I think I have the same problem like this bug-report reports:
https://forums.comodo.com/firewall_bugs/safe_mode_and_gui-t29911.0.html;msg247569#msg247569
When I connect to the internet via ISDN then CIS-Firewall (in Safe Mode) automaticly add a application rule for example svhost.exe.
Java Runtime where looking for updates and the Firewall also automaticly adds a rule.
Allow IP Out FROM IP ANY TO IP ANY WHERE Protocol IS Any
Is ther a solution, or must I use Custom Policy Mode?
Welcome. 
This is not a bug.
Definition of Firewall in Safe Mode:
While filtering network traffic, the firewall will automatically create rules that allow all traffic for the components of applications certified as ‘Safe’ by Comodo. (svchost.exe is trusted as part of Microsoft Windows and Java is also trusted as part of Sun Miscrosystems Inc.) For non-certified new applications, you will receive an alert whenever that application attempts to access the network. Should you choose, you can grant that application Internet access by choosing ‘Treat this application as a Trusted Application’ at the alert. This will deploy the predefined firewall policy ‘Trusted Application’ onto the application.
If you would like CIS to alert you for every internet connection attempt, Custom Policy Mode is the mode you should switch to. You will get an alert for all applications trying to connect to the net.
I find in DEFENS+ the point Trust Vendors.
I delete all custom vendors. So there are only 2 comodo entrys there.
Now svhost.exe doesn’t have automaticly an entry in application (when svhost.exe try to access i have to answer a question yes or no) but sun java has one.
Is this because sun java is trusted by comodo?
Was there a security policy for Java already in CIS before you deleted them from the trusted vendor list?
I think no …
But I also delete the application rule for java after I delete the vendor entry for sun.
So it is confusius …