Exe is blocked when executed from UNC path

Hi,

I’m having problems with the Firewall in Custom Policy mode when trying to execute a program which is on a UNC path on another computer. When this program runs it tries to connect to port 1433, but CIS doesn’t seem to recognize it when I execute the program from a UNC path.

MY PC: 192.168.0.20
Program place: \\192.168.0.21\Share\ProgramName.exe
Port use when executed: 1433 (Ms-sql)
IP destination: 192.168.0.21

SERVER PC: 192.168.0.21
Shared Program: D:\Share\ProgramName.exe
SQL Server: Listening on 1433

I’ve added the program “\\192.168.0.21\Share\ProgramName.exe” to CIS under “Network Security Policy” with all rules open (“Allow all Incoming and Outgoing requests”), but CIS asks me 3 times:

ProgramName.exe is trying to connect to the Internet
ProgramName.exe could not be recognized and it is about to connect the Internet. If it is one of your everyday applications, you can allow this request.

… then I push “OK” 3 times to allow it, but it doesn’t run; the program finally gives a connection timeout.

It only works when:

  • Firewall is “Disabled” or “Training Mode”
  • Or if I add a final rule in “Network Security Policy” allowing “All Executables” or “All Applications” outgoing to port 1433.

Does anyone know if UNC exe’s are recognised in CIS?

Sorry for my English. Thanks!!

I can’t tell for sure if UNC paths are supported; I never use them, but I think they are.

I need a bit more information to see if I can help you out here.

Is CIS running on your PC only or both on your PC and your server? How does the traffic flow from the program started at the server? Does it connect to a web site on the web or does it try to connect to your computer on the local network?

Hi Eric,

  • CIS is only running on “My PC” (192.168.0.20)
  • CIS is not running on “Server” (192.168.0.21)
  • Traffic Flow:
  1. My-PC has previously logged on to the Server file share and has access to \\192.168.0.21 over protocols 139 and 445 (NetBIOS)

  2. My-PC executes an “MTR.exe” link which is on My-PC

  3. The “MTR.exe” file is on the Server at \\192.168.0.21\mtrgest\MTR.exe

  4. The Server sends the file “MTR.exe” over protocol 139 or 445 to My-PC

  5. My-PC executes “MTR.exe” in memory

  6. “MTR.exe”, executed on My-PC, ONLY tries to connect to the Server over port 1433

  7. My-PC asks to allow access (Comodo pop-up), although it already has access in “Application Rules”; I push Allow 3 times, but finally the connection is lost.

  8. In the Comodo log it doesn’t appear as Blocked; it only appears as “Asked”

  9. After this, when I access “Application Rules”, Comodo has added 3 new rules to the program rule:

Allow TCP Out from MAC Any to IP 172.26.0.21 Where Source Port is Any and Destination Port is 1433

  10. If I try to execute it again the result is the same, but it adds 3 more new rules as in point 9.

====================

It Only Runs IF:

  • If I set the Firewall status to “Disabled”, the application runs with no pop-ups

  • If I put a final rule in “Application Rules” created as “Executables” with:

Allow TCP Out From MAC Any to IP 172.26.0.21 Where Source Port is Any and Destination Port is 1433

=====================

It seems it doesn’t recognise the application when it is on a UNC path and skips the rules inside.

As you can see in the pictures, all IN traffic is open too in “Global Rules”.

I attach some pictures about it:

Picture 1: “Application Rules” as defined initially
Picture 2: “Global Rules”
Picture 3: “Network Zones”
Picture 4: Traffic without executing the MTR.exe program
Picture 5: Traffic when executing the MTR.exe program (when firewall disabled)
Picture 7: Pop-up when executing the MTR.exe program (pop-up 3 times)
Picture 8: Connection error after pushing Allow on the 3 pop-ups.
Picture 9: Firewall log after I have tried the connection
Picture 10: “Application Rules” after I have tried the connection (Comodo adds these rules automatically when I push Allow on the pop-up alert message)

Regards and Thanks !!

[attachment deleted by admin]

Thank you for your extensive report. Your name and postcount might suggest you’re a rookie, but not with regard to network-related stuff. It took me a little while to understand how you set up your network.

Before I continue I have a couple of questions.

Do I understand correctly that you have two local networks? One in the 192.168.1 range and one in the 172.26.0 range (grossly speaking)?

Is there a server at IP address 192.168.1.21 and a server at 172.26.0.21? Or are we talking about one server with two network adapters connected to two different subnets?

What is the function of these two subnets for the work you do? This may help to get a better understanding of your situation.

Hi Eric,

Oops, sorry for the cut & paste; I made a mistake when I was writing my last post because I copied some parts of the first post, where I had put IPs of the net “192.168.0.x” as an example.

There is only one IP net, which is “172.26.0.X”, and it is the net you can see in the pictures. The correct IPs are:

  • “MY-PC”: (172.26.0.20)
  • “Server”: (172.26.0.21)

I post the correct message again. Thanks again!!!:

Hi Eric,

  • CIS is only running on “MY-PC” (172.26.0.20)
  • CIS is not running on “SERVER” (172.26.0.21)
  • Traffic Flow:
  1. “MY-PC” has previously logged on to the “SERVER” file share and has access to “\\172.26.0.21” over protocols 139 and 445 (NetBIOS)

  2. “MY-PC” executes an “MTR.exe” link which is on “MY-PC”

  3. The “MTR.exe” file is on “SERVER” at “\\172.26.0.21\mtrgest\MTR.exe”

  4. “SERVER” sends the file “MTR.exe” over protocol 139 or 445 to “MY-PC”

  5. “MY-PC” executes “MTR.exe” in memory

  6. “MTR.exe”, executed on “MY-PC”, ONLY tries to connect to the “SERVER” over port 1433

  7. “MY-PC” asks to allow access (Comodo pop-up), although it already has access in “Application Rules”; I push Allow 3 times, but finally the connection is lost.

  8. In the Comodo log it doesn’t appear as Blocked; it only appears as “Asked”

  9. After this, when I access “Application Rules”, Comodo has added 3 new rules to the program rule:

Allow TCP Out from MAC Any to IP 172.26.0.21 Where Source Port is Any and Destination Port is 1433

  10. If I try to execute it again the result is the same, but it adds 3 more new rules as in point 9.

====================

It Only Runs IF:

  • If I set the Firewall status to “Disabled”, the application runs with no pop-ups

  • If I put a final rule in “Application Rules” created as “Executables” with:

Allow TCP Out From MAC Any to IP 172.26.0.21 Where Source Port is Any and Destination Port is 1433

=====================

It seems it doesn’t recognise the application when it is on a “UNC path” and skips the rules inside.

As you can see in the pictures, “all IN Traffic is Open” too in “Global Rules”.

I attach some pictures about it:

Picture 1: “Application Rules” as defined initially
Picture 2: “Global Rules”
Picture 3: “Network Zones”
Picture 4: Traffic without executing the “MTR.exe” program
Picture 5: Traffic when executing the “MTR.exe” program (when firewall disabled)
Picture 7: Pop-up when executing the “MTR.exe” program (pop-up 3 times)
Picture 8: Connection error after pushing Allow on the 3 pop-ups.
Picture 9: Firewall log after I have tried the connection
Picture 10: “Application Rules” after I have tried the connection (Comodo adds these rules automatically when I push Allow on the pop-up alert message)

Regards and Thanks !!

Thanks for updating with the network addresses.

In the rule for MTR.exe you made a rule called Allow All IP. What traffic does this allow? All traffic incoming and outgoing for all IP protocols?

I have the same problem when I run an application from the network which connects to a database server:

\\servername\sharename\applicationname.exe
or
z:\applicationname.exe
where z: is a mapped drive of \\servername\sharename

A Firewall Alert pops up and I tick Remember my answer and press Allow, but after 3 sec the same Alert pops up again, and it never ends. On every Allow press the firewall makes the same new custom policy for this application:

“Allow IP Out From MAC Any To MAC Any Where Protocol is Any”

I changed “Out” to “In/Out” manually; it didn’t help.

But what is interesting: if I untick “Remember my answer” when the Alert pops up and press Allow, the application manages to connect to the database and there are no more pop-ups till I run this application again.

Hi Eric,

The Rule “Allow All IP” is:

Action: Allow
Protocol: IP
Direction: In/Out
Source: Any
Destination: Any
IP Details: Any

I put this rule in to verify that incoming and outgoing traffic weren’t blocked, but the result is the same if I put in the correct rule, which could be:

Action: Allow
Protocol: TCP
Direction: Out
Source: Any
Destination: Any
Source Port: Any
Destination Port: 1433

Regards and Thanks !!

Thanks. Your rules are now clear to me and in the situation with paths on the local hard drive these rules would work.

Since I am not sure if and how CIS handles UNC paths I asked the other mods to share their insights.