CIS (V3.x - 5.0.x) creates wrong firewall rules [#179]

The bug/issue

1. What you did:
I run a Webserver on my host (Global rule allows incoming traffic on TCP/80). No application rule for webserver.exe exists and Firewall alert frequency level is set to “Very high” - all checkboxes checked except “This is an…ICS Server”. Now I connect from client. Alert pops up saying “ - TCP, Port 80 wants to connect to webserver.exe” and I click “Allow this request” and tick “remember my answer”. CIS now auto-creates an IP MASK rule for instead of a rule for just the one SINGLE HOST. When I don’t check “remember my answer” CIS acts the same way (all subsequent inbound connections to TCP/80 are automatically allowed!) - it just does not create a rule (of course).

2. What actually happened or you actually saw:
CIS creates an IP Mask based rule instead of a Single IP rule in “Very high” alert level for inbound connections.

3. What you expected to happen or see:
“Very high” FW alert level should create a rule/notify me for every different Endpoint (IP:Port)!

4. How you tried to fix it & what happened:
There’s no way to fix this from the user side.

5. Details (exact version) of any software involved with download link: n/a

6. Any other information you think may help us: This bug has existed since V3.x already

Files appended

1. Screenshots illustrating the bug: n/a
2. Screenshots of related event logs or the active processes list: n/a
3. A CIS config report or file: n/a
4. Crash or freeze dump file: n/a

Your set-up

1. CIS version & configuration used: CIS 5.0.162636.1135 (Firewall Only). Defense+ temp. disabled
2. Whether you imported a configuration, if so from what version: No. Clean config.
3. Defense+ and Sandbox OR Firewall security level: Def+:Disabled, Sandbox:Disabled, Firewall:Custom
4. OS version, service pack, no of bits, UAC setting, & account type: Windows 7 Enterprise English, 32Bit, UAC disabled, local Administrator account
5. Other security and utility software running: none
6. CIS AV database version: n/a
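
The gap between the rule the report expects and the rule it describes, as an added example that is not part of the original post and not CIS code: it models an inbound allow rule, counts how many extra source addresses a mask rule admits beyond the one approved peer, and shows that a second client in the same range no longer triggers an alert. The `InboundRule` model, the addresses (RFC 5737 documentation range) and the /24 mask are assumptions; the report does not give the actual values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class InboundRule:
    """Hypothetical model of an inbound allow rule (not the CIS rule format)."""
    app: str
    proto: str
    dst_port: int
    source: str  # single host "a.b.c.d" or "a.b.c.d/mask"

    def network(self):
        # strict=False accepts a host address with a mask, as a mask rule stores it
        return ipaddress.ip_network(self.source, strict=False)

    def admits(self, peer, proto, port):
        return (proto == self.proto and port == self.dst_port
                and ipaddress.ip_address(peer) in self.network())

def extra_hosts(rule, approved_peer):
    """Number of source addresses the rule admits beyond the approved peer."""
    net = rule.network()
    if ipaddress.ip_address(approved_peer) not in net:
        raise ValueError("rule does not cover the approved peer")
    return net.num_addresses - 1

def needs_alert(rules, peer, proto, port):
    """True when no stored rule matches, i.e. the user would be asked."""
    return not any(r.admits(peer, proto, port) for r in rules)

def audit(approvals):
    """approvals: (approved_peer, rule created from that alert) pairs."""
    findings = []
    for peer, rule in approvals:
        extra = extra_hosts(rule, peer)
        if extra:
            findings.append((rule.app, rule.source, extra))
    return findings

# Constructed sample data: RFC 5737 documentation addresses, assumed /24 mask.
APPROVED = "192.0.2.10"
MASK_RULE = InboundRule("webserver.exe", "TCP", 80, "192.0.2.10/255.255.255.0")
HOST_RULE = InboundRule("webserver.exe", "TCP", 80, "192.0.2.10")

if __name__ == "__main__":
    print(audit([(APPROVED, MASK_RULE), (APPROVED, HOST_RULE)]))
    print(needs_alert([MASK_RULE], "192.0.2.77", "TCP", 80))  # second client, same range
    print(needs_alert([HOST_RULE], "192.0.2.77", "TCP", 80))
```
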

Yes, setting Alert level to Very High should cause incoming rules to be created on Single IP AND Destination Port.
Just like it does for outgoing connections.

OK, so this looks valid, to judge by Ronny’s comment.

I would very much appreciate it if you would edit your first post and its title to put your bug report in the standard format. See here. Please see below for why.

When you have done that I will forward it to the verified issues Board, and it will be given a bug number so we can track the devs’ attempts to fix it.

Many thanks in anticipation for your co-operation.


Bugs/issues can be impossible or very time consuming to fix if not well described. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, if an issue is not described in the format below, your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Done. Thank you.

This verified issue is still not solved in 5.3.175888.1227: I’m a little bit surprised, since this is not a trivial one and has existed for years…

This thread’s topic should be renamed, since the bug is also present in versions >5.0.x