The Problem with CFP

Hi, I just started using CFP in the past few days. After reading through 60+ pages of the forums, my observation is that CFP’s ability to stop leaks was well intended; however, in my opinion, it was not well implemented.

CFP touts its ability to pass several leak tests, and I think that is what drove people to try it. I would say it’s one of the major features. As a firewall that blocks applications that directly ask for access to the internet, it works well. But when it comes to leaks (indirect access), it might work too well.

To give you an example of what I mean and why I say what I said above… let’s take svchost.exe (the application) and services.exe (the parent application). We all know that these are Windows processes and should be considered safe and allowed to access the internet. At this point, everything works well.

Now let’s say that malware captured your information and attempted to use svchost.exe to send the hacker your data. An alert should pop up, alerting you to what is happening: malware attempted to use svchost.exe (the application) / services.exe (the parent application) to connect to the internet. In this example, you would want to deny it, which stops the leak.

However, by stopping the leak it basically stops svchost.exe from accessing the internet for all other legitimate programs unless you reboot.

Indeed that happens. I’m not very knowledgeable in these things, but the firewall merely detects that svchost.exe was used, and allows or denies svchost access to the internet, because that’s the one that does connect.

It could be related to why they want to introduce HIPS, to control what can or cannot use svchost.exe before any connection attempt. But I’m just guessing here.

Hi Teq9er

Someone is correct. Under the scenario you propose with SVCHOST, CFP would detect that an unknown component is attempting to access the Net via SERVICES/SVCHOST & warn the user.

CFP is often accused of being too verbose or repeatedly displaying the same warning. On closer examination these duplicate warnings are, in fact, not duplicate. This is because CFP pays close attention to not only Net-enabled programs themselves, but also the relationships between them and other components… right down to the DLLs & OCXs.

I understand that… that’s why I gave two different examples. I didn’t say the alerts are the problem… like you said, they are different warnings. What I’m saying is that once you act on an alert, you act on them all if the application accessing the internet is the same.

I could have iexplore.exe (application) / explorer.exe (parent application), and the malware attempted to use iexplore.exe to access the internet. If I then deny it, I’m denying iexplore.exe from normally browsing the internet also.

If CFP alerts me by looking at the relationships, then I think it should take them into consideration when allowing or denying something. In the example above: deny when the application is iexplore.exe, the parent application is explorer.exe, and malware is involved through OLE automation. But not when it’s just the application, iexplore.exe, and the parent application, explorer.exe.

But the tricky part there is how Comodo will prevent/block the malware from using iexplore. Only by working at the process execution level (etc.), i.e. HIPS.

Maybe it’s possible, but I think it’s got to be tricky.

Say you blocked the malware. Now you have to clean it before connecting, IMO. When it’s not malware, but simply something you want to block, again, I see it as tricky.

Do other FWs allow you to do what you’re saying?

Yes, it’s going to be tricky. I’m no expert, but I think since CFP is able to identify the application / parent application combination with OLE automation, global hooking, etc. thrown in the mix, then it should be able to create a rule or “mentally” take note of those combinations.

I’ll use the same examples I used before… svchost.exe (application) / services.exe (parent application)… let’s say there is a legitimate application trying to use svchost.exe to connect to the internet… call it goodapp.exe. Then the combination of svchost/services/goodapp should be allowed to connect.

However, if there is malware, call it badapp.exe, that is trying to use svchost.exe to connect to the internet, then the combination of svchost/services/badapp should be blocked.

I know that this may create endless combinations, but I feel that it would be better than it is now: blocking svchost.exe once (doesn’t matter what alert) blocks it for all until you reboot.

To answer your question: the only other firewall I have used is the free version of ZoneAlarm, but it doesn’t tout its ability to stop leaks like CFP does. That’s one of CFP’s major attractions, so I’m hoping they get it right.
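As an added illustration of the rule model proposed in the thread (example code written for this page, not CFP's own code and not posted by any participant), the toy below contrasts a verdict table keyed on the application name alone with one keyed on the whole application / parent / driving-component chain. The class names `FlatPolicy` and `ChainPolicy`, the `Attempt` record, and the use of plain process names in place of whatever identity (path, hash, signer) a real firewall uses are all assumptions of this example; the svchost/services/goodapp/badapp names come from the posts above.

```python
"""Toy model of two ways a personal firewall can remember an Allow/Deny answer.

Added example, not CFP's own code.  How the firewall really identifies a
process or component (path, hash, signer) is abstracted to a name string.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ALLOW, DENY, ASK = "allow", "deny", "ask"


@dataclass(frozen=True)
class Attempt:
    """One outbound connection attempt as the firewall sees it."""
    app: str                     # process that actually opens the socket
    parent: str                  # process that launched it
    via: Optional[str] = None    # component driving `app` (OLE automation,
                                 # global hook, ...); None for a direct request


class FlatPolicy:
    """Remembers the answer per application only (the behaviour complained about)."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}

    def answer(self, attempt: Attempt, verdict: str) -> None:
        # Whatever chain raised the alert, only the app name is recorded,
        # so one Deny on svchost.exe covers every later svchost.exe request.
        self.verdicts[attempt.app] = verdict

    def decide(self, attempt: Attempt) -> str:
        return self.verdicts.get(attempt.app, ASK)


class ChainPolicy:
    """Remembers the answer per (app, parent, via) chain, as the post proposes."""

    def __init__(self) -> None:
        self.verdicts: Dict[Tuple[str, str, Optional[str]], str] = {}

    @staticmethod
    def key(attempt: Attempt) -> Tuple[str, str, Optional[str]]:
        return (attempt.app, attempt.parent, attempt.via)

    def answer(self, attempt: Attempt, verdict: str) -> None:
        self.verdicts[self.key(attempt)] = verdict

    def decide(self, attempt: Attempt) -> str:
        # A chain that was never answered is not silently reused; it asks again.
        return self.verdicts.get(self.key(attempt), ASK)


# Constructed sample attempts mirroring the thread's svchost example.
DIRECT = Attempt("svchost.exe", "services.exe")
VIA_GOOD = Attempt("svchost.exe", "services.exe", via="goodapp.exe")
VIA_BAD = Attempt("svchost.exe", "services.exe", via="badapp.exe")
VIA_UNKNOWN = Attempt("svchost.exe", "services.exe", via="unknown.exe")


def run_scenario(policy) -> Dict[str, str]:
    """Allow the direct and goodapp chains, deny badapp, then re-check each chain."""
    policy.answer(DIRECT, ALLOW)
    policy.answer(VIA_GOOD, ALLOW)
    policy.answer(VIA_BAD, DENY)          # the user blocks the leak
    return {
        "direct": policy.decide(DIRECT),
        "goodapp": policy.decide(VIA_GOOD),
        "badapp": policy.decide(VIA_BAD),
        "unknown": policy.decide(VIA_UNKNOWN),
    }


if __name__ == "__main__":
    print("flat :", run_scenario(FlatPolicy()))
    print("chain:", run_scenario(ChainPolicy()))
```

With `FlatPolicy` the single Deny for the badapp chain leaves every svchost.exe request denied, which is the "until you reboot" behaviour described in the thread; with `ChainPolicy` only the badapp chain is denied, the direct and goodapp chains stay allowed, and a chain not seen before falls back to asking. Two caveats from the thread carry over: keying on a name is only as good as the firewall's identification of the component, so a real rule table would key on path plus hash or signature rather than a bare filename, and denying the chain only stops the connection; the malware is still running, which is the process-control (HIPS) question the posts leave open.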