Has anybody seen this Rule before in Comodo PF?

Discussion in 'other firewalls' started by poirot, Jul 9, 2007.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    After a BSOD which deleted most Rules in Application Monitor, I found, with the few that survived, a last one:

    Destination [any] Port [any] Protocol :TCP-UDP OUT Permission: Allow.
    Details-
    Security Risk: Unknown
    Connections : Unlimited
    Path :
    Parent Path : -
    Description : Unknown
    Invisible : Allow
    Version :Unknown


    I cannot delete or modify this Rule, even after deselecting the Registry Protection.
    I reinstalled CPF, deleting all remnants, and it is still there.

    In Regedit in HKLM/System/Software/Comodo/Rules
    I have just 5 rules listed

    and the last one (I guess it deals with my Allow Rule) has

    ab-predefined-REG_SZ (value not set)
    ab-AddrEnd REG_SZ 255.255.255.255.
    ab-ADDrStart REG_SZ 0.0.0.0
    -AddrType REG_DWORD 0X00000008 8

    I'd be very grateful if any CPF user would tell me if anybody ever SAW such a rule ever in their Application Monitor.
     

    Attached Files:

    Last edited: Jul 9, 2007
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I think it's just a rule that was corrupted by the BSOD; I've never seen anything like that, btw.
     
    Last edited: Jul 9, 2007
  3. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    WSFuser, it showed up after the BSOD, BUT it is still there AFTER a thorough CF uninstall and REINSTALL! This is what worries me....
    apart from the fact I cannot get rid of or modify it....
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Have you deleted all Comodo registry entries?

    If yes and it still shows, maybe you'd better post at the Comodo forums.
     
  5. hiro

    hiro Registered Member

    Joined:
    Jul 12, 2005
    Posts:
    77
    Hi, poirot
    Try it this way:
    Regedit ==> HKLM/System/Software/Comodo/Rules, right mouse click on it, select "Permission", tick "Full Control" ==> "Allow" for all users, OK.
    Then "F5" to reload the registry, return to the key and delete it.

    PS
    What do you find in this pipsqueak firewall?
     
    Last edited: Jul 9, 2007
  6. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    WSFuser, I've already posted at Comodo's, that's why I made a second post here, simply because at C.Forum, section Help, apart from a single helper they all seem to be into the new version.....

    hiro, thanks, I enhanced permissions at Regedit /... Rules, but I am not so sure now that the Regedit rule I posted really refers to the new rule; it most certainly deals with the five Network Rules instead.... which are OK and must not be touched. I was misled by a post at the Comodo forum.
    As proof of it, I deleted the Allow All rule in App.Monitor, rebooted, but it was there again.
    I've looked around in Regedit but cannot find the place where Application Monitor rules are placed.....
    I'll have another look now...
     
  7. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    No, I cannot locate this rule in Regedit.
    In the meantime, at the Comodo forum Soya brought to my attention another thread where the very same App.Mon. Rule had suddenly appeared for a couple of other users........ kind of reassuring...... except for the end result, as the cause was never found since the guys in question preferred a reformat.
    What I can now say is that after having searched for all kinds of malware and having used three antirootkits, the only finding I could not conclusively explain - although it could be legit - is the following from RootkitUnhooker:
     

    Attached Files:

  8. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Info on that exe file from Bill P Studios (Winpatrol)
     

    Attached Files:

  9. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Thanks LoneWolf, that's the legit part, but what about the IoCreateFile?
    At stevie-Goddyn blog I found this reference:


    After a day's research I couldn't find any conclusive proof of hacking, malware or rootkit, so I gather it is an extraordinary Comodo bug, perhaps provoked by my HP, DLA-UDF (Iso-type) CD-ROM.
    I know it sounds weird and I have no proof, but it is what I think.
     
  10. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
  11. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Thanks for letting me know, yeow, your problem is strikingly similar, practically the same, although it malfunctioned in a slightly different manner for me, that is, it was more of a baddie, pulp :D, in its behaviour, as it refused to react to either permissions, deletions, adding up of rules, deletion of rules, and in the end feigned disappearing when, for instance, I created an allow all rule for Superantispyware updates, only to show up later if I changed the Allow into Ask, etc. etc.
    I wonder if you, too, were given at the time to changing settings often in Comodo, as this is one of my favourite theories for this b... BUG.
    I am 'relieved' :) that it's no malware or worse, and you need this kind of accident to learn more.... provided there is some measure.
    I discovered your post just a minute after I had redeployed on my notebook a month-old image dating back to when there was no AllowAll rule, and now my only concern is updating it to now..... all's well that ends well, and thanks again.
     
  12. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Yes, similarly I could not delete or modify the blank entry. In your case, does it "show up later" only when you have >7 entries in Application Control Table? I remember after re-installing Comodo, the problem initially appeared to be solved, only for it to appear again when I had >19 entries (the blank entry being the 20th).

    Yes I was changing settings often then, many changes...
     
  13. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Correction: I think I could delete the blank entry, but couldn't modify its settings. My memory's bad, could be wrong on both accounts!
     
  14. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    That's it, yeow, it was the seventh for me as well - or better: I had been left with only 7 rules by Comodo - the phantom rule being for me as well the seventh one. An unbelievable bug. I personally like this propensity to n° 7 from the Comodo Group....
    Like you, I couldn't modify anything.
    I am talking in the past tense as I am back to a previous working image, with a bug-free Comodo and 26 working Rules......... hopefully.
    My best wishes to you, brother in Rule, hope Comodo is comodo for you in the future, at least until we try Version 3.0.. :)
     
  15. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    Thanks, and best wishes to you too. After that fix, it's been running fine & silent for a few months now.

    I've also learned that when troubleshooting, I've got to clean my registry better prior to re-installations.
     
  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,183
    I changed my software firewall. I don't find things like these acceptable.
    Even if I only lost app rules from time to time and nothing more serious than that.
    I know now how Comodo works and mostly it is very stable. Only there is the possibility of the registry getting corrupted, which I don't like at all. Does it mean that to have a top leaktest passer is to also have a firewall that can screw up your system?
    Think why there is no export and import rules existing in Comodo firewall?
    I cannot answer, but I do wonder.
    Jarmo
     