How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2

Discussion in 'other firewalls' started by Escalader, Jun 6, 2007.

Thread Status:
Not open for further replies.
  1. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    If I read them right at Comodo, the HIPS in version 3 will be an elective. I hope.
     
    Last edited by a moderator: Jun 27, 2007
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, I hope so since some users have a HIPS they like/trust and use CFW. In that case an option to NOT use the V3 HIPS would be good to avoid conflicts!
    IMO. I will go there and ask this question straight out! More later.
     
    Last edited by a moderator: Jun 27, 2007
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Soya at CFW forum replied:

    "Melih said yes on more than one ocassion before. However, the first alpha release of 3 doesn't have the option yet. That and among other functions (I don't know as I haven't tried it) haven't been implemented."
     
    Last edited by a moderator: Jun 27, 2007
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Stem/Pedro and Jarmo P!

    I did some rule consolidation work as suggested and it finally dawned on me what this parent application business is all about (slow learner).

    Correct my wording if I get this learning statement wrong.

    Each application rule has a parent application that applies. For example I have CCleaner which is one of the parents of IEXPLORE.EXE. Spysweeper is another and so on down the list. I have 9 entries in total for IEXPLORE.EXE.

    Rules can be consolidated by sets of ports and protocols and in or out!

    I shrunk the FF and 127 rules down, and applied the same approach to other application rules as well.

    I will attach version 2 for your critiques! Fire at will! It can only get better!

    What I like is the fact that my list of sites to block overrides these application rules!



     


  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hello Escalader :)
    In CCleaner's case, it's when you check for updates, I think. It doesn't update itself, so when you check for updates, it opens your browser to visit the website. So CCleaner is the parent of FF, because it's opening FF.
    Basically, a parent app opens the child app.
    Yes, Network Monitor rules over Application Monitor. NetMon has TCP and UDP SPI.

    On the pic, I see that eventually you will get those rules for localhost (127.0.0.1) in one, but my suggestion is keep using it like that if you have the patience. That way you observe the behavior, and trim it down as you see needed. Not much to learn after some point, but for us inexperienced, it sinks in better. Not for this rule alone, but in general for all programs.

    Firefox for 127.0.0.1 goes at least to port 4000 (sorry, I'm trying another FW :) ).
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Comodo, as you found out, has a parent for internet-connecting apps. Usually it is explorer.exe. I include a screen capture of a very useful tool, Process Explorer, that can be used to see what processes are run in a hierarchical parent/child tree and then search the internet via Google to see whether they are legal or not; it has many more capabilities.

    In my case my Comodo rules are such that instead of explorer.exe the parent is only Sandboxie's Start.exe for browsers, IMs, email clients and torrent client. It is not shown in the pic tree view since it only runs to start the apps. I do have PG free too as a HIPS, but this way I can be sure even without it that I or something else don't accidentally allow normal instances of these programs to the internet with only Comodo's app control, since I don't have explorer.exe as a parent in rules. Then if I want to update for example Firefox or extensions, I do have to answer some popups for the unsandboxed instance that I don't put to "remember".

    Jarmo

    EDIT
    Your rules look good. You could do as Pedro told with just one loopback rule for Firefox.
    And for udp 53 you could restrict it to your ISP's DNS servers that you can find out by running CPF with the very high alert level, if you want to make it really tight.
     


    Last edited: Jun 27, 2007
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks for the image! I have Process Explorer and you are dead right it solved a few mysteries for me! I guess when CFW V3 hits with the HIPS you have some testing to do!

    One thing I noticed is you have ctfmon.exe.

    This one I would advise you scrap! It is in 99% of the cases a trojan! I may be exaggerating but MS says it has to do with alternate types of input devices for office. Most never have that!

    If you are nervous about killing it outright just disable it first! I think it is one of M$ call homes. I got rid of it years ago and still run MS Office fine in spite of the FUD around that point! Spybot S&D has quite a write up on it.

    Search here on the key word or google it it's quite a read.

    Anyway I thought I'd tell you my view so you know!
     
  8. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    No, it is not a Trojan on my computer. When I used to run System Safety Monitor (SSM) I bothered a lot about ctfmon.exe though. It is not only with MS Office, since I have only XP Pro and then Open Office only; in fact I believe it is now part of the Win XP OS.

    I am very much against tweaking my system. I used to believe in it, but not anymore. I let firewall and PG and antivirus etc. do their protection. Disabling ctfmon.exe is not so clear, though I read many things concerning it once it bothered me. It perhaps is not part of an English-language XP but sure is part of a Finnish-language one. I don't touch anymore wwdc or other such tweaking tools. Sooner or later some functionality of a puter is lost. I hope no offense is taken by not following your advice.

    From this thread there is one comment I find interesting that agrees with mine,
    http://www.neuber.com/taskmanager/process/ctfmon.exe.html :

     
    Last edited: Jun 27, 2007
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Jarmo P:

    "I hope no offense is taken by not following your advice." :cool:

    Of course not, this is a forum; I provide my views and experience and you do the same! You may very well need it for non-English input!

    Keep providing your ideas! For myself it works; for you, not. That is why everyone should verify all advice from whatever source!
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Indeed, ctfmon.exe is absolutely normal and installed by MS Office.

    See this Microsoft KB on how to disable it:
    http://support.microsoft.com/kb/282599

    Cheers,
    Fax
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Fax, you are a ZA User Forum Guru and use ZAISS and aren't using or learning CFW. So this is a read only thread for you please! Don't attempt to HJ this thread as before. I have you blocked in this thread and recommend other learners do the same.

    Hi Fellow CFW learners

    Jarmo P et al: Yes, thanks, I got down to 1 loopback rule in two steps rather than 1!

    On your UDP 53 idea, could you expand on that notion a bit? How can we be sure that only my ISP uses that port for 53? I will ask them. I do know the names of the ISP servers. Could I trouble you to write out or image a couple of your 53 rules, since learning by example is best.
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    I am not hijacking anything here... you posted misleading information... and I just posted back to give you correct info as well as a link to remove the 'evil' Office executable.

    If you are not concerned just ignore the post. I was actually answering Jarmo. You don't need to be hostile at any cost here; this is a public forum... you are not the owner. Forum moderators can freely remove the posts that are deemed OFF topic, not you...

    If you post back you are practically hijacking the thread yourself; no need of posting to say do not post... o_O

    Cheers,
    Fax
     
    Last edited: Jun 28, 2007
  13. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Normally, when you get a prompt from Comodo for DNS, it asks for 2 IPs.
    Might be different for some connections. So if you know your DNS servers, also to be found in Control Panel, Network Connections, and there some "state" to be read (translated, and I cannot give it to you more clearly than that).
    Then those are your ISP DNS servers that you only need to specify. You can find them out also by just deleting your current rule allowing UDP 53 to all IPs, and then with CPF at very high alert level.
    If it is needed to be so strict, I don't know, since most users don't do that.
    Take it as an extreme restriction, as you wanted that. Works for me anyways.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Jarmo P, thanks again, but I don't quite see this rule. Since I posted first they have been consolidated, so here is a fresh look for comment.

    Stem, can you help a bit here it is my fault for not grasping the point.
     


  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As before my comments in red
    Stem: Attached is the log of IP blocks that I want blocked, but I want to know which application on my PC is doing these call-out tries so I can prevent this!

    How do I get that done in CFW?


     


  16. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Something like this, regarding restricting DNS to your ISP servers.
    They are mine, don't take any advantage! lol
    Why did you post your log, just to spam this forum? Was a joke.
    But the reason you cannot see is because you have allowed all (or any) for port 53.
    Jarmo

    edit
    Ok, I read it again.
    Comodo's logs basically suck; I have never found any use for Comodo logs.
     


    Last edited: Jun 28, 2007
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Jarmo P.

    Sorry no joke, I wish it was (BTW I would never spam this forum!)

    To clarify I have 2 questions here at the same time.

    One is post 89 dealing with UDP 53. So I am waiting for Stem to help us grasp how to proceed. TY for your settings I won't use them as you requested but they may help Stem explain what I need to do.

    The second post #90 you thought was spam:D regarding a recurring block is a different issue. It simply shows multiple blocks that I need to tie back to an application or it's components to see the cause! I want this IP blocked unless I have misidentified it. :doubt:

    I am following thread guidelines on CFW not to slam the product, the goal is to learn how it can be optimized what ever it's flaws may be.

    If you wanted to you could put a feature improvement request in to CFW forum. But that is up to you. I will do that at the end of the learning thread.
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    It is used for the Domain Name Server that gives your computer the web server IPs needed when you type www.something.com in a browser URL field.
    Your DNS servers are of course different from mine unless you happen to have the same ISP.

    Comodo already blocks it, no need for you to do anything. As I said, Comodo's logs suck since they are mostly on a network level, so it is hard to find the application except by shutting down what you run and seeing if the blocks stop coming. There is no need for me to post anything on the Comodo forum since all users know that the logging in version 2.4 is far from perfect. The GUI does not work well at all.

    Jarmo
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    "Jarmo P" is explaining to enter your DNS servers into the rules for DNS lookups. (Basically this is to bind any DNS lookups to the servers). Your DNS server IP`s can be found by: Start menu / Run (type cmd ) at the prompt, type IPconfig /all (then press enter/return). This will show the info for the DNS servers. You can then enter these servers into rules to restrict where DNS lookups can be made. (If you do this, and your DNS servers change IP, then it can cause problems). Make sure there is a blocking rule, to block other DNS servers (with logging on)

    Personally, with Comodo, I would set these rules in the "Network Monitor
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Stem knows ;)
    That's what I do also, and be done with it. Every application now has to conform, no matter what App rules you have.
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Stem / Pedro and Jarmo P! Thanks for all the tutoring help (I need all the help I can get :oops: )

    Right! Got it. Network rules dominate. I believe I have my ISP server names, so if I use those any ip changes would be automatic? Is this correct?

    Would DNStuff still work? Since I use that service to id sites for blocking!

    Mean while I will proceed as suggested. One step at a time!
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay, done. I put it in as network rule 1 see attached AND added a rule 2 blocking any any for port 53 UDP. Comments please on the wisdom of rule 2, was it needed?

    Also the ISP dnsstuff whois report listed

    xx.yy.zzz.0 - xx.yy.zzz.255 which includes the dns server found by IPconfig all.

    Should I allow the whole range or just the specific ip?
     


  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    First try is not right. It should be the destination port that is 53. Also there typically are 2 DNS servers; look in my app rules for Firefox as an example.
    You could make restricted network rules, remember that default install rules allow all TCP and UDP out. I still have almost basic allow all out network rules.

    It is though application rules that are considered first. So in a sense they dominate for outgoing connections. For incoming connections it is reversed, network rules are considered first.
     
    Last edited: Jun 30, 2007
  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Whether the 2nd rule is needed or not depends on the other rules. If there is no general rule that allows that, it's not needed. But if there is, or when starting to build the rules, I say yes.
    You could set the blocking rule to log, and it always serves a purpose as such.
    Place the primary and secondary IPs.

    EDIT: Jarmo is right, I now see that. Port 53 is the DNS server's port 53, not yours. Log the blocking rule, not the allow, unless it serves a purpose.
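A toy first-match packet filter, added here as an example (not Comodo's code) of the DNS rule set Stem, Jarmo P and Pedro describe: allow UDP to each ISP resolver on destination port 53, then a logged block for UDP 53 to any other address, placed ahead of the install's default allow-all-out. The resolver addresses are placeholders for what ipconfig /all reports, and "no rule matched means block" is an assumption of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str       # "allow" or "block"
    direction: str    # "out" or "in"
    proto: str        # "udp", "tcp" or "any"
    remote: str       # single IP, CIDR range, or "any"
    dst_port: int     # 0 = any port
    log: bool = False

@dataclass
class Packet:
    direction: str
    proto: str
    remote_ip: str
    src_port: int     # DNS queries leave from a random high port, not 53
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.remote != "any" and ip_address(pkt.remote_ip) not in ip_network(rule.remote):
        return False
    # Port 53 is compared with the DESTINATION port (the resolver's), not the source port.
    return rule.dst_port == 0 or rule.dst_port == pkt.dst_port

def evaluate(rules: list, pkt: Packet, log: list) -> str:
    """First matching rule wins; an unmatched packet is blocked (model assumption)."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.log:
                log.append(f"{rule.action} {pkt.proto} {pkt.direction} {pkt.remote_ip}:{pkt.dst_port}")
            return rule.action
    return "block"

ISP_DNS = ["192.0.2.53", "192.0.2.54"]  # placeholders for the resolvers ipconfig /all shows
NETWORK_RULES = [Rule("allow", "out", "udp", ip, 53) for ip in ISP_DNS] + [
    Rule("block", "out", "udp", "any", 53, log=True),  # rule 2: logged catch-all DNS block
    Rule("allow", "out", "any", "any", 0),             # default allow-all-out from the install
]

def check_dns(remote_ip: str, rules: list = NETWORK_RULES):
    """Verdict and log entries for an outbound DNS query to remote_ip."""
    log: list = []
    verdict = evaluate(rules, Packet("out", "udp", remote_ip, 49152, 53), log)
    return verdict, log
```

Running check_dns against an address outside ISP_DNS shows why the logged block matters: the query is refused and the log line names the resolver some application tried to reach.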
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks guys, I changed the port as per Jarmo's advice.

    Here is my second try! Took out logs of allows; saw 1 work and unticked it.

    So far I have only found 1 DNS for my ISP with a range of port numbers.

    Stem has recommended these 53 rules be in network so that is what I did.

    Stem, please confirm for me that applications rules dominate for outgoing and network for incoming. I'm not saying it is wrong but that is the way it works in these learning threads or I get blown in all directions!
     


    Last edited: Jun 30, 2007