CF 4/5 vs System, asking to communicate at every boot

TOPIC TITLE
At any boot CF prompts me what to do with system


The bug/issue

  1. What I did: Set the rule to “Trusted Application”, and I also tried to create my own rule where everything was set to “allow”

  2. What actually happened or I actually saw: At any boot CF prompts me about “system”

  3. What I expected to happen or see: Nothing; setting it as “Trusted application” led me to think I would not see the alert message again

  4. How I tried to fix it & what happened: tried to fix it as per item 1, but it was as if I hadn’t done anything

  5. Details (exact version) of any software involved with download link: N/A

  6. Any other information you think may help us: nil

Files appended

  1. Screenshots illustrating the bug: No
  2. Screenshots of related event logs or the active processes list: YES
  3. A CIS config report or file: No
  4. Crash or freeze dump file: No

Your set-up

  1. CIS version & configuration used: 5.0.162636.1135 (happens also with the latest firewall 4 version)
  2. Whether you imported a configuration, if so from what version: N/A
  3. Defense+ and Sandbox OR Firewall security level: Both disabled
  4. OS version, service pack, no of bits, UAC setting, & account type: XP Pro Sp3 32 bit with all updates and admin account
  5. Other security and utility software running: Avira Personal 10
  6. CIS AV database version: N/A


You have 2 updating rules not involving “system”; it is up to you whether to allow them or not (and remember such updates can be a hassle, as the update ip is not always the same).

System rules are another question: you can’t, of course, make “system” a trusted application; it would be very dangerous behavior.

But the rules in your screenshot merely show normal netbios communication inside a lan: make a network zone for the lan (192.168.1.1-192.168.1.255) and write in your firewall a rule for system allowing anything in and out where both source and destination are the lan zone and the ports are the netbios ports (137-139), of course immediately followed by a block rule for the same ports for any ip.

Thanks Andy and Brucine

In a way I agree with both of you.

These alerts are not user friendly, but there is a way of sorting them, I guess. Will get Ronny to take a look and see what he thinks. He’s the firewall guy!

Thanks for putting this in standard format, by the way.

My opinion (but it’s only mine…) is also to disable automatic updates in whatever software for which it is not an emergency: you are not bothered anymore with permanent update requests, and it’s enough to run Secunia (or whatever else you like) from time to time to check if your current version of Foxit or whatever has some critical vulnerabilities.

Hello, tks for the answers.

I’ll try to set the network zone and see what will happen, but with 3 PCs connected to the same router, CF gives me this trouble only on one of them; that’s the reason why I’m here.
The computer involved is a PC used by my father, which means there is no more than MS Office, antivirus, pdf reader, WinZip and CCleaner installed; the other PC, where I don’t have any problem, has 80 or more programs installed…

I’ll set the network zones as you suggested and I’ll let you know if it works; of course I’ll need some time because I have to reboot many times to be sure the issue is gone.

Tks for now

So, finally nothing was successful.

I tried to:

  • Set the network zone with an IP range, i.e. from 192.168.1.1 to 192.168.1.6
  • Set the configuration from Firewall to Proactive

Nothing helped, the same prompt at 99% of boots (sometimes it stays quiet, don’t ask me why)

I suppose that you wrote the appropriate netbios rules for system.

You must of course take into account not only the firewall settings of the source computer, but those, if any, of the destination computer.

Limiting the network zone to 192.168.1.6 might not be enough: the system might need calls to the router and other lan computers by broadcasting (e.g. 192.168.1.255).

System does not interpret correctly outbound/inbound allow global rules, and you should write 4 of them if only one lan computer is concerned, assuming you are pc1 and your father pc2:
-allow tcp in from (pc2) to (pc1), source port any, dest port (netbios)
-allow tcp or udp out from (pc1) to (pc2), source port any, dest port (netbios)
-allow udp in from (pc2) to (pc1), source port any, dest port (netbios)
-allow udp out from (pc1) to 192.168.1.255, source port any, dest port (netbios).

Moreover, some of the blocking behavior also comes from svchost:
-allow tcp in from (pc2) to (pc1), source port any, dest port 135
and, under some specific os/router configurations, you also have to allow the bootp protocol:
-allow udp out from any ip to 255.255.255.255, source port any, dest port 67.

In such a configuration, cis should be set to proactive and the firewall to custom with highest alert settings, everything checked but ics.
system and svchost should themselves be in custom state and not in a pre-defined group, and you should check that no global firewall rule (they are in my opinion useless except for icmp) infringes the preceding ones, while of course the symmetric rules should be written in the other computer’s firewall.

Once the lan access has been obtained after a bootup, windows (and cis) won’t ask anymore as long as the session is opened, explaining you are not systematically warned: it’s a severe windows flaw, but there’s not much to do about it.

Hi, tks for the full answer.

Now I did the settings as suggested, but it warned me again at the system boot.

What is strange is that just my father’s PC has this behaviour from CF, not the other PC, which is wi-fi connected.

Another strange thing is that if I click on System shown in the alert, the window that opens, which normally shows you the exe details, shows me the system32 folder instead!

Lastly, I absolutely can’t set the CIS as you suggested me: my father is 73 years old, and a setting like that means that he’ll call me every five minutes. That’s the reason why I would like to leave him with just the firewall active, set in safe mode only.

Anyway, I don’t understand why on my PC, setting the System to Trusted Application, it stays quiet, because that means, for CIS, that everything from any port can communicate without any more alerts, but this is not true for my father’s PC only.

I don’t think the reason should be that it’s the only PC wired to the router…
The router is a Linksys WRT54GC vers. 2.0. In my house I have the PC wired to a Netgear DG834GT and CIS doesn’t give me all this trouble…

And then, what is the reason for the choice “trusted application” if I then have to set everything manually??

Tks

Brucine seems to be doing an excellent job in helping you, and it may be that it becomes clear that this is a config issue.

So if it’s OK I will hold off a bit before forwarding it to verified issues.

Best wishes

Mouse

Yes, I absolutely agree with you and I thank you a lot for the time spent for me.

The problem is that any configuration adopted, Brucine’s included, doesn’t help at all. And what is more strange for me is that “Trusted Application” doesn’t fix anything.

What is strange is that the System reported in the CF alert does not refer to any exe file, just the system32 folder…

Isn’t there a Comodo utility for debugging?

The configuration I reported is of course perfectly working for me (xp sp3 pro on one lan side, but 2k and Kerio on the other, as it is a very small format netbook not supporting whatever else; the lan is connected through an ethernet home router), or I wouldn’t have posted it.

But it runs under cis v3.

Please leave me some time to reboot my cis 5 partition (and my laptop) and run the test; I shall give feedback as soon as done.

Ok, tks a lot for your time and your patience.

Now a doubt arises in my mind: if I don’t remember wrong, that “problem” was not present before I upgraded the router firmware. Is it possible??

The router firmware has no consequence itself, except that it might install its own firewall (and you would of course be in trouble) or set some dhcp or bootp request at boot time, requiring, as I said before, appropriate broadcasting rules.

Please check the administration page of your router for specific settings.
An obvious reason for failure would, of course, be e.g. your router now running dhcp and no longer assigning static lan ips, or your lan range there not being fully allowed (specify any of its ips or macs if needed).

I rebooted cis v5 and my laptop; I had to write some new rules, but everything works fine on both sides, even after rebooting both sides.
Note in this regard that, if you actually want to browse a computer from the other, you must have at least a windows shared partition and appropriate credentials.

Also note that, during the process, spoolsv prompted me for several defense+ requests, all of them blocked without remembering, and not keeping things to work.

A report of the configuration if it might help.
-The cis 5 computer is a win xp sp3 pro computer.
-cis 5 is proactive
-defense+, although not relevant here because not saying anything except the spoolsv story, is paranoid.
The sandbox is disabled (and every one of its settings unchecked).
Everything is checked in the monitoring settings.
Image execution is enabled, but the cloud is disabled, and nothing is allowed as a safe application, unknown applications being seen as unsafe.

-the firewall is set to advanced mode, highest level, everything checked but ics, but no rule created for safe applications.
In this configuration, all of my computers have static ip, dhcp is disabled, and the desktop is 192.168.0.40 while the laptop is 192.168.0.30, both are gateway to the router at 192.168.0.1.
Nothing but icmp blocking in global rules.
A lan zone is created 192.168.0.1-192.168.0.255, and also a netbios port rule (137-139).
Every single rule in the firewall is custom except comodo (outgoing only).

The following rules are needed for pc1 (192.168.0.40); make the symmetric ones for pc2 if running cis:
-svchost:
-allow tcp or udp, both, from (lan) to (lan), source and dest ports any
(same for loopback zone)

-system (with rules for access on both sides):
-allow tcp or udp in from 192.168.0.30 to 192.168.0.40, source ports any, dest ports (netbios)
-allow tcp or udp out from (lan) to 192.168.0.30, source ports any, dest ports (netbios)
-allow udp out from (lan) to 192.168.0.255, source ports (netbios), dest ports (netbios) (note the broadcasting request).

If now you want to browse pc2 from pc1, you must also write:
-explorer:
-allow tcp out from 192.168.0.40 to 192.168.0.30, source ports any, dest port 135.

My laptop (running Kerio) has fancy rules for 3G connection, but not relevant here:
-system:
allow udp out, from any ip to 255.255.255.255, port 138 to port 138
-dhcp:
allow udp, both, from any ip to any ip, port 68 to port 67.
Note the broadcasting and bootp rules, the system does not connect anywhere if the latter is not allowed.
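As an added illustration of the rule sets in this post and the earlier four-rule list for pc1/pc2, here is a small Python model of first-match rule evaluation; it is example code written for this thread, not Comodo's code or anyone's posted configuration, and it does not claim to reproduce CIS's exact matching. The 192.168.0.x addresses are the ones above; the "narrow" zone and the traffic samples are constructed to show why a zone that stops short of the .255 broadcast address leaves the boot-time NetBIOS broadcast unmatched, which is exactly where a prompt comes from.

```python
"""Toy first-match evaluator for the per-application firewall rules Brucine lists
in this thread (direction, protocol, source, destination, destination ports).
Added example, not code from Comodo or any poster; addresses are the thread's."""
from collections import namedtuple
from ipaddress import ip_address

# action: "allow"/"block"; proto: "tcp", "udp" or "tcp/udp"; direction: "in", "out"
# or "both"; src/dst: inclusive (lo, hi) address ranges; dst_ports: a range().
Rule = namedtuple("Rule", "action proto direction src dst dst_ports")
Packet = namedtuple("Packet", "proto direction src dst dst_port")

NETBIOS = range(137, 140)                  # the thread's "netbios" port set, 137-139
ANY_IP = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.0.1", "192.168.0.255")     # Brucine's lan zone, broadcast address included
NARROW = ("192.168.0.1", "192.168.0.6")    # a zone that stops short of .255 (constructed)
PC1, PC2, BCAST = "192.168.0.40", "192.168.0.30", "192.168.0.255"


def in_zone(addr, zone):
    lo, hi = (ip_address(z) for z in zone)
    return lo <= ip_address(addr) <= hi


def matches(rule, pkt):
    return (rule.proto in (pkt.proto, "tcp/udp")
            and rule.direction in (pkt.direction, "both")
            and in_zone(pkt.src, rule.src)
            and in_zone(pkt.dst, rule.dst)
            and pkt.dst_port in rule.dst_ports)


def decide(rules, pkt):
    """First matching rule wins; no match means the firewall alerts ("ask")."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "ask"


# Brucine's "system" rules for pc1, then the block for the same ports on any ip.
SYSTEM_RULES = [
    Rule("allow", "tcp/udp", "in", (PC2, PC2), (PC1, PC1), NETBIOS),
    Rule("allow", "tcp/udp", "out", LAN, (PC2, PC2), NETBIOS),
    Rule("allow", "udp", "out", LAN, (BCAST, BCAST), NETBIOS),   # the broadcast rule
    Rule("block", "tcp/udp", "both", ANY_IP, ANY_IP, NETBIOS),
]
# One allow over a zone that excludes the broadcast address, and no block rule.
NARROW_RULES = [Rule("allow", "tcp/udp", "both", NARROW, NARROW, NETBIOS)]

# Boot-time NetBIOS name registration: a UDP broadcast to port 137 (constructed sample).
BOOT_BROADCAST = Packet("udp", "out", PC1, BCAST, 137)
```

Run `decide(SYSTEM_RULES, BOOT_BROADCAST)` against `decide(NARROW_RULES, BOOT_BROADCAST)` to see the same boot-time packet go from "allow" to "ask"; port 135 traffic falls through to "ask" in both sets because it belongs to the separate svchost/explorer rules.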

Too kind my friend, but I still don’t understand why Trusted Application doesn’t work.

For me Trusted Application means that any port in/out from any source in/out can communicate for that application, so I really don’t understand why I have to go through a nightmare like that.

I just fixed the problem by unchecking, in the firewall options, the option to show the alerts for UDP.
For my father two things are enough:

  1. No strange messages popping out creating panic
  2. Use internet and Outlook as usually

Different solutions are, for me, unreasonable; it’s like saying that if a wheel of your car is turning differently from the other three, don’t fix it, turn the other three in the same direction too and you will solve the problem of the first wheel. :o

This is not a help, just a nice joke

You asked me for a solution, and I provided it.

I don’t think that disabling udp alerts is a safe decision, but it’s up to you.

cis default settings are for “mr everybody”, and it seems that such a basic thing as using a home lan is outside of this scope: I can’t help with this behavior, and it’s the reason for which, in such a situation, I don’t trust anything or anyone, including whatever self-proclaimed “trusted application”.

But of course, it leads someone to a little customization of the firewall, much shorter than any one of our respective messages, as once the software is set to custom, it is only a matter of 3 or 4 rules.

There’s some myth in the assumption of a safe and ready to use firewall and if, of course, you probably can’t ask your father to go through such steps, you are free to not want it yourself.

Of course, cis is at fault, its new versions advertising that everything is ready without ever alerting the user and without ever his intervention: it definitely cannot be true.

Nevertheless, it somehow denies you the right to complain: I am not sure that whatever alternative firewall you would choose in order to do the job transparently behind your back, if possible, would be able to give you an appropriate security level.

Yes, you’re right.
I was looking for a solution at the beginning, then I was asked to start the post here, in the bug section, so, if before I was looking for a solution, later I was wondering whether I just had to help discover a bug, not to find a solution just for myself in the bug section.

So, I was invited to write here, where here was not the right place; that confuses me a lot. I supposed I would have questions to answer (as programmers normally do to understand better where the problem should be), not to shake a computer config just to fix it and bye bye.

I understand that those settings I have adopted for my father’s PC are not the best, but for me it is much better than the Windows firewall.

Many tks for your time, I appreciated it very much anyway, trust me

Hi Andy

Brucine’s suggestion is highly secure, and yours seems a bit insecure.

The standard solution for this as far as I am aware, is to allow the automatic detection of network settings wizard to do its job.

This results in:

  1. a local network zone definition
  2. a global allow rule that allows all comms to and from all traffic in the local network zone

So one solution would be to delete the current network zone, reboot, wait for the autodetection and allow it to do its work. To make sure that no tailored setting is getting in the way a clean install might be even better, then allow auto-detection to work as normal.

Of course I am not a network specialist so I may have misunderstood. If you use the re-install route and the problem is not resolved, then I’ll transfer this to verified reports.

The reason that this might work is that on some people’s machines (eg mine) autodetection has seemed in the past to work better than manually creating zone rules, possibly because it uses masks not IP ranges.

Best wishes

Mouse

If any user chooses to disable the auto-detection of network zones, it means that CF has to shut up and take care of the rest.
If you suggest that it would be better to enable it, that also means that the opposite choice is not working properly.

I have Fastweb here (ADSL via NAT); enabling auto-detection means that CF will discover a new network every 6 hours (Fastweb often changes users’ IP addresses), and that is not acceptable. And the funny thing is my PC doesn’t give me any problem with the network auto-detection disabled

So, if the rules for CF depend on other settings to work better, while each one should be independent from the others (at least the ones involved in my problem), that means that none of them is working 100% as it should.

I know CF is free, so I’ll not expect anything from the manufacturer; I’ll just keep it as it is, my father is instructed to always press OK at Windows start up, that’s my fix

NOTE: I’m not living with my parents, which means the PC involved in this discussion is not usually at hand, tks

Network zones are made for the lan ip of your computers, not supposed to change if dhcp is disabled and even if the wan ip changes every hour.

There’s no sense, as far as your first screenshot shows, in monitoring netbios communications over the lan ips (should be allowed) or the tcp outbound communications to ports 80 and 443 (also should be allowed in these circumstances, regardless of what the destination wan ip is).

Discovering new networks in this situation must be disabled once you have written your lan ips as a network zone, and you should in these conditions not be prompted at boot for anything as long as, as I said, broadcasting and bootp rules are allowed over this same lan.

If now you mean that your father is “completely remote” (i.e. that your computers access each other through the wan, with or without vpn), the question becomes indeed very different, and should probably go through dynamic ip software like No-Ip or similar.

My father’s ADSL is structured with a wi-fi antenna on the top of the building connected with the ISP (no ADSL via phone line is available in that place); everyone in the building has their own static IP released from the ISP at the first installation, and into the house comes just a network cable that should be connected directly with the PC network card.

I said “should be” because I connect it instead to the WAN port of a Linksys WRT54G, and one of its LAN ports to the PC. This configuration lets me use internet over wi-fi with my (dead) laptop.

The linksys is configured as the ISP suggested, and the PC’s network card is configured for the Linksys, like

IP: 192.168.1.2
Sub: 255.255.255.0
Gateway: 192.168.1.1

and the DNS are from the ISP

So, I think there is nothing so strange; my PC too is connected to a router in the same way, so CF should manage just the connection between the router and the PC

In my father’s house there is just one PC connected directly, and even when connecting with my laptop, only the CF installed on MY PC should be involved