CIS changes firewall level, disables logging, and adds files to safe list itself

CIS 5.8 latest.

Comodo occasionally makes the following changes sporadically.

  1. New network detected “out of the blue”
  2. Firewall logging is disabled by itself
  3. Firewall level changes from custom to safe.
  4. Non-trusted executable files are placed in the safe files list and they have to be purged almost daily.

Occasionally a new network is detected and I block it because, since I’m running off a modem, no new network should be detected. I don’t have any routers connected, yet CIS detects new networks without explanation in the 192.xxx.xxx.xxx range. This is something I can’t figure out. Nothing is logged because the logs are disabled by itself (see #2).

Then when I go into the logs I see there are none so I check the security policy and guess what! Logging is disabled in Global Rules.

Then I notice that somehow the firewall level is repeatedly being changed from custom to safe. Then I have to purge non-trusted files out of the application rules.

What would cause firewall level to change to safe, logging being disabled, and files added to the network security safe list?

Comodo decides to disable logging by default. They will even disable it at random times even after you go into network security policy and edit the “block ip in…” rule to log as firewall event when this rule is fired, which is what you have to do. But change the stealth settings wizard to block all incoming connections.

CIS is the only freaking firewall in the world that doesn’t want you to log firewall alerts.

Christ, this is really getting pathetic.

Please don’t cross post your own issues into other members topics. Since your own topic has not been addressed yet I think you are making certain assumptions that could easily turn out to be wrong and cause confusion. Thanks.

And with your delightful edited addition… I now give you a warning. Do not do this any more. Thanks.

I’ve now split (source topic) & merged your post back to your own topic.

Export the Entire Period of the Configuration Changes log, zip the resulting HTML file and post them here as an attachment.

  1. DHCP… that random address is probably your Network Adapter.
  2. It doesn’t do this. However, your additional text suggests that you’re talking about the Log check box on single Global Rules. The Stealth Ports Wizard process could do this since it rewrites those rules.*
  3. Not heard of this previously.
  4. Please define “non-trusted”, can you give examples? Purged? Temporary installation files?

edit: *The Stealth Ports Wizard is a process, not a setting.

I just realized that I had Hotspot Shield installed previously. I uninstalled Hotspot Shield because it was changing Comodo DNS with its own DNS. I saw that there was still a BHO running for Hotspot Shield when I used KillSwitch.
I think it was trying to connect back to the internet when Comodo detected a new network.

The object that keeps being added to the safelist is askslib.exe, which I think is part of the Ask toolbar. It’s not trusted because when I select purge, it asks me if I want to delete it. This happens maybe once every couple of days. Even though I have unrecognized files set to BLOCK.

As far as the firewall logging being disabled, I can only assume it’s because the stealth ports wizard was accidentally being changed. When I change from stealth all my ports to stealth on a case by case basis, back to full stealth, firewall logging is disabled again.

I’m going to add askslib.exe to my blocked files from now on.

OK. This being the case then this alert should no longer appear.

If the trusted file can be purged that means that it no longer exists. Given that, I would suspect that this file is being created as part of an application installation/update. Blocking the component may work, but it may also break the installation/update process that originally creates it. So, you’ll need to keep an eye out for that.

Yes, the Stealth Port Wizard does rewrite the Global Rules. So, this is clearly possible.