CIS Changes Predefined Firewall Application Rule to Custom Rule

Why does CIS change a firewall rule that I set up from a predefined rule to a custom rule?
For example if I create a firewall rule for C:\Windows\explorer.exe and use the predefined ruleset “Allowed Application”. After a few minutes, when I look back at the firewall application rules, the “Treat As” column will show this entry changed from “Allowed Application” to “Custom”.

The description of the rule changes from “Alllow all Incoming and Outgoing Requests” to just “Allow all Requests”. But looking at the details of the rule it doesn’t look as if anything else has changed.

This behaviour occurs on many different applications I create rules for, not just explorer.exe.

Probably because you responded to a popup for an application to be launched under explorer.exe, with remember checked and it overwrote the rule.

Yes that was the reason. Great Answer aim4it!

Explorer.exe was getting blocked by HIPS and showing up in the Blocked files list. When I saw it there I was unblocking it which must have been overwriting my rule.

The odd thing is that, according to the log file, HIPS was blocking it for trying access memory, and its target was the Comodo cis.exe file. I wonder why it is always going after that one Comodo file?

The other thing is that I have a HIPS rule that sets explorer.exe as an “allowed application”. So it is allowed to access memory. The only thing an allowed application is not allowed to do is run an executable. So I wonder why HIPS was blocking explorer.exe in the first place?

The comodo internet security file group HIPS rule has the protection settings for interprocess memory access enabled which prevents all processes except what is set in the exclusions from accessing CIS processes in memory as part of its self protection. You can add explorer to the exclusions if you want to stop the block logged events.

That makes perfect sense. You don’t want other programs messing with your firewall!