What is default setting for Network Rules Protocol

Been using CFP for about a month and am certainly a novice in understanding firewall settings.

Today I mistakenly hit deny to a request and found my IE6 browser unable to connect, so I went thru the network rules and found “IP In/Out” protocol set to Block & Log. I thought maybe this was the problem so I set it to allow but that didn’t help.

Setting the firewall to “allow ALL” got everything to work.

So then I set firewall back to Custom and rebooted - and now everything seems fine - but I don’t know what happened… AND MAYBE the IP IN/Out Protocol should be set back to Block?? Does anyone have a comment - I am now guessing that it was set to Block as the default install setting. Thx

Hi williebgoode, welcome to the forums.

The final Block & Log rule in the Network Monitor is vital. It stops all unsolicited connection attempts. Without it you’re wide open.

The alert for the block you issued will be in CFP’s Log (Activity tab). The block you made is probably in either the Application Monitor or Component Monitor.

thanks kail - I’ve reset it to block

In looking back thru the log, there are 2 High severity entries:

Application monitor: Application Access Denied (svhost.exe.64…)
and
Application Behaviour: Suspicious Behaviour (svhost.exe)

So, why would this stop all IE operation until the system was rebooted?? Do I need to set something??

thx in advance.

OK, answering this is a little tricky without seeing the actual alert, but I’ll do my best (aka. educated guesses ;D).

Based on what you’ve said I suspect that you may have misread CFP’s alert (actually very easy to do… CFP is different to other firewalls). I suspect CFP’s alert used the phrase “could be”… and probably mentioned IE’s parent process (explorer.exe). Worded like… Something meddled with explorer.exe, the parent of IE and this could be used to get at IE. So, what you actually blocked was probably the entire explorer.exe-IE relationship (which is quite large). Why OK after a reboot? 2 possible reasons… 1) It was blocked unremembered (a reboot will clear this type of block) or 2) The blocked item has not been loaded into explorer.exe because it was blocked (by CFP) or the blocked item has not been executed yet.

SVCHOST.EXE is SERVICES.EXE’s (Windows Services) Internet gateway. If a Service needs Internet access it will use SVCHOST.EXE (not always true for 3rd party Services). You should not block SVCHOST.EXE where its parent is SERVICES.EXE as it will break Windows Components, such as Windows Update.

You’ll probably find any blocks related to SERVICES.EXE or SVCHOST.EXE in the Component Monitor. But, you should review all blocks in Application Monitor & the Component Monitor. The Application Monitor contains all those applications that are directly used by the user & the Component Monitor contains all those applications, libraries, etc… that the user does not directly run.

General rule with blocking… if in doubt then block unremembered. This way if you make an error, then a reboot will resolve it. Otherwise you can block the item remembered on the next reboot.

I hope that helps.

thanks again kail-

yes, I did deny it unremembered- so that’s why it worked after reboot

I’ve looked around on Comodo’s forums - I was looking for descriptions of what the various parts of CFP do and how settings affect performance. Does this exist somewhere? I was looking for something more in depth than the program help files, which only say how to set options but don’t explain what those options do?

thx

Perhaps our FAQs/Threads topic will help?