v5.0 Selective Firewall Logging and Blocking?

A curious situation has occurred with the v5.0 Firewall on my Win 7 x64 computer in that it will block and log for 3rd party programs I have made Firewall rules for, but there is no logging and evidently no blocking for system programs like Windows\System32\rundll.exe or wmplayer.exe. I made sure that Firewall logging was enabled and ran a series of tests on different programs which have block and log rules in the 5.0 Firewall, and the results showed that both Macrium Reflect and Hitman Pro were blocked as instructed, but no matter how many times I ran Windows Media Player the v5.0 Firewall would never log a blocked TCP communication like v3.14 would each and every time WMP ran, with multiple entries of blocked attempts. Also the Firewall in v3.14 would regularly block and log rundll.exe on 2 occasions each day when it tried to call home to MS, and so far v5.0 has not logged a single block as it has been instructed to.

I’m looking for some insight as to why the treatment of these system and MS programs is so different in v5.0 from the way they were faithfully blocked and logged in v3.14?

~Maxx~


Have you created a rule for these apps? I am suspecting it is due to the Trusted Vendors. You could disable that (uncheck it), and (check it) create rules for all applications.

Does this help you any?

What policy did you give to WMP and rundll32.exe? Do you have “Create rules for safe applications” enabled?

I have both rundll32.exe and wmplayer.exe set to block and log in the v5.0 Firewall and I do not have “create rules for safe applications” enabled.

As far as the Trusted Vendors list is concerned would it be wise to take Microsoft off of the list just to deal with these 2 Microsoft programs in the Firewall?

~Maxx~


John- It helps in as much as the programs that are being blocked and logged by the v5.0 Firewall are not listed on the Trusted Vendors list. rundll32.exe and wmplayer.exe are both Microsoft programs, and Microsoft is on the Trusted Vendor List, so even with a block and log rule in the Firewall evidently they are allowed to call up to the internet anytime they like without being blocked, even though there is a rule against it, which clearly was not true in v3.14, which applied every rule without exception. Is this also true for all other programs on the Trusted Vendor List?

~Maxx~

There are 8 Microsoft entries in Trusted Vendors, which one(s) should I remove? Since the entries in Trusted Vendors are not checked off but rather completely removed, how would I go about restoring them?

At this point I have little confidence that the Firewall in Comodo 2011 is blocking properly because it always reads Firewall has blocked 0 intrusions so far unless it is during a specific test.

If the Firewall was blocking and not logging because I have all my ports stealthed like Eric mentioned in another thread that would be fine, but this not knowing why it refuses to block and log when it is set to block and log an .exe worries me to the point that I may have to go back to v3.14 yet once again to where the Firewall blocks and logs when it is set to and not selectively as Comodo 2011 is doing now on my Win 7 x64 computer.

~Maxx~

If you enable Create Rules for Safe Applications, I don’t see any reason for you not to be able to edit them to block the applications you wish to block.

Once you enable that you should see rules for everything that connects out.

You would probably need to set Security Level to 'Custom Policy' to override the safe list.

JamesFrance- First I removed the block and log rule that I had made for wmplayer.exe and then I enabled Create Rules for Safe Applications as you suggested and ran wmplayer.exe, and although it created the temp files as usual the v5.0 Firewall did not ask if it should allow or block the internet connection that wmplayer.exe always tried to make under the v3.14 Firewall.

I then did some experimentation by starting programs that I know try to access the internet like Hulu Desktop and Foxit Reader and in both cases I got a pop-up from the Firewall asking to allow or block the respective request for internet access.

At this point I know that the v5.0 Firewall is working correctly, but I still don’t know whether wmplayer.exe, which requested internet access with each use, and rundll32.exe, which made about 10 requests per day for internet access under the v3.14 Firewall, are somehow privileged under a Microsoft Trusted Vendor exemption and are above the rules, or whether they have just suddenly stopped making these requests under the v5.0 Firewall, which I tend to doubt???

~Maxx~


I have Windows System Applications and Windows Updater Applications allowed to connect out, I think these rules were there when I installed CIS 2011, so maybe that is the reason. Have you still got those rules shown?

It seems that if you notch Attack Detection Settings to High the intrusion count in the main screens goes up.

Does that also help to get blocks logged? Notice that the way rundll32.exe gets handled has changed with v5 according to egemen. But I don’t know how.

I went so far as to set the alert frequency to ‘Very High’ and still there was no detection when wmplayer.exe was run. Up to this point it seems as though if the v5.0 Firewall gives a pop-up and makes the original rule according to my response then it will show up in the Firewall log when it is fired if I have chosen to block and log it, but if I chose to make a block and log rule for .exe’s myself, the v5.0 Firewall just doesn’t seem to recognize it like the Firewall in v3.14 would have.

Since the v5.0 Firewall makes rules and blocks and logs Opera 10.70’s UDP out even though Opera is on the Trusted Vendor’s List, it makes me wonder if these Microsoft programs are indeed being handled differently in v5.0, as you mentioned rundll32.exe is.

~Maxx~

I just tried blocking wmp.exe here and it gets logged. As well as with another application that I blocked for reference.

What I noticed was that I saw no block when I told it to go to Media Guide. But got logged when I told it to Browse all online stores.

Eric- Do you suppose that the behavior of wmp could have changed from v3.14 to v5.0 with instructions to ‘go to Media Guide’ instead because the Firewall is not picking up on the ‘Browse all online stores’ behavior that it had before and blocking and logging it as it was in v3.14?

~Maxx~

I must take back what I said about it not logging connecting to Media Guide. It popped up in the logs with a little delay. I therefore overlooked it. My mistake here.

Did you import by any instance your v3.14 configuration?

To see if there is something funky going on with your installation of CIS could you import a back up factory configuration and activate it? The factory default back ups are in the installation folder of CIS. When importing give it a different name like COMODO Proactive Security Test or so.

Eric- I imported the factory default backup of Proactive Security, started wmp and there was no popup to ask whether to allow or block an internet connection, and nothing in the log either. BTW I did not import any instance of my previous v3.14 configuration.

~Maxx~

This sounds like a bug to me.

Please report it in the bug board following the submitting guidelines in FORMAT & GUIDE - just COPY/PASTE it!

Eric- Good news! I went to the wmplayer program file and started it manually and the v5.0 Firewall blocked its TCP request and from then on it started blocking and logging wmplayer.exe TCP requests as I was using the wmplayer! I still haven’t seen any logs for rundll32.exe, but as I understand from what you have said the way Comodo handles it has changed.

~Maxx~


Previous times did you start by opening a media file?

No, previous to this I just played media that was opened with wmplayer and there was no blocking or logging in the v5.0 Firewall as there was in v3.14, but now when media is opened and wmplayer.exe tries to call out the Firewall blocks and logs the request as it should.

~Maxx~

Interestingly odd. Are you playing the same media files? Did you, or another person with access to your computer, change wmp settings in the meanwhile?