I have CIS v4 installed on two pc’s, both running XP with admin accounts, fw in safe mode, D+ in safe mode, Proactive policy.
One has rules under network policies for FF and Thunderbird, the other does not but both apps connect to the internet on both pc’s?
Is the pc without rules for those apps supposed to be able to connect without rules/warnings/questions?
The default config in Firewall/Advanced/Network Security Policy is for All Applications to pass All Outbound Traffic. It effectively behaves like Window’s own firewall by default now.
My personal preference is to edit that rule so as to log every single Allowed. Then work my way thru all the reported Allows in the Firewall Event Viewer, adding custom policies for each application (whereby gradually reducing the number of Allowed entries to the log).
Another approach that others here are advocating is to delete the All Application rule, wait for COMODO to pop up a million dialogues and have COMODO build custom policies for your machine in this manner (which is close to how 3.x would have behaved).
I thought by switching to Proactive it removed that rule?
You are right here. The Proactive config doesn’t have that All applications rule.
In the default settings of the Proactive configuration CIS is set to not make rules for Safe applications (Firewall → Advanced → Firewall Behaviour Settings). That way the registry doesn’t get filled as much with rules. Is the difference may be there?
Nope. Didnt tick that box on either pc.
I am worried it is allowing all outbound on the one pc for some reason.
So am I right in thinking even if it is a trusted vendor, CIS should still be alerting if an app trys to call out?
To be alerted for traffic of all applications put the Firewall in Custom Policy Mode and enable Create rules for safe applications. That can both be done under Firewall -->Advanced → Firewall Behaviour settings.
Also delete the rule for All Applications in the list of Application Rules (Firewall → Advanced → Network Security Policy) or change to Proactive Security (More → Manage My Configurations).