewall was the Paid Kerio PF - the latest release is not working at all on all three of my PC’s - a known problem that Sunbelt cannot seem to get fixed. But I uninstalled that via the Add/Remove Software utility, plus I ran a “cleaner” patch from Sunbelt to remove any other fragments that could be left behind. So it should be a clean machine, FW-wise.

I really appreciate any help or advice from you all.

One last question - probably should be a separate thread, but I’ll start by asking here first: I have three PC’s. As long as I can get CPF working well on this notebook, I’ll be installing it on all three. Do I install the same setup file on all three, and use the activation/license code three times? Or must I register three separate times? (BTW, I wrote to Comodo support but received a reply that they don’t do email anymore, and to register my request on the site. Not sure why they put the support email address in the Welcome email then…)

Thanks!

Hi J Mac…
It is a lengthy process if you don’t do Automatic setup as there’s some 8 network rules to create along with lots of other tricky bits and pieces. Did you download and install an old version? There’s some stuff in the FAQs about NOD32 and AVG etc. There is a way around it blocking programs it conflicts with. As far as the Popups are concerned there will be 1 of 20 as it is saving you from having hundreds of popups specifically asking for each individual component of that program and occasionally it may be the number of times the program itself asks to connect to the internet. You can change the level of popups by going to Security>>>Tasks and clicking on Miscellaneous. My suggestion is to reinstall using the Automatic Settings and once you have it installed go to Security>>>Tasks and click on “Scan for known Applications”. This will automatically create rules for all the known “Trusted Applications” in the Comodo database and it will save you a lot of time and effort. If you would prefer to see a popup for every port that an application tries to access as well as every component file relating to that program etc., do as I mentioned previously about adjusting the level of popups… Oh… Don’t forget to go to Tasks again and add your Network as Trusted so that it can communicate with your router properly.

Eric

I agree that your best bet is to do an automatic reinstall. Here’s why. Before I elect to use a firewall I do a fair amount of research to determine whether I have a general level of trust in that firewall. I trust CPF (but I also verify).

Before I install the firewall I do all I can to insure that my PC is clean of spyware and viruses, and I verify that any adware I have installed is considered to be trustworthy as well.

Then I install the firewall, giving it its head so that it can do its job of protecting me (the Automatic mode). At this point I will start getting popups, and I deny them (not permanently) unless they look necessary for CPF to run.

Because I trust CPF I then do its scan for trusted applications. If I had less trust in CPF, I would not do that but rely on my own judgment whether to trust an application as they pop-up.

I then run, separately, only my usual networking applications (browsers, email, windows explorer, and so on), allowing them only if the information in the pop-up sounds reasonable to me. If it doesn’t sound reasonable to me, then I check the running processes before allowing it, and then check them again after allowing it to give me an idea of what I have allowed.

I then start doing some things that require interaction between two (or more) applications, such as clicking on a mailto link in a browser while the email program is not already running, or on a URL in an email message while the browser is not running, just to get a feel for how those pop-ups look.

I pay special attention to the “parent” and “hidden” applications in the CPF pop-ups.

In CPF I have always left the Component Monitor in “learning” mode, but I rarely get a popup that surprises me, or that I don’t know what to do with.

Jim

Thanks Eric. Maybe I’ll try again with Automatic - as long as I can then easily go in and undo anything that Comodo does that I don’t like. :wink:

Definitely use automatic mode, it’s a lot quicker to remove items than to add them :).

By default, CPF acts similar to SKPF4’s simple mode (with “… applications certified by Comodo” disabled) in that you’re only prompted for directional rules (i.e. inbound or outbound). Also, by default, CPF will allow applications that it trusts (from an internal list) so unless this option is disabled, you may get few alerts. Changing the alert frequency level to “very high” will display the most prompts.

:slight_smile:

Thanks Graham. I made some comments inline.

Jim, I may have that degree of trust in CPF once I know it better. Can you really say that you had a very high degree of trust in CPF prior to trying it yourself? If so, based on what? I can read about the virtues of just about anything online - but I never really know until I try it myself.

And I have been greatly surprised by some!

Before I install the firewall I do all I can to insure that my PC is clean of spyware and viruses, and I verify that any adware I have installed is considered to be trustworthy as well.

My machine is clean. At least I know that much. Daily AV and AS scans, plus their full-time monitors running. I feel comfortable by now with NOD 32 and KAV (NOD 32 on two PC’s, KAV on one). And for my AS, I use Counterspy for the full-time monitor and a daily scan, plus weekly scans with Spybot S&D and AdAwareSE Plus, and SpywareBlaster updated weekly. (Just a touch overdone, maybe, but I feel better!)

Then I install the firewall, giving it its head so that it can do its job of protecting me (the Automatic mode). At this point I will start getting popups, and I deny them (not permanently) unless they look necessary for CPF to run.

Because I trust CPF I then do its scan for trusted applications. If I had less trust in CPF, I would not do that but rely on my own judgment whether to trust an application as they pop-up.

I usually know what each popup is. Occasionally I need to look a filename up, but I mostly know what each file is. To extend your “If I trust the firewall” concept, I did a lot of research on AV’s before switching to KAV and NOD 32 recently, and yet I was still surprised by KAV’s behavior. It has a new module which acts a lot like a firewall, but which they claim is definitely NOT a firewall. It acts enough like one for me to have turned the module off, though. It’s called their Pro-Active Defense, and once KAV was installed it went way overboard on me! It started blocking program after program, claiming that a trojan called Invader was in each of them. I believe it uses some type of heuristic algorithms to determine this. Basically, from what I could tell, any app that tried to use, or even look at, any other app was blocked for this trojan. It blocked about 60% of the applications on my PC! Even explorer.exe! And, yes, I thought I could trust it before I first tried it. So understand my lack of complete trust until I see how something acts!

I then run, separately, only my usual networking applications (browsers, email, windows explorer, and so on), allowing them only if the information in the pop-up sounds reasonable to me. If it doesn't sound reasonable to me, then I check the running processes before allowing it, and then check them again after allowing it to give me an idea of what I have allowed.

You sound more paranoid than me. Tell me: If you ran only your “…usual networking applications…” and watched the popups, what types of alerts sounded “reasonable” vs. what did not? I mean, after scanning the PC as carefully as you say you did? You’re talking just browsers, email, and explorer, correct? What kinds of things did not sound reasonable? I’m just curious!

I then start doing some things that require interaction between two (or more) applications, such as clicking on a mailto link in a browser while the email program is not already running, or on a URL in an email message while the browser is not running, just to get a feel for how those pop-ups look.

Shoot, CPF is popping alerts at me here when I click on links in an email message even when the browser is already open! I don’t mind, though, as long as it remembers what I tell it! That’s why I dropped Zone Alarm Pro after a number of years. It now keeps getting a corrupted database - for almost all users - and doesn’t remember your instructions, even though it claims that it does in the settings. It became way too error-prone in the last two years.

I pay special attention to the "parent" and "hidden" applications in the CPF pop-ups.

I assume that these are Comodo’s own odd way of describing process trees? If not, what do they mean by “Parent and hidden”?

In CPF I have always left the Component Monitor in "learning" mode, but I rarely get a popup that surprises me, or that I don't know what to do with.

Jim

Component mode is where I have it right now.

OK, I’ll try uninstalling it and then reinstalling it into Auto-mode. As I said in the last post, as long as I can go in and undo anything it does that I don’t agree with. One thing that I do not subscribe to is the notion that any developer knows what is best for me, whether I agree or not!

Thanks again, Graham.

OK Graham.

My thoughts (And it’s not pretty! - Don’t take it too hard; I do plan to stay and work with it for a while, if you all will put up with me. I am blunt…):

  • Automatic mode is not any better than manual. As a matter of fact, I think I was doing better in manual mode.

  • CPF is, well, not very intuitive; and I am putting that as mildly as possible so as not to get you upset or anything. I figured that in Auto-mode it would be sensible enough to allow common applications. When it was not in the least bit sensible, I ran the “Scan for known applications”. That would certainly recognize most applications, right? Wrong. I do not say this sarcastically at all: Does CPF actually have any application recognition built in at all? It really doesn’t seem to. But if that is the case, what is the purpose of the scan? It did not scan only applications, BTW. It scanned each and every file in the Program Files directory. Can anyone at Comodo explain that to me if I were to ask? Some of my applications have literally thousands of files, but only one or two executables and a few DLL’s. Why would any firewall need to scan every image file in the folder? (Eg, Web design software has thousands of image files right in the program folder. Plus many thousands more elsewhere. Why would a firewall need to scan each?).

CPF apparently did not recognize one single application on my PC. It disallowed my email clients, browsers, all of my utilities - granted, it may not know some, but ALL? And since it is in Auto-mode, I guess, it did not alert me about blocking any of these programs. That’s not acceptable. What else does it think it does not need to alert me about? It permitted my network - but only the gateway. Blocked access to and from all other network equipment. Again, no alerts about that.

  • And worst of all, yes, it blocked NOD 32 Anti-Virus and Counterspy Anti-Spyware! How in the world can any firewall worth its salt claim to not recognize well-known AV and AS apps? Definitely NOT acceptable! For the second time now it has left me unprotected from virtually ALL threats. (Graham, I could write better rules than that. So could you!)

  • It is very frustrating to see most of what has been blocked, but not be able to immediately do anything about it. I’m talking about the log, of course. There is no way to edit whatever rule blocked these things from the very screen where you see what was blocked. I have to go to another screen. Are users supposed to write down all that was blocked before they leave that screen? Or just keep going back and forth? This is poor design for the GUI, IMO.

  • Another GUI issue - you cannot resize the CPF window, though not one single screen fits the information that is supposed to be shown on it. Continually dragging columns wider and back, using the horizontal scroll bar. Again, poor UI design. Both this and the previous item definitely need lots of improvement.

  • There is no user manual, and Comodo explains that this is because they have such a great onboard Help file. Where? Not the one I saw! I wanted to print the log, because I quickly tired of widening and returning the columns, and using the scroll bars, and going back and forth from the settings to the log. But I could find how to print it, or to export it. So I opened the Help file. In the index, I typed “log” - nothing. I typed in “Print” - again, nothing. I tried, for the heck of it - since this one HAD to be there - typing in “Rules” - Still Nothing!! What is in the Help file? Mostly extremely elementary stuff for beginners. But nothing I could use.

So I guess there is no way to print this info? I do have SnagIt installed, but the too-small window doesn’t let a screen shot show much of anything.

  • Speaking of rules, where in the heck are they, anyway? My network, which has been blocked - apparently in accordance with a rule, but I can’t find the darned rules! And since the Help file never heard of “Rules”, I must ask here. My network, or part of it, is blocked supposedly because: “Network Control Rule ID = 5”. I can find nothing at all that identifies what this rule is. One reason I did not like Trend Micro’s built-in firewall was this same issue. It would block things left and right, never alert me about them, and say it was because of certain rules that, according to T-M, “…we cannot divulge at this time because they are proprietary to Trend Micro”. What? Block my network, say it is in accordance with a specific rule, but don’t identify the rule or alert me to the blocking, because it’s a company secret!!! I figured I would never see that again, so someone please tell me that I can see - and edit - this rule that equals 5 that is blocking parts of my home network!

  • Alert time-outs - what’s with that? And what happens if an alert times out? Is the action automatically blocked? If so, is a rule then established blocking it always from that point on? I hope not! I tried to set the time-out to several hours - yes, hours, but it maxes out at 300 seconds. That is way too short. I often leave my PC to go to the bathroom; so does everyone else, correct? I do not want CPF to default to blocking something that I do not want blocked just because it happened to alert when I was away from the PC! I want it to either keep the alert right there on top - what does it hurt, after all? Or log it and hold off taking any action at all until I “rule” on it. But 300 seconds is far too short, IMO.

Graham, I actually have more questions, and I apologize if this post seems a bit too harsh. I have been uninstalling and reinstalling and unblocking and searching and trying to unblock, etc, etc, etc. for too many hours now - it really should not be a difficult thing - and my neck really hurts, and my daughter’s daughter is visiting and is getting way too loud, and I hafta go to the bathroom… :o :o :o :-\ :‘( :’( :cry:

Anyway, I’ll stop back when I calm down a bit and have this thing hopefully a little more under control! (:WIN) (:WAV)

I’ll be back!

Sounds like you’re having more problems with CPF than SKPF4 :o. I don’t use “scan for known applications” myself but prefer to create rules manually. Try changing the alert frequency to very high and disable “do not show any alerts for applications certified by Comodo”. This will make CPF more like SKPF4 packet filter rules. Even just disabling the latter should make CPF similar to application rules (SKPF4).

If you have listening applications that require inbound access, you will need to create a network monitor rule to allow these connections. All inbound connections are denied by default, unless an outbound connection was made first which would then allow the connection back in.

:slight_smile:
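
The inbound behaviour described in the post above (deny by default, admit replies to connections the host opened, and require an explicit rule for listening applications), modelled as a small stateful filter. This is an added example, not Comodo's code and not part of the original posts; the class names, addresses and ports are constructed, and outbound traffic is assumed to be always permitted.

```python
"""Toy model of a stateful, default-deny-inbound packet filter (illustrative only)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving this host, "in" = arriving at it
    proto: str       # "tcp" or "udp"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class StatefulFilter:
    # Explicit inbound allow rules as (proto, local_port): the equivalent of a
    # rule created by hand for a listening application.
    inbound_allow: set = field(default_factory=set)
    # Flows opened by outbound traffic, keyed from this host's point of view.
    # A real firewall also expires these entries; omitted here for brevity.
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p):
        return (p.proto, p.local_ip, p.local_port, p.remote_ip, p.remote_port)

    def decide(self, p):
        if p.direction == "out":
            # Assumption: outbound is always allowed; it only records state.
            self.flows.add(self._key(p))
            verdict, reason = "allow", "outbound (state recorded)"
        elif self._key(p) in self.flows:
            verdict, reason = "allow", "reply to tracked outbound flow"
        elif (p.proto, p.local_port) in self.inbound_allow:
            verdict, reason = "allow", "explicit inbound rule"
        else:
            verdict, reason = "block", "default deny inbound"
        self.log.append((verdict, reason, p))
        return verdict


def demo():
    # Constructed sample addresses (private and documentation ranges).
    host, web, peer = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    fw = StatefulFilter()
    results = [
        # 1. Browser opens a connection: allowed, state recorded.
        fw.decide(Packet("out", "tcp", host, 50000, web, 443)),
        # 2. The server's reply matches the recorded flow.
        fw.decide(Packet("in", "tcp", host, 50000, web, 443)),
        # 3. Unsolicited connection to a listening app on port 6881: blocked.
        fw.decide(Packet("in", "tcp", host, 6881, peer, 40000)),
    ]
    # 4. After an explicit inbound rule is added, the same packet is admitted.
    fw.inbound_allow.add(("tcp", 6881))
    results.append(fw.decide(Packet("in", "tcp", host, 6881, peer, 40000)))
    # 5. Same remote server, but a local port this host never used: blocked.
    results.append(fw.decide(Packet("in", "tcp", host, 50001, web, 443)))
    return results, fw.log


if __name__ == "__main__":
    for verdict, reason, pkt in demo()[1]:
        print(f"{verdict:5} {reason:32} {pkt}")
```

Case 5 is the one worth noting when reading a firewall log: an earlier outbound connection to a server does not make that server trusted, only the exact flow that was opened.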

I’ll touch on a couple of your issues; I’m sure others can discuss the rest.

Another GUI issue - you cannot resize the CPF window, though not one single screen fits the information that is supposed to be shown on it. Continually dragging columns wider and back, using the horizontal scroll bar. Again, poor UI design. Both this and the previous item definitely need lots of improvement.

Agreed, you cannot size the window to whatever size you want but you can go full screen, which helps.

[i]There is no user manual, and Comodo explains that this is because they have such a great onboard Help file. Where? Not the one I saw! I wanted to print the log, because I quickly tired of widening and returning the columns, and using the scroll bars, and going back and forth from the settings to the log. But I could find how to print it, or to export it. So I opened the Help file. In the index, I typed “log” - nothing. I typed in “Print” - again, nothing. I tried, for the heck of it - since this one HAD to be there - typing in “Rules” - Still Nothing!! What is in the Help file? Mostly extremely elementary stuff for beginners. But nothing I could use.

So I guess there is no way to print this info? I do have SnagIt installed, but the too-small window doesn’t let a screen shot show much of anything.

[/i]
You can “right click” in the logs window and export the logs to an HTML file which is very readable and printable.

[i] Speaking of rules, where in the heck are they, anyway? My network, which has been blocked - apparently in accordance with a rule, but I can’t find the darned rules! And since the Help file never heard of “Rules”, I must ask here. My network, or part of it, is blocked supposedly because: “Network Control Rule ID = 5”. I can find nothing at all that identifies what this rule is. One reason I did not like Trend Micro’s built-in firewall was this same issue. It would block things left and right, never alert me about them, and say it was because of certain rules that, according to T-M, “…we cannot divulge at this time because they are proprietary to Trend Micro”. What? Block my network, say it is in accordance with a specific rule, but don’t identify the rule or alert me to the blocking, because it’s a company secret!!! I figured I would never see that again, so someone please tell me that I can see - and edit - this rule that equals 5 that is blocking parts of my home network!

[/i]
The rules are under “Security”> “Network Monitor”

Hope this helps a little.

DR