Does "Application Rules" ignore Attacks on "Windows Operating System"

Hello,

I’d like to report a weird behaviour of CPF v3 that bugged me for quite some time:

At the beginning I used Comodo v3 more or less with the pre-defined rules, but since I switched over from Comodo v2 I added a final blocking rule to the gobal rules, like it was the case in v2 (seems like Comodo reduced the global rules in v3 to the absolute minimum).

Last global rule: “Block IP In From IP Any To IP Any Where Protocol Is Any”

The strange thing is according to the event logs Comodo blocks now a lot of intrusion attempts on “Windows Operating System” it never noticed before!
As far as I know “Windows Operating System” is listed as “System” in the Application Rules tab.
I run Comodo in “Custom Mode” (ask what to do on every connection attempt), but I never got any requests “Some IP tries to connect to application: System. Allow or Block”!

So, does Comodo only block intrusion attempts on “Windows Operating System” if you block them with a global rule, or does it also block them if you run Comodo with the standard rules and simply doesn’t show any Pop-Up messages even if you run it in “Custom” mode (ask for every connection)?

All my Windows programs are set to outgoing only. Read here for more info.

https://forums.comodo.com/empty-t14948.0.html

Windows Operating System (WOS) and System are not the same. WOS used to called System Idle Process (more or less confusing? :wink: ) in CFP3, and indicates traffic not routed to any particular application. System is the Windows Kernel functions. Your block all indicated WOS because it is blocked before it hits any particular application. You can list WOS in the application rules by going to the running processes and selecting it if you prefer that to using the global rule.

You are right about that. When I deactivate the global rule, I get incomming attempts on svchost.exe port 137.
But those occur just every few minutes. As soons as I activate the global rule the logfile notices attacks every second!
Those can’t be just the connection attempts that are directed to svchost and intercepted by WOS.

So there are definitely some connection attempts that simply “vanish” if you are using Application Rules only, even if you log all blocked connection attempts and set the firewall to “custom” mode!


http://img3.imagebanana.com/img/bm7g92v7/thumb/attacks.png