Firewall alerts too fast to respond to

Using up to date CIS firewall v10.0.1.6294 with W10 Pro v1703 Build 15063.632, also up to date. I use a custom ruleset with default ‘medium’ alerts frequency. Like to be asked permission, which is why I use CIS.

In last week or so, getting occasional firewall alerts that flash on and off before I can read or respond. Others work as normal. Can’t recall having this happen down many years using CIS. One alert might wait obediently but a group that follow for something else will flash by.

First assumed maybe some lag finding existing rules, but it happens for new stuff with no existing rule, like the monthly MRT tool - this has a new exe each time. Could create a wildcard rule but why suddenly need to?

‘View Logs’ lists what asked. Usually 4 or 5 requests. Not just MRT.

I understand if an alert goes unanswered the request is blocked. If an alert flashes on and off, assuming the default still blocked?

Any suggestions why this is happening? I could check the logs and create rules after the fact but I don’t want to create loads of allow rules to get around this new behaviour. I just want alerts to give me half a chance.

Activating the alert timeout makes no difference. 120 secs is the default.

Windows 10 notifications are on for CIS - could this cause some intermittent glitch?

same problem here too it does it since windows update release this week

There was a similar issue where (some) sound drivers, codecs were interfering with alerts but it’s marked as fixed. Try disabling ‘Play sound when an alert is shown’ option in Advanced Settings > General Settings > User Interface. Restart system. Just to get this one out of sight.

Thanks Windstorm. Already have sound alerts turned off. Like marcel4, only started a few weeks back - only change was a Win10 update. So far seems to affect Msoft stuff, like SIHClient.exe in system32 folder and MRT tool.

I didn’t have a rule for SIHClient.exe but Win updater always worked anyway? I’ve had to create a rule to shut the flashing alerts up. Looks like they default to block which is good, but still annoying. No idea what makes them flash on/off but will keep checking logs. History tells me these mysteries tend to self-correct after a few more updates of either CIS or Windows. :slight_smile:

Hi, Qibbler.

Thank you for reporting. The issue is under investigation. We let you know results as soon as possible.

Kind Regards,

yep the update from windows did something i do not know what i did yesterday set my computer back from a backup from before the update from windows everything worked fine then no problems with the popup alerts after the windows update got the problems again. the audio thing did not work for me.

Maybe try a clean reinstall of CIS/CFW? I don’t have any issue with how alerts appear. If you can, create a video of it happening to show the issue better.

futuretech i did that too reinstall but still the same result and making a video of it is impossible it goes that fast and i dont know when the alerts comes and go sometimes they work and then they flash on and off. if you would record that i have to set a camera on it all day

Does it happen for all applications? What you can do is remove any existing rules for say a web browser, switch to custom ruleset, then open the browser and visit a website to trigger an alert. You could record in that instance.

Hi, Qibbler.

We checked this behavior. This behavior is by design.
Only one of application can generate some different requests during a short time. If these requests will be
set in the queue, then each next request will have a timeout equaled the sum of all previous timeouts. The first alert will have timeout 120 sec, the second alert - 240 sec, …, 100th alert - 200 minutes. It is impossible.
So three alerts are appearing with timeout 120 sec, but the next alerts are appearing with less timeout.
Regarding logs with ‘Asked’ but without ‘Blocked’. It looks like one of your rules used option ‘Log as firewall event…’.
Log ‘Blocked’ will register to the Firewall logs in two cases:

  1. When we click ‘Block’ on the alert.
  2. When we use enabled option ‘Log as firewall event’ for one of the used rules.

The first case (look at screenshots Case_1[1-7]): ‘Log as firewall event…’ is disabled.
In this case three first alerts appear through 120 secs. The next alerts appears with less timeout:
‘Block’ action is absent, because we don’t use action ‘Block’ in the appeared alert and ‘Log as firewall event…’ is disabled.
But if we open ‘Related alert’, we see that ‘Answer’ is Deny (Block).

The second case (look at screenshots Case_2[1-3]): ‘Log as firewall event…’ is enabled:
In this case three first alerts appear through 120 secs, but related alerts don’t appear as alerts.
The next alerts appears with less timeout.

So, to avoid the rapid appearance and loss of alerts, you must respond to alerts in time (apply the action), and not wait until they are lost by timeout.
Checkbox ‘Log as firewall event…’ is enabling advanced logging.

hi sergey.grechko
yes what you have found seems to work but the next problem (my problem)
is that i mark things in the popup alerts what i trust or want to block as remember my answer
and when i go downstairs to drink coffee and come to my comp back an hour later i get the flashing popups again and what did get my mention if i do start my comp again i get the same alerts what i have marked as remember my answer so somewhere there must be a glitch i do not know if this worked for Qibbler
but same story i use comodo firewall from from the beginning when it started years ago never had a problem with it
but i trust it will work out in the future.

Thanks sergey.grechko for time spent and excellent illustrations. The good thing is the fast flashing alerts defaulted to block far as I can tell. Sorted out SIHCLient.exe and MRT using the View logs and created new rules, and will study your illustrations.

Never had this flashing effect (too fast to read) in years using CIS but will master it!

Hi, marcel4.

Thank you for reporting. Could you please provide Firewall logs, config (via Configuration - Select active profile - Export) and screenshots of alerts which you allowed or blocked, but they are appearing again.

hi sergey.grechko

i did a clean install again and now i have no problems anymore
but thanks anyway