Firewall cannot handle rules correctly for Python script

I use the firewall with custom rules. In the latest updates Python script filtering has been improved, but unfortunately the rules management doesn’t work well with some Python scripts, and Comodo seems unable to save the rules, asking continuously if I want to allow internet access for the same scripts. It makes a new rule for every execution, saving in

C:\ProgramData\Comodo\Cis\tempscrpt

tons of different

C_python.exe_somehashcode.cmd

for the same script (one for each execution)

To reproduce the issue: set the Firewall to use custom rules, download qBittorrent x64 and try to use the search torrent feature that is based on Python. For every search CIS will ask you if you want to allow internet access, even though you have set it to remember the rule.

All these rules have been created for the same script.

Software version: latest CIS 10.0.1.6209 all updates installed
OS: Windows 10 x64

Cmd can be executed by malware to erase or modify files on our PCs. Before it was blocked, now execution is isolated in auto-containment; even so, in certain cases cmd can execute malicious commands.

CIS is correct

CIS must identify what script has been launched and save the rule according to my decision, not create a different rule each time for the same command. Blocking CMD commands and script launches is correct; the inability to save the rule is a bug.

Turn off embedded code detection for Python in Settings > Advanced Protection > Miscellaneous > “Do heuristic command-line analysis for certain applications” link > switch off under the Embedded Code Detection column for python.exe.

This lowers the security level of the firewall. As I have said, the problem isn’t in the detection itself, which is correct, but in the way the firewall saves the rules, which for some Python scripts doesn’t work well, probably due to a bug or poor rules management.

If you look at the contents of those cmd scripts in the tempscrpt folder, you will notice each one is different, which is why you have so many: each script has a different name due to the hash being different. Those hex digits represent the hash of the file.

The script is the same, only the argument is different. These cmd files are generated by CIS, and the Firewall shouldn’t calculate the hash of the whole command; the hash should be based on what script is requiring internet access, and the rule should list the related script, not such temp cmd files. It’s clear that something is wrong and this isn’t correct behavior.

This rule is not safe, but it can serve until Comodo finds a solution.

C:\ProgramData\Comodo\Cis\tempscrpt\C_python.exe*.cmd

The wildcard eliminates the hash part.
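The behaviour discussed in the posts above, as an added example that is not part of the original thread and not Comodo's code: it compares a rule identity derived from the whole command line, the wildcard rule, and an identity derived from the script alone. The sample command lines, the SHA-1 hash and the names `temp_name`, `script_key` and `wildcard_matches` are assumptions for illustration; the thread does not state how CIS computes the hash.

```python
import fnmatch
import hashlib
import shlex

# Constructed sample command lines (not taken from the thread): the same
# script run with two different search arguments, plus an unrelated script.
SAMPLES = [
    r'C:\Python\python.exe "C:\qbt\nova2.py" all "ubuntu iso"',
    r'C:\Python\python.exe "C:\qbt\nova2.py" all "debian netinst"',
    r'C:\Python\python.exe C:\Users\x\Downloads\unknown.py',
]

# python.exe options that take the next token as their value.
OPTS_WITH_VALUE = {"-W", "-X", "--check-hash-based-pycs"}


def temp_name(cmd):
    """Hypothetical name in the C_python.exe_<hash>.cmd pattern, hashed over the whole command."""
    digest = hashlib.sha1(cmd.encode("utf-8")).hexdigest().upper()  # hash choice is assumed
    return "C_python.exe_" + digest + ".cmd"


def script_key(cmd):
    """Identity built from interpreter + script (or -m module / -c code), ignoring script arguments."""
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    interpreter, rest = tokens[0].lower(), tokens[1:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in ("-c", "-m") and i + 1 < len(rest):
            kind = "inline" if tok == "-c" else "module"
            return (interpreter, kind + ":" + rest[i + 1])
        if tok in OPTS_WITH_VALUE:
            i += 2          # skip the option and its value
        elif tok.startswith("-"):
            i += 1          # skip a flag such as -u or -B
        else:
            return (interpreter, "script:" + tok.lower())
    return (interpreter, "interactive")


def wildcard_matches(name, pattern="C_python.exe*.cmd"):
    """True if the wildcard rule from the thread would cover this temp file name."""
    return fnmatch.fnmatchcase(name, pattern)
```

The first two samples get different temp names but the same `script_key`, while the wildcard also matches the temp name of the unrelated third script, which is why that rule is broader than a per-script rule.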

You don’t have to try Torrent software. Windows 10 is already enough to run into these issues.

Scheduled tasks periodically create sets of files running Dismhost and the cleanup manager as part of Windows updates and system checks.

As these activities usually happen when the system is unattended (in the middle of the night), pop-ups won’t be confirmed.

It would be nice to have as part of the heuristic scanning of scripts a component that recognizes safe scripts and allows them to run without further firewall/HIPS pop-ups.

Cheers,
–Jürgen

Same problem in 2019.

Can you please elaborate on the solution for the 2019 CFirewall version?
Thanks in advance.

Assuming you are referring to trying to use Python and/or the ‘Search Engine’ feature in qBittorrent that requires python, then as futuretech has already stated, you will need to disable ‘Embedded Code Detection’ for python.exe.

You can try and leave ‘Heuristic Command Line Analysis’ Enabled.

Hello and thanks for the fast answer. I did what you recommended but it doesn’t seem to fix the problem.

I have that problem with Jupyter, Spyder from Anaconda Python IDLE. (I do not use any torrent service.)

Looking forward,
Dave