Using Installation Mode and other Operational Questions

Permit me to reply in this thread - just delete if this is inappropriate (I’m a newbie and find it difficult to find or get access to the right forum to ask newbie questions).

What is a firewall? If it’s software, it ought to work without requiring me to be the firewall. Otherwise the software is nothing more than an alert system, requiring me to do the firewalling (?).

Here’s a case in point. (Again, please delete if this is an inappropriate comment or inappropriately placed. I.e., act as firewall. ) Yesterday MS released SP 3.5 of .net - a big update. For the first half hour, I responded to each of Comodo’s alerts - orange and red - to items such as svchost and rundll (!) and accepted everything until acceptance got to be just automatic. So what was the firewall (me) doing? At that point I exited from Comodo and ran for the additional hour of download and installation (which also required on-line access: don’t you love MS security?!).

Never - ever - have I run without a firewall before. No one should have to do that or have that as an option to standing in front of a computer keyboard incessantly repeating the “accept” click.

Something seems really wrong with my setup or with my understanding of the philosophy of Comodo. What did I do wrong? It was I the firewall, not Comodo. Is there a “sensible only” alert configuration that I haven’t yet found (yes, I downloaded and have read (most of) the docs)? Is there a way to exclude omnipresent rundll or svchost alerts? (Not in the docs.) Is there a way to have Comodo use an intelligent selection of what gets alerted using a database acquired from other users and that can spot the difference between normal and potentially dangerous activity? I want to use and trust Comodo and hope the answer to these questions is not: let it run in training mode for a couple of days… Because then it is me that’s the firewall, not Comodo.

Moderator’s Note: Several posts relating to CIS operations have been moved from Melih’s Corner here, so that the user’s questions can be answered without disrupting the previous thread.

Carls2,

Welcome to the forums, and I’ll just respond quickly (I don’t want to sidetrack this thread and only have 2 points to make) to help you understand more clearly.

  1. If you switch from Training Mode to Safe Mode (one move up the slider), it will enable Comodo’s built-in Safe/White List which will obviate the interaction for known safe applications (such as svchost).

  2. During an installation (such as you were doing), you want to switch to Installation Mode (part of Defense +) which is available from the Summary view. The first alert you get, select to Treat As “Installer” w/out the option to create a rule. It will prompt you to switch to Installation Mode, to which you respond Yes. Every 30 seconds it will prompt you to switch back to previous mode.

More in-depth discussion of Installation Mode and the benefit that offers should be taken to a different board. PM me if you’re not sure where/how.

HTH,

LM

Thanks for the offer to PM you. (Who knew to look in your profile for the link to do that?!)

You said in response to the “what is a firewall” spark (small flame) I wrote:

Welcome to the forums

Thanks, seriously. There is a flood of info here and little personal.

  1. If you switch from Training Mode to Safe Mode (one move up the slider), it will enable Comodo’s built-in Safe/White List which will obviate the interaction for known safe applications (such as svchost).

My right-click on the configuration showed everything running in “safe” mode during this process. No, svchost did not make it through, over and over again. Installation problem?

  2. During an installation (such as you were doing), you want to switch to Installation Mode (part of Defense +) which is available from the Summary view.

Tried this - and for a while it seemed to work. But isn’t this the same as running without a firewall? In fact, since this “training” took over half an hour for the 3.5 .net pack, and still required my constant intervention - that’s why I turned off the firewall for the rest of the install…

The first alert you get, select to Treat As “Installer” w/out the option to create a rule.

I’ll have to look next time, but I don’t think there was an option to create a rule. Again, could this be an indication of an installation problem?

More in-depth discussion of Installation Mode and the benefit that offers should be taken to a different board. PM me if you’re not sure where/how.

Yes, please. The Simple Machine board has options coming out of its ears, but is just one more barrier to getting info. (Yes, I’m familiar with more familiar boards. ) Where exactly do I go (as a beginner) for how to handle installation mode and take advantage of any commonly accepted rules and exceptions.

And again thanks for your carefully worded and accepting message.

Carls2

Carls2,

Tnx for the PM. I’ve sent you a link to this post, to help answer your questions.

Here are some links to FAQ boards about the firewall, which should hopefully prove helpful.

https://forums.comodo.com/defense_faq-b140.0/

https://forums.comodo.com/firewall_faq-b139.0/

In regards to this specific question:

But isn’t this the same as running without a firewall?
the answer is emphatically NO! Installation Mode allows you to suspend the HIPS (in a way) ONLY for the designated installer and its child processes. ALL other rules remain intact and fully active.

If any additional install processes are spawned (not as child processes, such as a hidden install or some malware activity), the HIPS will still catch it and warn you. That could still be legitimate, as some installations will fire off additional installers for another aspect of the application, which can then be designated as an Installer as well. It’s really quite cool…

The links I posted above can be found from the “Home” page of the forums. The third section down the page is “Desktop Security Products” which lists all those sub-boards in the forum. Under the “Comodo Internet Security” is a listing for “FAQ - CIS” which will take you to that specific sub-board.

In fact, the very first section on the “Home” page is “New Member Information” which has a number of useful links and helpful info about the forums. One of these links is specifically a link to various FAQ areas of the forum.

So read through those, and ask questions as you need to help you understand how the firewall works. There’s no reason you should have to turn it off to download and install something, even as big a deal as a .NET Framework.

LM

I’m not sure that svchost should always be treated as safe. Shouldn’t it depend on the program or process that’s calling it? Like rundll, one needs to know the app name behind the call. Or not? IMWTK.

Thanks.

If a different app acts as the parent (ie, calls svchost.exe) then you will get an alert for that application, not the one being called.

The white/safe-list identifies the application as it is known to exist (file signature analysis); if it is somehow modified (such as by malware) you will receive an alert because the signature no longer matches. The safelist is encrypted and protected/hidden from view so as not to become corrupted.

LM
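The two explanations above (Installation Mode exempting only the designated installer and its child processes, and the safelist matching the file as it is known to exist so that a modified copy alerts again) can be seen together in a small model. This is an added example written for this thread, not Comodo's code: process "images" are constructed byte strings, a SHA-256 digest stands in for CIS's file signature analysis (an assumption; the real safelist format is not described here), and the 120-second popup timeout and "default is Deny" come from later posts in this thread.

```python
"""Toy model of the Defense+ decisions described in this thread.
Constructed illustration, not Comodo's code. Executable images are byte
strings standing in for files on disk; the safelist holds SHA-256 digests
(assumption: a stand-in for CIS's real file signature analysis).
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

ALERT_TIMEOUT_SECONDS = 120  # popup lifetime mentioned later in the thread


@dataclass
class Process:
    pid: int
    name: str
    image: bytes            # constructed stand-in for the executable file
    parent: Optional[int] = None


def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


class DefensePlus:
    def __init__(self, safelist: set[str]):
        self.safelist = set(safelist)          # digests of known-good files
        self.procs: dict[int, Process] = {}    # pid -> Process (the process tree)
        self.installers: set[int] = set()      # pids answered "Treat as Installer"
        self.rules: dict[str, str] = {}        # "Remember my answer" rules by name

    def _inside_installer_tree(self, pid: Optional[int]) -> bool:
        """Walk up the parent chain: descendants of an installer inherit its exemption."""
        seen = set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            if pid in self.installers:
                return True
            p = self.procs.get(pid)
            pid = p.parent if p else None
        return False

    def treat_as_installer(self, pid: int) -> None:
        self.installers.add(pid)

    def remember(self, name: str, verdict: str) -> None:
        self.rules[name] = verdict

    def alert_text(self, proc: Process) -> str:
        """The alert names the parent that is doing the calling, as LM describes."""
        parent = self.procs.get(proc.parent) if proc.parent is not None else None
        who = parent.name if parent else "<unknown>"
        return f"Defense+ Alert: {who} is trying to execute {proc.name}"

    def execute(self, proc: Process) -> tuple[str, str]:
        """Decide on a process start; returns (verdict, reason)."""
        self.procs[proc.pid] = proc
        if digest(proc.image) in self.safelist:
            return ("allow", "safelist match")
        if self._inside_installer_tree(proc.parent):
            return ("allow", "child of designated installer")
        if proc.name in self.rules:
            return (self.rules[proc.name], "remembered rule")
        return ("alert", self.alert_text(proc))

    @staticmethod
    def answer(alert: tuple[str, str], response: Optional[str] = None) -> str:
        """An alert left unanswered until the timeout is treated as Deny."""
        return response if response in ("allow", "deny") else "deny"


def run_scenario() -> dict[str, object]:
    """Constructed walk-through of the cases discussed in the thread."""
    genuine = {"explorer.exe": b"explorer-genuine", "svchost.exe": b"svchost-genuine"}
    hips = DefensePlus({digest(b) for b in genuine.values()})
    out: dict[str, object] = {}
    out["explorer"] = hips.execute(Process(1, "explorer.exe", genuine["explorer.exe"]))
    out["svchost_ok"] = hips.execute(Process(2, "svchost.exe", genuine["svchost.exe"], parent=1))
    # Same name, different bytes: the signature no longer matches, so it alerts.
    out["svchost_tampered"] = hips.execute(Process(3, "svchost.exe", b"svchost-modified", parent=1))
    # An installer alerts on first launch; the user answers "Treat as Installer".
    out["setup"] = hips.execute(Process(4, "setup.exe", b"setup", parent=1))
    hips.treat_as_installer(4)
    out["setup_child"] = hips.execute(Process(5, "msiexec.exe", b"msi", parent=4))
    out["setup_grandchild"] = hips.execute(Process(6, "helper.exe", b"helper", parent=5))
    # A process not spawned under the installer is still caught and alerts.
    out["unrelated"] = hips.execute(Process(7, "unknown.exe", b"unknown", parent=1))
    out["timeout"] = DefensePlus.answer(out["unrelated"], None)
    # A remembered Deny rule is applied without a popup next time.
    hips.remember("helper.exe", "deny")
    out["helper_again"] = hips.execute(Process(8, "helper.exe", b"helper", parent=1))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:18} {value}")
```

The order of checks is the point: a safelisted file never prompts, the installer exemption is scoped to one subtree of the process tree rather than disabling the HIPS, and anything outside that subtree falls through to a remembered rule or to a popup that defaults to Deny if ignored.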

Very clear - thanks. However this seems to make it all the more important that the alert show the parent calling process, IMHO. Of course, one can jump to the D+ Events screen to see who’s doing the calling, but that takes time and Alerts seem to disappear after several seconds. (BTW, where do they go and what’s the default for a non-accept?)

Again thanks for your patience and clear answers.

The alerts do show that there is a new parent process for an exe, dll, etc. There’s no need to go check the logs.

Alerts are set to disappear based on the setting in Defense + / Advanced / Defense + Settings/ “Keep an alert on screen for maximum of ______ seconds”.

The default behavior is Deny.

LM

Thanks for correcting me. I’ll watch more carefully next alert - but I was sure that “Norton Security Scan” was nowhere on the alert screen - I should have seen it.

Carls

but I was sure that "Norton Security Scan" was nowhere on the alert screen
It will be the actual process name (which may not be as obvious), not what we actually know it as... With a lot of applications, there are additional processes that do much of the work, but are not commonly talked about/documented; without the use of an extremely granular and detailed HIPS, one would likely never know about them.

LM

PS: I’ve split the posts surrounding your questions related to CIS Operations from the original thread, and moved them to the thread I created on your behalf, to help answer them without detracting from the other thread.

OK, that was the case and I didn’t recognize it and couldn’t check it out quickly enough for the default 120-second delay on the D+ alert.

However, IMHO, that checking out process seems to me to be the legit job of the firewall. Otherwise I’m operating as the firewall, not Comodo, and that’s not safe or efficient. Maybe a collective effort to create a database of “accepts” that are OK - a database that is developed from a trusted web of users? Anyway, to ask a newbie to track down each spawned process, follow up to each parent, … this doesn’t seem either safe or efficient.

Thanks for moving this thread - I didn’t dare start another and risk losing the help I was getting there.

You can easily change the 2 minute setting to any amount of time you desire. Quickest way to start checking the given application is by clicking it in the popup window. That will take you to the location of the executable file, which is a good start. Then you can check the properties for more detailed info to help inform you.

Insofar as that being the “firewall’s” job or not, remember that we’re not talking about the firewall itself (ie, the job of checking network-based traffic), we’re talking about Defense +, which is a very tight HIPS (Host Intrusion Prevention System). This is extremely granular application/system control. Unfortunately, there’s no way (at the present) to prevent there from being some level of user interaction and still maintain security. Keep in mind that earlier I noted you should switch D+ from “Training” Mode to “Safe” Mode in order to engage the built-in safelist, which will greatly reduce your popups.

The safelist, BTW, has a community input function. At all times, under the Miscellaneous tab/page, there is an option to “Submit Suspicious Files” to Comodo. This will allow you to send any files you wish to Comodo for detailed analysis. If the files are safe, they will be added to the safelist for the future so that you (and others) won’t have to worry about popups from those.

When you’re in Training Mode, if you look at the Defense + area of the Summary page, there is a place which has “Pending Files” or “Files waiting for review.” These will be applications that have changed, or otherwise no longer match previous rules or safelist. They can be easily purged (as in Temp files created during installs), a Lookup done to check against Comodo’s databases, and Submitted to Comodo for Analysis.

There are, btw, a number of tutorials/FAQs that explain these things, as well as the detailed Help files included w/CIS. It doesn’t have to be just some big mystery… :slight_smile:

LM

Well, now I’m a bit embarrassed - because it is only now, a week into Comodo, that I finally understand the difference between HIPS and a firewall. No software before Comodo had that functionality, so when I downloaded and signed up for Comodo Pro, I expected my old firewall and AV systems and procedures.

I’ve looked back and tried to see where I missed the boat on this critical distinction - and I don’t see how I could have understood it without going through a week of misunderstandings and thanks to very gracious help on this forum.

IMHO, the HIPS D+ needs to be highlighted as a new functionality that requires a “willing suspension of disbelief” while the (annoying) alerts are handled. Secondly, there needs to be something in the alert that says: “this isn’t the Firewall, stupid - it’s a whole new concept of HIPS,” or words to that effect. Just look at the comments about Comodo in the major download sites: it’s clear that a lot of us missed that distinction and blamed the firewall.

Boy am I glad I sat through the learning period with only a tiny bit of my frustration showing and read all the extremely thoughtful and patient replies to my plaints and questions.

Your detailed thoughtful answer (deleted in this note) was terrific - and, for me, better than the docs and tutorials I’ve been slogging through. It opened up some distinctions that I’d just glossed over before.

Many thanks.

Carls

You’re welcome.

Happy to help,

LM

Hey, just so you are aware ~ the Comodo development team does keep tabs on these forums, and interacts (on a somewhat limited basis) with users. They also have done a great job (IMO) of listening to their users and making changes to the product(s). The point of that is, there’s a very good chance that they’ve already seen your comments.

LM

=======================================================================

Hi Carls2
(:KWL)

This solution is based on XP (SP2 or higher).

VIEW:

Imagine you are at home and a number of people press on your door bell. It will be up to you to either allow or disallow them into your home (better more, in the case of a sales representative).

Well, you have just acted as a firewall by allowing or disallowing whoever. You will need to answer the door when alerted by the door bell.

UNDERSTANDING CIS:

  • Whenever you are installing a new application, CIS alerts you to either allow or disallow the application;
  • but because you know that the application is not harmful to your system, you allow the application the first time and
  • when prompted a second time, simply drop down the menu and select “Trusted Application” and “Ok”.
  • CIS will from then on treat your application as a trusted application, refraining from alerting you every now and again through the installation process.

P/N:
The above also applies to all alerts that you get, as long as you know that the application is safe for you. If you are unsure of the application, click the top left link on the alert panel for more information regarding the application or file.

Based on CIS Version 3.8.64739.471: You can use this as a guide if you have a different version.
You can find more information by using the CIS Help file by clicking Miscellaneous, then opening Introduction to Comodo Internet Security and selecting Understanding Alerts.

COMMENT:

If I may mention, you probably need to take some time off to read the CIS Help documentation to further familiarise yourself with the CIS environment and usage. I hope you find this helpful… Stay positive and good luck!

With Regards
Divine
(:WAV)

Just a note regarding this: the alert pop-ups actually say “Defense+ Alert” or “Firewall Alert” in the title bar to let you know which component of CIS was triggered.

Of course you’re right - but you might have missed my point. Not to labor it, but I really think it’s important. So let me try once more, please.

My experience, as a new user, was to be overwhelmed - confronted by a blizzard of warnings the first days of running Comodo. I didn’t notice the difference - just the warning screens and the prompts to accept or not.

This reaction turns out to be not that uncommon (from reading reviews and user rants). So my message was meant to be helpful to Comodo. Hopefully the experiences of new users can be used to inform the design. Especially from those like myself who are new to HIPS. That there might be a significant difference between the firewall and Defense+ never occurred to me - and only because I really wanted to make this work did I stay for the show.

IMHO, there really needs to be a bigger difference between the firewall and D+ warning screens. And along with that, there needs to be a distinction in expected user response. Just ticking “accept” time after time doesn’t really accomplish any sense of security…

A new user trying Comodo for the first time needs bigger clues as to what’s going on behind the scenes and how this security system is really different from the firewall that has been the previous experience.

So thanks for your instructions - I think I’m past them now. Tho I still wonder from time to time how my initial uninformed “Accept” responses might still be compromising my system…

Hey, Carls2,

If you did not check the box to “Remember” your choice, no new rules are created. The allowance is only on a per-instance basis (thus, the next time you ran the application, you’d get the same alert).

There are a couple ways to get rid of any unwanted rules (or just in case you’re concerned you might have created some unwittingly).

  1. Go into D+ / Advanced / Computer Security Policy and delete rules for applications. Then you’ll be prompted again…
  2. Go to Miscellaneous / Manage my Configurations / Select. You’ll have 4 options, 1 will be active already. If you take a different one, it will automatically reset all rules for both Firewall and D+. By default it’s set to Internet Security. Proactive Security has higher-strength settings (and will thus get more popups).

HTH,

LM

I was going to toss off a slightly snotty reply, since I thought meself pretty advanced… then I read the rest!

What a find! Easy to re-do those that seem debatable. This time I’ll read before I “accept.” Thanks.

Now I’m really humble. And thankful I didn’t toss off a superior-sounding reply. My “select” was set to antivirus upgrade. What does this imply? Anyway, it’s now properly set to what ought to have been the default: internet security.

And more thanks!

Carls