Comodo Firewall 5.3 Does Not Block Inbound or Outbound in Default Safe Mode

Vista x64 SP2 and all updates, around 2 dozen programs installed, all fairly popular and trusted (trusted being relative) (Word, Excel, Photoshop, PerfectDisk, Roxio Creator, etc.).
I’m a Computer Technician with ~25years experience, endlessly combating this big mess of customers problems and my own.
Well, by my own choice, I have to admit, so feel free to answer here with adult talk, 3rd grader talk (which I like better), or any other technical lingo. Comodo Firewall for Dummies.

Anyone aspiring to work in the computer field, I advise you not to do it. Work at McDonald’s instead :slight_smile:

Here’s my very bottom line first:
I installed Comodo Firewall yesterday (all default settings) and it isn’t blocking anything at all, in or out.

And there’s a reason for them to think default settings are fine. They are going on their new belief that if anything is in their 2 million strong ‘cloud’, it’s fine, otherwise it gets blocked.

My philosophy is, it’s all bad unless I say otherwise.

Thanks to that CF’s new loosey-goosey blocking methods, after I post this, I have to re-install Windows and all my drivers and software.

Somehow in the last 24 hours, since I installed Comodo Firewall and turned all others off (Windows firewall, modem firewall, and router firewall), I have somehow received something nasty.

All my programs are getting uninstalled one by one. First were my Sidebar gadgets (extremely obvious to see they’re not there). Next (that I caught anyway) was WinRAR (had zipped files on my desktop and their icon turned to a text file icon, exactly the same as a file with no associated program, which it hasn’t). Then AVG Anti-virus (no more taskbar icon) and my sound card drivers (sound quit).

Now, don’t think that I have bad RAM, hard drive going bad, etc. because these programs, take WinRAR for example are disappearing very neatly and methodically, Searching the entire C: drive for anything related to WinRAR yields nothing, same with the Registry, no desktop icon anymore, or any entry in the Start Menu.

If all that’s going on, you can be certain there are system files disappearing too.

Before, when I used CF, I would amuse myself by looking at the Firewall Events or logs and look at the HUNDREDS of attempts to hit my IP address with all sorts of probing, pinging, etc. but CF used to blocked it all, and ask me what to do about it.

But now, after ~24 hours, on the ‘Summary’ tab, it says ‘Firewall has blocked 0 intrusions so far’ and Defense+ says ‘Blocked 0 intrusions so far’. This in contrast to the hundreds of blocks I mentioned earlier, in earlier versions of CF.

Before, I was also not very pleased to find out the large number of Windows itself plus all my programs that were making attempts at the Internet without my permission.

I always disable that option in the programs themselves and never allow it. Well, when I first used CF years ago, come to find out, much to my surprise, disappointment, and anger, they were doing so anyway, behind my back!

Serious reasons why you don’t like that:

Most people may suspect, but not actually know, Windows for example, keeps tabs on practically everything you do. I mean a lot.

I was looking in the Registry Editor once to change some setting or the other and came across some surprising keys with their certain values.

Windows keeps tabs on, and stores in the Registry, every single time you open Word, Excel, etc. and how long it is open, how long it was idle while open, and how long you were active while it was open.

You may expect that behavior out of Microsoft, but here’s worse. I also came across some key that for some reason was keeping tabs on my desktop and was complaining that there was no longer a certain file there.

Well, no big deal, you may say, but the file in question wasn’t a system file or anything, it was a .jpg picture that I had dragged to the desktop where it sat for perhaps 15 seconds before I moved it to the folder I wanted!

Windows had immediately logged that activity to the Registry.

What I mean is, it had the actual name of the picture logged, not just that I had a certain type of media file there!

Somewhat like this
Name Type Data
StillImage REG_SZ Elephant.jpg
DeskTopItem REG_SZ 0x00000001 (1)
IsPresent REG_SZ 0x00000000 (0)

Anyone not familar with bits and bytes and base-16 hex and all that, 8 digits with a 1 at the end means ‘on’ or ‘yes’, and a 0 at the end means ‘off’ or ‘no’.

Yen and Yang, basically. Meaning polar opposites. 0 and 1, on and off, male and female, hot and cold, dark and light, low and high, etc. 8-bit enumeration.

The point of all that is that Windows and other programs keep entirely too much information about your behavior and don’t even hesitate to send it out from your personal machine to the Internet.

Ok. I downloaded CF v5.3.176757.1236 yesterday and installed it.

I left the default setting of ‘Safe Mode’, thinking that would ask me to to block certain traffic or allow it, like CF had always done before.

Well, it doesn’t appear to have blocked much of anything thing! I have a few programs that I explicitly did not want to send or receive from the Internet.

In fact, in ‘Firewall Events’, under ‘Action’ it says ‘Asked’ on most of them and I wasn’t asked even one time.

When I look at ‘Firewall Events’, it seems that around 25% of all my installed software has sent traffic to the Internet and have received traffic from sites I don’t recognize!

My question is, what happened to CF as to where it now has defaults so loose as to allow any traffic at all to come and go, without question.

It can’t be me goofing around in there changing the wrong things because I didn’t change anything at all, just defaults are set.

If I remember correctly, CF a while back was just bordering on annoying at first because it blocked ALL traffic until you allowed it.

For example, Internet Explorer would try to get out to browse and I would allow it and elect to always allow it. Adobe Photoshop would try to get traffic out and I would NOT allow it, and set CF to never allow it.

What happened to all that?

I know there are settings to set to get the behavior out of CF that I want but why wasn’t it set at its strictest by default?

Any help would be appreciated.

Thanks in advance,


For needs mentioned by you, that is, check all outgoing attempts, just keep CIS Firewall in Custom Policy Mode

Right Click CIS Icon - Firewall - Custom Policy Mode.

If you want to see thousands of intrusions attempts to satisfy that the firewall is actually performing

Open CIS - Firewall - Stealth Ports Wizard - Select third option (Block all incoming connections)

Now, Go to CIS - Firewall - Network Security Policy - Global Rules

Select the block rule (block IP from MAC any to MAC any) - double click and tick ‘log as firewall event if the rule is fired’.

The outcome of above in summary

  1. You will get alert for each outgoing request of all the programs in the computer (unless rule is already created under Network Security Policy)

  2. There will be thousands of incoming request blocking to make you satisfy.

Here I would like to mention that 'even if the logging is disabled, CIS will still be blocking the incoming requests - logging is to just make you ‘feel of the efficiency’.

Why safe mode in default settings? CIS thinks that all the programs available in your computer is legal and hence all digitally signed programs are given access and others are given an alert. (There is no reason to believe that this is not a right conclusion !)

CIS is for both newbies like me and technical people like you. You can always tweak it to get more alerts. If you want even more alerts - Just go to

CIS - Firewall - Firewall Behaviour Settings - Alert settings - slide the alerts to very high - You will be glad to see alerts for each port etc. CIS is rock solid when configured according to your requirements.

Hope this helps.

Hi layman,
Thanks for your informative reply and I also would like to apologize to all for the very lengthy post of mine. I guess I over-explain but I wanted my problem to be clear.
I help on the Yahoo help forums sometimes and I hate to see posts like “My computer won’t work, what should I do?”

Ok, as for your post to my question:

Your method of :
a) blocking ALL traffic in and out without prior approval,
b) how to set rules and settings to accomplish this,
c) logging ALL activity.

While waiting for a reply here, I went through every setting I could find and did accomplish what I wanted but it was much more tedious than your directions, which were easy and clear.
e.g. my method took about 20 minutes and yours? Less than 1 minute.

Here’s where I just took the “brute-force” ;D method:
Open Comodo Firewall UI, go to Firewall tab>Network Security Policy>
Predefined Policies tab.
Open each and every ‘Policy Name’ (Web Browser, Email Client, FTP client, etc.) one by one (by choosing ‘Edit’ on each one, of course).

Now, select radio button of each ‘Custom Policy’ if not already set, then going down the several rows of each, (‘Edit’ button again, on each):
a) Change ‘Action:’ ‘to Ask’,
b) check mark to ‘Log as a firewall event…’
c) (for no real reason) change Description: to ‘Ask to allow…’

It worked. Now I can see all activity that I want to see; the many hits per minute.
Now all this activity (hits trying to come in, I mean) is exactly why I always tell customers of mine to NEVER try to access the Internet for the very first time without making sure that modem firewall, router firewall, or at least Windows firewall (on by default) is on.
Like I said, your method was much easier.

One exception to your post: your conclusion that there couldn’t really be any reason besides to stop all outgoing without a pop-up and subsequent approval or denial except to see if all programs were legitimate (trusted by the cloud) or else deny all other traffic (after an Alert).

There are other reasons to deny or approve traffic (esp. outbound).
A Web browser, Windows update, Windows Defender update, etc. all inbound and outbound no problem.

However, Windows sending out my usage data of programs (Word, Excel, etc., which it does do), certain other programs checking for an update, etc., I don’t like that.
Now what I’m talking about is, a lot of programs do this even if you uncheck the option to allow this! Mostly you’re asked for this permission during the initial install of the program.
I always elect not to allow it, but they do it anyway!

I guess the key word here is ‘automatic’, I just don’t like my software doing automatic things without my permission.

For example, my system may be running smoothly, then suddenly I’m having problems like app. hangs, crashing to a blue screen, etc. Well, come to find out, without my approval or even my knowledge one program, or maybe more than one, has asked for (and received and installed) an update of some kind.
So, having no idea what has happened, I’m forced to try to roll back with a System Restore Point, and failing that perhaps, even a complete re-install of Windows.

Anyway, thanks again for the reply and the simple solution to what I was trying to do.


Really happy to know that I could be of help to you.

The conclusion mentioned was the ‘thinking of Comodo’ while setting ‘Safe Mode’ as default configuration and it was not mine. I prefer ‘Customer Policy Mode’ for obvious reasons as mentioned by you.

When I hit “Stop All Traffic” on the summary page it says “Block All” but in fact traffic goes on as before. This is confusing.
Another curious observation: “View Active Connections” on the Firewall tab shows connections but all bytes - out or in - remain zero regardless of ongoing traffic.

This is unbelievable. Someone in your company must have lost it. I’m surprised not many people have taken notice, but when they do, boy are they going to be ■■■■■■ and look elsewhere for a more trustable software.

Why the f would you allow all traffic on Safe mode and not even warn us that the blocks we have put in will be ignored ? Only sick developers would develop something that would do something totally in contrast to what it said it would, and not even warns us about it. When I checked the Events Log, it says ‘Asked, and allowed’ WTF ?? It didn’t even ask, but quietly logged it as being asked allowed which is a lie ! I cant believe I trusted this $hit all these years. I got out of ZA because of the same darn thing in their free version and now you guys mimic them ?

Agreed that Custom Policy is what we have always wanted, we need to control what goes in and out, YOU, as vendors, need to TELL us what is going to happen otherwise, and advise.

Your concept of SAFE is the same as no fking firewall at all. You cannot ever quietly change functionality over time and ignore stuff, unless you were bribed by someone into doing evil.
Initially, the SAFE mode worked the way Custom does now, now SAFE means DISABLED ??

You clowns need to get your act right. And dont try deleting this post, I am going to post it in every forum on firewalls so people are alerted to the fact that they are not really safe.

Good luck handling this situation !

Welcome to the forum :slight_smile:

May I suggest, if you believe you’ve encountered a ‘bug’, take the time to complete a bug report, of if you wish for some help understanding the settings, post a query in the Help - CIS board.

By the way, this thread is a year old…

Thanks for the response, sorry about my harsh language, but you can understand how alarming it is when something doesn’t work the way you think it does.

I know it is > 120 days old, but so what ? It is still a bad implementation. Didn’t want to start another thread as some of the OP’s concerns are mine too.

It certainly isn’t a bug, its a feature as ‘they’ intended it to be, the SAFE mode is actually in the Custom Policy mode, but who knew ? If they changed it, they shud’ve told us.

I have no doubt Comodo is a great software, and it must be the quirk of some idiot manager who thought he was smarter than the rest with this change (make Safe mode Unsafe)

I have exactly the same problem as the OP, and yes, the solution is what follows after that, my point is, it is not evident as they have changed the way this worked over the years.
Just like the OP I don’t like many applications calling home without asking me first.

And contrary to the second post, its not cumbersome to answer each and every request, but rather satisfying to know the firewall is doing its job. Heck, rather than calling it SAFE call it SIMPLE (or ALL ALLOWED), why on earth would people want a darn outgoing firewall otherwise ??

Comodo Firewall is still head-over-heels over others, (wouldn’t have still been here if not)…if they would just accept they were wrong in make it UNSAFE in the SAFE mode, I will relax and not go lambasting in other sites.

This is just as ridiculous as Pidgin storing your password in clear text without alerting you to it. Hate developers who think they know whats best for you without telling you about it.

Unfortunately, the OP is rather rambling, but if I understand correctly, you believe by placing the firewall in Safe mode, all traffic is allowed in and out without alerting the user. Is that correct? If there’s more, please provide some specific details.

THis FAQ may help explain part of it? Though I am not sure what the default alert reduction settings are in firewall only mode: FAQ here.

You have the opportunity to over-ride these rules in the installer of the complete CIS pakacge, probably the FW too, but it is not all that visible.