Advice Request "Create rules for safe applications"

[CoherentCrayon]

I am using Comodo Firewall at @cruelsister settings. But one thing bothers me, and that thing is that the firewall component in Comodo blocks way too much. Examples of programs it's blocking (some connections, not all) are Avast, Windows Defender, GTA 5, Steam, Chrome, Spotify, qBittorrent etc. Not all of these blocks seems to cause any issues, but some blocks do cause issues (for example it blocks Spotify sync, Steam In-Home Streaming and qBittorrent). Also the "Network intrusions" is currently at 1400+ blocks. But one setting, which should be Disabled according to cruelsister settings is "Create rules for safe applications". It seems that these issues (Comodo blocking safe applications) wouldn't happen if this setting was turned on.

But would this setting (having it enabled) lower the security of the computer?

steel9

 

[Aerdian]

If it's not blocking as much, it would be more likely to miss something infectious, however, I use Comodo Firewall and when it blocks something, it just gives a notification, which you can choose allow and the program will run as usual. I haven't changed any settings on mine and it allows Windows Defender and Google Chrome without even manually choosing "Allow." I would say to choose "Create rules for safe applications." If you set it to only allow certain processes, you would choose the processes, so it should still block anything malicious.

 

[shmu26]

Create rules for safe applications will not cause less blocks. It will only create a rule AFTER the application was whitelisted, or the application was run (and the vendor was on the trusted vendors list).

 

[Nestor]

I am using Comodo Firewall at @cruelsister settings. But one thing bothers me, and that thing is that the firewall component in Comodo blocks way too much. Examples of programs it's blocking (some connections, not all) are Avast, Windows Defender, GTA 5, Steam, Chrome, Spotify, qBittorrent etc. Not all of these blocks seems to cause any issues, but some blocks do cause issues (for example it blocks Spotify sync, Steam In-Home Streaming and qBittorrent). Also the "Network intrusions" is currently at 1400+ blocks. But one setting, which should be Disabled according to cruelsister settings is "Create rules for safe applications". It seems that these issues (Comodo blocking safe applications) wouldn't happen if this setting was turned on.

But would this setting (having it enabled) lower the security of the computer?

steel9

Strange.I am using CIS set to Proactive and it doesn't block anything.The only blocked item, due to firewall, is a minor Windows 10 file.NPE also blocked, by HIPS, but is still running.(i believe is blocking a secondary action).

 

[shmu26]

If the OP is using Comodo 11, there is a bug that certain files are treated as unknown, even though in truth they are not unknown. That bug could easily produce the described behavior.
They already put out a beta version that fixes the bug.

 

[Nestor]

If the OP is using Comodo 11, there is a bug that certain files are treated as unknown, even though in truth they are not unknown. That bug could easily produce the described behavior.
They already put out a beta version that fixes the bug.[/I think he is talking about Comodo 10.

I think he is talking about Comodo 10.

 

[CoherentCrayon]

I think he is talking about Comodo 10.

If the OP is using Comodo 11, there is a bug that certain files are treated as unknown, even though in truth they are not unknown. That bug could easily produce the described behavior.
They already put out a beta version that fixes the bug.

I'm using Comodo Firewall 10. The firewall component is very strange regarding what it blocks or not...

 

[shmu26]

I'm using Comodo Firewall 10. The firewall component is very strange regarding what it blocks or not...

Have you made any changes to the Trusted Vendors List or the File Rating Settings?

 

[Moonhorse]

I think he is talking about Comodo 10.

The bug exist in comodo 11 and is happening with unrecognized files, not with blocked applications

 

[cruelsister]

Steel- Although I am not familiar with some of the applications that you are having issues with, I am familiar with WD, Avast, and Chrome. None of these should have presented you with any Firewall issues. What is of concern is the amount of FW blocks you are receiving. But in order to resolve (if possible) your issue we need to baseline your system; so let's proceed as follows:

1). I am assuming that Spotify, QBT, Steam are NOT starting with Windows- if they are, Kill them.
2). Open up the Comodo GUI, go into the Advanced Mode>Network Intrusions and click the "Cleanup Log File". We should now have ZERO for Network Intrusions
3). Immediately reboot you system and DO NOT USE IT IN ANY WAY for about 1 hour.
4). After that time has passed (I suggest you use this time to go to a store and buy your Girlfriend jewelry), open up the Comodo GUI again and look at the number of Network Intrusions that are listed.
5). If they are under 10, let us know. If, however they are, like, over 50- open up Killswitch, click on the Network tab and see what it is that is connecting.

M

 

[LDogg]

I think this is one of the reasons why I do not tweak with any settings and leave everything be at default. But I know it's down to experience and personal choice for things, which to me makes sense. Cruelsister settings is definitely the best out there for CFW.

~LDogg

 

[CoherentCrayon]

Have you made any changes to the Trusted Vendors List or the File Rating Settings?

Nope

 

[CoherentCrayon]

Steel- Although I am not familiar with some of the applications that you are having issues with, I am familiar with WD, Avast, and Chrome. None of these should have presented you with any Firewall issues. What is of concern is the amount of FW blocks you are receiving. But in order to resolve (if possible) your issue we need to baseline your system; so let's proceed as follows:

1). I am assuming that Spotify, QBT, Steam are NOT starting with Windows- if they are, Kill them.
2). Open up the Comodo GUI, go into the Advanced Mode>Network Intrusions and click the "Cleanup Log File". We should now have ZERO for Network Intrusions
3). Immediately reboot you system and DO NOT USE IT IN ANY WAY for about 1 hour.
4). After that time has passed (I suggest you use this time to go to a store and buy your Girlfriend jewelry), open up the Comodo GUI again and look at the number of Network Intrusions that are listed.
5). If they are under 10, let us know. If, however they are, like, over 50- open up Killswitch, click on the Network tab and see what it is that is connecting.

M

Thank you, I will do this whenever I've got time. But should I remove all firewall exclusions first? I've made exclusions for Windows Defender and Avast to be 100% sure they don't get blocked, also I've made exclusions for other applications which didn't work properly otherwise

 

[cruelsister]

Steel- Understand Cruel Comodo was set up to be EASY. Any additions (like Rules) complicates things and this is where folk run into issues (self-created). So let's change things up a bit:

1). Back up your Rules and save them somewhere.
2). Now Kill all the Rules
3). Proceed as in my previous Post.

And by all means only do this when you have time!

 

[CoherentCrayon]

Steel- Although I am not familiar with some of the applications that you are having issues with, I am familiar with WD, Avast, and Chrome. None of these should have presented you with any Firewall issues. What is of concern is the amount of FW blocks you are receiving. But in order to resolve (if possible) your issue we need to baseline your system; so let's proceed as follows:

1). I am assuming that Spotify, QBT, Steam are NOT starting with Windows- if they are, Kill them.
2). Open up the Comodo GUI, go into the Advanced Mode>Network Intrusions and click the "Cleanup Log File". We should now have ZERO for Network Intrusions
3). Immediately reboot you system and DO NOT USE IT IN ANY WAY for about 1 hour.
4). After that time has passed (I suggest you use this time to go to a store and buy your Girlfriend jewelry), open up the Comodo GUI again and look at the number of Network Intrusions that are listed.
5). If they are under 10, let us know. If, however they are, like, over 50- open up Killswitch, click on the Network tab and see what it is that is connecting.

M

I've now done what you said. After 1h passed without me doing anything on the computer, only 6 network intrusions were blocked.
These are:
- svchost.exe inbound connections from my printer and Sonos speaker
- nvcontainer.exe (NVIDIA) outgoing connection from and to 127.0.0.1 (loopback)
- SearchUI.exe outgoing connection

The reason I didn't get many blocks now was because the block-generating apps weren't running.
I still don't understand how Comodo decides which connections to block or not. Some legitimate apps can connect how they want, while some connections (by legitimate, digitally signed apps, whose developer is in the Trusted Vendors list) are getting blocked.

 

[cruelsister]

Steel- Comodo, like almost everyone here, HATES data being collected about you without your knowledge (wether the exe is signed or not). But Comodo, unlike other security products actually alerts you to this (Gotta love it!!!!).

1). Why the FxxK are your printer (is it an HP?) and speakers using svchost to connect out? To collect and sell data about you. Keep this blocked- or even better look at your startups and kill this stuff from starting with Windows.
2). Although nvcontainer.exe in your case is just a is normally innocuous (and is so in your case), it has been known to transmit info about you (via NVIDIA Telemetry Container) to their servers which they then sell. However this info is really general and I wouln't worry about it (on the other hand I will Never Ever use a Nvidia product myself). You can allow this one.
3). SearchUI.exe is probably from Cortana (I assume you are on Win10?). I hate Cortana and deactivate it. But it is not malicious.
4). Now to your 1000+ Outbound blocks- I'll bet this is due to QTorrent. What I would do is put the Firewall in Custom Mode, start the Torrent application, then at the Firewall prompt allow its use.

I REALLY hoped this helped and that I did not confuse you!!!!

Meghan

 

[codswollip]

Comodo, like almost everyone here, HATES data being collected about you without your knowledge

Relatedly (?)... What is the purpose of "Comodo Telemetry" in my Task Scheduler? Am I wrong in disabling this?

 

[CoherentCrayon]

Steel- Comodo, like almost everyone here, HATES data being collected about you without your knowledge (wether the exe is signed or not). But Comodo, unlike other security products actually alerts you to this (Gotta love it!!!!).

1). Why the FxxK are your printer (is it an HP?) and speakers using svchost to connect out? To collect and sell data about you. Keep this blocked- or even better look at your startups and kill this stuff from starting with Windows.
2). Although nvcontainer.exe in your case is just a is normally innocuous (and is so in your case), it has been known to transmit info about you (via NVIDIA Telemetry Container) to their servers which they then sell. However this info is really general and I wouln't worry about it (on the other hand I will Never Ever use a Nvidia product myself). You can allow this one.
3). SearchUI.exe is probably from Cortana (I assume you are on Win10?). I hate Cortana and deactivate it. But it is not malicious.
4). Now to your 1000+ Outbound blocks- I'll bet this is due to QTorrent. What I would do is put the Firewall in Custom Mode, start the Torrent application, then at the Firewall prompt allow its use.

I REALLY hoped this helped and that I did not confuse you!!!!

Meghan

Thank you very very much for your detailed responses! It did help me, but I have a few questions, if you've got some time.

You said that Comodo alerts you about telemetry connections:
1) How does Comodo decide which connections are telemetry-related?
2) When Comodo blocks outgoing connections from trusted applications, does it only block connections related to telemetry?

One last question in this post.
3) I tried the "Create rules for safe applications" setting in Comodo, and it automatically (by creating rules) allows all trusted applications to connect out. Will this setting lower the security? It only creates these rules for safe applications according to the setting name.

Just one thing - regarding printer (Canon) and speakers, I am not sure it has to do with telemetry as the connection attempts are within my network (local source and destination).

 

[cruelsister]

Updates.

 

[JoseyWales]

I'm using Comodo Firewall 10. The firewall component is very strange regarding what it blocks or not...

You need to remove version 10 and do a fresh install with ver 11. After the installation...AND YOU USE YOUR SYSTEM FROM A STANDARD ACCOUNT ONLY...run your daily system usage, let Comodo catch up on how you do things with your system.

After a day's workout, examine the trusted vendors and trusted file listings. Make your edits accordingly to not only the vendor list and file lists, but to also make your decisions for HIPS rulings and Firewall Rulings. Allow Comodo to do most everything- while I admit I enable Trust applications signed by trusted vendors(and that list gets edited/purged) and I disable 'Trust files installed by trusted installers'. In the end, its about making sure Windows is protected, Comodo is protected and my apps used for business are secured. Even while using a standard account, I make my own folders that hold pertinent information plus a weekly backup to either a flash drive or a backup drive. If I have to delete a corrupted account, I'm still covered. But let me add that I'm not of the deviant mindset, going underground looking for trouble on a daily basis. I even have steam blocked to go online while I still enjoy those games I purchased from Steam. If I need something from Steam, a simple firewall edit is all it takes. I believe I'm rambling now, looking at the clock, I'm well passed the time to hit the pillow.
PS- rule #1....disable Steam's service since it is designed to override your firewall settings.