Why so many "Allow" in Component Control Rules ?

I just started using CPF and I must say I’m already in love with it. Of course I have some small doubts and I’d like someone to help me to make that clear.

In “Component Control Rules”, Learn Mode is set; I see a lot of entries where the component is a DLL and the company is Netscape, Microsoft, Real Networks, Nero etc. All those entries are set to “Allow”.

I’m not sure I’m using that list in the proper way; what gave to all those Netscape, Microsoft, Real etc. entries the “Allow” ? I don’t even think I have any Netscape application installed. Is that a predefined trusted list ?

I’d rather give them the “Block”, especially that big lot of Microsoft ones, and then selectively allow just some specific component. Am I looking for trouble doing so ? Why on Earth should I allow all those Microsoft, Real etc. components to access the Internet from my PC ? What am I missing ?

Thanks in advance.

Welcome to the forums SantiBailors!

The trouble with blocking those legitimate libraries is that you run the risk of crippling your machine. Basically you want to install Comodo on a known malware-free machine, use “Learning Mode” for perhaps two-three days to validate the dll’s, then change it to “Turn On” so that you will be alerted to any future dll’s not yet validated by Comodo. The tricky part is trying to determine if they are legitimate or rogue. That is where Comodo helps out by displaying the Company name and Description, making it easier to decide whether to allow it or not. This is just one of the additional security features that augments Comodo’s firewall functionality to better protect your machine. BTW, it is not unusual to see numerous dll’s (libraries) in Component Monitor. Hopefully this helps :slight_smile:

Hi cprtech, thanks for the explanation; now I think the point is what my intended use of the firewall is, or what we mean by “legitimate libraries”, or my (probably paranoid but oh well :)) interpretation of “malware” :slight_smile:

I would like to use the firewall not only to block access to software which was purposely written to try to hide itself in my PC, take control of it, phone home, collect personal info and send them out etc.

I would like to use the firewall also to block software which I willingly installed but which I don’t want to access the Internet without getting asked first every time: RealNetworks adware built into RealPlayer, various ad/spyware notoriously built into many commercial applications and into Windows, etc.

> the trouble with blocking those legitimate libraries is that you run the risk of crippling your machine

That's exactly my main doubt: what could happen if I do ? That is, what does "crippling" mean here ?

My PC wasn’t connected to Internet up to a couple of days ago, none of these components was accessing the Internet, and all was going well; I’d like to use the firewall to make all keep going like before :slight_smile:

Why would I want to grant Internet access to things like “Microsoft Alerter Service DLL”, “Configuration Manager Forwarder DLL”, “Microsoft COM Runtime Execution Engine”, “Microsoft DirectDraw”, “Microsoft events recording service (EVENTLOG.DLL)” ? ??? Why do they want it ? ??? And what are they in the first place ? ;D (the latter is a joke, probably my problem is exactly that I don’t know that :)).

Hi.
It’s really hard to tell what you should or should not allow in component monitor.
If you, let’s say, want to prevent WGA (Windows Genuine Advantage) you can block LegitCheckControl.DLL, and there might be some more.
I think I have allow on everything there… :slight_smile:
I don’t know for sure, but I think that some of the DLL’s in there don’t connect to the outside, but to the local host and maybe your network if you have one.
They are used to connect together with apps, so you might get some apps not to work as you wish if you block the DLL’s. You have to go by trial and error… :wink:

If you want better control on which app connects and how, you have to go to security/advanced/misc and uncheck “do not show alerts for apps certified by Comodo”, and raise the “alert frequency level” slider to the top (very high).
Now when you click allow and remember, the rule will be more “tight”. Specific port and IP and so on.
Good luck. ;D

Hi,

> I don’t know for sure, but I think that some of the DLL’s in there don’t connect to the outside, but to the local host and maybe your network if you have one.

I understand; being no expert, I was hoping that it was possible to univocally distinguish accesses to the outside from other accesses, so as to block the former ones only.

BTW, my Internet connection is through an ADSL modem connected to the PC via ethernet, and that ethernet card is used only for the ADSL modem; the LAN is on another ethernet card (which hasn’t even TCP/IP bound to it, just NETBEUI, talk about paranoid ;D). So, if in Component Control Rules I disable the whole universe, I’m just disabling applications access to the network interface used for the modem, right ?

> They are used to connect together with apps, so you might get some apps not to work as you wish if you block the DLL's.

That was my fear...

> You have to go by trial and error...

and that too ;D

Well, not a big deal after all, since those are legitimate libraries, the worst that can happen is that I get spied on, not infected or hijacked, so just let’s take it easy and enjoy life

That is easy to do. The first time you are alerted to an application requesting network access, and you want to block it, just create a “Block” rule for it, denying it access to any destination port, ip and tcp/udp, and skipping the parent in the process. You should not get alerted on it again.

Ok, that is basically what I did (even though I just noticed that in some cases I had the parent wrong, instead of “Skip parent”).

For example let’s take Adobe Acrobat Reader: in Application Control Rules I have set a Block rule TCP/UDP In/Out for AcroRd32.exe on any port.

What was puzzling me was that in Component Control Rules I still had several components listed whose path was the one of Acrobat Reader (for example Acroform.ITA, path “C:\Programmi\Adobe\Acrobat 6.0\Reader\plug_ins\Acroform.ITA”) and whose permission was Allow.

Now I’d say that your suggestion closes the matter, thanks guys.

Good news! Just to clarify, “Allow” in Component Monitoring just means that they have been validated by Comodo for the application that requires network access. It does not mean the dll’s are granted network access.

I wouldn’t choose “Skip Parent” when creating the rule. I’d note from CPF popup what the Parent was that it shows, and use that. Barring that, or if I’m uncertain, I’d choose “Learn Parent” instead.

I’m not sure the intended purpose of “Skip Parent”, although I’ve read that it is kind of a lazy way thru the rulemaking, and somewhat of a security risk to do so. Not sure how, exactly, but for the paranoid… :wink: At any rate, FYI, it apparently will default back to “Learn” when the rule is fired…

My preference is to set a parent in the event that there might be more than one (which there sometimes is…). When CPF warns again, you see it’s a different Parent, you set a new rule for that parent.

Also, there’s some info over here: https://forums.comodo.com/index.php/topic,3777.msg29172.html#msg29172 about services in WinXP Pro SP2 that you can Disable; they’re not needed, and security risks as well.

LM