Strange Allow All Rule after BSOD in Applications

I posted at Wilders about what happened to my CPF 2.4, but I think it is better to post here as well:

[quote]…following the attempted creation of an Acronis Image which didn’t go well while in Windows…

I was using CPF with highest Level of Alerts
Application Behaviour temporarily completely OFF

After a BSOD, some cleanup and repeated reboots I have a look at the Applications Monitor and I can see only less than 1/5th of the previous rules…
I notice Superantispyware update rules are missing, so I just tried to make an update to see if rules would stick or not…made the update, BUT the allowed rules won’t stick and remain anymore…
What’s worse, I noticed that now there is a final rule which allows EVERYTHING…no info at all…
I think it comes from Comodo and not from any hacker or rootkit…

I lowered the Alert Level to just High (it had worked fine like this before)
and removed the Unknown rule, but it keeps coming back…

I’ll try now to lower the Alert Level to Low to see what happens…
otherwise I think I’ll have to reinstall the darn thing…

Sorry - was unable to insert an image of the rule here so I’ll describe it:

In Application Monitor - the only surviving rules belong to Avira Antivir and Boclean Update - the seventh Rule, whose Icon is the system-like, square, white symbol,
is Destination [any] Port [any] Protocol: TCP-UDP OUT Permission: Allow.
Details-
Security Risk: Unknown
Connections : Unlimited
Path :
Parent Path : -
Description : Unknown
Invisible : Allow
Version :Unknown

I tried to delete this rule, but it kept coming back.

I tried to modify this Unknown application by changing ‘Invisible’ from Allow to Ask and it remained that way.

I’ve lowered the Alert Level to LOW to no effect; new Applications are not listed there anymore.

As I have in the last couple of months changed the Alert Level 3 or 4 times and I had the habit of putting Application Behaviour on OFF whenever installing or making Images, I gather CPF 2.4 cannot sustain repeated changes in config.

If you stop Application Behaviour whenever you got to install or make an Image and/or you change Alert Levels, you are prone to instability in the Applications department, so that if you suffer a BSOD of sorts you risk losing some of the rules…
I remember now that when it happened I wasn’t even connected, as I was creating a second Acronis Image with my ethernet cable unplugged,
so my non-scientific explanation is that Rules in Application Monitor were already in a non-stable situation and waiting for an excuse to disappear…

I would like very much to know from someone in the know if that file-Rule in Application Monitor is indeed a Comodo file, albeit prompted by abnormal behaviour.
I think I will have to reinstall Comodo anyway.

Sorry for the messy state of the previous post, I could not insert an image and in the end it was just like a gigantic quote.
However, I just reinstalled Comodo after a very accurate uninstall and clean up and the final rule is still there; if I try to change from Allow to Block, a tab warns No application is specified and I can’t modify anything:

[attachment deleted by admin]

Hi poirot, welcome to the forums.

Yea, that is weird. I think the only way you could get rid of that is to go into CFP’s registry settings & manually remove the entry (or entries) that are causing this. Was CFP initially set to protect its own registry keys when the strange rule first appeared? Also, that same option (which I think is on by default) will stop you from deleting the invalid entries. I’m not currently running CFP 2.4 at the moment, so this is based on memory… I think the CFP 2.4 registry key is at…

  HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Personal Firewall

PS Or use CFP to add all the details that CFP needs (re your above pop-up), save it & then delete it once it is valid.

Thanks for your reply, kail.
What is paramount for me is establishing it is -albeit a weird one- a Comodo file and rule,
just to exclude a third party intervention or malware.
If you too say ‘it is weird’ and nobody ever saw it before in action, I am beginning to get worried, in spite of being behind a Router and running ProSecurity, Antivir Premium, Superantispyware, BOClean etc.

I’ve just seen your reply and couldn’t go yet into the Registry because on the PC in question I am running some scans at the moment in order to be (reasonably) sure no malware or rootkit is around; I’m using my other PC now.

As to your PS, it is not feasible, as not only does this Rule stop any change on the basis that
‘you got to choose a valid application’
but also - when you choose an application - it stops you by warning that
‘no valid application has been chosen’
So, whatever I do, it’s always square one.
It is a very un-Comodo behaviour, which worries me even more.

Unfortunately, until we find the truth about this file, I can’t risk using what is my main PC for anything valuable.

Kail, I am in Regedit in HKLM/System/Software/Comodo/Rules
I have just 5 rules listed

and the last one has

ab-predefined-REG_SZ (value not set)
ab-AddrEnd REG_SZ 255.255.255.255.
ab-ADDrStart REG_SZ 0.0.0.0
-AddrType REG_DWORD 0X00000008 8

I can’t see anything wrong here, as I couldn’t see anything in all previous entries, but I am no expert, of course…

PS - One thing you asked me is about the Comodo rule about protecting its registry entries…yes, I had that enabled…as soon as I finish all scans I will disable that entry and see if it can then be deleted…thanks.
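An added example, not part of the thread and not Comodo's code: a short audit that flags the kind of rule described above, an Allow entry with no application path whose address range 0.0.0.0 to 255.255.255.255 covers all of IPv4. The record layout, field names and file paths are assumptions made for illustration, and the sample rules are constructed.

```python
import ipaddress

# Constructed sample rules. Field names are assumptions for illustration; the
# third entry mirrors the rule described in the thread (no path, any destination).
RULES = [
    {"path": r"C:\Example\av_update.exe", "addr_start": "192.0.2.10",
     "addr_end": "192.0.2.10", "port": "80", "permission": "Allow"},
    {"path": r"C:\Example\browser.exe", "addr_start": "0.0.0.0",
     "addr_end": "255.255.255.255", "port": "443", "permission": "Allow"},
    {"path": "", "addr_start": "0.0.0.0",
     "addr_end": "255.255.255.255", "port": "any", "permission": "Allow"},
    {"path": r"C:\Example\broken.exe", "addr_start": "10.0.0.9",
     "addr_end": "10.0.0.1", "port": "any", "permission": "Allow"},
]

def covers_all_ipv4(start, end):
    """True if [start, end] collapses to 0.0.0.0/0; ValueError if reversed or invalid."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
    return list(nets) == [ipaddress.ip_network("0.0.0.0/0")]

def audit(rules):
    """Return {rule index: [findings]} for rules that need a manual look."""
    findings = {}
    for i, rule in enumerate(rules):
        notes = []
        try:
            everywhere = covers_all_ipv4(rule["addr_start"], rule["addr_end"])
        except ValueError:
            everywhere = False
            notes.append("malformed address range")
        allow = rule["permission"].lower() == "allow"
        # An allow rule that is bound to no executable applies to nothing you can name.
        if allow and not rule["path"].strip():
            notes.append("allow rule with no application path")
            if everywhere and rule["port"] == "any":
                notes.append("unbound allow-all: any destination, any port")
        if notes:
            findings[i] = notes
    return findings

if __name__ == "__main__":
    for idx, notes in audit(RULES).items():
        print(f"rule {idx}: " + "; ".join(notes))
```

A wide address range alone is not flagged (the second sample rule is bound to an application and a port); the finding is the combination of Allow, no path, any port and full IPv4 coverage.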

I have lost my application rules too. With running CPF with a very high alert level.
It is ugly to say the least >:(
My posts in here are seldom, as I mostly post in the Wilders forum.
My losing those rules did not involve a BSOD and my computer is also stable. I am angry for needing to post here in this fanboy forum.
Jarmo

Nobody here ever saw such an Application Monitor Rule before?
You can see it in my above pic.
I was eager to find out what and why, but if nobody can help I have no other choice than reluctantly going back to a previous Image and saying bye bye to Comodo firewall.

Jarmo, from what happened to you, Escalader and me ALMOST in the same time period,
I wonder if it is a bug of the latest version of 2.4 or else.
It’s a pity, as CPF could have been the best solution for lots of people.

You should file a ticket at http://support.comodo.com to ask official support because they can contact the devs.

https://forums.comodo.com/help/firewall_keeps_asking_for_permissions_resolved-t8448.0.html;msg61484#msg61484

Soya, thanks for the info, at least now I know it happened already to a couple more users,
although the end result wasn’t too reassuring and I fear I’m heading for a new image as well.
Just in case anyone is interested in this allow-all tcp-udp phantomatic rule, I must say I ran all kinds of scans in search of all malware and three antirootkits and nothing was found, the only unexplained thing being this from Rootkit Unhooker, I wonder if anyone can:

[attachment deleted by admin]

ntkrnlpa.exe is a part of Windows’ kernel (at least it is for the legit one).

Soya, yeow addressed me to this thread - don’t know if it’s the same as yours - where you joined in resolving his issue, which is 99% similar to mine:

https://forums.comodo.com/help/applic...d-t7631.0.html

I was not able to resolve it, though, and went back to a previous Image when Comodo was working well with its 26 Rules and no trace of the beastly rule.

It should be a bug provoked by frequent changing of settings, as both yeow and I were into it.
I hope this version behaves until version 3 is available…
Regards,
poirot

Good find on that thread. Even I sometimes forget.