Very good start but
Causes a memory error in Fruity Loops which is still there AFTER reinstall of FL and uninstall of Comodo and restarts all round; had to restore two machines to get them to run FL again.
Can’t seem to get Windows Update to run on IE7 without turning OFF the whole application section, kept complaining about SVCHOST with parent services.exe wanting to do TCP out port 80 to somewhere.
Also, sessions disappear once they are closed, fair enough, but it makes it hard to keep track of total traffic to a site, which is useful to help detect bandwidth and data stealing. Perhaps a current session bucket and a total bucket since cleared or of limited size would help.
Still, inspiring piece of work, and I can’t wait for it to get fixed.
Most guidance in this area assumes expertise, e.g. I had to learn that many ports, e.g. greater than 1024, can send a DNS(53) (request) to the gateway and get a response, but that unless I am running a DNS in my internal net, I should not accept any incoming port 53 requests.
Then there is all the ICMP and the IGMP advice, and defaults cannot easily be restored in, say, the applications panel or the net panel if you feel you have ■■■■■■■ it up. Still a hell of a good start, oh and it runs on MS Server 2003, …paradise!!! I love it.
Perhaps visiting the tech support section of Fruity Loops would be a good idea. But for the sake of having knowledge about memory errors I’ll just mention a few things here so you understand exactly what a memory error is.
All electronic storage devices have the potential to incorrectly return information different than what was originally stored. Some technologies are more likely than others to do this. DRAM memory, because of its nature, is likely to return occasional memory errors. DRAM memory stores ones and zeros as charges on small capacitors that must be continually refreshed to ensure that the data is not lost. This is less reliable than the static storage used by SRAMs.
There are two kinds of errors that can typically occur in a memory system. The first is called a repeatable or hard error. In this situation, a piece of hardware is broken and will consistently return incorrect results. A bit may be stuck so that it always returns “0” for example, no matter what is written to it. Hard errors usually indicate loose memory modules, blown chips, motherboard defects or other physical problems. They are relatively easy to diagnose and correct because they are consistent and repeatable.
The second kind of error is called a transient or soft error. This occurs when a bit reads back the wrong value once, but subsequently functions correctly. These problems are, understandably, much more difficult to diagnose! They are also, unfortunately, more common. Eventually, a soft error will usually repeat itself, but it can take anywhere from minutes to years for this to happen. Soft errors are sometimes caused by memory that is physically bad, but at least as often they are the result of poor quality motherboards, memory system timings that are set too fast, static shocks, or other similar problems that are not related to the memory directly. In addition, stray radioactivity that is naturally present in materials used in PC systems can cause the occasional soft error. On a system that is not using error detection, transient errors often are written off as operating system bugs or random glitches.
Therefore, my guess is that you are using non-ECC RAM. I would suggest running diagnostics on your RAM to ascertain whether or not it is indeed the RAM which is at fault, as I doubt it’s actually CPF causing the problem - it’s more likely that CPF has somehow highlighted an issue with your hardware. Personally I swear by Corsair RAM, which also has the added benefit of low CAS latency.
And before this reply gets thoroughly off topic…
When you are running your Windows Update, have you tried allowing the connections? There will be a few of them though. The most important thing here though is that CPF is just doing its job; if it wasn’t chucking warnings at you, then I’d be worried. Also, if you search about on the MS site, you’ll find that you can manually download and install the updates as separate exes.
Hope this has been of at least some help. And I hope you get your issue resolved, because as far as I’m concerned (and many others too) CPF is the most secure firewall to grace the internet. (B)
Welcome to the forums, esoteric (:WAV)
Just a couple things:
Can you explain in more detail about the mem error with FL? Do you get a specific error code? If so, will you post that here?
You have to allow svchost.exe. No two ways about it. If you do not, you cannot update your IP/DNS/DHCP/etc. Also, it’s part of the Windows operating system. Windows also requires its usage for Updater. Updater aside, tho’, it needs to be allowed.
PS: Rucia, tnx for the detailed explanation about memory errors. Next time, be sure to use “parity” and “non-parity” as well as the ecc/non-ecc; I always like to see stuff I actually know… ;D
Thanks Little Mac,
I thought it best to leave that out. The post would have been 4 times longer and a lot more confusing to people who don’t understand binary. Sure, binary to most people means 0’s and 1’s, but often that’s as far as it goes. Once you go into the murky depths of how parity checking works I find most people end up asleep. But it’s good to know that you’d be fine with it ;D
Hi Guys, thanks for the response. I was just giving you a quick heads up as I don’t feel like spending a lot of time on this. I have been in the industry for 35 years, starting at IBM on mainframes, then Mobil Oil, as a net (SNA) sysprog, then a couple of banks doing enterprise systems Mgmt and now am a systems architect for a govt dept. I do know a little bit about IT. I have done machine coding or assembler if you like, so I think I understand a little bit about hardware. Still somewhat hazy on how the internet works in detail, and most people I know still are.
Also, I know from my days in OS or systems software support as a sysprog that one always collects all the data about an error for support purposes before logging a call. I am not logging a call. We neglected good practice as we were quite concerned that the machine had developed a HW problem and really wanted to verify that this was NOT the case. So we did a restore back to before Comodo, and phew, all ok. This machine is an Intel p2.8 on an Intel 915GAV MB with an MSI x600 and has NEVER had a single glitch that I am aware of in 2 years. It is still perfect. From my memory however, FL was complaining that it could not WRITE to a specific address. Not a hardware problem I would think. I suggest that something had locked access of the address of that piece of memory… or similar.
Then, the same thing was evident on an INTEL p1.4 on an Intel D845WN MB.
Two machines with hardware errors after installing Comodo, sorry, that is virtually impossible.
This 2nd machine after a restore, back to before Comodo, is now perfect, as it has been for at least 2 years.
Frankly, I would say that this problem is EASILY reproducible in your lab.
I will see if the event logs survived the restore ASAP.
Also, re the IE7, I added SVCHOST, of course, with parent of Services.exe, without parent, tried everything, did not seem to make any difference. Also, I turned on ASK for everything that looked good, and no, just got a bunch of high level red threat items logged about svchost parent services.exe I think. With NO opportunity for me to SAY allow… (actually, the way Windows Update works must look pretty bad to a firewall I would agree. Very intrusive. But it should be able to work)
I would say that this is also easily reproducible in your LAB.
If not, I am prepared to put in a small amount of time to help debug. I have already spent probably 8 hours on this project with 4 machines. The 2003 server I am leaving it on as it has limited protection, otherwise. The other machines I have removed it via a restore for now.
If you feel that you have fixed these problems, I am prepared to have another go, provided your technical people specify exactly what they want in terms of diagnostics if the need arises. I am not really prepared to fiddle around wasting time on guessing games… Or perhaps you need a diagnostics switch that the user can turn on for the PRODUCT as well as the popup allow questions…heh heh.
Still, a really good vision. I love to see someone breaking out of the cycle of commercial companies who are locked into producing extremely ordinary to lousy products, and putting most of their effort into marketing and protection. I hope you can persist, as this product has certainly put your name on the map as far as I am concerned. And frankly the Free for home use model is an incredible marketing tool. Your main problem potentially is that M$ will eventually either buy your technology (good for you) or outperform you with a bundled built system (not so good for you).
Thanks for the add’l info. Regarding svchost, you might give this a try (I say this without seeing your log files):
Go to your Application Monitor, Remove any existent rules for svchost.exe. Go to Security/Tasks/Scan for known applications. Run that, follow the prompts. Go to Security/Advanced/Miscellaneous, uncheck the box for “Do not show alerts for applications certified by Comodo.” Move the Alert Frequency slider to High or Very High. Reboot when finished.
Now you should see popups for svchost, which you can “Remember” and Allow. This should set the rule properly.
CPF is not presently a HIPS, to monitor processes, etc. However, the Application Behavior Analysis does; it’s an integral part of the security of the firewall. In some instances, this causes CPF to be hooked into an application in such a way that it may interfere. Perhaps that may be the case with Fruity Loops. I’ll check into it (keep in mind, I’m a volunteer in the forums, not Comodo staff).
What version of CPF are you using?
Thanks for the great tips. Will give it a go asap; the 2003 system still has some problems as per the SVChost one I can’t fix. Looks the same.
I’m sorry if I invalidated your expertise. It’s now quite obvious that you have more technical knowledge than I do, especially so due to your extensive length of time in the industry. By contrast I’m a 24 year old network administrator, so I’ve got a good way to go before I can match your level.
Anyway, good luck sorting it out. From what I’ve seen the guys on these forums are very good at what they do.
Sample error messages
Comodo Firewall Logs
Date Created: 16:57:01 06-01-2007 Log Scope: Today
Date/Time :2007-01-06 16:55:31
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (spoolsv.exe:192.168.0.110:snmp(161))
Application: C:\WINDOWS\system32\spoolsv.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 192.168.0.110:snmp(161)

Date/Time :2007-01-06 16:51:30
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (spoolsv.exe:192.168.0.110:snmp(161))
Application: C:\WINDOWS\system32\spoolsv.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 192.168.0.110:snmp(161)
End of The Report
Running 184.108.40.206; the 192.168 is my LAN of course.
I cannot stop the above messages yet. Tried everything I can think of.
Also, have to turn the Firewall off to print from the server to the network printer at 192.168.0.110, and it’s driving the mouse pointer mad. Flickering.
I may need to read instructions more carefully.
Can’t wait for the next release. Please feel free to chat to Comodo support about this thread.
I will take better notes next time I test.
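The log pasted in the post above repeats one denial several times. As an added example (not part of the thread and not Comodo code), this Python parser splits such a paste into entries, even with the fields run together, and collapses repeats into one row per application, parent, protocol and destination, flagging destinations on a private LAN. The field names come from the log in the post; the function names `parse_entries` and `summarize` are made up for this example.

```python
import ipaddress
import re

FIELDS = ("Date/Time", "Severity", "Reporter", "Description",
          "Application", "Parent", "Protocol", "Destination")
KEY_RE = re.compile(r"(%s)\s*:" % "|".join(re.escape(f) for f in FIELDS))

# The two entries from the post, with fields run together as they were pasted.
SAMPLE = r"""Date Created: 16:57:01 06-01-2007 Log Scope: Today
Date/Time :2007-01-06 16:55:31
Severity :MediumReporter :Application MonitorDescription: Application Access Denied (spoolsv.exe:192.168.0.110:snmp(161))Application: C:\WINDOWS\system32\spoolsv.exeParent: C:\WINDOWS\system32\services.exeProtocol: UDP OutDestination: 192.168.0.110:snmp(161)Date/Time :2007-01-06 16:51:30
Severity :MediumReporter :Application MonitorDescription: Application Access Denied (spoolsv.exe:192.168.0.110:snmp(161))Application: C:\WINDOWS\system32\spoolsv.exeParent: C:\WINDOWS\system32\services.exeProtocol: UDP OutDestination: 192.168.0.110:snmp(161)
End of The Report"""

def parse_entries(text):
    """Split a pasted log into one dict per entry; a Date/Time key starts an entry."""
    entries, hits = [], list(KEY_RE.finditer(text))
    for i, m in enumerate(hits):
        # A value runs up to the next known key, or to the end of its own line.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        lines = text[m.end():end].strip().splitlines()
        if m.group(1) == "Date/Time":
            entries.append({})
        if entries:
            entries[-1][m.group(1)] = lines[0].strip() if lines else ""
    return entries

def summarize(entries):
    """One row per (application, parent, protocol, destination) with a hit count."""
    rows = {}
    for e in entries:
        key = tuple(e.get(f, "") for f in FIELDS[4:])
        ts = e.get("Date/Time", "")
        try:  # destination looks like "192.168.0.110:snmp(161)"
            lan = ipaddress.ip_address(key[3].split(":")[0]).is_private
        except ValueError:
            lan = False
        row = rows.setdefault(key, {"count": 0, "first": ts, "last": ts, "lan": lan})
        row["count"] += 1
        row["first"], row["last"] = min(row["first"], ts), max(row["last"], ts)
    return rows

if __name__ == "__main__":
    for key, row in summarize(parse_entries(SAMPLE)).items():
        print(row["count"], row["first"], row["last"], "LAN" if row["lan"] else "WAN", *key)
```

A row with a high count and a LAN destination is a candidate for a single trusted-zone or application rule rather than repeated per-alert decisions.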
If you define a zone (SECURITY - TASKS - ADD/REMOVE/MODIFY A ZONE) covering the IPs of your internal devices (192.168.0.1 - 192.168.0.X) and set that zone as trusted (SECURITY - TASKS - WIZARDS - DEFINE A TRUSTED NETWORK), these alerts (which are SNMP calls to LAN manageable devices) will be allowed across your internal LAN.
Is there a reason you didn’t want to define a whole-of-LAN rule? Only asking cause your previous replies indicate very good LAN knowledge.
Hope this helps,
I did define my internal zone. I think in ZoneAlarm it was just a tick box to say that this zone was trusted, so I did not catch on to the point of the trusted zone wizard that appears to do the same thing as the define a zone option. I would think the two panels could be combined with a tickbox to say trusted or not and be less confusing perhaps. Anyway I went and ran the trusted zone wizard and selected my internal zone. Am still getting the problem, and also, although I have deleted svchost and a few other pgms, they have not asked me if they are allowed to return. It does LOOK nice, but from my point of view, it is extremely persistent at ignoring my requirements and actions. Perhaps if you install it and let everything default it works ok, but try and change a few things and then see if you can get back to where you were. I seem to recall some restore default function, but control of the scope did not suit what I wanted to reset. I am not overly quick to criticise, and I note the enthusiastic support that most forum members appear to have of this product. However, the issues I have highlighted are complete killers from my point of view. I have noted quite a few people saying that when they add an application, or similar rule, that it appears to have no effect, so I suspect it is not just me. Also the memory issue still being around AFTER uninstalling the product is death for a vendor. If I have to RESTORE the system, I put the product in the class of verging on a virus, or at least VERY damaging. And these issues are SO serious that I would expect action within a few days, if you were serious… Thanks again, and I look forward to testing your next version.