A. The bug/issue
-
What you did:
Added a firewall rule, allowing
“ping.exe”, out any, source any to target pool.ntp.org, source port any, target port any
“ping.exe”, out any, source any to target crl.verisign.com, source port any, target port any -
What actually happened or you actually saw:
- The hostnames resolve to various IPs. crl.verisign.com resolves to crl.verisign.net in first place
- In case of pool.ntp.org
If pool.ntp.org resolved to 23.23.23.23 and 42.42.42.42, ping will be allowed to contact any host in the network range 23.23.23.23 - 42.42.42.42 - In case of crl.verisign.com
CIS asks me on every IP change if I would like to allow ping to contact the host after the IP has changed
-
What you expected to happen or see:
If the hostname resolves to a certain IP at the moment, the rule should allow ping to communicate exactly with this host - not with more or less! -
How you tried to fix it & what happened:
and no, adding 100s of IP adresses to replace the hostname is no workaround!
- If its a software compatibility problem have you tried the compatibility fixes (link in format)?:
-
Details & exact version of any software (execpt CIS) involved (with download link unless malware):
ping.exe 6.1.7600.16385, contained in Windows 7
ping.exe 5.1.2600.5512, contained in Windows XP -
Whether you can make the problem happen again, and if so exact steps to make it happen:
- Add a firewall rule, allowing
“ping.exe”, out any, source any to target pool.ntp.org, source port any, target port any
“ping.exe”, out any, source any to target crl.verisign.com, source port any, target port any - Ping pool.ntp.org and crl.verisign.com several times. Try pinging IPs inside the network range of to IPs, pool.ntp.org resolved to
- Any other information (eg your guess regarding the cause, with reasons):
CIS isn’t able to handle hostnames that resolve to a different hostname in first place (otherwise, ping crl.verisign.com would probably behave as ping pool.ntp.org)
I have no idea, what causes CIS to behave as strange in the “pool.ntp.org case”
B. Files appended. (Please zip unless screenshots).
-
Screenshots of the Defense plus Active Processes List (Required for all issues):
certainly not, but ok… -
Screenshots illustrating the bug:
- Screenshot of rules for ping.exe and ping2.exe (a copy of ping.exe)
- Screenshot command window, pool.ntp.org resolved to 74.118.152.85; trying ping -n 1 crl.verisign.com results in an alert
- Screenshot command window, pool.ntp.org resolves to 173.9.142.98 now (this host doesn’t reply to echo requests), can ping2 -n 1 75.0.0.2 now without alert!
- Screenshots of related CIS event logs:
- There are no entries for ping2.exe; one for ping.exe corresponding to the alert from screenshot in 2
- A CIS config report or file.
- Crash or freeze dump file:
- Screenshot of More~About page. Can be used instead of typed product and AV database version.
C. Your set-up
-
CIS version, AV database version & configuration used:
CIS 5.9.221665.2197, 1 (AV is disabled), COMODO - Internet Security, but all firewall rules were removed, firewall is set to custom policy mode -
a) Have you updated (without uninstall) from from a previous version of CIS:
No
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
- a) Have you imported a config from a previous version of CIS:
No
b) if so, have U tried a standard config (without losing settings - if not please do)?:
- Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):
- Removed the default rules of the firewall config
-
Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV =
D+=Clean PC Mode, Sandbox off, FW=Custom, AV=off -
OS version, service pack, number of bits, UAC setting, & account type:
XP SP3 32bit; also tested on 7 SP1 32bit, UAC on, admin account in both cases -
Other security and utility software currently installed:
- Other security software previously installed at any time since Windows was last installed:
- Virtual machine used (Please do NOT use Virtual box):
no
[attachment deleted by admin]