Comodo Project Experimental Configuration All Welcome

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Starting a project to refine Comodo, but it will take some time. I first got this thought tonight looking at the Firewall rules, and I was having success finding information on ip ranges and then creating rules for applications. This has long been something I have wanted to do, but I then moved forward a little bit, creating ask rules for all of what Comodo defines Temp files and then also for the File Group Windows Sockets. Just simple ask rules, but I started to get that feeling about the config where I wanted more:emoji_sob::unsure:. Only difference this time is I felt for the first time that I can do this, especially starting with the Firewall rules. I think it's going to easily be the best place to start for me.

Hope is to build a default scheme down the road that anyone can use. So to get everyone warmed up, I went looking around and quickly found a list of all executable files. I don't think this is by any means all of them, but I am not 100% satisfied with Comodo's list of executables. That said, I'm not worried, because the strength of Comodo is really in the Container and generally in the default deny concept. However, I do sense that there could be some interesting revelations down the line as the fairies are dancing in my head for creating location rules, such as we see in Easy File Locker for protection of files and backups and then also possibly some new HIPs groups which could be associated with limited HIPs monitoring, meaning only some of the 16 HIPs categories put into action (i.e. interprocess memory access, Write to a Protected Zone, Process Execution, etc.).

OK, for laughs to start here is the list of executables I found:

Executable Files
Executable files contain code that is run when the file is opened. Windows programs, Mac OS X applications, scripts, and macros are all considered executable files. Since these file types run code when opened, unknown executable files, such as those received as e-mail attachements, should not be opened.
Common executable file extensions include .EXE, .APP, .VB, and .SCR.

File ExtensionFile TypePopularity
.0XEF-Secure Renamed Virus File170
.73KTI-73 Application171
.89KTI-89 Application190
.8CKTI-84 Plus C Silver Edition Application File135
.A6PAuthorware 6 Program162
.A7RAuthorware 7 Runtime File189
.ACAutoconf Script183
.ACCGEM Accessory File250
.ACRACRobot Script220
.ACTCAction(s) Collection File175
.ACTIONAutomator Action209
.ACTMAutoCAD Action Macro File271
.AHKAutoHotkey Script191
.AIRAdobe AIR Installation Package193
.APKAndroid Package File167
.APPmacOS Application196
.APPFoxPro Generated Application272
.APPSymbian OS Application284
.APPLESCRIPTAppleScript File223
.ARSCRIPTArtRage Script400
.ASBAlphacam Stone VB Macro File350
.AZW2Kindle Active Content App File267
.BA_Renamed BAT File233
.BATDOS Batch File202
.BEAMCompiled Erlang File325
.BINUnix Executable File181
.BINGeneric Binary Executable File189
.BTM4DOS Batch File400
.CACTIONAutomator Converter Action157
.CELCelestia Script File275
.CELXCelestia Script208
.CGICommon Gateway Interface Script190
.CMDWindows Command File179
.COFMPLAB COFF File210
.COFFEECoffeeScript JavaScript File209
.COMDOS Command File209
.COMMANDTerminal Command File200
.CSHC Shell Script275
.CYWRbot.CYW Worm File200
.DEKEavesdropper Batch File233
.DLDEdLog Compiled Program229
.DMCMedical Manager Script400
.DSTWAIN Data Source271
.DXLRational DOORS Script400
.E_ERenamed EXE File267
.EARJava Enterprise Archive File219
.EBMEXTRA! Basic Macro229
.EBSE-Run 1.x Script200
.EBS2E-Run 2.0 Script File177
.ECFSageCRM Component File223
.EHAMExtraHAM Executable File356
.ELFNintendo Wii Game File188
.EPKLG Firmware Package233
.ESSageCRM Script File400
.ESHExtended Shell Batch File300
.EX4MetaTrader 4 Program File222
.EX5MetaTrader 5 Program File250
.EX_Compressed Executable File221
.EX_Renamed Windows Executable File194
.EXEWindows Executable File173
.EXEPortableApps.com Application223
.EXE1Renamed EXE File225
.EXOPCExoPC Application400
.EZSEZ-R Stats Batch Script300
.EZTEZT Malicious Worm File375
.FASCompiled Fast-Load AutoLISP File227
.FASQuickSilver Fast Save Lisp File267
.FKYFoxPro Macro267
.FPIFPS Creator Intelligence Script233
.FRSFlash Renamer Script200
.FXPFoxPro Compiled Program170
.GADGETWindows Gadget206
.GPEGP2X Video Game217
.GPUGP2X Utility Program200
.GSGeosoft Script271
.HAMHAM Executable File500
.HMSHostMonitor Script File200
.HPFHP9100A Program File500
.HTAHTML Application233
.ICDSafeDisc Encrypted Program191
.IIMiMacro Macro File237
.IPAiOS Application177
.IPFSMS Installer Script350
.ISUInstallShield Uninstaller Script215
.ITAVTech InnoTab Application File400
.JARJava Archive File173
.JSJScript Executable Script229
.JSEJScript Encoded File350
.JSFJava Script Command File226
.JSXExtendScript Script File173
.KIXKiXtart Script File283
.KSHUnix Korn Shell Script360
.KXKiXtart Tokenized Script File325
.LOInterleaf Compiled Lisp File300
.LSLightWave LScript File300
.M3GMobile 3D Graphics Program169
.MACApplication Macro File300
.MAMMicrosoft Access Macro333
.MCR3ds Max Macroscript File193
.MCRTecplot Macro209
.MELMaya Embedded Language File240
.MEMMacro Editor Macro333
.MIOMioEngine Application File350
.MLXMATLAB Live Script233
.MMNeXtMidas Macro File242
.MPXFoxPro Compiled Menu Program225
.MRCmIRC Script File233
.MRPMobile Application File218
.MS3ds Max Script File333
.MSMaxwell Script217
.MSLMagick Scripting Language File200
.MXEMacro Express Playable Macro260
.NNeko Bytecode File256
.NCLNirCmd Script File400
.NEXEChrome Native Client Executable240
.OREOre Executable File400
.OSXPowerPC Executable File267
.OTMOutlook Macro File300
.OUTCompiled Executable File194
.PAFPortable Application Installer File247
.PAF.EXEPortableApps.com Program File208
.PEXProBoard Executable File300
.PHARPHP Archive212
.PIFProgram Information File253
.PLSCMessenger Plus! Live Script File194
.PLXPerl Executable File267
.PRCPalm Resource Code File300
.PRGProgram File231
.PRGGEM Application267
.PS1Windows PowerShell Cmdlet File242
.PVDInstalit Script500
.PWCPictureTaker File200
.PYCPython Compiled File226
.PYOPython Optimized Code229
.QITQIT Trojan Horse File250
.QPXFoxPro Compiled Query Program400
.RBFLEGO MINDSTORMS EV3 Robot Brick File267
.RBXRembo-C Compiled Script290
.RFURemote Firmware Update200
.RGSRegistry Script225
.ROXActuate Report Object Executable File333
.RPJReal Pac Batch Job File233
.RUNLinux Executable File167
.RXELego Mindstorms NXT Executable Program213
.S2ASEAL2 Application300
.SBSSPSS Script325
.SCAScala Script File300
.SCARSCAR Script175
.SCBScala Published Script214
.SCPTAppleScript Script File275
.SCPTDAppleScript Script Bundle200
.SCRScript File185
.SCRIPTGeneric Script File233
.SCTWindows Scriptlet280
.SEEDLinux Preseed File200
.SERVERMySQL Server Script400
.SHBWindows Document Shortcut340
.SMMAmi Pro Macro433
.SPRFoxPro Generated Screen File260
.TCPTally Compiled Program File211
.THMThermwood Macro File283
.TIAPPTiTanium App280
.TMSTelemate Script300
.U3PU3 Smart Application220
.UDFExcel User Defined Function322
.UPXUltimate Packer for eXecutables File333
.VBEVBScript Encoded Script File292
.VBSVBScript File235
.VBSCRIPTVisual Basic Script300
.VDOHeathen Virus File300
.VEXEVirus Executable File200
.VLXCompiled AutoLISP File183
.VPMVox Proxy Macro File233
.VXPMobile Application File202
.WCMWordPerfect Macro175
.WIDGETMicrosoft Windows Mobile Widget209
.WIDGETYahoo! Widget169
.WIZMicrosoft Wizard File267
.WORKFLOWAutomator Workflow167
.WPKWordPerfect Macro500
.WPMWordPerfect Macro File300
.WSWindows Script240
.WSFWindows Script File282
.WSHWindows Script Host Settings229
.X86Linux Executable File267
.XAPSilverlight Application Package178
.XBAPXAML Browser Application File167
.XLMExcel Macro119
.XQTSuperCalc Macro File250
.XYSXYplorer Script File300
.ZL9ZoneAlarm Quarantined EXE File189

A few pop into my mind that I don't see here, and those would be .msi, .mui, and .msc. Not sure about things like .cpl and .mmc.

So that's it. If anyone would like to chime in with anything here anytime, please do. I have started a new config I am calling Experimental Proactive. I saved my current state and then imported it by the name for the new profile. As of now, I am using that profile, but I can go back if necessary. If I can make good enough progress, I will then turn to coming up with some nice default rules. That will be a big challenge, so I'll probably have to go back to a brand new OS image and Comodo firewall installation to do this, so there won't be ANY clutter...just great rules.

Welcome any and all contributors. This may take months, maybe over a year, but I will try to keep good logs in Evernote and then pass them here from time to time...(y):emoji_v::emoji_fingers_crossed::emoji_fist::emoji_pray:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
You can look at the extensions implemented in Run By SmartScreen:
ACCDA, ACCDE, ACCDR, ACCDT, ACM, AD, ADE, ADN, ADP, AIR, APP, APPLICATION, APPREF-MS, ARC, ASA, ASP, ASPX, ASX, AX, BAS, BAT, BZ, BZ2, CAB, CDB, CER, CFG, CHI, CHM, CLA, CLASS, CLB, CMD, CNT, CNV, COM, COMMAND, CPL, CPX, CRAZY, CRT, CRX, CSH, CSV, DB, DCR, DER, DESKLINK, DESKTOP, DIAGCAB, DIF, DIR, DLL, DMG, DOCB, DOCM, DOT, DOTM, DOTX, DQY, DRV, EXE, FON, FXP, GADGET, GLK, GRP, GZ, HEX, HLP, HPJ, HQX, HTA, HTC, HTM, HTT, IE, IME, INF, INI, INS, IQY, ISP, ITS, JAR, JNLP, JOB, JS, JSE, KSH, LACCDB, LDB, LIBRARY-MS, LOCAL, LZH, MAD, MAF, MAG, MAM, MANIFEST, MAPIMAIL, MAQ, MAR, MAS, MAT, MAU, MAV, MAW, MAY, MCF, MDA, MDB, MDE, MDF, MDN, MDT, MDW, MDZ, MHT, MHTML, MMC, MOF, MSC, MSH, MSH1, MSH1XML, MSH2, MSH2XML, MSHXML, MSI, MSP, MST, MSU, MUI, MYDOCS, NLS, NSH, OCX, ODS, OPS, OQY, OSD, PCD, PERL, PI, PIF, PKG, PL, PLG, POT, POTM, POTX, PPAM, PPS, PPSM, PPSX, PPTM, PRF, PRG, PRINTEREXPORT, PRN, PS1, PS1XML, PS2, PS2XML, PSC1, PSC2, PSD1, PSDM1, PST, PSTREG, PXD, PY, PY3, PYC, PYD, PYDE, PYI, PYO, PYP, PYT, PYW, PYWZ, PYX, PYZ, PYZW, RB, REG, RPY, RQY, RTF, SCT, SEA, SEARCH-MS, SEARCHCONNECTOR-MS, SETTINGCONTENT-MS, SHB, SHS, SIT, SLDM, SLDX, SLK, SPL, STM, SWF, SYS, TAR, TAZ, TERM, TERMINAL, TGZ, THEME, TLB, TMP, TOOL, TSP, URL, VB, VBE, VBP, VBS, VSMACROS, VSS, VST, VSW, VXD, WAS, WBK, WEBLOC, WEBPNP, WEBSITE, WS, WSC, WSF, WSH, XBAP, XLA, XLAM, XLB, XLC, XLD, XLL, XLM, XLSB, XLSM, XLT, XLTM, XLTX, XLW, XML, XNK, XPI, XPS, Z, ZFSENDTOTARGET, ZLO, ZOO

The above list is based on SRP, Outlook Web Access, Gmail, and Adobe Acrobat Reader file extension blacklists.(y)
 

Decopi

Level 8
Verified
Oct 29, 2017
361
... interesting project, good job @AtlBo , I will follow your progress in this post...

IMHO, Comodo FF with default settings add almost nothing. But in the other hand, Comodo FF is great and sometimes unbeatable, if default settings are tweaked / not applied.
So, I just wonder why Comodo is not doing something similar to what you are doing in this project, as well as always I wondered why Comodo never used or (at least) promoted CS' settings.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,542
...

Executable Files
Executable files contain code that is run when the file is opened. Windows programs, Mac OS X applications, scripts, and macros are all considered executable files. Since these file types run code when opened, unknown executable files, such as those received as e-mail attachements, should not be opened.
Common executable file extensions include .EXE, .APP, .VB, and .SCR.

File ExtensionFile TypePopularity
.0XEF-Secure Renamed Virus File170
.73KTI-73 Application171
.89KTI-89 Application190
.8CKTI-84 Plus C Silver Edition Application File135
.A6PAuthorware 6 Program162
.A7RAuthorware 7 Runtime File189
.ACAutoconf Script183
.ACCGEM Accessory File250
.ACRACRobot Script220
.ACTCAction(s) Collection File175
.ACTIONAutomator Action209
.ACTMAutoCAD Action Macro File271
.AHKAutoHotkey Script191
.AIRAdobe AIR Installation Package193
.APKAndroid Package File167
.APPmacOS Application196
.APPFoxPro Generated Application272
.APPSymbian OS Application284
.APPLESCRIPTAppleScript File223
.ARSCRIPTArtRage Script400
.ASBAlphacam Stone VB Macro File350
.AZW2Kindle Active Content App File267
.BA_Renamed BAT File233
.BATDOS Batch File202
.BEAMCompiled Erlang File325
.BINUnix Executable File181
.BINGeneric Binary Executable File189
.BTM4DOS Batch File400
.CACTIONAutomator Converter Action157
.CELCelestia Script File275
.CELXCelestia Script208
.CGICommon Gateway Interface Script190
.CMDWindows Command File179
.COFMPLAB COFF File210
.COFFEECoffeeScript JavaScript File209
.COMDOS Command File209
.COMMANDTerminal Command File200
.CSHC Shell Script275
.CYWRbot.CYW Worm File200
.DEKEavesdropper Batch File233
.DLDEdLog Compiled Program229
.DMCMedical Manager Script400
.DSTWAIN Data Source271
.DXLRational DOORS Script400
.E_ERenamed EXE File267
.EARJava Enterprise Archive File219
.EBMEXTRA! Basic Macro229
.EBSE-Run 1.x Script200
.EBS2E-Run 2.0 Script File177
.ECFSageCRM Component File223
.EHAMExtraHAM Executable File356
.ELFNintendo Wii Game File188
.EPKLG Firmware Package233
.ESSageCRM Script File400
.ESHExtended Shell Batch File300
.EX4MetaTrader 4 Program File222
.EX5MetaTrader 5 Program File250
.EX_Compressed Executable File221
.EX_Renamed Windows Executable File194
.EXEWindows Executable File173
.EXEPortableApps.com Application223
.EXE1Renamed EXE File225
.EXOPCExoPC Application400
.EZSEZ-R Stats Batch Script300
.EZTEZT Malicious Worm File375
.FASCompiled Fast-Load AutoLISP File227
.FASQuickSilver Fast Save Lisp File267
.FKYFoxPro Macro267
.FPIFPS Creator Intelligence Script233
.FRSFlash Renamer Script200
.FXPFoxPro Compiled Program170
.GADGETWindows Gadget206
.GPEGP2X Video Game217
.GPUGP2X Utility Program200
.GSGeosoft Script271
.HAMHAM Executable File500
.HMSHostMonitor Script File200
.HPFHP9100A Program File500
.HTAHTML Application233
.ICDSafeDisc Encrypted Program191
.IIMiMacro Macro File237
.IPAiOS Application177
.IPFSMS Installer Script350
.ISUInstallShield Uninstaller Script215
.ITAVTech InnoTab Application File400
.JARJava Archive File173
.JSJScript Executable Script229
.JSEJScript Encoded File350
.JSFJava Script Command File226
.JSXExtendScript Script File173
.KIXKiXtart Script File283
.KSHUnix Korn Shell Script360
.KXKiXtart Tokenized Script File325
.LOInterleaf Compiled Lisp File300
.LSLightWave LScript File300
.M3GMobile 3D Graphics Program169
.MACApplication Macro File300
.MAMMicrosoft Access Macro333
.MCR3ds Max Macroscript File193
.MCRTecplot Macro209
.MELMaya Embedded Language File240
.MEMMacro Editor Macro333
.MIOMioEngine Application File350
.MLXMATLAB Live Script233
.MMNeXtMidas Macro File242
.MPXFoxPro Compiled Menu Program225
.MRCmIRC Script File233
.MRPMobile Application File218
.MS3ds Max Script File333
.MSMaxwell Script217
.MSLMagick Scripting Language File200
.MXEMacro Express Playable Macro260
.NNeko Bytecode File256
.NCLNirCmd Script File400
.NEXEChrome Native Client Executable240
.OREOre Executable File400
.OSXPowerPC Executable File267
.OTMOutlook Macro File300
.OUTCompiled Executable File194
.PAFPortable Application Installer File247
.PAF.EXEPortableApps.com Program File208
.PEXProBoard Executable File300
.PHARPHP Archive212
.PIFProgram Information File253
.PLSCMessenger Plus! Live Script File194
.PLXPerl Executable File267
.PRCPalm Resource Code File300
.PRGProgram File231
.PRGGEM Application267
.PS1Windows PowerShell Cmdlet File242
.PVDInstalit Script500
.PWCPictureTaker File200
.PYCPython Compiled File226
.PYOPython Optimized Code229
.QITQIT Trojan Horse File250
.QPXFoxPro Compiled Query Program400
.RBFLEGO MINDSTORMS EV3 Robot Brick File267
.RBXRembo-C Compiled Script290
.RFURemote Firmware Update200
.RGSRegistry Script225
.ROXActuate Report Object Executable File333
.RPJReal Pac Batch Job File233
.RUNLinux Executable File167
.RXELego Mindstorms NXT Executable Program213
.S2ASEAL2 Application300
.SBSSPSS Script325
.SCAScala Script File300
.SCARSCAR Script175
.SCBScala Published Script214
.SCPTAppleScript Script File275
.SCPTDAppleScript Script Bundle200
.SCRScript File185
.SCRIPTGeneric Script File233
.SCTWindows Scriptlet280
.SEEDLinux Preseed File200
.SERVERMySQL Server Script400
.SHBWindows Document Shortcut340
.SMMAmi Pro Macro433
.SPRFoxPro Generated Screen File260
.TCPTally Compiled Program File211
.THMThermwood Macro File283
.TIAPPTiTanium App280
.TMSTelemate Script300
.U3PU3 Smart Application220
.UDFExcel User Defined Function322
.UPXUltimate Packer for eXecutables File333
.VBEVBScript Encoded Script File292
.VBSVBScript File235
.VBSCRIPTVisual Basic Script300
.VDOHeathen Virus File300
.VEXEVirus Executable File200
.VLXCompiled AutoLISP File183
.VPMVox Proxy Macro File233
.VXPMobile Application File202
.WCMWordPerfect Macro175
.WIDGETMicrosoft Windows Mobile Widget209
.WIDGETYahoo! Widget169
.WIZMicrosoft Wizard File267
.WORKFLOWAutomator Workflow167
.WPKWordPerfect Macro500
.WPMWordPerfect Macro File300
.WSWindows Script240
.WSFWindows Script File282
.WSHWindows Script Host Settings229
.X86Linux Executable File267
.XAPSilverlight Application Package178
.XBAPXAML Browser Application File167
.XLMExcel Macro119
.XQTSuperCalc Macro File250
.XYSXYplorer Script File300
.ZL9ZoneAlarm Quarantined EXE File189
...
Such big file extension blacklists are useful when files are not blocked via command line with extension sponsor. Please check if the below two command lines are blocked in command prompt (hello.vbs present on the Desktop):
wscript
wscript %userprofile%\desktop\hello.vbs

If you blocked in Comodo the .vbs extension and the first command line can be executed but not the second one, then such a big extension black list can be useful.
If so, then in the home environment it is safer to block also some extension sponsors like wscript.exe, cscript.exe, mshta.exe, etc.
The most useful for blocking via extension blacklist is SRP, because only Windows scripts (except PowerShell) and MSI files are blocked when using command lines with sponsors.
 
Last edited:

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
So, I just wonder why Comodo is not doing something similar to what you are doing in this project, as well as always I wondered why Comodo never used or (at least) promoted CS' settings.

You and me too Decopi lol...

The most useful for blocking via extension blacklist is SRP, because only Windows scripts (except PowerShell) and MSI files are blocked when using command lines with sponsors.

Thanks for the list @Andy Ful. I am thinking of possibly some special HIPs rules that will allow all but some of the monitored behaviors for say certain types of executables and location based.

Getting started last night I ran into trouble almost right away. I decided to take a look at the HIPs "Protected Objects" dialog, hoping to establish a firm link between that dialog and the HIPs monitored behavior protection for "Protected Files/Folders" (HIPs Settings->monitoring settings). I dropped a folder of files on a flash drive. Then I added a rule to Protected Objects->Protected Files to protect the contents of the folder (E:\Test Folder\*) and ran a cmd script to delete the contents. I had turned off the container, but the HIPs did not alert. I tried it a dozen times and then added the location to "Protected Data". So then I just ran the test again today, and it worked Hallelluya. I don't know, maybe it was settings lag or a need for a reboot for the setting to work? At any rate, I still don't know what Protected Objects->Protected Data is for. The good news is that deleting files is blocked with the HIPs "Protected Files/Folders" monitoring based rule activated (HIPs settings->monitoring settings (next to mode selection at top of settings)). What I read from Comodo help stated that the files become read only, but as per usual with Comodo help, there is no comprehensive list of what the protection does, so I wasn't sure it would block file deletes. Easy File Locker handles read only and delete separately, giving the user the choice to block deletes. It would have been a deal breaker for protecting files/locations with Comodo if the program did not block deletes with this HIPs setting. At any rate, I feel safer having the files protected this way, even remembering that I have played unsuccessfully with this before. Wonder if settings lag or need for a reboot got me then too...

Now I am considering setting up a HIPs rule for all executables or all applications to protect just with this one HIPs rule. Maybe I will need two or three rules for this, idk, because I have to think of the affects of global type rules such as "all executables" on the other protected areas, not just ones that I add. Could be I end up going through alert by alert to set up exceptions for a ton of actions of executable, not sure. That could be alot of work, but I think many aren't aware that Comodo HIPs helps users set up exceptions from alerts.

Here at first with HIPs, the idea is to create an Easy File Locker type of protection for backup drives and then decide from alerts which applications can have access to these "Protected Files". Again, there is the potential problem that the entire HIPs monitoring of "Protected Files/Folders" must be considered. It is defined in the Protected Objects area, but there is only the one way to protect a location from unwanted writes, meaning that any HIPs rule based on "Protected Files/Folders" monitoring that is then universal in scope will affect all the areas in the "Protected Objects" area, including the Comodo default areas. Can't just think of designing a rule for use with the one area I have added. Do I want to have every single executable alerting me for every one of the locations listed by Comodo (not just "Unrecognized")? I might try it and see how it works a little later today.

Maybe this can be rethought some, but I am not sure until I look over everything in "Protected Objects". Seems to me Comodo could make this simpler by making it possible to choose for, for example, "All executables" an option from within the new rule dialog for, say, "located in program folders" or "located in user areas". I have noticed this about Comodo HIPs rules. The containment rules have options but not so much so the HIPs ones.

I appreciate the responses and support. It might be a while before I get to setting up nice rules packages, but I am hoping I can really get somewhere this time. I'll definitely be looking for some ideas, but folder/drive protection is a great start for me at this point. Simple as adding the location/drive to the HIPs->Protected Objects->Protected Files area...:LOL:
 
Last edited:

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Steps forward and steps backward. First, a serious success. I read that log spam was a cause of high processor usage from cmdagent.exe. This is something that has caused me to have to reinstall Comodo several times, so I have always been interested in a solution. Not sure this will solve cmdagent.exe, but I have finally solved the riddle of log spam. It can be one of two things by a standard. They are:

1. Log spam from HIPs memory access blocks-Programs like Process Lasso and Cleanmem access memory of Comodo processes. Comodo blocks and logs every attempt. To see if you have this problem, look in the HIPs log. If you see in the logs a program that is attempting to access the memory of a Comodo process, here is the way to fix the problem:

Once you have located the name of the file that is spamming the HIPs log, write it down and also see what file it is accessing. There is actually more than one way to handle this, but, so far, the most common trigger for this is a process attempting to access memory of Comodo processes. All processes get flagged for this, not just "Unrecognized". For this example, there are 4 processes attempting to access cis.exe in short increments of time. This method would stop the log spam of the 4 processes for any of the processes listed in the second picture below contained under the header (File Group) Comodo Internet Security. So here are the pictures:

1. The group containing the file(s) being compromised by the 4 processes. In this case, the file(s) is/are found in the Comdo Internet Security HIPs rule:

Comodo FIX PL Log Spam.png


2. Clicking once on the entry "Comodo Internet Security", now we can click to edit the rule for this group:

Comodo FIX PL Log Spam (2).png


3. The Edit dialog pops up, and we navigate to "Protection Settings" to find the rule we must edit:

Comodo FIX PL Log Spam (3).png


4. In "Protection Settings" we locate the rule "Interprocess memory access"->Exclusions->Modify:

Comodo FIX PL Log Spam (4).jpg


5. Next choose Edit and the option for "File". Now navigate to the process that is attempting to access the memory of a Comodo process. Add this process to the list here:

Comodo FIX PL Log Spam (5).jpg


This should resolve HIPs spam. It can be any process on any other. You may even have to make a separate rule for both the file attempting to access and for the vulnerable application. More than likely, just for the file being accessed in its HIPs protection settings Exclusions for "Interprocess memory access". You will also need to make sure that the rule is set to Active from Inactive.

After locating which application is being accessed from the log, go to Settings->HIPs->HIPs Rules. Click on "Add" on the menu. Using the file option search for the executable for which the block is occurring. Make sure to activate "Interprocess memory access". Then add the name(s) of any and all processeds that are trying to access its memory. This will stop HIPs memory access rule log spam.

2. Firewall log spam-The key here is to look for "Windows Operating System" and/or svchost.exe in the log being the responsible application for the connection log spam. These are mostly blocks and many of them are on local or semi-local traffic (someone else's local). So the goal is to unblock all of the local ones. Once you know which IP ranges on the local network that each of your devices are registered to use, you can see which domain your devices occupy. Usually, it will be the range 192.168.1.1-192.168.1.255. However, if you are accessing a publc wi-fi in your place of residence, you many notice something along the lines of 192.168.***.***, where the star represents any number up to 255. All the third numbers should be the same.

As an example, if your computers are connecting using something like 192.168.148.*, then you will be using this IP range element in the firewall rules to get rid of the spam. In the above case, the range would be 192.168.148.1-192.168.148.255. Again, the range is usually going to be the standard 192.168.1.1-192.168.1.255 local range. At any rate, you will be looking to set a NEW allow rule for the application shown in the log to be causing the firewall log spam (responsible for the blocks usually). If the application is what Comodo calls "Windows operating system", looking at its log entries, we will be looking at the remote IPs to see if they are on the same local domain as your PC. These are the ones we want unblocked, not access from devices on other networks. So we can create an allow rule in this example for "Windows operating system" for the range containing our local domain to allow this traffic and end its block spams in the log. One more time, almost every time the range to use is 192.168.1.1-192.168.1.225. This will stop most log spam from "Windows operating system" or svchost.exe.

It's important that we, unfortunately, cannot find a way to create a rule for "Windows operating system". For svchost.exe, we can simply create a rule at the top of the firewall list, but "Windows operating system" does not exist anywhere in Comodo by those exact words, "Windows operating system". When creating a rule there is no option to select it as the subject of the rule. This has caused me untold grief over that last 5 years, along with how to deal with svchost.exe. Well, the good news is, that "Windows operating system" is not important, unless it is causing log spam. Also, although it is not available by name to choose as a process/file group for rule creation, we CAN get Comodo to create a firewall rule for us in every situation where we would care to do so. This is because the only time we will care to create a rule for "Windows operating system" is when it is spamming the firewall log. So, if it is doing so, what do we do?

OK, this is really not so bad and really quite simple. If I notice that the log events bar for the firewall is dominating the others, and I discover firewall log spamming from "Windows operating system", I would obviously like to resolve the dilemma with the spam. OK, so there is one important thing to note here. In the case of "Windows operating system", the entries are always going to be in the form of blocks. This is by design from Comodo. The only question then is whether there are too many. If so, because these are block events, we can look to "Unblock applications" on the widget to see if "Windows operating system" is there. Indeed, in every instance where a block appears in the firewall log for "Windows operating system", it will also appear in "Unblock applications". So, to create a rule that we can work with in the firewall area, all we have to do is find "Windows operating system" in "Unblock applications" and right click its entry to unblock its firewall block. Comodo does the rest, auto-creating an allow rule, even though there is no way to choose to create a rule for "Windows operating system" in Comodo (or at least that I have seen). This is great!

However, it's important to note and consider here that the unblock we issued when we unblocked "Windows operating system" or svchost.exe from "Unblock applications" means that we just allowed ALL inbound traffic for this process (not for the entire system) with a new Comodo created "unblock" rule. So, in above examples, what do we do to set up rules nicely to get all blocks but only allows for safe local?

OK, so here is how it's done. With the Comodo allow rule in place, create a new rule and make sure it is ABOVE the Comodo generate "unblock" rule for the application. Having found the range that you would like to allow, we set this new allow rule to allow for TCP and UDP and in. Then we set our IPv4 range below the rule title in the dialog. This is the range of safe IPs we determined to be our local network. OK the rule. Now, with your ranged allow rule in place above the "Unblock applications" rule for the application, we want to make sure now to go back and set the original rule to block. So, click on the original rule and open its Edit dialog. Set the rule to block TCP and UDP in and set it to log. Retitle the rule to match your choices for the rule, i.e. "svchost.exe (or "Windows operating system) Block and Log TCP/UDP In". OK the rule, and you should have the safest possible scenario. This is because you have the block rule in place as clearly Comodo felt was best. Obviously, it was Comodo's choice to firewall block the app in the first place via a firewall block. At any rate, you now have a simple way of allowing local or otherwise safe traffic into the system. You just create a single allow rule above the others any time for whatever IP needs access via the process, but the Comodo generated rule you turned into a block blocks all others. Here is how it will look after you are finished:

After Rules Creations.png


Note in the picture above that I have set one of the rules to log activity. This is not necessary and I wouldn't if it were leading to spam, of course. The important thing is that you are in control of the logging now. Also, you now have the added flexibility of being able to refine Comodo's choice to block "Windows operating system" or "svchost.exe". Don't know if "Windows operating system" affects Remote Desktop, but, if so, I could easily create a single allow rule for the single IP of each of the PCs I would like to use to connect via RDP.

One other not about the above. There are two ranges that I have allowed, because I park two machines next to each other that use connection sharing for one of them to connect to the internet. The PC using connection sharing uses a different local range to make its connections. It considers the server the machine from which it gets its connection...see here:

Connection Sharing rule.png


Again, recall this same thing can happen with svchost.exe or "Windows operating system". And just to reiterate, if you notice a firewall block in the "Unblock Applications" area (lock icon on the widget) for either of these two processes, go to the firewall log to see if the process (svchost.exe or Windows operating system) is creating spam there. If so, go back to "Unblock Applications" and unblock the application for the protections shown that are blocking this application. This will auto-create an allow rule for the application for all IPs. So our job is to refine this situation so that only safe IP ranges are allowed. Back to the firewall area, we must set the allow rule created by unblocking in "Unblock Applications" back to "block", because we don't want to allow all traffic in via "Windows operating system" or "svchost.exe, either one. Find the "Windows operating system" or svchost.exe rule (should be the newest rule at the top). Now click on the "+" left of the entry to expand its rule(s). Change the rule and its title to "block" and OK the rule. Now, still in the firewall rules area, create a new allow rule under the process. Add this rule just above this process' existing rule which you just edited to re-create the block Comodo had originally been making. Make this rule an allow rule for TCP and UDP and in and then set the range of safe IPs (v4) to be allowed. Usually, the spam are in blocks, so you may find that you can get what you want (eliminate log spam) by just allowing the safe ones of these. Now set the range of the rule to your local network. The bulk of the traffic will now be allowed safely, since it is your local traffic. All other traffic will remain blocked. For this to stop the spam, make sure this allow rule is the top rule under the process' rules.

Cure the log spam and you will be laughing with the angels about Comodo. Much if not most of the bugginess and clunkiness will disappear. Here is how a clean log without spam should appear:

Balanced Log.jpg


No one or two categories overwhelm the statistics in the lab. If we see one bar very high and the others very low, this can be a tell tale sign of log spam.

ONE NOTE: When leaving a menu in Comodo settings, make sure to use the button at the bottom of the form to exit the menu. Never use the x's. Rules will not be remembered if the x's are used to leave a menu. Think of a trip into the settings area as a session. During this session, we must use the "OK" button to leave a dialog in order for Comodo to remember the change being made. This means for all dialogs. So, we must back out of the settings area using the OK button. Even one use of an x on the way out will void all changes made. This is obviously important to learn with Comodo. Use an x to escape a settings menu after making a change->expect the change won't be made.

Hope this helps some. Still in the formulative stages of setting some things up.
 
Last edited:

mellowtones242

Level 2
Verified
Aug 11, 2018
95
Steps forward and steps backward. First, a serious success. I read that log spam was a cause of high processor usage from cmdagent.exe. This is something that has caused me to have to reinstall Comodo several times, so I have always been interested in a solution. Not sure this will solve cmdagent.exe, but I have finally solved the riddle of log spam. It can be one of two things by a standard. They are:

1. Log spam from HIPs memory access blocks-Programs like Process Lasso and Cleanmem access memory of Comodo processes. Comodo blocks and logs every attempt. To see if you have this problem, look in the HIPs log. If you see in the logs a program that is attempting to access the memory of a Comodo process, here is the way to fix the problem:

Once you have located the name of the file that is spamming the HIPs log, write it down and also see what file it is accessing. There is actually more than one way to handle this, but, so far, the most common trigger for this is a process attempting to access memory of Comodo processes. All processes get flagged for this, not just "Unrecognized". For this example, there are 4 processes attempting to access cis.exe in short increments of time. This method would stop the log spam of the 4 processes for any of the processes listed in the second picture below contained under the header (File Group) Comodo Internet Security. So here are the pictures:

1. The group containing the file(s) being compromised by the 4 processes. In this case, the file(s) is/are found in the Comdo Internet Security HIPs rule:

View attachment 224287

2. Clicking once on the entry "Comodo Internet Security", now we can click to edit the rule for this group:

View attachment 224283

3. The Edit dialog pops up, and we navigate to "Protection Settings" to find the rule we must edit:

View attachment 224288

4. In "Protection Settings" we locate the rule "Interprocess memory access"->Exclusions->Modify:

View attachment 224289

5. Next choose Edit and the option for "File". Now navigate to the process that is attempting to access the memory of a Comodo process. Add this process to the list here:

View attachment 224291

This should resolve HIPs spam. It can be any process on any other. You may even have to make a separate rule for both the file attempting to access and for the vulnerable application. More than likely, just for the file being accessed in its HIPs protection settings Exclusions for "Interprocess memory access". You will also need to make sure that the rule is set to Active from Inactive.

After locating which application is being accessed from the log, go to Settings->HIPs->HIPs Rules. Click on "Add" on the menu. Using the file option search for the executable for which the block is occurring. Make sure to activate "Interprocess memory access". Then add the name(s) of any and all processeds that are trying to access its memory. This will stop HIPs memory access rule log spam.

2. Firewall log spam-The key here is to look for "Windows Operating System" and/or svchost.exe in the log being the responsible application for the connection log spam. These are mostly blocks and many of them are on local or semi-local traffic (someone else's local). So the goal is to unblock all of the local ones. Once you know which IP ranges on the local network that each of your devices are registered to use, you can see which domain your devices occupy. Usually, it will be the range 192.168.1.1-192.168.1.255. However, if you are accessing a publc wi-fi in your place of residence, you many notice something along the lines of 192.168.***.***, where the star represents any number up to 255. All the third numbers should be the same.

As an example, if your computers are connecting using something like 192.168.148.*. You will be using the IP range element in the firewall rules to get rid of the spam. In the above case, the range would be 192.168.148.1-192.168.148.255. Again, the range is usually going to be the standard 192.168.1.1-192.168.1.255 range. At any rate, you will be looking to set an allow rule for the application shown in the log to be causing the firewall log spam (responsible for the blocks usually). If the application is what Comodo calls "Windows Operating System", you will be looking at the remote IPs to see if they are on the same domain as you. These are the ones we want unblocked, not access from devices on other networks. So we can enter an allow rule in this example for Windows Operating System for the range containing our local domain. One more time, almost every time the range to use is 192.168.1.1-192.168.1.225. This will stop most log spam from "Windows Operating System".

Again, this same thing can happen with svchost.exe. If you notice a firewall block in the "Unblock Applications" area (lock icon on the widget), go to the firewall log to see if svchost.exe (or Windows operating system) is creating spam there. If so, go back to "Unblock Applications" and unblock the application for the protections that are blocking the application. Now go into the firewall area and create an allow rule under this process' existing rule(s) for TCP and UDP. Usually, the spam are in blocks, so you may find that you can get what you want (eliminate log spam) by just allowing the safe ones of these. Now set the range of the rule to your local network. The bulk of the traffic will now be allowed safely, since it is your local traffic. All other traffic will remain blocked. For this to stop the spam, make sure this allow rule is the top rule under the process' rules.

Cure the log spam and you will be laughing with the angels about Comodo. Much if not most of the bugginess and clunkiness will disappear.

ONE NOTE: When leaving a menu in Comodo settings, make sure to use the button at the bottom of the form to exit the menu. Never use the x's. Rules will not be remembered if the x's are used to leave a menu. Think of a trip into the settings area as a session. During this session, we must use the "OK" button to leave a dialog in order for Comodo to remember the change being made. This means for all dialogs. So, we must back out of the settings area using the OK button. Even one use of an x on the way out will void all changes made. This is obviously important to learn with Comodo. Use an x to escape a settings menu after making a change->expect the change won't be made.

Hope this helps some. Still in the formulative stages of setting some things up.


Nice work!
 
  • Like
  • +Reputation
Reactions: AtlBo and show-Zi

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Curious to know what kind of firewall rules I would need to allow only certain IPs access to a PC via Remote Desktop. I assume something like the rule ladder being used for "Windows operating system" in my previous post would be the answer. However, I don't know which process(es) I would need to block in order to then allow the IP of certain specific ones.

I would love to be able to do this. It will be on my mind until I come up with something, because this is another thing I have been hoping to achieve with some program someplace. Maybe it can be done with Comodo.

I am having a great deal of fun with the firewall element for now.
 

koloveli

Level 4
Well-known
Sep 13, 2012
191
Not unprotected files antivirus or suite, is an error!
Setting AtlBo not safe, can in risk
sorry my english
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top