Why is CPF making new useless rules?

Hi,

I can’t understand why CPF makes a new rule every time I allow and remember a new “special behavior” for an app.

For example: I have a rule out-TCP/UDP/any ip/any port/ for an app. When I get a popup stating another app has just done something (which I want to be done) with this app and I allow and remember that, a new rule is created, for example: out-TCP,any,port 80. (depends on the popup adjustment in the advanced options).

I know this rule does no harm, but it is useless. If I don’t remove them, I have plenty of them in some days.
So, why a useless rule ?

THX

poser

Hi Poser,

I don’t believe that they are useless rules. CPF operates by creating network rules, application rules and component rules, and each has its own role to play.

If you have defined a rule for application X (the first app mentioned in your post) and then application Y does something with application X that causes a new rule to be created, it’s because something different to the original circumstances happened. A change of parent or triggering application is sufficiently different for CPF to create a separate rule to cover app X being triggered by app Y.

These additional rules are not useless. IMHO, they are thorough, but I do agree that you can end up with a pile of them, depending upon your usage of your PC, though. Others may or may not have the same issue, as their usage will vary from yours or mine.

Hope this helps,
Ewen :slight_smile:

I agree 200% with Ewen! The main attraction that CPF has for me is the business of checking not only an application, but its parent. Improper use of a normal application (like e-mail clients, browsers, and so on) by malware is one of the more serious threat vectors out there. That’s why checking parents is so critical! (V)

I said it before and I’ll say it again… there are way too many popups with CPF.

Many of these are the OLE ones that can appear hours after you even used the program that appears on the message. And of course there are the numerous IE popups because you launched IE from a different place.

And then there is WMP (wmplayer). I have no clue why I constantly get popups for this one. Even though I disabled all the Internet stuff in WMP I still will get popups.

Too many popups is NOT a good thing. After a while you have no idea what is good or what is bad.

Maybe all you power users out there and of course the developers of CPF can sort out all these popups but the average Joe can’t (IMO). If CPF is aimed at the Power User then so be it. Make that clear. But for average Joe, CPF is like the boy who cried Wolf. After a while no one notices him anymore.

Just my opinion. KISS as they say. Counter Points are welcomed.

FYI… There’s an option in Security >>> Advanced to reduce the number of popups to 1 per program instead of 1 for IN and 1 for OUT. I have found that I would get lots from my AOL Host Manager file on my system as it was communicating via OLE/COM with the other AOL programs. Turning off OLE/COM monitoring in the Behaviour Analysis window really reduced the number of popups!!

Eric

You probably have set these things, but I can say it anyway…
Have you checked the “don’t show any alerts for applications certified by Comodo”?
How do you have your “alert frequency level” set?
I suppose you have scanned for known applications and set a trusted zone if you’re behind a router?
There are a lot of parent popups in the beginning anyway, but they are necessary if you want to be safe. I agree with you that there are some OLE popups that I don’t understand if they are necessary…
One thing that doesn’t work for me is when a program, let’s say Adobe, as a parent tries to open IE, and I choose deny, blocks all internet access for IE? I have learned not to check remember when I block a parent to IE or mail program. Next time I start IE, it asks me again if I want to allow Adobe as a parent, even if I’m not going there. Now I have to click allow, otherwise I won’t be able to use IE.
Does someone else have these problems?

I have everything set the proper way to get the least amount of popups.

I was a longtime user of KPF and never recalled getting alerts as numerous as CPF produces. When a KPF alert came up, which was few and far between, I knew it could be a problem. CPF and all its alerts have desensitized me to them. And some of them I have no idea what they mean, like the OLE stuff. I just reply allow all the time. Some popups don’t even have a message associated with them. What’s this all about?

I realize I could end most of the popups by unchecking stuff in application behavior analysis.

This is not meant to be an indictment of CPF. Just one user’s opinions based on using it for a few months.

I agree also :). I like to know exactly what is going on with my system so have set to very high. I feel it would be far easier to adopt SKPF4’s way of dealing with communications (i.e., either allow all or define rules when prompted). Btw, is there an option to skip the parent check by default? I’m only really interested in the application that is communicating (I feel that option is required elsewhere).

:slight_smile:

Regarding poser’s original post, I’m sure I’ve encountered identical rules too. Would this have been created because of additional DLLs being used at the time? I’ve checked the details of each of these rules and they are identical (no mention of DLLs used at the time).

:slight_smile:

Yes you can choose to skip the parent in application monitor for that program.
You can check allow all activities for that application, and allow invisible… and skip advanced…

Thanks for the reply AOwL :). I was thinking more of a global rule that would affect all newly created rules without having to edit each rule. I’ve had a look around the interface but couldn’t find an option :(.

:slight_smile:

Same here. :-\

One of the “bigger” threats today is that malware uses a “known” program to get out on the net, so you should be careful not to use “skip parent” too much… :o

As said before, you can adjust this. Also, WMP seems to change every time it tries to connect. I have never trusted WMP for this reason, as it almost forces itself onto the internet. This is not a CPF issue, this is a WMP issue, and it will try to connect in various ways and in various OLEs. Even with ZA, Kerio, WMP would be a constant bother for me. I finally denied the update.dll, WMP connect or whatever.dlls that came with it. It, besides IE, is the single most aggravating program for connection attempts. IE is mostly used as, and at least is, a main component and a browser; WMP is not. Now if you have URGE, you will get double the popups. I think it was Ewen that mentioned, when a program changes, CPF will pick up on it. This is what happens with WMP. A pain? Oh yeah. But it can be resolved.

For all the NON-POWER USERS: go to advanced tab - miscellaneous > configure and simply set frequency level of alerts. Also go to advanced tab - Application behavior analysis > configure and you can un-check Com\OLE attempts.

Paul

For WMP I also go into Windows Services and set WMDM PMSP service and Windows Media Player Network Sharing Service on manual start.
About URGE there is a solution… uninstall it… :wink:

Yes, IF you don’t want it. :wink: Otherwise, you have to tolerate it. It seems if you block any portion, the online store won’t connect. Even if you block certain aspects of WMP Urge won’t work.

Paul