CIS 4.0.135239.724 x64 ignores firewall rules.

I noticed that I received an excessive amount of intrusion attempt alerts. So I activated the “create rules for safe applications” option in firewall behaviour settings. However, there are still a number of connections that CIS blocks for no apparent reason.

I have manually created rules for them, but unfortunately it makes no difference for CIS.
Here’s a screenshot of my log as well as the rules that I created (allow ICMP for System, and allow UDP for svchost).

http://i984.photobucket.com/albums/ae328/Squassation/logviewer.jpg

http://i984.photobucket.com/albums/ae328/Squassation/networksecuritypolicy.jpg

I have the same problem…

In my case, I made two rules for eMule but I can never open the ports correctly…

Finally, I “resolved” the problem by downgrading to version 3.14…

How do I have to configure the Firewall to open any port…???

Thanks for all…

Best regards…

I haven’t upgraded yet on my production machine, but I notice a couple of inconsistencies in your rules:

  1. the IP range mentions the higher address first, maybe this confuses the engine? Why not use the LAN IP mask instead?

  2. for the remote desktop rule, you should try setting the source port to “any”. I’m not sure the controller machine uses port 1900 locally…

In order to get the rule for svchost.exe to work you first need to move the svchost rule above the All Applications rule. When it is under the All Applications rule it will follow the rule set by the All Applications rule; it is subordinate.

The default Global Rules changed for the Internet Security configuration with v4. By default all unsolicited incoming traffic will be blocked.

You need to make 2 Global Rules: one to allow incoming ICMP traffic (type 3, code 4, also known as Fragmentation Needed) and one for incoming traffic on port 1900 UDP coming from your router.

On a side note, I am puzzled by the fact you get the Fragmentation Needed ICMP message from your router. What is your network situation? A regular consumer local network, or are you on a LAN at your work? What is the name and number of your router?

Thank you all for replying.
What I did is set “allow all requests” (ICMP protocol) for Windows Operating System, and allow all UDP traffic for svchost.exe.
I placed Windows Operating System on top of all and svchost second.
So far I haven’t received any more intrusion attempt alerts. I just hope I haven’t compromised my security by allowing everything for Windows Operating System.

As for the ICMP messages, I don’t know if I’m supposed to receive them or not. I’m on a simple home network: my PC and my laptop (which is connected via Wi-Fi).
My wireless modem-router is a Gennet Oxygen router.

Also, from time to time CIS gives me a pop-up requesting to add a new private network, totally unknown to me (at least it does not show up in Network and Sharing Center). Sometimes I add it to my blocked network zones. Right now I have it removed, just to see if it is detected once more. I don’t know if it has anything to do with all this though.

And one last thing: I have selected the “do protocol analysis” option in firewall behaviour settings.

I was wondering, do the ICMP messages go away when you disable “Do protocol analysis”?

Your security is not compromised when allowing the ICMP messages for WOS. It will get rid of them in the logs.

Next time you get the new private network alert, see what IP address it reports. It is probably in the 169 range. When Windows doesn’t see a network it will give itself an IP address in the 169 range.

When you see an alert for the 169 range it means there is no connection. Typical causes for that could be failing hardware or drivers, or it may also be a glitch connecting to your wireless router.

I disabled protocol analysis and removed the ICMP firewall rule for WOS, and the ICMP alerts came back.

Also you were right about the new private network. It is 169.254.175.187. That means that there is no reason to place it in my blocked network zones.

This is a configuration bug caused by the “All Applications” group.
It allows everything out, but in this case blocks incoming ICMP traffic destined for WOS.

You can solve this by adding two ICMP rules to the “All Applications” rules.

Add “Allow ICMP IN any any Time Exceeded” and “Allow ICMP IN any any Fragmentation Needed”, and make sure to place them above “Block and log All Unmatching Requests”.

Devs have been notified.
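The two fixes in this thread (moving the svchost rule above the “All Applications” group, and adding the ICMP exceptions above “Block and log All Unmatching Requests”) both come down to first-match ordering. The following added example, which is not part of the thread or of CIS itself, models that ordering with a small first-match evaluator over constructed packets, plus the 169.254.0.0/16 check for the “new private network” alert; the rule and packet shapes are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# One rule in a first-match list. "*" is a wildcard; for ICMP rules
# `icmp` is (type, code), None meaning any type/code.
@dataclass
class Rule:
    app: str
    proto: str
    direction: str
    action: str
    icmp: Optional[Tuple[int, int]] = None

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.app != "*" and rule.app != pkt["app"]:
        return False
    if rule.proto != "*" and rule.proto != pkt["proto"]:
        return False
    if rule.direction != "*" and rule.direction != pkt["direction"]:
        return False
    if rule.icmp is not None and pkt.get("icmp") != rule.icmp:
        return False
    return True

def evaluate(rules, pkt: dict) -> str:
    """First matching rule wins; unmatched unsolicited traffic is blocked."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "BLOCK"

def is_apipa(addr: str) -> bool:
    """169.254.0.0/16: the self-assigned range Windows uses without a DHCP lease."""
    return ip_address(addr) in ip_network("169.254.0.0/16")

# Constructed packets modelled on the thread's log: ICMP type 3 code 4
# (Fragmentation Needed) to the OS, and inbound UDP/1900 to svchost.exe.
FRAG_NEEDED = {"app": "System", "proto": "ICMP", "direction": "IN", "icmp": (3, 4)}
SSDP_IN = {"app": "svchost.exe", "proto": "UDP", "direction": "IN", "dport": 1900}

# Default "All Applications" group: allow all out, block the rest.
ALL_APPS = [Rule("*", "*", "OUT", "ALLOW"), Rule("*", "*", "IN", "BLOCK")]
SVCHOST = Rule("svchost.exe", "UDP", "IN", "ALLOW")

WRONG_ORDER = ALL_APPS + [SVCHOST]   # svchost rule below the group: never reached
FIXED_ORDER = [SVCHOST] + ALL_APPS   # svchost rule moved above the group
# The last post's fix: Time Exceeded (11/0) and Fragmentation Needed (3/4)
# allowed for all applications, placed above the catch-all block rule.
PATCHED_ALL_APPS = [Rule("*", "ICMP", "IN", "ALLOW", (11, 0)),
                    Rule("*", "ICMP", "IN", "ALLOW", (3, 4))] + ALL_APPS
```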