Why are OUT connections allowed even if I don’t have a Global rule that allows TCP/UDP out?
Are all loopback requests allowed by default in v3? I haven’t gotten any requests since I’ve moved from v2.4, and I use the same programs that used to connect to 127.0.0.1
I’ve read that System Idle Process being blocked is just some generic traffic being blocked, but how can I turn off its logging?
Why is Comodo generating a great number of logs about cfpupdat.exe being blocked? It does so when utorrent is running and it says that destination port is actually utorrent’s listening port!
EDIT: I’ve just noticed in Active Connections that utorrent isn’t listed, but all its traffic seems to be associated with cfpupdat.exe (CF hasn’t generated any popup alert for it). How come?
alg.exe and nlsvc.exe are listed in Active Connections, listening on some ports. Why aren’t any alerts activated and permissions asked? Traffic is 0 B. Are alerts suppressed until traffic starts?
Out for a basic firewall (Windows) is generally allowed unless blocked intentionally. Comodo uses a list of safe programs to automatically determine whether programs are allowed or blocked…
Most are set to ask, but ask seems to have some problems. For many programs, there are rules in the Comodo Library (which I have never seen)
Haven’t seen a complete explanation for all this stuff - some of mine came from visited sites, lots came from unknown sites (probably associated with the visited sites). Maybe just to show that Comodo is blocking lots of intrusions? In any case, if you make a rule in Firewall/Advanced/Network Security Policy/System to “Block TCP from HTTP Ports”
Block (do not alert/log or the intrusion counter will keep rolling)
TCP
In
Source IP Any
Destination IP Any
Source Port HTTP Ports
Destination Port Any
your intrusion counter should stop rolling (reset it by turning CFP off and on) and you will be able to read your log without sorting through the clutter. AFAIK, no one has discovered a problem with leaving all this stuff blocked. And there are reasonable explanations for some of it as various traffic from the visited servers, other is ?
4) Beats me; I don’t use P2P. Does utorrent use a proxy? Comodo doesn’t really recognize them.
5) System programs seem to have built in permission, like lots of known programs in the Comodo library. I think that anything that gets permission because it is in the library should move a rule to the appropriate Security Policy when it is activated, so users can modify/remove as necessary. May make for a bigger Security Policy list, but something like a button that allows the explicit rules to be expanded to include the implicit rules would suit me.
I expect a lot of these issues will be addressed as Comodo 3 matures. But I suspect that real problems will keep them busy for a while before they get to nuisances. Maybe others will chime in with more insight on your issues.
There are a number of programs that are known to be safe (signed and on Comodo’s database). These programs have “Safe Program” privileges and the rules governing programs control the outgoing connections prior to the application of the Global rules. Incoming connections are governed by the Global rules first.
This is also a result of the safe list.
3. The logging of the System Idle Process may reveal a connection that you actually want to happen. You can look up the IP address and see who is trying to connect at http://www.who.is/ to see if you know who it is (maybe your ISP?). To turn off the logging, click Firewall>Advanced>Network Security Policy>(locate and select the System Idle Process)>Edit>Select the “Block Unmatching Requests” rule (the last one) and click Edit. On the Edit dialog, uncheck “Log” and click apply there and on all the parent screens that show “apply”.
This sounds odd to me. It does not happen on my system, but then I don’t use uTorrent. You seem to have a misconfigured rule for uTorrent.
I don’t know the two programs that you mention, but they might easily be recognized as safe and so no alerts will occur unless you re-write the rules for them.
Hmm, Comodo states that for outgoing connections it does check the global rules. v2.4 had the specific default rule to allow TCP/UDP out.
No firewall allows OUT by default (at least not ZA and Outpost that I’ve used), it always asks for a permission.
2) Most are set to ask, but ask seems to have some problems. For many programs, there are rules in the Comodo Library (which I have never seen)
5) System programs seem to have built in permission, like lots of known programs in the Comodo library. I think that anything that gets permission because it is in the library should move a rule to the appropriate Security Policy when it is activated, so users can modify/remove as necessary. May make for a bigger Security Policy list, but something like a button that allows the explicit rules to be expanded to include the implicit rules would suit me.
I agree. I don’t like the idea about an invisible library of allowed applications that completely bypasses user’s firewall rules. If there is such a library, all the programs that are in it and are detected on a user computer, should appear in the applications list and be available for the user to change. Better yet, there should be a standard program alert (with suggested default settings).
3) Haven't seen a complete explanation for all this stuff - some of mine came from visited sites, lots came from unknown sites (probably associated with the visited sites). Maybe just to show that Comodo is blocking lots of intrusions? ;) In any case, if you make a rule in Firewall/Advanced/Network Security Policy/System to "Block TCP from HTTP Ports"
Block (do not alert/log or the intrusion counter will keep rolling)
TCP
In
Source IP Any
Destination IP Any
Source Port HTTP Ports
Destination Port Any
Thanks, I’ll try this.
4) Beats me; I don't use P2P. Does utorrent use a proxy? Comodo doesn't really recognize them.
utorrent doesn’t use a proxy.
As I said above…not a good idea to have a “secret” safe program list that bypasses user rules.
3. The logging of the System Idle Process may reveal a connection that you actually want to happen. You can look up the IP address and see who is trying to connect at http://www.who.is/ to see if you know who it is (maybe your ISP?).
I can’t think of a connection that I would like to allow in for System Idle Process. If a specific application wants incoming, it will ask.
To turn off the logging, click Firewall>Advanced>Network Security Policy>(locate and select the System Idle Process)>Edit>Select the "Block Unmatching Requests" rule (the last one) and click Edit. On the Edit dialog, uncheck "Log" and click apply there and on all the parent screens that show "apply".
It isn’t listed.
4. This sounds odd to me. It does not happen on my system, but then I don't use uTorrent. You seem to have a misconfigured rule for uTorrent.
I have 3 rules for utorrent:
Allow TCP/UDP In ANY ANY ANY DestPort [utorrent’s port]
Allow TCP/UDP Out ANY ANY ANY ANY
Block and Log IP In/Out ANY ANY ANY
There is only one rule for Comodo, the default outgoing one.
5. I don't know the two programs that you mention, but they might easily be recognized as safe and so no alerts will occur unless you re-write the rules for them.
If I recall, uTorrent can use a range of ports. Try changing the uTorrent port to a different one. Maybe that will resolve the cfp.exe conflict.
You can add SIP to your Network Security Policy: click Firewall>Advanced>Network Security Policy>Add>. In the dialog beside Path, click “Select” and from the balloon, pick “Running Processes”. SIP is the top of the list. Then you will have to write some rules. If you have a single computer, you can use the predefined policy for “Blocked Application”. If you have a LAN, I am not sure if it needs to communicate with the other computers/devices on that network - you can try the Blocked App rule and see. Once it is defined, edit the Block rule to uncheck the “Log” checkbox.
I believe that torrents, by default, use a randomly chosen port for connection, but you can configure it to use a static port. This is the best method for creating tight rules to allow inbound p2p traffic.
I’ve deleted all the logs and restarted. It seems like it no longer associates CF with utorrent traffic. I’ll keep an eye on that one.
You can add SIP to your Network Security Policy: click Firewall>Advanced>Network Security Policy>Add>. In the dialog beside Path, click "Select" and from the balloon, pick "Running Processes". SIP is the top of the list. Then you will have to write some rules. If you have a single computer, you can use the predefined policy for "Blocked Application". If you have a LAN, I am not sure if it needs to communicate with the other computers/devices on that network - you can try the Blocked App rule and see. Once it is defined, edit the Block rule to uncheck the "Log" checkbox.
Why didn’t I think of that? Thanks for the tip. I do have a LAN. Will try block all and see.
It is set to a static port. I always do that and turn off UPnP. It seems as though everything is ok since restart.
I’m still a little puzzled as to why a global allow OUT rule isn’t required in V3.
The Out connection rules are defined for each application. The application rules are applied first for outward connections. This avoids undefined applications having an out privilege.
Yes, and if/after an application passes the Application rules, the global rules are checked. It’s stated so in multiple places. So why is it not necessary to have a global allow out rule?
That’s what I’ve been trying to figure out since the beginning. All I know is that it’s due to the System process having the Outgoing Only predefined rule in Application Rules. Whenever I remove that rule, I find that the old TCP/UDP Out rule in Global Rules is required. Not sure why…
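The evaluation order the thread describes (application rules before global rules for outbound, global rules first for inbound, first match wins within a rule list) can be modelled to see why the uTorrent rule set and the System "Block TCP In from HTTP Ports" rule behave as reported. This is an added illustration, not Comodo's code; the port numbers, the contents of the "HTTP Ports" set, and the fallback to "ask" when no rule matches are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

HTTP_PORTS = {80, 443}   # constructed stand-in for Comodo's "HTTP Ports" set (assumption)
UTORRENT_PORT = 51413    # constructed example of a static uTorrent listening port

@dataclass
class Rule:
    action: str                     # "allow" or "block"
    proto: str                      # "TCP", "UDP", "TCP/UDP" or "IP" (any protocol)
    direction: str                  # "in", "out" or "in/out"
    src_ports: Optional[Set[int]] = None   # None means any source port
    dst_ports: Optional[Set[int]] = None   # None means any destination port
    log: bool = False               # whether a match is written to the firewall log

def matches(rule: Rule, proto: str, direction: str, src_port: int, dst_port: int) -> bool:
    """True if one connection attempt is covered by this rule."""
    if rule.proto != "IP" and proto not in rule.proto.split("/"):
        return False
    if rule.direction != "in/out" and rule.direction != direction:
        return False
    if rule.src_ports is not None and src_port not in rule.src_ports:
        return False
    if rule.dst_ports is not None and dst_port not in rule.dst_ports:
        return False
    return True

def evaluate(app_rules: List[Rule], global_rules: List[Rule], proto: str,
             direction: str, src_port: int, dst_port: int) -> Tuple[str, bool]:
    """Return (verdict, logged) for a single connection attempt.
    Ordering as stated in the thread: outbound consults the application's own
    rules before the global rules, inbound consults the global rules first.
    Modelling assumption: first match wins inside each list, a list with no
    match is skipped, and with no match anywhere the firewall asks the user."""
    layers = [app_rules, global_rules] if direction == "out" else [global_rules, app_rules]
    for layer in layers:
        for rule in layer:
            if matches(rule, proto, direction, src_port, dst_port):
                return rule.action, rule.log
    return "ask", False

# The three uTorrent rules quoted in the thread, in the order given.
UTORRENT_RULES = [
    Rule("allow", "TCP/UDP", "in", dst_ports={UTORRENT_PORT}),
    Rule("allow", "TCP/UDP", "out"),
    Rule("block", "IP", "in/out", log=True),
]
# The System rule suggested for silencing the intrusion counter: block, no log.
SYSTEM_RULES = [Rule("block", "TCP", "in", src_ports=HTTP_PORTS, log=False)]
GLOBAL_RULES_V3: List[Rule] = []   # the v3 setup under discussion: no global Out rule
```

A v2.4-style global "Allow TCP/UDP Out" rule can be passed as the second argument to compare how an application with no rules of its own is treated.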
I forgot that there are a number of “Safe” listed programs that will have in/out privileges. They don’t appear on the Network Security Policy page because they are known digitally signed programs that cannot be altered without altering the signature. The signatures can be checked using information provided by the software’s manufacturer for authenticity. Generally, these programs have limited need for internet connection and, I hope, no way of being used for malicious purposes by malware.
I don’t like the fact that CF has a list of preapproved programs that I cannot see and have no control of, if that is the case. Anyway, none of the programs I have that are listed in Network Security Policy needs a Global OUT rule, even though Comodo states it is necessary.
I can’t argue with your sentiment on the unknowns on the Safe list, especially when Microsoft has made it so hard to stop some of its software from phoning home. And now that they’ve started farming some of their update and other customer service functions out (Akamai currently), it’s hard to know who has access to your computer.