Comodo’s firewall has a layered rules approach to security, which has a tendency to cause confusion with users unfamiliar to this approach. Network Rules are new to many people, as most firewalls don’t seem to have separate rules. If an application is allowed, it’s allowed, period. Turns out, most firewalls have a much lower level of security than CPF… ;D
Here’s a little explanation of how CPF rules work:
Everything communicates in the context of the Network Rules. The Network Rules filter from the top down; if traffic is not explicitly allowed In or Out, it will be stopped by the bottom block rule (meaning, there has to be a rule prior to the bottom block rule, that specifically addresses the type of traffic, in order for it to be allowed). On the inverse side, traffic is blocked either explicitly or implicitly (meaning, a “block” rule will specifically mention a type of traffic - explicit, or it will be blocked because it hasn’t been specifically allowed - implicit).
Example: Let’s say you do not have a Net Rule to allow IGMP (multicast) protocol traffic (this is true with the default rules). Windows Messenger tries to use IGMP to access the net. CPF filters through the rules, but cannot find IGMP explicitly allowed; thus, it is implicitly blocked by the “Block Any” rule at the bottom. Let’s say you wanted to easily identify IGMP traffic, so you create a Block & Log IGMP rule above the bottom rule. Now CPF will explicitly block IGMP traffic.
This brings us to the next area - Application Rules. The Application Monitor contains Applications which are allowed (or blocked) from connecting. Even if we allow an Application to connect, it does so within the context of the Network Rules. So, to use our Messenger example from above, we may allow Messenger within the App Monitor. Then, it tries to use IGMP protocol, which is not allowed by our Network Rules. The connection will be blocked. Even tho Messenger is allowed, IGMP is not. Another aspect of the App Rules is that Comodo allows you to identify a “Parent” application; such as your browser using explorer.exe as its Parent; kind of like your browser using another core application to actually connect with. Thus, you may need multiple rules for one application. For example, Firefox (as a browser) may have a rule with firefox.exe as both Application and Parent; it may have a second rule with firefox.exe as the App and explorer.exe as the Parent. If you click a link within your email, the email client will become the Parent to the browser.
Next we have Application Behavior Analysis. This can be found under Security/Advanced, and is also known as ABA (gotta love those initials…). This module monitors various types of activities that are carried out somewhat “behind the scenes” by applications, and in some cases, their components. A number of these activities will create alerts only if both applications are not in the encrypted Safelist (provided the user has the Safelist enabled, which it is by default). These (such as the COM/OLE Automation) are perfectly normal, and occur because of the way applications communicate internally. While considered safe if both applications are known to the user, CFP does not differentiate (aside from the Safelist) between good or bad applications (ie, malware), and these types of activities may be exploited by malware in an attempt to access the internet. Thus, if both applications are known, it is considered safe to Allow; if either (or both) are not known, further investigation may be required. If you Deny or Allow without checking “Remember” the response is set for that session only; if Remember is checked, a rule will be created. Generally after a single Deny (this will result in the connected application, such as your browser, to be denied internet access), closing and reopening one or both applications will suffice to restore connectivity; in some cases a reboot is more effective.
Final area - Component Monitor. Component Monitor loads all “components” - .dll and .api files, etc that are used by an Application, and verifies their authenticity and relationship to the application. These components are not what is connecting to the net; when they are marked as “allowed” it is so that the application can use them as it connects to the net. Sometimes these components are shared resources between different applications. If an application updates, it may cause this “library” of components to change, and cause a popup alert (whereby you can view and approve these components directly). It is generally considered best to leave the Component Monitor set to Learn after install, for several weeks; or until the majority (if not all) internet-connecting programs have been run with available modules/plugins, etc, so that popups are minimized. Once it has been set to “On” popups will be generated for each new/changed component.
Application Behavior Analysis and Component Monitor combined form the Advanced Security Analysis Monitor, which is truly the final state in our filtering/layering scenario. The flow of traffic thru these layers of security can briefly be described as follows:
- Incoming Connections
1- Network monitor applies filtering; if successful it passes to application monitor
2- Application monitor checks the target application, if allowed it passes to
3- Advanced security analysis monitor
if these 3 steps are passed, application receives the connection.
- Outgoing connections
The order changes :
1- Application monitor
2- Advanced security monitor
3- Network monitor
This last section is taken from Egemen’s post here: https://forums.comodo.com/index.php/topic,725.msg4663.html#msg4663