How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2

Discussion in 'other firewalls' started by Escalader, Jun 6, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, I'm still in learning mode. The way these learning threads work is that questions are put, answers come in, and they may be 100% correct, like yours here now.

    But I do zip, until Stem gives us his expert view and he will sometimes do real tests at his end before answering. The test may not be needed in this case but I wait. Plenty of time right? What's another day or so?

    This whole idea of the learning thread is really neat, like our old chemistry labs. Some guy (like me) puts a question like what happens if I turn off the Bunsen burner to the Prof! The Prof is out of the room and another student leaps in with an answer. I say right and do it, then the next we hear is the sound of fire trucks. The analogy is imperfect of course but you get the idea.
     
  2. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Hi Jarmo, I installed my Windows patches this morning, and my CFP application rules are still intact. Perhaps you have another problem but you coincidentally noticed your rules were gone after the update. o_O
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi yourself!

    What you describe sounds real ugly! I also updated Windows XP yesterday and all my network blocking rules are still in place! Check if yours are gone!
    If they are, then that may give Stem a clue. Also I would post your issue on the Comodo FW forum. They may know.

    To help you, is there any way you can go back via restore points or a backup image that would put you back where you were? Backup images are the only real way to cover these situations off!

    Don't get mad (I was about to say get even) but let's find out so the issue can be 1) fixed, 2) added to the beta v3 work, or put down as a big black mark on CFW.

    If your setup is the only one with this problem (which I doubt) others need to be warned off!

    Stem, have you heard of this one?
     
  4. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Thx twl and escalader.
    It happened to me. Sure it was ugly but this thread is no place to continue talking about it if you did not experience it. I have now some exploration to do, things to find out why it did happen to me.
    Did not affect my network rules, only my application monitor rules.

    Best wishes from me,
    Jarmo
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Users like to look for any possible gaps in their protection, and will then add another full HIPS. This then can actually lead to less protection due to conflicts.

    No, a HIPS would be described as protecting the full OS. CFW 2.4 is concerned with applications making internet access and any program making interaction with these.

    Yes, (it is said), from the screen shots I have seen I would agree, but have not yet looked at this.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Best to ask if anybody else who has CFW application rules lost them all on the recent windows update.

    Let us know if you figure it out!

    Good luck!
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Rats, I should have read this one before my 800's post here!
    It is good news for Jarmo in an odd way since it seems to say it wasn't CFW that wiped out his rules! He can now try other solutions via elimination.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello All:

    I've been over in the CFW Forum lately to get some rules in the applications monitor and the network monitor that will block any application from sending email other than MS Outlook. Here is a post from a guy there who, to his credit, is trying to help me do that. Anybody who was watching the ZA Pro Learning thread may recall that all you had to do was tick a block box beside all applications in send mail except the mail client.

    Draw your own conclusions as to which is easier to do!

    But easier does not equal better!

    So it seems we can opt for less frightening call homes with CFW, or easier settings with ZA who does the unauthorized call outs!

    Since security trumps ease of use for me I will choose the rule process but I don't have to like it do I? I hope (different than know), that CFW V3 will be easier in this area. Time will tell.

    If Stem or anybody has a better way to do this let me know! What follows is the post from the CFW forum, in red with quote marks.

    "Here's what you're probably going to want to do, to tighten that up.

    You will set your rule for Outlook in the Application Monitor, to specify those two ports under Destination Port, as a Set of Ports (the rule is for Outbound; that's all you need for it). You'll input those in Destination Port: A set of ports: 110,587 (no space after the comma)

    Then in the Network Monitor, you want to create two rules. They will both need to come in above the default Allow TCP/UDP Out, Any Source/Destination/Port (or any other rule that is "loose" or "general" enough to allow the traffic). So you can right-click and Add/Add Before, or Add where-ever and use the Move Up button to reposition them. The rules flow from the top down, so keep that in mind.

    For the sake of this example, we'll just put them in positions Rule ID 0 & 1 (which probably wouldn't hurt, anyway, but that's up to you).

    Rule ID 0 will be:

    Action: Allow
    Protocol: TCP/UDP
    Direction: Out
    Source IP: Any (or your IP)
    Destination IP: your email server's IP address (which should be static)
    Source Port: Any
    Destination Port: A set of ports: 110,587 (no space after the comma)

    Rule ID 1 will be:

    Action: Block
    Protocol: TCP/UDP
    Direction: Out
    Source IP: Any (or your IP)
    Destination IP: Any
    Source Port: Any
    Destination Port: A set of Ports: 110,587

    To really tighten it up, make sure your Alert Frequency (security/advanced/miscellaneous) is at High; this will make sure that information on Ports are included in the popup alerts, and thus in the Application rules. This way, you will get an alert for any other application that might try to communicate to one of these remote/destination ports. Be forewarned, this will give you a lot more alerts than at a lower level of detail, and it may seem like they're all the same...

    Even without that, though, you should be fine. The flow of the Network rules is such that traffic outbound to your email server on those ports is allowed. Traffic not set for that IP on those ports will pass that rule and be cut off at the pass by the very next rule, which is set to block those same ports. The order here is very important, as you can see. This is also why you don't want a rule to Allow TCP/UDP Out to Any IP on Any Port preceding these two rules; it would allow the connection before it could be properly filtered.

    There's not much point in putting an IP address in an Application rule, IMO, unless you have alert frequency at Very High (which then references every single IP address you go to when surfing...too many alerts! )... With AF any lower, the IP won't matter, cuz CFP isn't referencing it.

    For the Network Monitor rules, you can (in the Destination IP field), set it for a Range of IP: 206.190.36.17 - 206.190.36.38. Then set the ports as I mentioned previously. For the block rule, don't include the IP addresses, just the ports.

    So for the example I gave you, Rule ID 0 will be:

    Action: Allow
    Protocol: TCP/UDP
    Direction: Out
    Source IP: Any
    Destination IP: A Range of IP: 206.190.36.17 - 206.190.36.18
    Source Port: Any
    Destination Port: A set of Ports: 110,587

    Leave Rule ID 1 just as I gave before.

    Your Application (Outlook) is defined/allowed to create an Outbound connection to Any website (IP address) on those two specified ports (destination ports). Since the AppMon rule for Outlook does not contain a specified IP addy, it will pass inspection of Rule ID 0, and will be able to contact that website (which is specified within Outlook itself). Even if another application (say Outlook Express) were to gain internet access and somehow want to utilize those same ports to send and/or receive some special/secret email (wherein you would get an alert because of an unauthorized application), it will be implicitly stopped by the NetMon rule ID 1; it's using those ports, but not that website... thus it will be blocked.

    Oh, I just read you don't have an Application Monitor rule for Outlook. That's easy enough to add. Open Application Monitor, click the button to Add a new rule. Browse for the Application Outlook.exe. Should be in c:\program files\office\office11\outlook.exe (or something like that - you can always right-click your desktop icon for it, select Properties, and check the Start In and Path information to find where it is, then browse in the rule creation window). Parent you can set to Learn; that should work (it's probably explorer.exe, or will be). So you'll build the rule to look like this:

    Application: Outlook.exe
    Parent: Learn
    Action: Allow
    Protocol: TCP/UDP
    Direction: Out
    Destination IP: Any
    Destination Port: A set of ports: 110,587
    Miscellaneous: (leave it blank)

    That's it. FYI, if you look at the two FF rules, you'll probably see one has a parent of explorer.exe, the other firefox.exe."
     
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    You cannot restrict applications in network rules. The only thing I saw that was restricted was that those ports the ISP mail needs were restricted to just your ISP's email servers. That is all.

    Where you can restrict is application monitor rules. If you use a very high level of alert settings, you don't need those network monitor rules at all. If you use a lower level of alert settings they might be useful.
    Remember that every email client that tries to connect to the internet and has no app rules made for it will cause a Comodo alert popup.

    In Comodo 3 there is, I think, also a HIPS, something like my ProcessGuard, that will also control the execution of programs.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, Jarmo P.
    Sounds like I should add a ProcessGuard like you have or wait for a stable V3?

    But in any case let's get Stem's views now that I have created enough of my usual confusions :D

    Stem, can you weigh in here when you have time, about best way for me to restrict mail to just MS Outlook to the exclusion of ALL other applications?

    I think I'm trying to duplicate what ZA pro did with whole column of blocked send mails on all non MS Outlook applications?
     
  11. rogervernon

    rogervernon Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    289
    Now - I run Thunderbird as my email client and use as my default Gmail's POP3 & SMTP servers, set to run directly from TB. [Gmail does allow POP3 & SMTP direct, unlike other web mail providers], but uses SSL, port 995 for POP3 & port 465 for SMTP.
    Is there a way to control both Gmail & my ISP (I use my ISP rarely as it's unreliable)? How do I find the IP addresses for Gmail & my ISP?
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Rogervernon:

    Sorry, I have no clue on your question. I'm still working on MS Outlook.

    Maybe Stem can help you. I assume you are using CFW 2.4 as per this thread?
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Security- Advanced - Misc. - place the alert slider to "very high", now you delete the rules for TB, and open it- answer prompts.

    You'll end up having specific rules for IP's, ports and protocol, as they are requested by TB. Probably one of the IPs requested is TB updates, but the rest is Gmail, ISP..
    If you want to return to normal prompts, just return the slider to the original position.
    This is a quick way, then you can look them up (the IPs).
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have seen reported problems between Comodo+PG, and have had conflicts myself on such a setup. I never looked further into this, as at the time it was reported Comodo had no interest (due to the upcoming inclusion of a HIPS function within Comodo), and the fact there were reported problems of contact with PG developers (yes, I do have a full version of PG, so I could set up to check when time is available,.. but I admit, I have never liked making Windows auto updates)

    I am on catch up at the moment, so need time to look at/check the other posts before reply.
     
  15. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Many thanks for telling all that, Stem. To Escalader's question about my losing Comodo app rules after the Windows patch update:
    My computer is very stable and never has installed anything else but Comodo firewall, so it is quite "virgin". Also no other hips except PG free.

    I had also a brief episode of crazy things with Sandboxie when it would not start normally, and in one case I needed to cold reboot my system.

    Now all is fine, but I have seen sometimes a prompt that "you are not covered" by any firewall and Comodo is all "red".
    So it has happened, conflicts of software or whatever, even if I sometimes wonder whether, had I always been running Comodo with medium alert level, this might not have happened. It is after all what all in the Comodo forum suggest to do.
    It makes one think that when running Comodo with a very high level of alerts, it gets messed up.
    That is only my opinion though!

    Jarmo

    EDIT
    To Escalader, comodo 3 is just in alpha stage. It might take 6 months or more and maybe then. I sure know that Melih guy wants a Vista version out. But it takes time and I hope Egemen is able to resist. The real good software takes time to develop. I rather wish a version of Comodo is put out with both XP and vista and able to export rules and a better logging. Something in 2.x line.
     
    Last edited: Jun 20, 2007
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Continuing now with the CFW 2.4 learning thread.

    Stem:

    Attached is a snapshot of many FF application rules; they go on for pages! Here are my questions.

    (1) Why so many? Have I done something wrong (again)?
    (2) Theory: I get many pop ups asking for FF access and since I know I'm just, say, logging in to my ISP I approve them, so my guess is I'm creating these myself by accepting them? There must be a better way?
    (3) Should something be changed here?

    The goal remains unchanged: maximize XP security and minimize outbound packets that have no business leaving the PC.

    Again, thanks for your help on this. I've been fishing in another thread dealing with SpySweeper upgrades and email scanning, but that is calmer now. :thumb:
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Escalader, I take it you moved the slider to very high. That's how I use it, but you must do some things to reduce the number of rules and pop-ups:

    Look at the rules made. Generalize them a bit.
    Like Firefox in your pic., you have rules for outbound - port 80 - specific to IPs. Like this, you will never finish it. Pick one of them, right click - edit - now on the IP, choose any - OK. All the others will be gone. You end up with one rule for browsing on the most used port for HTTP, port 80. There are others, and for HTTPS - port 443.

    Very high is good to automatically allow programs to update to their respective servers, but then browsers require much more, as you browse you request many servers. Here it's good to learn a bit by generalising (with a z or s? spell checker isn't working..) what you observe to be needed.
     
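    The rule logic in the quoted CFW-forum post (Rule ID 0 allows the mail ports only to the mail server's IP range, Rule ID 1 blocks those ports everywhere else, and neither may sit below a loose "Allow TCP/UDP Out Any") and Pedro's tidy-up above (collapse per-IP Firefox rules into one "Any" rule), modelled together as an added Python example that is not Comodo's code and not from any post in this thread. It assumes top-down, first-match evaluation with Block as the default when nothing matches; the 206.190.36.x range is the one quoted above, every other address is constructed.

    ```python
    # Constructed model of CFP 2.4 Network Monitor rule evaluation (not
    # Comodo's code): rules are checked top-down and the first match decides.
    from dataclasses import dataclass, replace
    from ipaddress import ip_address
    from typing import FrozenSet, List, Optional, Tuple

    ANY = None  # the "Any" choice in the CFP rule editor


    @dataclass(frozen=True)
    class Rule:
        action: str                          # "Allow" or "Block"
        direction: str = "Out"
        protocol: str = "TCP/UDP"
        dst_ip: Optional[str] = ANY          # single IP or "lo - hi" range
        dst_ports: Optional[FrozenSet[int]] = ANY


    @dataclass(frozen=True)
    class Packet:
        direction: str
        protocol: str                        # "TCP" or "UDP"
        dst_ip: str
        dst_port: int


    def ip_matches(spec: Optional[str], ip: str) -> bool:
        if spec is ANY:
            return True
        if "-" in spec:                      # "A Range of IP" field
            lo, hi = (ip_address(p.strip()) for p in spec.split("-"))
            return lo <= ip_address(ip) <= hi
        return ip_address(ip) == ip_address(spec)


    def matches(rule: Rule, pkt: Packet) -> bool:
        return (rule.direction == pkt.direction
                and pkt.protocol in rule.protocol.split("/")
                and ip_matches(rule.dst_ip, pkt.dst_ip)
                and (rule.dst_ports is ANY or pkt.dst_port in rule.dst_ports))


    def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, rule id) of the first matching rule; assumed
        default is Block when no rule matches."""
        for rule_id, rule in enumerate(rules):
            if matches(rule, pkt):
                return rule.action, rule_id
        return "Block", None


    MAIL = frozenset({110, 587})
    # Rule ID 0 and Rule ID 1 from the quoted post, placed above the
    # stock permissive "Allow TCP/UDP Out Any/Any" rule.
    GOOD_ORDER = [
        Rule("Allow", dst_ip="206.190.36.17 - 206.190.36.38", dst_ports=MAIL),
        Rule("Block", dst_ports=MAIL),
        Rule("Allow"),
    ]
    BAD_ORDER = [GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1]]  # loose rule first


    def generalize(rules: List[Rule]) -> List[Rule]:
        """Pedro's tidy-up: merge learned rules that differ only in dst_ip
        into one rule with Destination IP = Any, preserving order."""
        seen, out = set(), []
        for r in rules:
            key = replace(r, dst_ip=ANY)
            if key not in seen:
                seen.add(key)
                out.append(key)
        return out
    ```

    With the quoted ordering, mail to a foreign server on 110/587 hits the Block rule; with the loose Allow first it is accepted before the Block is ever consulted.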
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I agree with Pedro in his comments.
    Your localhost address 127.0.0.1 rules for Firefox also need to be edited to allow any port or a port range, to also not have them building up IF you continue to use that alert level in normal use.

    It is interesting to see your second rule in your pic. That parent sure is not what normally starts your firefox?
    As I have posted in some places, I have lost a little of my faith in currently running CFP with the highest alert level setting. But for building new apps' IP restrictions in rules it is of good use, just not very convenient in general use as Pedro told.

    Jarmo
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Jarmo/Pedro:

    Thanks guys, boy are you fast! Don't worry about spelling, I flunked grade 3 spelling and bless the day spell checker and grammar checkers were invented!

    It will be interesting to see what Stem has to say about this FF pile up!

    I am on High alert to catch bad outbounds! So that has precedence over convenience ..

    I'll see what I can do to generalize but I fear ranges may let a bad one by!

    Learning ! :thumb:
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Jarmo P,
    At the time I found problems with Comodo+PG was at low level. I did not see such problems as you have posted. The main problem I had was with testing, for example, most leaks were prevented by Comodo, but with the combo of Comodo+PG, some leaks did bypass (low level conflict)
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,
    Do take note of the posts made in reply (by Pedro/ Jarmo P) to your post.

    Setting the alert to "High" will cause many rules to be created; these rules will not only be related to the IP/ports/protocol but also to the parent application.
    I see you have a rule to "any: any: TCP/UDP in/out"; if this rule has a parent of "Explorer" then the other rules should not be needed.

    You do have in place many blocking rules (on the network rules), these cannot be bypassed with application rules.
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, thanks Stem as in the learning thread method, I will now work on the Pedro/Jarmo posts, and the any any parent. Still trying to get my head around the parent idea. I gather it is a different concept than application and component?

    I want my blocking rules to override any application rules; the reverse would be unacceptable.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Does this imply that when V 3 CFW comes out of beta and into a full blown release that those who have HIPS software will be wise to set it aside?

    This is a speculative question I know, but having 2 HIPS strikes me as similar to having 2 real time AV's?

    What do you guys think?
     
  24. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Hi Escalader, Do you think we need hips if we're using BOClean and our other anti Spyware apps?
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    That is similar to the question I asked as well, although you are introducing BOClean and I know zip about that tool. I think it is an ASW tool?

    BD and SS have some behavior powers to detect but I'm unsure they match a full HIPS. I doubt it.

    Let's wait for Stem to weigh in on this HIPS issue.

    Right now I don't have a HIPS per se. ZA Pro has one but I had to remove it to meet my no hard coded call home security goals. You close one issue off and another opens up :eek:

    CFW which is this thread at 2.4, doesn't have HIPS but V 3 when it goes into wide use coming out of Beta will have HIPS. That I have verified.

    I think we should have 1 HIPS at the moment but I'm waiting due to other safeguards.
     