How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2

Discussion in 'other firewalls' started by Escalader, Jun 6, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay, here we go, next learning item, a simple :D question.

    How do we determine if I set up my Trusted Network Zone correctly?

    I used their wizard; see the copy/paste below (the image examples are missing, but users can see them in help under wizards). I want the router to remain untrusted since it is shared with a nasty gaming PC! :'( I share zip with this PC. No need.


    "Wizard
    Computers or Web sites in the Trusted Zone have full access to your computer. The trusted zone is for machines you trust - filesharing is allowed, and by default no stealthing is done. The Trusted zone includes the computer under protection and usually the local network and allows any network operations. These network operations are expected safe because the zone is trusted. There are still some restrictions though, to prevent fragmented packets or denial of service type attacks and port scanning.

    You can specify the addresses of trusted machines and websites either by name or by IP address.

    To begin adding a trusted zone, click 'Next'

    The wizard auto-detects any new network zones and displays the range of IP addresses to be contained within the trusted zone. This will usually represent your computer and other machines on your local network. Click next to continue:


    You are now required to select the network zone you wish to 'Trust'. Select the network zone from the drop down list and click 'Next'. At the ensuing confirmation dialog, please take a moment to review your settings and click 'Finish'. If you wish to alter settings at any time, press 'Back'."

    In my setup it IDs the network card and sets that as allow in/out. It is not inside the router, so I think it meets the definition of NOT being the router, but I'm interested in Stem's view of that in view of the 200 posts on ZA around this issue.

    Attached is a jpg of the wizard's work; it places these accept rules at the top of the list, and the other rules following are my own set of block rules based on previous ugly experience. Users of those IPs, in my view, are like buyer beware: fool me once, shame on them; fool me twice, shame on me, since I should have blocked them.

    Anyway, Stem, let me have it! What have I fouled up, so others can avoid the same errors! :D
     

    Attached Files:

    Last edited: Jun 10, 2007
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The Zone (your NIC (Intel)) will be the LAN, which will include the router IP (check the IP range for that zone).

    In your setup, when you do not want to trust the LAN/router, then you should have no need to set a trusted zone. (Loopback is covered with other settings mentioned.)
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay, but since post 1 I changed a few settings, so I have attached an updated image for your critique!

    My question then is: with these settings can I then delete the first two rules in the Network FW page and then KNOW I have the router as "NOT Trusted"?
     

    Attached Files:

  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    If you remove the first 2 rules, yes, the router would be treated as internet.
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Done, they are gone !

    Thanks, I will report any consequences!

    What about my image of the loopback settings? Does your testing setup match that? Any flaws in mine?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,
    Based on your "Alert frequency settings", you could also uncheck "Skip UDP loopback".
    From default Windows, it is IE that uses this (if this is denied, then IE will be very slow on surfing), but you would at least get a popup for any program attempting this, and there would only be the one alert (due to your settings).
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Stem:

    I went back to your earlier post and I think I've done the changes suggested.
    Not much point in looking for updates to 2.4 anyway, since there aren't any due to V3 Beta.

    Here's an old bugaboo back to pester us (I posted this on the CFW forum as well just to see what they say). :cool:

    On my list of blocked sites, I "manually imported" 24.153.19.207 to 24.153.19.207. These were a holdover from ZA Pro, which I was trying to prevent from calling home to NON-updating sites. For more information on that there is a 200+ post thread here on Wilders on that saga. See attached image.

    Now that I have removed ZA Pro and replaced it with CFW, I am puzzled why my PC is still attempting to connect in bursts of 4 or 5 attempts 10 minutes apart.

    Would someone else with Win XP SP2 and CFW 2.4 latest and greatest PLEASE put that range into their blocked list and see if it happens on their PC?

    If it does happen on another PC, then we will know this is NOT unique to my setup and is a function of a common piece of software. The most likely are M$ software, or some other piece of common software. Can I assume that CFW does not try to access these? My CFW update continues to work fine.

    Thanking you in advance
     

    Attached Files:

  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Is there an application associated with this outbound? (Select one of the log entries; what does it say?)
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Done. This is what the first one says. Application? I'm thinking email with the http 80, but it doesn't give the program name like ZA Pro did.

    COMODO Firewall Pro Logs
    Date Created: 10:48:57 11-06-2007
    Log Scope: Today
    Date/Time: 2007-06-11 08:53:43
    Severity: Medium
    Reporter: Network Monitor
    Description: Outbound Policy Violation (Access Denied, IP = 24.153.19.207, Port = http(80))
    Protocol: TCP Outgoing
    Source: 192.168.1.100:1271
    Destination: 24.153.19.207:http(80)
    TCP Flags: SYN
    Reason: Network Control Rule ID = 9
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    It says: I apologize for wasting your time; these 4 IP addresses lie within the range of my own ISP. Why I had them tagged before was as a possible ZA & M$ collection site.

    So I'm going to ask my ISP for the minimum number of IPs I have to NOT block.

    In the meantime I'll remove that rule.

    Thanks, Stem, I'm going to the back of the class now to stand in the corner! :D
     
  11. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I also have my PC connecting to some IPs when starting that seem to be from my ISP but belong to Akamai. I read your thread in the Comodo forum concerning this. I don't block specific IPs in network rules though.
    http://forums.comodo.com/help/why_d...ect_to_this_ip-t9718.0.html;msg70431#msg70431

    I found it out a few months ago by having CPF on a very high alert level setting, and then saw that it was svchost.exe doing that.
    Tried to make restricted IP ranges in application rules and it sure worked, but for connecting to M$ I had to make new IP ranges and new rules, so I eventually tired, and now svchost.exe is allowed any IP TCP 80 outgoing.
    At first I sure was spooked out, same as you, thinking why my PC is connecting with svchost.exe to some IP in my ISP's IP pool range.
     
    Last edited: Jun 11, 2007
  12. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Where is the first Comodo learning thread? I've searched for it but cannot find it. Thank you.

    Acadia
     
  13. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Include me in the above also. I have no input at the moment, but I want to be included in the learning process. :)
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Acadia:

    There was no 1st Comodo Learning thread that is why you can't find it! :D
    Just kidding!

    There was a ZA Pro controversial learning thread #1 in my numbering scheme, with over 200 posts, many of which were almost spam-like in nature IMO. I finally gave up on ZA; the reasons are too numerous to repeat, but read that thread if you want the whole ghastly saga.

    So this is my CFW learning thread; read posts 1 and 2.
    I rarely post replies to other learners unless I really do know; that is what Stem does. My role and yours can be to pose questions on how to optimize CFW 2.4's security.

    So plunge in, ask questions, there is nothing to lose!
     
    Last edited: Jun 11, 2007
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Jarmo: Thanks for this. I haven't had this problem; tell me again how to alter the alert settings. Can you post the screen image you refer to?

    I make restricted IP ranges in network rules, as you may see from the post images; in applications I'm for now just in learning mode, and have been since I installed CFW.
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Post away; everybody who wants to learn can post. Normally I don't/can't respond unless I'm sure of the answer; new questions we leave for Stem.

    You don't need input to participate, only questions you need answered on CFW!
    But I end up doing work for Stem when he asks me to check something or show my settings etc.!
     
  17. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I was referring to what you were asked about, meaning what application caused those log entries. By blocking something in network rules, you will only block the traffic, but never know what app caused those connections. It is most probably svchost.exe as I told you.

    My settings in a screen capture. Notice the alert level slider. The slider is used for making new application rules. If you set it that high up, you will learn about apps connecting to specific IPs if they don't already have a more open rule made for them. When using this setting all the time, you do have to edit the rules made to be a bit more open regarding IP access, but it is easy to do that. Probably not suitable for the average Joe, but since you are into blocking it might just suit you.
     

    Attached Files:

  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well, I need to ask why your PC is connecting out to your ISP. This should not be needed, and personally I would leave those IPs blocked until an explanation is found.

    Do you still have software installed from your ISP (from when you first set up your ISP account)?

    Myself, I installed the software from my ISP to set up/create my account (3 years ago); this was then removed, as my router performs the needed ARP/DHCP to/from my ISP gateway.
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    My Comments in Red

     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, I'll try it! I wish I didn't distrust these IPs so much, but I do.

    Thinking of things on a wide basis, I have another of my o_O ideas today.
    I get worse and worse as I learn more!

    What if I blocked every single WWW IP address in the universe for outgoing?

    Then, using your high-level alert slider idea, I detect the good guys I need to send to. Then I allow them one by one as allow rules higher in the list; once an outbound fails the allow rules it falls down the list to the universal range block? QED, all unknowns are blocked?

    What would happen? What is wrong with this idea?

    Go ahead posters, blast away, but have a better idea when you do! :D

    Sorry, Stem, if this shows my faulty thinking, but that is why I do these learning threads! Expose and correct flaws in security thinking using whatever tool we are on as the discussion vehicle!
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem et al:

    "With HIPS type applications".... borrowed this from the old ZA thread.

    (1) I gather that ZA Pro was a HIPS type, so why would a user need 2 HIPSes?

    (2) Is CFW 2.4 a HIPS?

    (3) Is CFW V3 Beta testing a HIPS feature?
     
  22. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Hard to say; I am thinking there are different ways to operate a firewall. You can try :)
    It brings to mind the CFP default network rules. They allow TCP and UDP out with no restrictions, since if you make tight app rules, it is these that control outbound instead of your network rules, to access/block specific IPs besides the usual port number control.

    I can include my slightly modified network rules. They are basically made to filter out some noise in the log. Well, there is NetBIOS outgoing blocked, but that should be disabled in network connections already.

    They have no IP blockings, as I really believe in making tight application rules instead. You see, Comodo considers outgoing connections with the application monitor first. If something is discarded = blocked in there, it does not matter if network monitor rules allow everything. It remains blocked.
    Of course, if you really know some bad IPs, why not block them with network rules "globally" by all means.
    Jarmo

    EDIT
    (2) I am not exactly sure what a HIPS really is. CFP allows parent-child rules, meaning to specify what app is allowed to start an internet-connecting app with specific rules. And also that component control. But I think those apps are still already started and just not allowed to connect to the net; not sure about that. So if it is not able to stop application execution (for those internet-accessing apps) then it really is no HIPS, just a relatively tight application rule-maker.
     

    Attached Files:

    Last edited: Jun 12, 2007
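As an added example (not Comodo's code and not from any poster in this thread), here is a small Python model of the evaluation order Jarmo describes in post 22 and the "allow the known-good, block the rest" layout Escalader proposes in post 20: the application monitor decides first, then the ordered network monitor rules are scanned top to bottom and the first match wins. The app names, the 203.0.113.0/24 range and the rule table are constructed; rule 9 and the 24.153.19.207:80 destination come from the log quoted in post 9.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Conn:
    app: str        # constructed; the log quoted in the thread gives no app name
    proto: str      # "TCP" or "UDP"
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class NetRule:
    rule_id: int
    action: str              # "allow" or "block"
    proto: str               # "TCP", "UDP" or "ANY"
    dst_net: str             # CIDR; "0.0.0.0/0" is the "block every IP" idea
    dst_port: Optional[int]  # None means any port

    def matches(self, c: Conn) -> bool:
        return (self.proto in ("ANY", c.proto)
                and ip_address(c.dst_ip) in ip_network(self.dst_net)
                and self.dst_port in (None, c.dst_port))

# Constructed application monitor table (app -> verdict) and network monitor
# list. Rule 9 mirrors the log line in the thread (24.153.19.207:80 denied by
# Network Control Rule ID = 9); 203.0.113.0/24 is a documentation range standing
# in for a destination the user has decided to allow; rule 10 is the catch-all.
APP_RULES = {"iexplore.exe": "allow", "game.exe": "block"}
NET_RULES = [
    NetRule(1, "allow", "TCP", "203.0.113.0/24", 80),
    NetRule(9, "block", "TCP", "24.153.19.207/32", 80),
    NetRule(10, "block", "ANY", "0.0.0.0/0", None),
]

def check_outbound(c: Conn, app_rules=APP_RULES, net_rules=NET_RULES):
    """Stage 1: application monitor (a blocked app never reaches stage 2, an
    unknown app raises an alert). Stage 2: network rules, first match wins."""
    verdict = app_rules.get(c.app)
    if verdict is None:
        return ("ask", "application monitor: no rule, alert the user")
    if verdict == "block":
        return ("block", "application monitor")
    for r in net_rules:
        if r.matches(c):
            return (r.action, f"Network Control Rule ID = {r.rule_id}")
    return ("block", "no network rule matched")

def shadowed(net_rules):
    """IDs of rules that can never fire because an earlier rule already covers
    everything they match, e.g. the catch-all block placed above the allows."""
    return [r.rule_id for i, r in enumerate(net_rules)
            if any(e.proto in ("ANY", r.proto)
                   and ip_network(r.dst_net).subnet_of(ip_network(e.dst_net))
                   and e.dst_port in (None, r.dst_port)
                   for e in net_rules[:i])]
```

The `shadowed` check is the practical caveat for the block-everything idea: with the catch-all above the allows, nothing below it ever fires, so the specific allow rules must sit above it and the catch-all must be last.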
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    I have had CFW running for a few weeks now in learning mode. So I think it is about time to turn learning mode off. My 7 original goals were:

    "....a FW that has the following features

    (1) No hidden call homes to mother ship on the FW software itself
    (2) Ability to detect other software calling home as well and then allow me to block that ip and ranges of ip's and the site itself
    (3) Doesn't force or try to force me to set the router/Lan to trusted as ZA did
    (4) Control by applications as to which have access to internet and those that don't.
    (5) Doesn't force me to create expert rules at first try!
    (6) Gives complete logs of in and out blocks that can be used for further checking
    (6.1) Responsive user support and user forum
    (7) Updates to product as required

    No doubt I've left out NB items, but as I'm behind a H/W FW and a router my main concern is outbound packets!"

    I think I have learned quite a bit about 1, 2, 3, 6, 6.1 (forum anyway), and 7.

    What I still need to work on is 4 and 5 which may be related?

    Here are some more questions:

    What should I expect when turning off learning mode? Do I have to do anything or decide something?

    The applications and components almost all seem to have allow, except for a few games I have blocked. Is that normal?

    How should a user proceed to tighten up settings when some of the applications, and particularly the components, have meaningless names? Do I have to Google each one? Or is there a method/list of blockable applications and components? There must be some method to make that task easy.

    Blocking IP addresses as I have been doing seems really futile.
    I think, if I understood right, the application monitor rules come first in checking, and if they allow access to the internet the network block rules have zero effect? Is that correct? I'm confused (again). Should I have loose application rules or tight, and loose or tight network rules? Maybe I should have tight rules for both? I could block every application and component, but maybe that has been done in learning mode by the CFW software and I should view the settings as set by a higher being?

    Stem over to you and thank you in advance for your help.
     
  24. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Hi Escalader. When I had CFP for about 3 weeks I decided it must be time to take it off learning mode. Upon doing so, I discovered I was a bit premature: I started getting more pop-ups. Someone told me to leave it in learning mode for a while, so I put it back in for a few more weeks. The second time the pop-ups didn't really increase.
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Hi from me too Escalader.

    This Comodo firewall is still like a toy. I got Windows patches today and guess what?
    All my application rules were gone after that. I had to build them all anew.
    So what is the use of 3 months of tight rules and then this Win update?
    Building tight application rules is, after all, what it is all about: to find when apps connect to IPs like you have asked in this post, and knowing what applications are involved at the same time, since logs are mostly only about network blockings.

    I don't say ProcessGuard might not have something to do with it. It started reminding me of Windows Update while in a limited user account.

    But very nice, that is all I can say, duh. Angry as hell.
     