Why Comodo needs reset firewall settings

Hi,

I’ve been a long time KerioPF (now SPF) power-user, where I love its ‘learning’ (training in Comodo) & advanced functions because it has the simplest interface I’ve ever seen (where Comodo lags behind in UI simplicity). But since KPF is gone and SBF is outdated since Sunbelt is lazy, I’m looking for an at least “equal” replacement Firewall…

This is where Comodo comes in (and maybe goes out). I decided to try it since many tests, forums etc. recommend it and it’s free (guess it’s the gimmick). I uninstalled KPF and installed Comodo at next reboot:

  1. Comodo is forceful to make me accept its “skin” under my WinXP “Classic Skin” where it looks ‘outcast’ (guess Comodo is one of few out there not using ‘true’ skinability).
  2. Comodo advertises itself to be far superior than KPF & gives that initial look. Yet its UI is cumbersome making fuss about changing small settings (you “have to” go through countless parenting screens sometimes).
  3. Being used to KPF, Comodo’s “trainer” is simply ‘dumber’ not allowing me arrange port access & fine tune in “on demand popup”. First you have to allow/block single incident THEN you HAVE TO adjust this created rule, something KPF handles much more neatly.
  4. I didn’t give up & try to find the good sides of Comodo; I set up ALL settings (nothing left to default blindly), MANUALLY train Comodo due to previous incident when any application’s to access Internet.
  5. Network access: check, Antivirus update: check, Spyware update: check, Downloader access: check, Firefox access: check (somewhat). But when it comes to setting P2P access & more fine-tuning (or messing?) Comodo shows itself (maybe why it’s free) and blocks ALL my internet access.
  6. Some may say “recheck what you messed up” but can’t explain that all blocked internet access is back online when I simply switched ‘Firewall Behavior’ from Custom-to->Disabled-to->Custom without changing anything ELSE!!! Voila, like a magic Comodo allows all again by setting it where it was before.

This IMHO is simply unacceptable and unexplainable. All I do is ‘slide’ custom-to-disabled, apply, then reslide to custom and apply where it works??? No change in any other setting or so. Can anyone (especially Comodo expert) explain this phenomenon to me?

Is it because I try to master most of the ports every application has to use? Or is it that I want to log most of activity? Or is it Comodo bugs when it faces a P2P application (since they have the MOST opening ports etc.)? Or is it because I don’t trust what Comodo ‘Trusted’ and block or semi-allow to be trusted applications? The number of questions can be increased and fault can be mine too, yet how can one explain ‘resliding magic’?

Don’t get me wrong, I might have been hasty but I really want to see the ‘good’ in Comodo yet up until now I’m a bit disappointed. Before I try to replace Comodo, can someone help me? Explain the sources of error? Safe way to fine-tune Comodo? and etc…???

Thanks…

Hello T14, Welcome to the forums

I’ll try to answer some of your questions, but take note I am not an expert :slight_smile:

  1. Training mode is doing exactly what it is meant to in Comodo. I’ll try to give an example, You put it in training mode, play a game - and then it will automatically assume it’s safe.

I’ll give you a quick run down about the modes.

FIREWALL:
Block All Mode: The firewall blocks all traffic in and out of your computer regardless of any user-defined configuration and rules. The firewall will not attempt to learn the behavior of any applications and will not automatically create traffic rules for any applications. Choosing this option will effectively prevent your computer from accessing any networks, including the internet.

Custom Policy Mode: The firewall applies ONLY the custom security configurations and network traffic policies specified by the user. New users may want to think of this as the ‘Do Not Learn’ setting because the firewall will not attempt to learn the behavior of any applications. Nor will it automatically create network traffic rules for those applications. You will receive alerts every time there is a connection attempt by an application - even for applications on the Comodo Safe list (unless, of course, you have specified rules and policies that instruct the firewall to trust the application’s connection attempt).

If any application tries to make a connection to the outside, the firewall audits all the loaded components and checks each against the list of components already allowed or blocked. If a component is found to be blocked, the entire application is denied internet access and an alert is generated. This setting is advised for experienced firewall users that wish to maximize the visibility and control over traffic in and out of their computer.

Safe Mode: While filtering network traffic, the firewall will automatically create rules that allow all traffic for the components of applications certified as ‘Safe’ by Comodo. For non-certified new applications, you will receive an alert whenever that application attempts to access the network. Should you choose, you can grant that application internet access by choosing ‘Treat this application as a Trusted Application’ at the alert. This will deploy the predefined firewall policy ‘Trusted Application’ onto the application.

‘Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of connection alerts.

Training Mode : The firewall will monitor network traffic and create automatic allow rules for all new applications until the security level is adjusted. You will not receive any alerts in ‘Training Mode’ mode. If you choose the ‘Training Mode’ setting, we advise that you are 100% sure that all applications installed on your computer are assigned the correct network access rights.

Tip: Use this setting temporarily while playing an online game for the first time. This will suppress all alerts while the firewall learns the components of the game that need internet access and automatically create ‘allow’ rules for them. Afterwards you can switch back to your previous mode.

Disabled: Disables the firewall and makes it inactive. All incoming and outgoing connections are allowed irrespective of the restrictions set by the user. Comodo strongly advise against this setting unless you are sure that you are not currently connected to any local or wireless networks.


Defence+

Paranoid Mode: This is the highest security level setting and means that Defense+ will monitor and control all executable files apart from those that you have deemed safe. The firewall will not attempt to learn the behavior of any applications - even those applications on the Comodo safe list - and will only use your configuration settings to filter critical system activity. Similarly, the firewall will not automatically create ‘Allow’ rules for any executables - although you still have the option to treat an application as ‘Trusted’ at the Defense+ alert. Choosing this option will generate the most amount of Defense+ alerts and is recommended for advanced users that require complete awareness of activity on their system.

Safe Mode: While monitoring critical system activity, the firewall will automatically learn the activity of executables and applications certified as ‘Safe’ by Comodo. It will also automatically create ‘Allow’ rules for these activities. For non-certified, unknown, applications, you will receive an alert whenever that application attempts to run. Should you choose, you can add that new application to the safe list by choosing ‘Treat this application as a Trusted Application’ at the alert. This will instruct the firewall not to generate an alert the next time it runs. If your machine is not new or known to be free of malware and other threats as in ‘Clean PC Mode’ then ‘Safe Mode’ is the recommended setting for most users - combining the highest levels of security with an easy-to-manage number of Defense+ alerts.

Clean PC Mode: From the time you set the slider to ‘Clean PC Mode’, Defense+ will learn the activities of the applications currently installed on the computer while all new executables introduced to the system are monitored and controlled. This patent-pending mode of operation is the recommended option on a new computer or one that the user knows to be clean of malware and other threats. From this point onwards Defense+ will alert the user whenever a new, unrecognized application is being installed. In this mode, the files in ‘My Pending Files’ are excluded from being considered as clean and are monitored and controlled.

Installation Mode: Installer applications and updaters may need to execute other processes in order to run effectively. These are called ‘Child Processes’. In ‘Paranoid’, ‘Safe’ and ‘Clean PC’ modes, Defense+ would raise an alert every time these child processes attempted to execute because they have no access rights. Whilst in one of these 3 modes, Comodo Firewall Pro will make it easy to install new applications that you trust by offering you the opportunity to temporarily engage ‘Installation Mode’ - which will temporarily bestow these child processes with the same access rights as the parent process - so allowing the installation to proceed without the usual alerts.

Training Mode: The firewall will monitor and learn the activity of any and all executables and create automatic ‘Allow’ rules until the security level is adjusted. You will not receive any Defense+ alerts in ‘Training Mode’. If you choose the ‘Training Mode’ setting, we advise that you are 100% sure that all applications and executables installed on your computer are safe to run.

Tip: This mode can be used as the “Gaming Mode”. It is handy to use this setting temporarily when you are running an (unknown but trusted) application or Games for the first time. This will suppress all Defense+ alerts while the firewall learns the components of the application that need to run on your machine and automatically create ‘Allow’ rules for them. Afterwards, you can switch back to ‘Safe Mode’.

Disabled: Disables Defense+ protection. All executables and applications are allowed to run irrespective of your configuration settings. Comodo strongly advise against this setting unless you are confident that you have an alternative intrusion defense system installed on your computer.
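A simplified model of the firewall modes listed above, added here as an illustration and not taken from the thread or from Comodo's code. The class, method and application names are hypothetical; the point it shows is that allow rules learned in Training Mode stay in force after the slider is moved back to Custom Policy Mode.

```python
# Simplified model of the documented firewall modes (added example, not Comodo code).
# All names here (Firewall, connect, the .exe names) are hypothetical.
from dataclasses import dataclass, field

MODES = {"block_all", "custom", "safe", "training", "disabled"}

@dataclass
class Firewall:
    mode: str = "safe"
    safe_list: set = field(default_factory=set)   # vendor-certified applications
    rules: dict = field(default_factory=dict)     # app -> "allow" | "block"

    def connect(self, app: str) -> str:
        """Return the verdict for one outbound attempt: allow, block or alert."""
        if self.mode not in MODES:
            raise ValueError(f"unknown mode: {self.mode}")
        if self.mode == "block_all":
            return "block"             # user rules are ignored
        if self.mode == "disabled":
            return "allow"             # user rules are ignored
        if app in self.rules:
            return self.rules[app]     # an explicit rule decides
        if self.mode == "training":
            self.rules[app] = "allow"  # learned silently, no alert shown
            return "allow"
        if self.mode == "safe" and app in self.safe_list:
            self.rules[app] = "allow"  # auto-rule for certified apps only
            return "allow"
        return "alert"                 # custom mode, or unknown app in safe mode

def training_leftovers(apps_seen):
    """Run a Training Mode session, switch to custom, and report each verdict."""
    fw = Firewall(mode="training", safe_list={"firefox.exe"})
    for app in apps_seen:
        fw.connect(app)
    fw.mode = "custom"
    return {app: fw.connect(app) for app in apps_seen}

if __name__ == "__main__":
    # Constructed sample: one game and one program nobody reviewed.
    print(training_leftovers(["game.exe", "unknown_tool.exe"]))
```

After a Training Mode session, reviewing and pruning the learned rules is the only way to get back to a policy where unknown programs raise an alert.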

If you adjust the alert level (FIREWALL ->ADVANCED ->FIREWALL BEHAVIOUR SETTINGS ->ALERT SETTINGS), rules will be created based on direction, protocol, destination address and required ports. The standard setting just creates a rather generic “ALLOW” rule.

Ewen :slight_smile:

@Kyle:

Thanks for clarifying the options. Yet this doesn’t explain WHY Comodo suddenly decides to block e.g. Firefox (already defined by me regardless of being safe by Comodo) to access Internet at all. So this shouldn’t have anything to do with settings since first it works, then nothing works “despite no setting has changed”. Any more ideas?

@panic:

Thank you for the option I’ve already found earlier within the first 24hrs. I’ve spent a while playing with Comodo settings. Assuming you’ve never tried Kerio Personal Firewall once; in KPF you’ve less settings than Comodo and I’ve always used “Learning-Custom Rules” stage where every application has to be granted by the user when they first try to access Internet through a popup. Unlike Comodo popup which is giving allow/block/treat options and just explanatory about ports, KPF allows to define ALL (really ALL options) through its popup. What I mean is; I can define port ranges, local-remote IP ranges etc. IN POPUP without having to go through UI like Comodo forces me to. I think Comodo should inherit such ease of use in future. Try KPF once, you’ll see what I really mean…

Yet this doesn’t explain my situation either. I’m currently suspecting ‘flood’ settings might have something to do with it, confusing legit packets with abusive ones. Since no pointers came from here I’m going to poke here & there in Comodo until I finally give up to wait for a better Comodo. Until then I’d love to hear your inputs…

Thanks…

!!!JACKPOT!!!

I edited post since I decided to look for flood settings as I was writing before editing. After that I opened Comodo status window, wait for a minute; no increase in number of attacks, trying to reach Google on already opened Firefox; INCREASE in number of REPORTED attacks, Firefox fails and wait for another minute; no increase in number of attacks…

AFAIC Comodo is STUPID enough to confuse Firefox’s (bare no extensions) legit packets with the intruder packets. I guess 20/20/20/20/20/20 flood settings or something else altogether is wrong. Or there can also be another setting (not in the same category) that shouldn’t have been touched yet I’ve changed. But I don’t know how ‘sliding magic’ (which also eliminates that the problem is “rule” oriented) helps this situation at all? Please help me after this diagnosis…

Thanks again…

Can you please post an extract of any relevant log entries (as an attachment) from a period when the Firefox traffic is being blocked.

AFAIC Comodo is STUPID enough to confuse Firefox's (bare no extensions) legit packets with the intruder packets

This may be a bit harsh, since you’re the first reported instance of this occurring (this being written inside a FF window).

Ewen :slight_smile:

wow Kyle, that is the best and most pointed “manual” a rookie could get to get the feeling and understanding for the different modes: short, precise, understandable and most easy to follow. Who needs a user manual on that section anymore :slight_smile: Thankx man

Hallo t1470258,

Please don’t get me wrong but I must ask you to post your CFP feedback to Feedback/Comments/Announcements/News and your help requests in this board.

Before submitting a help request please read the Help board stickies.

Even if we have noticed that you were a previous Kerio user and you are not comfortable with CFP, if you are writing a help request please focus on describing the issue you get in a way that everyone could get an idea of what is going on and ask other related questions.

Topics in the help section are not only to be helpful to the originator writer but to other members as well (that’s why we encourage members to search first before posting) thus it would be desirable to state the purpose of a topic and follow it.

Can you please summarize the issue and add other relevant information like suggested in the sticky topic I linked?

Hey GDA. I copied and pasted that from the help manual. LOL