How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2

For the outgoing connections application rules are considered first. And network rules after that. Comodo's basic first install rules allow all TCP and UDP out. Of course if you block something in network rules, it stays blocked.

It is easier to think network rules as a mask for which app rules are applied and considered first. For things like this udp 53 it indeed makes sense to restrict network rules and so you can allow all in app rules. I personally don't do it though. Prefer to write app rules as specific as possible. All just a matter of personal preference.

 

Right! IMO ( as of this point) This CFW gives the average user (me) to many choices based on the assumption that these users know more than they do!
By the time I'm done I will know more but gad what a process. I have a programming background so I know about rules and sequences but the average joe user doesn't have a clue. So they will not make rules let alone check to see if they are correct!

This is just a personal comment.

 

Its a good idea to add a network rule that blocks inbound tcp/udp to local ports 135,445 and 500. Windows listens on these ports by default and they are only needed for some specialized corporate networking.

I also like to block outbound traffic to remote ports 6660-6669 and 7000. These are the most frequently used ports on IRC servers. The theory here is if by user error (or some new diabolical leak technique) a program is allowed outbound access, it will not be able to communicate to most IRC servers. Guess what? Most botnets take instructions over IRC. While there are other IRC ports in use, I suspect botnet owners prefer to hide on the large servers where there are thousands of channels to mask their presence.

Remember that no firewall is infallible. It is possible for malware to plant a communications driver that will bypass the firewall, or to disable the firewall whenever the malware wants to phone home.

 

Inbound connections are already blocked by default by the last rule (Block IP In/Out).

 

Here just to get away from blocking rules for a rest I have a couple of option page images for people to critique. Fire away, I have no sense of paternity for any setting at all

 

True but...


This rule goes above any "trusted" zone inbound rule, which would allow inbound connections on the 3 ports. It makes a difference if another machine in the trusted zone has a worm.

Its also possible to forget to disable/delete the trusted zone rules before connecting to a public hotspot. Port 139 could be added to the list as well, but turning off file/printer sharing in the network adapter properties sheet does that.

The trusted network rule can be "disabled" by creating a zone 0.0.0.0-0.0.0.0 and changing the zone. Its an alternative to deleting the rules and running the wizard again.

In case you don't realize it, I use a notebook and go from networks that are truly trusted to those that are not. No telling who you are sharing a router with in an Airport or Cafe, and there is no practical possibility of using a hardware FW in those locations.

I often get the feeling that few in this forum do any portable computing.

On another topic..

By the way, the "block while booting" rule while useful can be the cause of a start up delay, particularly on notebook computers with their complex driver installations. Try it both ways if your boot up is slow.

 

Escalader, i dont remember if you use a Router or DHCP,but the first rule in Miscellaneous
is it not giving you any delay in connecting to your provider?
I didnt try that yet,but perhaps it stops cold any attempt to connect via DHCP,DNSs etc.?

As to your second window regarding Behavioural Blocking i am using ProSecurity Pro which already takes care of some,so i unticked
Monitor Inter-Process Modification
Monitor DLL injections
which are the two items PS developer deemed as absolutely necessary to avoid possible conflicts,but i also disabled
Monitor COM/OLE automation attempts
hoping to speed up everything and avoid further troubles.

Following Jarmo suggestion i put the level to VERY HIGH in Alert Freq.Level order to
determine the IP as well for applications, i also have enabled just the first, Enable Alerts
in Firewall alerts , and only the last one to Protect firewall Settings in Program Settings.
This way, in spite of having disabled the 'dont show alerts for certified comodo programs',i
dont receive more alerts than usual and all is working fine.

Diver, what you suggest about blocking is certainly interesting, i hope Stem might clarify if
such blocking add ons are really needed or if we can rely on the 'block all the rest' by Comodo PF.
What you say about notebook 'mobile 'users being not too many over here is true,but when i needed specific info for it i always had it and it was 1st class,so its probably only a lack of posters about these matters.
I am increasingly becoming interested in wireless/radio/pc card connections as i'll have to use it soon, so including you we are at least two...

 

Hi Pirot/Diver:

",,, i dont remember if you use a Router or DHCP,"

yes, as in my signature I use a router which services 2 PC's on the same ISP cable connection. 1 PC is mine the other belongs to a on line gaming computer.


.."but the first rule in Miscellaneous is it not giving you any delay in connecting to your provider?"

I will turn rule 1 it off today just to see what happens for you, but I don't want spys arriving during bootup, bootup happens once so do that during your breakfast!.


I didnt try that yet,but perhaps it stops cold any attempt to connect via DHCP,DNSs etc.?

Stem, can you look into this question for us all?


Diver, I'm not far enough along to really grasp what you are suggesting but it sounds great! I suggest you post a layman's write up and image of your blocking concepts here as i have done so Stem and the rest of us can see a real example, I need to see these rules in the order you have them. You may have invented something!

 

I posted some example rules in a pic by blitzenZeus, for a different firewall, kerio 2.x in your Comodo thread Escalader:
http://forums.comodo.com/help/which_rules_dominate-t10231.0.html;msg74503#msg74503

One has to be a registered member to that forum to be able to see the picture though. That ruleset can be considered a template, there are rules for router users and rules for people who need to use their portable PC in differerent places. One has to take into account that kerio 2.1.5 does not have SPI in UDP.
And everyones connection type or LAN if existing is also different. But they are very useful rules in my opinion. And if understanding them, it is easy to adjust and understand any firewall

To my current install I have only made NetBios block and the Windows services block already mentioned by Diver. And some others are done implicitly by Comodo's final block all rule.
My interest in tweaking Comodo's network rules is diminished by not being able to name the rules and not being able to turn them on/off. I think Diver has also been strugling with this Comodo shortcoming with his portable PC, what I think I understood from his words.

Jarmo

 

your post at comodo's forum was very usefull Jarmo:

simple perhaps,but fundamental.

As to what you mention about BlitzenZeus rules about 2.1.5, i did the same, adapting a French security expert version similar to BZ's at first to 2.1.5 and then to Sygate Pro (i could because it had unlimited rules against the 20 limit for the Free version-your sygate site very helpfull) but now, using either Jetico or Comodo, it is less feasible.

 

Hi Jarmo:

I will go over there and look at your image! I think I'm registered there as I can post. Anyway let me go there and see!

I'm wondering if these shortcomings you guys see in CFW 2.4 are being picked up in V3. It would be a shame if they weren't.

Where does CFW get their $ from since CFW is free?( not my reason for testing/learning with it) I'm guessing from Corporate business and certification work but I don't know (yet)

 

.....,but the first rule in Miscellaneous
is it not giving you any delay in connecting to your provider?
I didnt try that yet,but perhaps it stops cold any attempt to connect via DHCP,DNSs etc.?

I tried it it seems to make no difference at all! So I'm putting it back!

 

Very well then ,Escalader, it must be CPF stops only Applications out at boot.

 

First let me apologize for this long post. It is not mine but drawn from the tutorials from the CFW forum. The author gets all the credit and I hope it adds to the knowledge we are building here on this FW. It expands out the role of the advanced security analysis monitor.

I am copying the last section as it documents what had been discussed about the order of rule dominance for incoming and outgoing packets.

" Re: Tutorials - CFP's Monitors/Rules
« Reply #14 on: February 06, 2007, 05:24:06 PM »
Explanation of CFP's layered rules. By Little Mac

The flow of traffic thru these layers of security can briefly be described as follows:

Incoming Connections

1- Network monitor applies filtering; if successful it passes to application monitor
2- Application monitor checks the target application, if allowed it passes to
3- Advanced security analysis monitor

if these 3 steps are passed, application receives the connection.

Outgoing connections

The order changes :

1- Application monitor
2- Advanced security monitor
3- Network monitor

Re: Tutorials - CFP's Monitors/Rules
« Reply #14 on: February 06, 2007, 05:24:06 PM »

Explanation of CFP's layered rules. By Little Mac

Comodo’s firewall has a layered rules approach to security, which has a tendency to cause confusion with users unfamiliar to this approach. Network Rules are new to many people, as most firewalls don't seem to have separate rules. If an application is allowed, it's allowed, period. Turns out, most firewalls have a much lower level of security than CPF.

Here's a little explanation of how CPF rules work:

Everything communicates in the context of the Network Rules. The Network Rules filter from the top down; if traffic is not explicitly allowed In or Out, it will be stopped by the bottom block rule (meaning, there has to be a rule prior to the bottom block rule, that specifically addresses the type of traffic, in order for it to be allowed). On the inverse side, traffic is blocked either explicitly or implicitly (meaning, a "block" rule will specifically mention a type of traffic - explicit, or it will be blocked because it hasn't been specifically allowed - implicit).

Example: Let's say you do not have a Net Rule to allow IGMP (multicast) protocol traffic (this is true with the default rules). Windows Messenger tries to use IGMP to access the net. CPF filters through the rules, but cannot find IGMP explicitly allowed; thus, it is implicitly blocked by the "Block Any" rule at the bottom. Let's say you wanted to easily identify IGMP traffic, so you create a Block & Log IGMP rule above the bottom rule. Now CPF will explicitly block IGMP traffic.

This brings us to the next area - Application Rules. The Application Monitor contains Applications which are allowed (or blocked) from connecting. Even if we allow an Application to connect, it does so within the context of the Network Rules. So, to use our Messenger example from above, we may allow Messenger within the App Monitor. Then, it tries to use IGMP protocol, which is not allowed by our Network Rules. The connection will be blocked. Even tho Messenger is allowed, IGMP is not. Another aspect of the App Rules is that Comodo allows you to identify a "Parent" application; such as your browser using explorer.exe as its Parent; kind of like your browser using another core application to actually connect with. Thus, you may need multiple rules for one application. For example, Firefox (as a browser) may have a rule with firefox.exe as both Application and Parent; it may have a second rule with firefox.exe as the App and explorer.exe as the Parent. If you click a link within your email, the email client will become the Parent to the browser.

Next we have Application Behavior Analysis. This can be found under Security/Advanced, and is also known as ABA (gotta love those initials...). This module monitors various types of activities that are carried out somewhat "behind the scenes" by applications, and in some cases, their components. A number of these activities will create alerts only if both applications are not in the encrypted Safelist (provided the user has the Safelist enabled, which it is by default). These (such as the COM/OLE Automation) are perfectly normal, and occur because of the way applications communicate internally. While considered safe if both applications are known to the user, CFP does not differentiate (aside from the Safelist) between good or bad applications (ie, malware), and these types of activities may be exploited by malware in an attempt to access the internet. Thus, if both applications are known, it is considered safe to Allow; if either (or both) are not known, further investigation may be required. If you Deny or Allow without checking "Remember" the response is set for that session only; if Remember is checked, a rule will be created. Generally after a single Deny (this will result in the connected application, such as your browser, to be denied internet access), closing and reopening one or both applications will suffice to restore connectivity; in some cases a reboot is more effective.

Final area - Component Monitor. Component Monitor loads all "components" - .dll and .api files, etc that are used by an Application, and verifies their authenticity and relationship to the application. These components are not what is connecting to the net; when they are marked as "allowed" it is so that the application can use them as it connects to the net. Sometimes these components are shared resources between different applications. If an application updates, it may cause this "library" of components to change, and cause a popup alert (whereby you can view and approve these components directly). It is generally considered best to leave the Component Monitor set to Learn after install, for several weeks; or until the majority (if not all) internet-connecting programs have been run with available modules/plugins, etc, so that popups are minimized. Once it has been set to "On" popups will be generated for each new/changed component.

Application Behavior Analysis and Component Monitor combined form the Advanced Security Analysis Monitor, which is truly the final state in our filtering/layering scenario. The flow of traffic thru these layers of security can briefly be described as follows:

- Incoming Connections

1- Network monitor applies filtering; if successful it passes to application monitor
2- Application monitor checks the target application, if allowed it passes to
3- Advanced security analysis monitor

if these 3 steps are passed, application receives the connection.

- Outgoing connections

The order changes :

1- Application monitor
2- Advanced security monitor
3- Network monitor"

 

Well, it happened again. This time I did not have PG free installed but Prevx 2.0, (that can be had free today for a year by following instructions from this link:
https://www.wilderssecurity.com/showthread.php?t=179307 ).

I ran Comodo with very high level of alert setting. And it somehow changed my Firefox rules to having no parent. Those should have had Sandboxie's Start.exe as a parent. OK, I went to edit one (1) rule to have Start.exe as a parent and then all my firefox rules had Start.exe as a parent
I have now absolutely no trust in Comodo's app rules from not getting corrupted, has happened 3 times already to me. Only hope that things will be better with 3.x version. My system did not experience any stability problem like freezing, rebooting itself, all was just fine. Rules just changed itself.

It takes time and patience to build good rules. But I give up. Even once when this type of thing happens is too much and as there is only some script to backup rules, no way. It could be also some conflict with Sandboxie for all I know.

 

Jarmo P:

I wish I had something constructive to say. All it would be is a bunch of standard suggestions you have no doubt already tried many times.

Maybe Stem will respond when he returns to the thread.

You seem to have changed security software today but I have no idea if that is the cause of your problem.

I'm still learning how to make and modify rules in CFW so as to why yours would alter on their own . You didn't do it so some program did as that is the only other way it could happen, which one did it. The brute force method is to remove programs 1 by 1 and see if you can isolate the culprit... other than that... Stem? another poster ask in the CFW forum?

 

Thx for the reply Escalader. It is a mystery. You have maybe noticed that if you generalize an app rule, like allow all the ports intead a single one, it affects all the rules concerned. I saw very clear what happened and should not have. Edited one rule's firefox's parent and the rules were treated as some group. All other rules' parents were changed too.
Plus what happened in the first place, rules loosing their parent.

It is a bug in Comodo. What is shown by just looking at the firefox rules is not all there is. There is some group thing that goes sometimes amiss I am sure about that now.

If Sandboxie does have something to do I don't know. Sandboxie is for me much much more important application than Comodo's firefox outbound control. I allow now all ip's and ports for firefox out. I am too pissed off to try to make those rules better again only to loose them again.

EDIT
Loosing the made app rules does not make yourself vulnerable. You just notice it when Comodo starts ask again for connections that should have a rule made already. In case this happens to anyone else but me.

 

Continuing my odyssey with Comodo's tighter rules.

Decided to use IP ranges = zones in Comodo jargon.
Here are examples of svchost.exe rules and Thunderbirdie email client's.

Localhost = 127.0.0.1
DNS is a 3 ip range that contains my 2 ISP DNS servers.
DHCP is isp dhcp server.
Broadcast = 255.255.255.255
POP3 is my isp mail pop3 and smtp server.
NNTP is news server.

Notice that those people who want to restrict network rules can do that using these zones too. It is just that if you make such tight rules in network monitor with only allowing those only and if those isp servers change, you will only see that something is not working and get no application prompts to allow other. So something is not working and you are in the blind what to do. If you know that this can happen, then it is ok. You can then change the network rules you made. But if you don't know that, then you are in trouble.

For me the goal is to build such rules that my firewall does not alert me no more and same time have the rules as restrictive as possible. Then every new prompt is something that needs a closer examination. Why it happened? Is something missing? Is it a baddie? Not to block in blind but to see what maybe needs to be allowed more or not.

Jarmo

EDIT
and addendum corrected information to the picture attachement. I was thinking why I originally added in the first place those localhost 127.0.0.1 incoming TCP and UDP rules to svchost.exe? It was just to restrict all to loopback address. So I deleted them!
And then got a prompt from Comodo that I blocked. The new rule is: 0.0.0.0, 135, TCP in, Block. If no ill effects it is tighter than in the pic I posted below.
Also you should allow UDP 123 in to your computer. It is for timeserver, though lately it has not been working so well, the default time server I mean. But my other deleted wrong localhost rule in the pic is for that. So something like: Any, 123, UDP in, Allow.

 

Here is a strange one, the other day I found as you did my rules in applications getting altered by the techie gods. Seemed to be centered on FF.

Today FF updated it's no script and the rules have rationalized themselves in CFW with a little help from me. I can now put 127.0.0.1 back. Before this rule wouldn't "take".

I have also moved from IE 6 to IE 7 having waited long enough, but haven't tried to create a 127 rule for IE 7. The one for IE 6 having disappeared!

This rant is not a question just a rant.

IMDO I suspect we are dealing with a buggy 2.4 product.

 

Hello Escalader,

First: "Block all outgoing connections while booting". Please look at wording "connections" this is TCP. From earlier (builds) checks, comodo will not block outbound UDP on boot. (so DHCPboot is OK). I do need to check further, as I cannot account for outbound raw UDP via com/services by comodo~agent (normally seen as local port 1025/1026 outbound).

The re-ordering (combining) of rules, well, yes, I have never liked this, as in earlier versions/bulds, blocking rules where "auto" placed below allow rules (with no way to re-order), so no way (at that time) to block an IP for specific application.

 

Hi Stem:

I have the block while boot on see attached jpg.

So, I'm not sure what else to do on that! That attempted IP connect I PM's you about I traced to FF!

I have removed all the email port rules I put in to the applications rules to try to simulate ZA Pro's set all applications to no send email except MS Outlook.
My ISP only allows ports 110 and 587 so how would you do that email restraint?

 

Going back to your previous post Escalader,i think that it is normal that IE6 rules disappeared when you installed IE7,which lasted only a week on my pc as it provoked all sorts of troubles.

I'm posting because,following the attempted creation of an Acronis Image which didnt go well while in windows(hence connected), i found myself too among the Lost Comodo Rules Herd wandering in the Web in company with Escalader and Jarmo.
I was using CPF with highest Level of Alerts
Application Behaviour temporarily completely OFF

After a BSOD ,some cleanup and repeated reboots i have a look at the Applications Monitor and i can see only 1/5th of the previous rules......
I notice superantispyware update rules are missing,so i just tried to make an update to see if rules would stick or not.....made the update,BUT the allowed rules wont stick and remain anymore.......
Whats worse i noticed that now there is a final rule which allows EVERYTHING .........no info at all......
i think it comes from comodo and not from any hacker or rootkit...
i lowered the Alert Level to just High (it had worked fine like this before)
and removed the Unknown rule ,but it keeps coming back.....
I'll try now to lower the Alert Level to Low to see what happens...
otherwise i think i'll have to reinstall the darn thing...

This is a pick of the Application Monitor:



It is on 'Ask' in the Invisible because i had changed it from Allow into Ask,just trying to see if it would be modified.

 

Hi Poirot.
I have never seen a rule like yours that is highlighted. For me it was nothing as drastic as that. Only lost my "hard worked" app rules a few times. Not all, like I mentioned latest complain it was only Firefox rules last time. Before that it was much more rules though. And I was then alerted to if I should allow FF out. I did not felt like I lost protection, not that.
The network rules remained intact and working.
I have never experienced BSOD running my computer with CPF.

I also run Antivir same as you as my AV.

An answer to Escalader, IE7 in my computer does not need localhost, 127.0.0.1 access.

To you both and who ever reads this thread!
It has been a few times that windows security center has popped out and told I have no protection. I have not mentioned this before in any thread. And when I double clicked Comodo icon, all was red, meaning no protection. But I did pass Shields Up! port scan never the same. Last time it happened was when I had installed Prevx 2 and after a while.
Since then I have not had such bad experience and seems my current security setup with Avira, Prevx2, Sandboxie works just fine.
But I have seen Comodo netmon and appmon turned red a few times even before that incident!

It is alarming since I don't have a router to see CPF all red and windows security center telling me I am not protected. Even if that thing is mostly a placebo.

For me all I can say is that Comodo loosing application monitor rules has happened. With a very stable system. That has not ever had installed any other firewall except Comodo.

Jarmo

 

You never saw it,Jarmo,and neither did i,which makes me a bit uneasy,but,considering that even if CPF fails i can count on the router and i was not alerted by my other programs about anything unusual i can assume it is a VERY STRANGE rule which CPF decided to unleash on my Application Monitor......not considering the 80% of the other missing rules.
I think i will report this in the Comodo forum as well,perhaps someone else there SAW it.
What i gather is CPF 2.4 cannot sustain repeated changes in config.
If you stop Application Behaviour whenever you got to install or make an Image and/or you change Alert Levels you are prone to instability in the Applications department so that if you suffer a BSOD of sorts you risk loosing some of the rules....
I remember now that when it happened i wasnt even connected as i was Creating a second Acronis Image with my ethernet cable plugged off,
so my non-scientific explanation is that Rules in Application Monitor were already in a non stable situation and waiting for an excuse to disappear away....

Really without explanation,apart a NOW confirmed buggy 'lightness' and proneness to instability imho IF not used with lower Alerts and little changes.

I had begun with CPF to have a look at it with a view to installing in place of Sygate in my cousin pc-i was personally happy with Jetico 1.0-but had left it running out of curiosity and bcz it was behaving rather well...
with no theoric difficulties....
now i understand why Version 3 is underway.

 

poirot, Jarmo P, Stem et al"

Thanks to you all, I think we are testing CFW 2.4 and finding weird things.

I agree with the idea that V 3 needs to come out. BUT we have no promise it will work better do we.

Earlier the CFW user forum was told all their developers were on V3 not 2.4 support. But I think it is a good idea for you to post this stuff over there.

I think it was an error for me to go over to IE 7 in the middle of this Optimize Security in CFW 2.4 since that change is pretty fundamental to any PC.

I have attached the last screen of my application rules for your comments. Fire away... I feel no paternity for these rules or the software.

Right now I'm reviewing the stability of my blocked sites in translation by CFW vs what is found in DNS stuff AND what you get ip wise when you reenter the sites! I think some should have changed and CFW didn't do it automatically?

More later