Blocked Zones blocking unspecified & apparently unrelated site [M276]

Why not register this defect as a specification defect?
Defects are there. Who said that the specification is impossible to have defects?

The new defect will be an open defect, it will be more general than the current defect and flagged as the probable cause of it.

I don’t mind (objection?). If this defect is not closed.
I’m not against a new defect. I am against the fact that this defect will be closed.

It may end up there, but I would not advise that as an initial strategy, as Comodo does not yet recognize that idea on their tracker (though the mods tracker does). Instead we have agreed with them a ‘Confirmed and Deferred’ status which covers the situation when the spec needs changing then the product, amongst others.

But we are speculating. I think we need to draw a line now and let Chiron decide what the new issue should be initially logged as. Then we must let the devs decide - ultimately we have no control unfortunately.

My opinion you know. Do what your process says.

If you want to keep the original issue open, I’m sorry but I’m afraid you need to make a case that is not dependent on application level control, and argues that discontinuous Zones are needed as well as Webfilter.

There is a general rule in QA systems that ‘issue drift’ is normally to be avoided, as unfair on the devs. This one was about zones, and I think should remain so.

I hope that’s OK. If you open a new issue on DNS resolution we will process it, and if you make a case in this topic that discontinuous Zones are needed as well as WebFilter we will look at that. Please try and make the case in one post though if you can so we can resolve this asap.

Best wishes

Mouse

About new defect
You can open a new defect from the bug description above (below the first bug)
Agree with

About issue drift
I do not agree that this is issue drift. In the CIS there is a function. It should either work, or be removed.

  1. Function cannot be considered correct for any assumptions.
    Thus, the user is not alerted to the fact that the function works exactly.
    No have some user would not think that the function works exactly.

  2. Function cannot be corrected by adding descriptions of the features of its work in the documentation.
    This follows from the following scenario.

  1. Add domain name block rule
  2. domain name in DNS contains one A record (one IP)
  3. Site owner, independently of us, adds records to a CDN
  4. Old rule now works correctly.
  5. There is no way for the firewall administrator to control it, except as the result of failure.
  1. WebFilter, as I understand it, does not block ICMP and other protocols for zone (FTP, ssh, SMTP ?).

Corrected post

About issue drift
I do not agree that this is issue drift

  1. In the CIS there is a function. It should either work, or be removed.

  2. Function cannot be considered correct for any assumptions.
    Thus, the user is not alerted to the fact that the function works exactly.
    No have some user would not think that the function works exactly.

  3. Function cannot be corrected by adding descriptions of the features of its work in the documentation.
    This follows from the following scenario.

  1. Add domain name block rule
  2. domain name in DNS contains one A record (one IP)
  3. Site owner, independently of us, adds records to a CDN
  4. Old rule now works incorrectly.
  5. There is no way for the firewall administrator to control it, except as the result of failure.
  1. WebFilter, as I understand it, does not block ICMP and other protocols for zone (FTP, ssh, SMTP ?).

At this point I think the best thing to do is to create a new bug report for this. Splitting from this topic may just become more confusing. Thus, fdsc, please create a new bug reporting topic in the main bug reporting section and we will continue from there.

Thank you.

I would not like to re-create a new topic. Could you transfer description of the defect, which was merged with this topic again in a new topic. Originally these were two themes.

I would like to remind you that I never received a response about the opening of this defect, as I wrote in the last post.

Thus specific bug cannot be re-opened. However, the other can as a way to try and alleviate some of this issue.

Also, as the issue which will be reported in the new topic is slightly different, and the bug reporting format has changed a bit, it does not make sense to transfer over the old format. Thus, please try to create a new topic, with the new format, and let me know if you have any questions.

Thanks.

Perhaps it’s time to finish to use your products

I should point out that I am a volunteer Moderator. Thus, I have no direct control over these sorts of decisions. The best I can do right now is ask that you create the other bug report, and promise that I will forward it for consideration.

A. THE BUG/ISSUE (Varies from issue to issue)
Can you reproduce the problem & if so how reliably?:
Yes, the problem can be reproduced with 100% reliability,
on every PC that can run the Comodo Internet Security or the Comodo Firewall.

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Install Comodo Internet Security or Comodo Firewall.
2: Set Firewall → Custom Ruleset
3: Choose Firewall → Settings
4: Select Firewall → Application Rules
5: Right-click, select Add
6: In the Name field, click Browse → Files, and browse to %APPDATA%\uTorrent\uTorrent.exe
(or some other application that creates a lot of connections to several different IP addresses)
7: Create these 3 rules (in this particular order)
…rule 0: Allow IP In From windowsmedia.com To MAC Any Where Protocol Is Any
…rule 1: Allow IP Out From MAC Any To windowsmedia.com Where Protocol Is Any
…rule 2: Block IP In/Out From MAC Any To MAC Any Where Protocol Is Any
8: Click OK
9: Start up uTorrent (or the other program that connects to a lot of different IP addresses)
10: In CIS, select Tasks → General Tasks → View Connections
11: Watch as uTorrent (or the other program…) connects to a lot of IP addresses that do not resolve to windowsmedia.com

One or two sentences explaining what actually happened:
The domain name windowsmedia.com currently resolves to 2 separate IP addresses: 64.4.52.182, and 157.56.59.199
The Domain Name parser in CIS is not handling this properly by creating 2 separate rules with 1 of these 2 separate IP addresses in each rule,
instead it creates a single rule, where the IP address is set as the range from 64.4.52.182 to 157.56.59.199
The proof can be seen when watching uTorrent connect to all IP addresses that are within this range,
but not any IP addresses that are on the outside of this range.
It can also be seen when looking at the registry entry created for this rule:

[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\0\Firewall\Policy\0\Rules\0\SourceIP\Address\IPV4]
"AddrType"=dword:00000010
"AddrStart"="64.4.52.182"
"AddrEnd"="157.56.59.199"
"Name"="windowsmedia.com"

One or two sentences explaining what you expected to happen:
CIS should always create rules with the same “AddrStart” and “AddrEnd” when parsing domain names.
If the domain name resolves into 2 or more separate IP addresses, it should create 2 or more separate rules.
In this specific case with windowsmedia.com, it should have separated the two addresses like this:

[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\0\Firewall\Policy\0\Rules\0\SourceIP\Address\IPV4]
"AddrType"=dword:00000010
"AddrStart"="64.4.52.182"
"AddrEnd"="64.4.52.182"
"Name"="windowsmedia.com"
"Index"="0"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\0\Firewall\Policy\0\Rules\1\SourceIP\Address\IPV4]
"AddrType"=dword:00000010
"AddrStart"="157.56.59.199"
"AddrEnd"="157.56.59.199"
"Name"="windowsmedia.com"
"Index"="1"

If a software compatibility problem have you tried the advice to make programs work with CIS?:
Not a compatibility problem

Any software except CIS/OS involved? If so - name, & exact version:
No other software involved
(except for the one proving that CIS are allowing a lot of connections to other IP addresses than the 2 that the domain name resolves to,
this software may be uTorrent or some other BitTorrent client, or a server with a lot of traffic, version number is irrelevant.)

Any other information, eg your guess at the cause, how you tried to fix it etc:
No more information should be needed, I think.

B. YOUR SETUP

Exact CIS version & configuration:

Comodo Firewall
Product version: 7.0.317799.4142

Configuration used: Start with the default one,

  • for the “Comodo Internet Security” product, that is configuration #0 : “COMODO - Internet Security”
  • for the “Comodo Firewall” product, that is configuration #2 : “COMODO - Firewall Security”

Then, do the exact steps I described earlier in the post;
that is, select Firewall → Custom Ruleset, then create a new policy for uTorrent.exe, then create the 3 rules, etc. etc.

Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Firewall : Custom Ruleset
Auto-Sandbox : Disabled
HIPS : Disabled
AV: Not installed in Comodo Firewall

Have you made any other changes to the default config? (egs here.):
No

Have you updated (without uninstall) from CIS 5 or CIS6?:
No, I uninstalled CIS 8.0.0 (4344 updated from 4337), rebooted,
then found and removed the 6 CavWp.* and 5 CIS.* and the cmdupd.CisUpdater classes, along with their CLSID’s,
then the AppID’s (CavWp.EXE and 895A8A5F-…, cmdupd.EXE and 8A5056E3-…) and the TypeLib’s (14FBD7D3-… and BAFAD68A-…)
…and then I installed Comodo Firewall 7.0.317799.4142

if so, have you tried a clean reinstall - if not please do?:
 n/a

Have you imported a config from a previous version of CIS:
No

if so, have you tried a standard config - if not please do:
 It IS the default (standard) config, then you create a policy with a rule that uses windowsmedia.com, or some other domain that resolves into 2 separate IP addresses.

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 7 SP1 x64, UAC disabled, Administrator account, no V.Machine used

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=none b=none


Here is an image that shows the policy with the 3 rules;
this policy should have blocked almost all connections, allowing only those to and from windowsmedia.com,
but instead, it allows connections to and from all IP addresses in the range from 64.4.52.182 to 157.56.59.199.

http://i.imgur.com/Lu05EXb.png

BTW, this same thing will of course also happen if you use such a multi-address domain name (“Host Name”) like windowsmedia.com
when adding a New Address to a Network Zone that you have defined. If you later export the configuration file, you will see a line like this:

<IPV4 AddrType="16" AddrStart="64.4.52.182" AddrEnd="157.56.59.199" Name="windowsmedia.com"/>

[attachment deleted by admin]

Please export your configuration (from the given steps).

Thanks.

Here it is - you are welcome! :)

The Comodo Firewall policy for uTorrent is located in the lines from 799 to 838.

I have attached 2 versions of the config:

1) “comodo_domain_name_res_uchiuke_config.cfgx”
This is the config just exported as it is.
However, if you are going to try to import and use it, it will not work, since the address of the filename is
“C:\Users\Uchiuke\AppData\Roaming\uTorrent\uTorrent.exe”
So then, it is better to use the second version;

2) “comodo_domain_name_res_multiuser_config.cfgx”
This one will work for everyone, since it has wildcards for the user name…
“C:\Users\*\AppData\Roaming\uTorrent\uTorrent.exe”

(I have also attached a new CisReport which was created when this configuration was active,
and have as few as possible extra processes running. The previous one was made when I had lots of programs running.)

[attachment deleted by admin]

Thanks for this excellent bug report.

The developers have said that they do not wish to fix this bug, which is M276 in the mods tracker.

However I disagree and will suggest reopening it for fixing next time they have a bug fixing session on the Firewall. It may not get fixed soon, but it should be fixed sometime.

For the moment I will have to move to resolved, but if they agree to reopen, I will move to format verified.

Kind regards

Mouse

Could someone please check on CIS 8.0 if this is still valid?

Thank you for being positive for fixing it! ;)

As you may have guessed, these are domain names used by Windows Media Player
and its media sharing on the LAN, and just to make this a complete reference,
there are some other domain names in this also…


Name: www.windowsmedia.com.akadns.net
Address: 65.55.164.201
Aliases: www.windowsmedia.com

Name: windowsmedia.com
Addresses: 64.4.52.182 and 157.56.59.199
Aliases: windowsmedia.microsoft.com and windowsmedia.msn.com

Name: origin.redir.metaservices.microsoft.com.akadns.net
Addresses: 137.116.242.248 and 137.135.204.246
Aliases: redir.metaservices.microsoft.com and redir.metaservices.microsoft.com.akadns.net


Regarding the title, it is not actually “many ranges”,
but 2 (or in some other cases, more) separate, single addresses…
…which are incorrectly interpreted as a range.

For some domain names, this behavior may be kind of acceptable,
e.g. this one:

Name:

Addresses:

  • a list of 10+ addresses in your ISP’s network, where the reverse is “cache.google.com”

…this is interpreted by Comodo as one range, from the lowest address to the highest address in the list.

Regarding the CIS 8.0, I have not checked since I would have to uninstall v7, install v8, uninstall v8, reinstall v7,
but I am 99.99% sure that this is valid for Comodo v5 - v8, maybe also v4 and earlier versions.
It is simply a way they chose to handle those not-so-common “more than one address per domain name” cases in the old days,
and it has been that way since no one has complained about it.

Even though Comodo started as a Firewall, I feel it has now moved in the “fully automatic, all-in-one complete security solution” direction,
so I was not so surprised to learn that “they” did not want to bother to fix this.

However… Comodo has an open XML → Windows Registry based config solution,
so I am thinking that it may be a good idea to just create a separate program
which could do things that Comodo does not, and output CFGX config files to be imported into Comodo.

In the meantime, I will just manually look up the domain names and enter their IPv4 addresses…! :)

A. Firewall/Network zones/Blocked zones/Add by host name blocks whole IP4 range from lowest to highest IP for multiple IP4 hosts)
Can you reproduce the problem & if so how reliably?:
100%
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1: Added by host name “mail.ru” to Blocked Zones and found myself without network at all
Investigation:
nslookup mail.ru

Name: mail.ru
Addresses: 2a00:1148:db00:0:b0b0::1
217.69.139.200
94.100.180.200
217.69.139.201
94.100.180.201

regedit

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\3\Firewall\Blocked Addresses\1\Address\IPV4]
"AddrType"=dword:00000010
"AddrStart"="94.100.180.200"
"AddrEnd"="217.69.139.201"
"Name"="mail.ru"

One or two sentences explaining what actually happened:
Weird internet problems for many years (but with smaller IP range (34.224.109.77-54.174.159.172))
One or two sentences explaining what you expected to happen:

If a software compatibility problem have you tried the advice to make programs work with CIS?:
N/A
Any software except CIS/OS involved? If so - name, & exact version:
No
Any other information, eg your guess at the cause, how you tried to fix it etc:

B. YOUR SETUP
Exact CIS version & configuration:
CIS 10.1.0.6476, custom firewall configuration
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Only AV & Firewall enabled
Have you made any other changes to the default config?:
Firewall - custom ruleset
Not using Comodo DNS servers

Have you updated (without uninstall) from CIS 5, 6 or 7?:
One computer with clean install of CIS v10 (Other computers updated through 5-6-7 to 8.2/4 - all the same)
if so, have you tried a clean reinstall - if not please do?:
N/A
Have you imported a config from a previous version of CIS:
Yes
if so, have you tried a standard config - if not please do:
On intact “Comodo - Internet Security” config - the same
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1 64 bit, UAC on, admin account

Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
None. Windows firewall is off
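
An added example, not part of any post in this thread and not Comodo's code: a Python audit for the behaviour both bug reports above describe (the windowsmedia.com rule and the mail.ru Blocked Zone), which flags host-name entries in an exported configuration that were stored as a lowest-to-highest range and measures how many addresses that range covers. The function names and the `<Addresses>` wrapper element are assumptions; the `IPV4` line and all addresses are the ones quoted in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. Line 1 is the exported entry quoted in the thread, line 2 the
# per-address form the reporter expected; the <Addresses> wrapper is an assumption.
SAMPLE_CFGX = """<Addresses>
  <IPV4 AddrType="16" AddrStart="64.4.52.182" AddrEnd="157.56.59.199" Name="windowsmedia.com"/>
  <IPV4 AddrType="16" AddrStart="64.4.52.182" AddrEnd="64.4.52.182" Name="windowsmedia.com"/>
</Addresses>"""

# Addresses nslookup returned for mail.ru in the second report (one is IPv6).
MAIL_RU = ["2a00:1148:db00:0:b0b0::1", "217.69.139.200", "94.100.180.200",
           "217.69.139.201", "94.100.180.201"]


def collapse(addresses):
    """Model the reported behaviour: lowest to highest IPv4 address as one range."""
    v4 = sorted(a for a in map(ipaddress.ip_address, addresses) if a.version == 4)
    return str(v4[0]), str(v4[-1])


def span(start, end):
    """Number of addresses covered by the inclusive range start..end."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def in_range(addr, start, end):
    """True if addr is in the inclusive range; an address of another IP version never is."""
    a, lo, hi = (ipaddress.ip_address(x) for x in (addr, start, end))
    return a.version == lo.version and lo <= a <= hi


def audit_cfgx(xml_text):
    """Return (name, start, end, covered) for host-name entries stored as a range."""
    findings = []
    for el in ET.fromstring(xml_text).iter("IPV4"):
        name, start, end = el.get("Name"), el.get("AddrStart"), el.get("AddrEnd")
        if name and start and end and start != end:
            findings.append((name, start, end, span(start, end)))
    return findings


if __name__ == "__main__":
    for name, start, end, covered in audit_cfgx(SAMPLE_CFGX):
        print(f"{name}: {start}-{end} covers {covered} addresses")
    lo, hi = collapse(MAIL_RU)
    print(f"mail.ru: 4 resolved IPv4 addresses become {lo}-{hi} ({span(lo, hi)} addresses)")
    print("192.0.2.1 (documentation address) inside that range:", in_range("192.0.2.1", lo, hi))
```

Run against a real export, any finding means the rule or zone matches far more than the named host, and the entry should be replaced with one single-address entry per resolved address.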