CIS 5.3.181415.1237 creates wrong firewall rules [NBZ]

The bug/issue

1. What you did:
I run a web server on my host (10.1.1.1/24:80). A global rule allows incoming traffic on TCP/80. No application rule for webserver.exe exists, and the firewall alert frequency level is set to “Very high” - all checkboxes checked except “This is an…ICS Server”. Now I connect from client 10.1.1.2. An alert pops up saying “10.1.1.2 - TCP, Port 80 wants to connect to webserver.exe”; I click “Allow this request” and tick “remember my answer”. CIS now auto-creates an IP MASK rule for 10.1.1.2/255.255.255.0 instead of a rule for just the one SINGLE HOST 10.1.1.2/32. When I don’t check “remember my answer”, CIS acts the same way (all subsequent inbound connections to TCP/80 are automatically allowed!) - it just does not create a rule (of course).

2. What actually happened or you actually saw:
CIS creates an IP Mask-based rule instead of a Single IP rule at the “Very high” alert level for inbound connections.

3. What you expected to happen or see:
“Very high” FW alert level should create a rule/notify me for every different Endpoint (IP:Port)!

4. How you tried to fix it & what happened:
There’s no way to fix this from the user side.

5. Details (exact version) of any software involved with download link: n/a

6. Any other information you think may help us: This bug has existed since V3.x already!!!

Files appended

  1. Screenshots illustrating the bug: n/a
  2. Screenshots of related event logs or the active processes list: n/a
  3. A CIS config report or file: n/a
  4. Crash or freeze dump file: n/a

Your set-up

1. CIS version & configuration used: CIS 5.3.181415.1237 (Firewall Only). Defense+ temp. disabled
2. Whether you imported a configuration, if so from what version: No. Clean config.
3. Defense+ and Sandbox OR Firewall security level: Def+:Disabled, Sandbox:Disabled, Firewall:Custom
4. OS version, service pack, no of bits, UAC setting, & account type: Windows 7 Enterprise English, 32Bit, (SP1 installed or not makes no difference - tested both cases) UAC disabled, local Administrator account
5. Other security and utility software running: none
6. CIS AV database version: n/a
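As an added illustration (this is not code from the report or from Comodo), a small Python model of the two rule shapes described above: the IP Mask rule CIS reportedly creates versus the single-host rule the reporter expected. Rule fields, the matcher and the audit helper are my own constructions; the check flags any “allow” rule that covers more than one remote host, which is what a “Very high” per-endpoint policy should never contain.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified inbound firewall rule (constructed for this example)."""
    action: str                       # "allow" or "block"
    proto: str                        # e.g. "TCP"
    remote: ipaddress.IPv4Network     # remote hosts the rule applies to
    port: int                         # local destination port


def rule_matches(rule: Rule, src_ip: str, proto: str, port: int) -> bool:
    """True if an inbound connection from src_ip to proto/port hits this rule."""
    return (rule.proto == proto and rule.port == port
            and ipaddress.IPv4Address(src_ip) in rule.remote)


def allowed_by(rules: list, src_ip: str, proto: str, port: int) -> bool:
    """First-match evaluation; no match means CIS would raise an alert (False)."""
    for rule in rules:
        if rule_matches(rule, src_ip, proto, port):
            return rule.action == "allow"
    return False


def overly_broad(rules: list) -> list:
    """Audit: allow rules whose remote is wider than a single host (/32)."""
    return [r for r in rules if r.action == "allow" and r.remote.prefixlen < 32]


# Constructed sample rules, built from the values in the report above.
# CIS_RULE is the IP Mask rule the report says gets auto-created (10.1.1.2 with
# mask 255.255.255.0, i.e. the whole 10.1.1.0/24); EXPECTED_RULE is the single
# host rule the reporter expected at the "Very high" alert level.
CIS_RULE = Rule("allow", "TCP",
                ipaddress.IPv4Network("10.1.1.2/255.255.255.0", strict=False), 80)
EXPECTED_RULE = Rule("allow", "TCP", ipaddress.IPv4Network("10.1.1.2/32"), 80)

if __name__ == "__main__":
    # Any other host on the LAN slips through the mask rule without an alert.
    print("10.1.1.50 allowed by CIS rule:", allowed_by([CIS_RULE], "10.1.1.50", "TCP", 80))
    print("10.1.1.50 allowed by expected rule:", allowed_by([EXPECTED_RULE], "10.1.1.50", "TCP", 80))
    print("Over-broad allow rules:", overly_broad([CIS_RULE, EXPECTED_RULE]))
```

Running the audit over an exported rule set is a quick way to spot remembered answers that quietly widened to a subnet.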

Could you please post the missing information and include it in your first post.

  1. OS version, service pack, no of bits, UAC setting, & account type: Windows 7 Enterprise English, 32Bit, UAC disabled, local Administrator account

Thank you

Dennis

Which info is missing?

Service pack: SP1 installed or not yet installed?

Thank you for your issue report in the correct format.

Moved to verified.

Thank you

Dennis

And of course it isn’t fixed even in the latest 5.12.x versions, and I bet an arm and a leg that the same BUG is in version 6… Hard to understand why that nasty bug can’t be resolved…

The making of the non-specific rule is one issue, which I understand can be resolved by expanding the additional options box on the alert before making your choice. I think this hidden option is regarded as a ‘design feature’, though not by me. :)

The fact that it remembers the general rule when you don’t tell it to is another, more serious bug, which I did not know about. Certainly worth testing both against the CIS 6.0 beta, and reporting if you can.

Best wishes

Mouse