If you’re running the firewall in Custom Policy mode, having an ‘Ask’ rule is redundant.
The global rules only let you choose Allow or Block so it has to stay as Block. As I understand it the system works from top rules to bottom rules so it should only block anything I haven't allowed higher up. But if I have "Create rules for Safe Applications" ticked and allow it to use cloud-based lookup behaviour (which I allowed during install but can't find the setting now) and also above the block rules there are allow rules in and out from my network so no reason why this shouldn't work.
If - as in your earlier configuration - you’ve created a Global rule that blocks both inbound and outbound connections, only those connections with a specific outbound global rule will be allowed to connect, unless you’ve created a more generic global rule that simply allows all outbound traffic. Likewise, unless the inbound connection is specifically allowed, via Global and Application rules, or is a response to a prior outbound request, it will be blocked.
Yet still I get things Blocked. Check this out.....
2012-01-24 01:53:09 Windows Operating System Blocked In TCP 192.168.0.155 2388 192.168.0.2 5000
2012-01-24 01:53:21 Windows Operating System Blocked In TCP 192.168.0.155 2388 192.168.0.2 5000
2012-01-24 01:53:45 Windows Operating System Blocked In TCP 192.168.0.155 2388 192.168.0.2 5000
2012-01-24 01:54:33 Windows Operating System Blocked In TCP 192.168.0.155 2388 192.168.0.2 5000
2012-01-24 08:25:38 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:25:41 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:25:47 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:25:59 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:26:23 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:27:11 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
These are inbound UPnP connections, which unless you create a specific rule for svchost, will be discarded by WOS, as there’s no end point for the connection.
So are you saying that Comodo doesn't recognise "Windows Operating System" as a Safe application, even with cloud-based lookup?
As I mentioned earlier, WOS is not a real process, there isn’t a WOS.exe anywhere, it’s simply a pseudo process used to, amongst other things, ‘clean-up’ connections for which no Application rule exists, or when the process has been terminated.
Or that Comodo doesn't recognise that 192.168.0.155 is in my Safe Zone ie between 192.0.0.1 and 192.168.0.255?
192.0.0.1 and 192.168.0.1 will be completely different subnets if your mask is 255.255.255.0. For your zone range use either:
192.168.0.1 to 192.168.0.255
or
192.168.0.1/255.255.255.0
As mentioned above, when something tries to connect, there must be a Global rule that allows the protocol and port and there must be an Application rule listening for the inbound connection. If either of these is missing the connection will fail.
Only in those cases should it get to the Global Block at the bottom. (This was why I had the UPnP rule in my first try, before you took it out in your revised ones but I'm rapidly getting back there to the same point I had before.) EDIT Just remembered we talked about WOS before didn't we (Comodo doesn't recognise it as an application) so if I add that rule back in we should be getting close to a working solution.
The Global rule is not the issue, at least in this case. If you want to receive inbound UPnP connections, I assume from your router, you need to create inbound rules for svchost, in addition to allowing the connections through Global rules. If you have something like media streaming on your network, or you’re using Windows 7 Homegroups, the easiest way to make sure svchost is covered is to add the In and Out to/from LAN:
Application Name - Svchost.exe
Allow IP Out
Source Address - Any
Destination Address - LAN
IP Details - Any
Allow IP In
Source Address - LAN
Destination Address - Any
IP Details - Any
However more alarmingly, why no events logged while I was logged off? See the time gap? Maybe coincidence but like I raised before, I am still being protected while not logged on aren't I?
Was anything happening when you were logged off, what about the WOS events?
Also for background check this topic...
https://forums.comodo.com/firewall-help-cis/comodo-alert-reduction-t79337.0.html;msg578630#msg578630
…I agree with clockwork.
Unless you’ve placed a check in the box ‘Do not show popup alerts’ it’s not really relevant to this discussion. However, the firewall will work pretty much any way you want it to. If you want alerts, you can have them, if you don’t, it can be told not to show them. It’s all down to how you choose to configure things.
EDIT2 - PS It's still doing stupid things with the logs, the logging system seems to be completely ridiculous. Check out the two screenshots attached. Over a Gigabyte of data for two days' worth of logs. One of the logs I opened up and as you can see it has 19 line entries in it. WTF!!!! They're all like that, some even less!!!
I believe this may be a conflict between AVG and CIS, take a look at Log file problem
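
An added example, not part of the original post: it compares the two zone ranges discussed above (192.0.0.1 to 192.168.0.255 as typed in the question, 192.168.0.1 to 192.168.0.255 as suggested in the reply) and groups the quoted 08:25 log entries by connection. The function names are this example's own, and 192.0.2.1 is a documentation address used as a constructed test value.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Zone ranges from the thread: as typed in the question, and as suggested in the reply.
WIDE_ZONE = ("192.0.0.1", "192.168.0.255")
LAN_ZONE = ("192.168.0.1", "192.168.0.255")

# Log lines copied from the post above (the 08:25 burst only).
SAMPLE_LOG = """\
2012-01-24 08:25:38 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:25:41 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:25:47 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:25:59 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:26:23 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
2012-01-24 08:27:11 Windows Operating System Blocked In TCP 192.168.0.155 2051 192.168.0.2 5000
"""

def zone_size(zone):
    """Number of addresses in an inclusive first-last range."""
    first, last = (int(ipaddress.IPv4Address(a)) for a in zone)
    return last - first + 1

def in_zone(addr, zone):
    """True if addr falls inside the inclusive first-last range."""
    first, last = (ipaddress.IPv4Address(a) for a in zone)
    return first <= ipaddress.IPv4Address(addr) <= last

def parse_line(line):
    """Split one log line; the application name may contain spaces."""
    parts = line.split()
    action, direction, proto, src, sport, dst, dport = parts[-7:]
    return {"time": datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S"),
            "app": " ".join(parts[2:-7]), "action": action, "direction": direction,
            "proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def retry_gaps(log_text):
    """Seconds between consecutive entries of each (src, sport, dst, dport) flow."""
    flows = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        e = parse_line(line)
        flows[(e["src"], e["sport"], e["dst"], e["dport"])].append(e["time"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for k, t in flows.items()}

if __name__ == "__main__":
    print("wide zone:", zone_size(WIDE_ZONE), "addresses; LAN zone:", zone_size(LAN_ZONE))
    print("192.0.2.1 in wide zone:", in_zone("192.0.2.1", WIDE_ZONE))
    print(retry_gaps(SAMPLE_LOG))
```

The range as typed covers about 11 million addresses, most of them outside the LAN, while the suggested range covers 255. The doubling gaps between entries (3, 6, 12, 24, 48 seconds) are consistent with a single connection attempt being retried rather than six separate events.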