CIS Difference between Custom ruleset and Safe Mode

I’ve been using the free Comodo firewall for years, and recently paid to upgrade to CIS .
I’m confused about the difference between the firewall modes Custom Ruleset and Safe Mode. My configuration is the following:
Create Rules for Safe Applications is DISABLED
Do not show popup alerts is DISABLED.
Alert Frequency is High

I’ve read the General firewall help topic:

and I get the impression that Safe Mode only matters if the first two options are enabled. For my configuration what is the difference between Custom Ruleset and Safe Mode - do the two firewall modes operate the same, or is there something I’m missing? Thanks!

It works in tandem with File Ratings. If a file is unknown or untrusted by Comodo you’ll receive a altert but if the file is in the file list as trusted, you won’t see a altert. Ticking create rules for allowed application will fill the firewall application rules with set rules for each application. Custom rules is more for if you want to limit applications or block trusted applications from connecting out or updating but the easiest and still safe option is to leave it in safe mode. Anything untrusted will throw up a altert and contained in containment anyway.

I already know what Create Rules means and Popup Alerts checkboxes mean. What I don’t understand is, how does the firewall behave DIFFERENTLY between Safe Mode and Custom Ruleset for my specific configuration. What is the DIFFERENCE between the two options - what will the firewall do or not do.

For example, you wrote that in Safe Mode it will throw an alert, but in Custom Mode I am getting alerts. So what’s the difference?

In simple terms. They did this to improve usability some years ago. Networks you connect to are automatically added as trusted networks unless you change the Network Settings under Firewall.
In Safe Mode - If Comodo determins the file is safe then it will allow the connection to the trusted network.
In Custom Mode - You will see an alert for every application.

Another factor is the alert frequency which you’ve set to High. You’ll need to reboot to ensure the new configuration changes are in effect.

In a traditional sense, you’ll probably want to go with Custom mode and make your own decisions but I prefere a set and forget setup and just get alerts for untrusted connections.

This also works in combination with the file rating/ settings in the UI, and the vendor list. If you remove all the millions of certificates listed there (for every company under the sun…) any application signed with any of those certificates will no longer be considered ‘trusted’ and you will get a popup about them.

After using your system for a little while you should see “unrecognized files” numbers grow in the main page of the UI and you can add those detected there as trusted if you like.