-solved-

Thanks for your interesting post!

In general, why did explorer.exe modify any user interfaces???

Andreas

Hi Brokensoul,

Have a look at this thread it might solve some of your problems!

https://forums.comodo.com/faq_for_comodo_firewall/alert_user_interface_modified-t8971.0.html

Secondly, whenever you update your program or do a reinstall, the cryptographic signature changes! The firewall cannot tell whether this is a legitimate change like a program update or one due to an infection. So it does what it is supposed to do: warn the user! And whenever the signature changes you have to update the rules as well! (AFAIK)

regards,
Dam

Oh, I get what you are talking about now! :slight_smile: (I hope you are using version 2.4, not the 3.0 alpha)

Well, you have a little misunderstanding here!

CPF 2.4 is a firewall only! It checks whether a service/app is trying to make a connection to the internet and, if so, whether it should be allowed or not! CPF 2.4 does not monitor file modifications; technically speaking, 2.4 doesn't have HIPS (the 3.0 alpha has HIPS). So if you need to monitor such activities (changes that are made to your DLLs and apps) you need to install software which has HIPS. CPF only checks these modifications if, and only if, an application is trying to connect to the Internet. So it doesn't see the change when you play a file on your hard disk! Version 3 has what you need all integrated: HIPS + firewall. It's still being tested!

Hope this helps!

regards,
Dam

Hi BrokenSoul!

OK, you need to clarify certain things first, before jumping to conclusions :wink:

First of all, what is a firewall and what is its functionality? I could explain this for hours, but I'll let the Wiki explain it to you! Cuz it's the place where everyone seems to go nowadays! :wink:

From Wikipedia

A firewall is a hardware or software device which is configured to permit, deny or proxy data through a computer network which has different levels of trust.

Here is the full article; read it if you have time!

The firewall doesn't monitor the changes that are made to applications in real time, and it doesn't log those events in real time, since that is not what a firewall is supposed to do. Although nowadays you see PRODUCTS which have firewalls integrated into them doing such activities! That's what I meant by HIPS in my previous post!

And CPF 2.4 is only a firewall, nothing else! (And trust me, it's the best available!) It only LOGS an application's signature when it's trying to send data through the network interface! A firewall will not know anything about an application which is local to the machine. Only if it's trying to connect will the firewall know of the application's existence. Only then will it check the signature and log it!

You cannot add other functionality to a FIREWALL, cuz then it's not JUST a firewall!

CPF 3.0 has what you need! But you can't call it JUST a firewall, since it adds HIPS, which has nothing to do with the firewall functionality!

I hope it’s clear to you now! :wink:

regards,
Dam

An uninstalled old version isn't on the system anymore and the new version has already been installed for ages, and CPF means to tell me that there is the possibility to deny this action (meaning to not allow the already-done update) LOOOOL!

This alert doesn't mean that it will deny the change to the file (which, as you note, has already occurred). This alert means that the now-changed file will be denied access to the internet.

Given Damitha’s explanation about it being a firewall and not a file monitor (or HIPS), the alert is (theoretically) notifying you that malware has infected your computer, and your other defenses (antivirus, antispyware, HIPS, etc) have failed to detect or stop it. Said (theoretical) malware is now trying to access the internet. The firewall is giving you the most excellent option to deny that connection. This will afford you the opportunity to investigate what the (theoretical) malware is, how to stop it and remove it (which your other defenses already failed…). Thus, this FW is already doing more than a FW should ‘technically’ do.

Version 3, with its HIPS feature, will do even more; then you will get the notification 3 days ago (or whenever it first happened) that something wants to modify the file. Then you'll be able to deny the initial change in real time.

LM

The ‘special windows messages’ is different from the application changing due to an update. That would be more along the lines of the ‘cryptographic signature’ alert.

The Windows message issue would be occurring more in real time, as the application is trying to connect. The cryptographic change was in the past, yes, but it is "real-time" insofar as its connection to the internet; until it tries to connect, the change is irrelevant to the firewall.

I agree that the alerts can be confusing, and it would be very nice if they were to clarify what the situation is, in “real-life” terminology, instead of computer-speak…

LM

I have not tried V3 till now because I intend to do a full system reinstallation.

IMHO this is a serious V2 design flaw. I understand that CPF is working as intended, but there is one big problem with this design.

If the AM checks the app signature only when a connection is made, this would lead to a big security compromise.

If you update the app, you know it will get a signature warning. So if that app file is modified afterwards by another malicious process, you will mistakenly ignore the alert because you don't know that the app was changed two times.
This should get a support ticket.

"Any program trying to modify another program using this method may be a sign of trojan activity." WRONG! No program tried to modify anything - I installed a new version.
Like Little Mac said, this is a correct and useful CPF alert. A Windows message is a way to interact with an application without user intervention, so you should be warned about this. Windows messages don't change the application files, so if you reboot or kill the app you will not get another alert until that app gets a new Windows message.

Some leaktests use Windows messages to make internet browsers (which are usually allowed to connect) leak some user info. Look at the Wallbreaker leaktest. If you wish, you can also confirm the workaround to make CPF fail tests 1 & 3 (no one replied :'( ).

I hope this issue will be solved in V3; if I recall correctly, the V3 HIPS should prevent that.
So if anyone can confirm this, that would be of great help.
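The gap gibran describes above (and the connect-time signature check Dam describes two posts earlier) is easy to see in a small model. The following is an added illustration, not Comodo's code: two policies are simulated side by side, a firewall that fingerprints the executable only when it tries to connect, and a HIPS-style monitor that reports every write as it happens. The "binaries" are constructed byte strings, the file path and process names are invented, and SHA-256 stands in for whatever "cryptographic signature" CPF actually uses (an assumption; the thread does not say).

```python
"""Connect-time signature check vs. write-time monitoring.

Added example, not Comodo's code. Hash algorithm (SHA-256), path and
process names are assumptions; the binaries are constructed byte strings.
"""
import hashlib


def fingerprint(image: bytes) -> str:
    """Stand-in for the firewall's per-application 'cryptographic signature'."""
    return hashlib.sha256(image).hexdigest()


class ConnectTimeFirewall:
    """CPF 2.4 model: the rule stores a fingerprint, and the file is only
    re-hashed when the application tries to open a connection."""

    def __init__(self):
        self.rules = {}     # path -> fingerprint recorded when the rule was made
        self.alerts = []    # (path, reason) raised at connect time

    def allow(self, path: str, image: bytes) -> None:
        """User answers 'Allow' to an alert: the current image becomes trusted."""
        self.rules[path] = fingerprint(image)

    def connect(self, path: str, image: bytes) -> str:
        """Returns 'allow' if the image matches the rule, else 'alert'."""
        fp = fingerprint(image)
        if path not in self.rules:
            self.alerts.append((path, "new application"))
            return "alert"
        if self.rules[path] != fp:
            self.alerts.append((path, "signature changed"))
            return "alert"
        return "allow"


class WriteMonitor:
    """HIPS model: every modification of a watched file is reported by the
    process that did it, whether or not the file ever connects."""

    def __init__(self):
        self.alerts = []    # (path, writing process)

    def on_write(self, path: str, writer: str, old: bytes, new: bytes) -> None:
        if old != new:
            self.alerts.append((path, writer))


def scenario() -> dict:
    """Legitimate update followed by a malicious patch before the next connect."""
    fw = ConnectTimeFirewall()
    hips = WriteMonitor()
    path = r"C:\Program Files\ExampleApp\app.exe"       # invented path

    v1 = b"MZ\x90\x00 example app v1"                    # constructed image
    fw.allow(path, v1)
    first = fw.connect(path, v1)                         # 'allow'

    # 1) Installer writes the new version. No connection yet, so the
    #    connect-time firewall sees nothing; the write monitor sees it.
    v2 = b"MZ\x90\x00 example app v2"
    hips.on_write(path, "setup.exe", v1, v2)

    # 2) Another process patches the updated binary before app.exe runs.
    v2_bad = v2 + b"\x00injected payload"
    hips.on_write(path, "dropper.exe", v2, v2_bad)

    # 3) app.exe connects. The firewall compares against the v1 rule and
    #    raises exactly ONE 'signature changed' alert for two changes.
    second = fw.connect(path, v2_bad)

    # 4) The user, expecting the update alert, clicks Allow: the trojanized
    #    image is now the trusted fingerprint and later connects are silent.
    fw.allow(path, v2_bad)
    third = fw.connect(path, v2_bad)

    return {
        "first": first,
        "second": second,
        "third": third,
        "fw_alerts": list(fw.alerts),
        "hips_alerts": list(hips.alerts),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The firewall's single alert is indistinguishable from the one the user expected after the update, which is the point made above; the write monitor attributes each change to the process that made it, so the second write stands out on its own.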

Good point, gibran, about the signature update delay and malware getting in there in the meantime.

So far, v3 has given me an alert if an application (any application) looks at anything. That’s an exaggeration, of course, but it is very thorough (doesn’t have the full safelist in it yet, to quiet things down). But yes, it is set to monitor actual changes to the files, regardless of source or connectivity.

LM

So if that app file will be modified afterwards by another malicious process you will mistakenly ignore the alert because you don't know that the app was changed two times.

A darned good point! Never crossed my mind! :frowning:

I will install my system from scratch in the next few days ( :cry: very painful process).
I can hardly wait to test V3.