Hello all-
I am a long-time user of Comodo Internet Security and Comodo Antivirus (3+ years). I was quick to jump on the CIS 2013 bandwagon because I am historically a huge fan of Comodo’s products. However, in this new version of CIS 2013, I am continually experiencing an obvious and annoying issue.
Product Version: 6.0.264710.2708
DB Version: 15259
OS: Windows 7 Ultimate 64-bit
Firewall Settings: Custom Ruleset
Problem:
My global rules are set up to explicitly block certain types of obscure, unnecessary traffic. There are no global allow rules. Therefore, more or less, the only notifications I get are ones that inform me of any traffic that is not presently allowed in an application rule. This same scenario applies to svchost.exe, which prompts me to accept/deny any inbound RDP activity. However, there is a major problem with the notification system and subsequent rule creation process when I tell CIS to remember the rule.
Example:
I just this second received an inbound RDP request from an unwanted/suspicious IP address of: 60.214.139.74. The alert popped up, as it should, and I selected to deny the activity along with having CIS create a rule for this activity/remember to block it. Immediately after doing this, another window of the exact information pops up even though I just told CIS to remember the denial. I noticed this process would occur for every single denial/acceptance of svchost.exe activity so I decided to research it more.
Findings:
For every denial/acceptance done via popup alert, the corresponding rule that is created is not accurate. When I investigated the rule created by denying the previous RDP inbound attempt, I expected to find, more or less, block TCP 3389 inbound from source address 60.214.139.74. What I actually found was it created a rule to block TCP 3389 inbound where the destination address is 60.214.139.74. This makes absolutely no sense. However, it does explain why even after telling CIS to remember a rule, several subsequent popup alerts still show up. It is because there technically is no rule that says to deny that activity since it swaps the source/destination. Obviously, since learning of this glitch I have manually re-created all of the rules that I assumed were being done automatically. This glitch is new to CIS 2013 as I never had a problem with previous versions while doing this dozens of times every day.
I appreciate any guidance or suggestions. I’ve attached a screenshot of the application rule that is created for svchost.exe after telling CIS to remember to block the activity in the popup alert I was discussing. I have re-installed CIS, updated it frequently, wiped the current rule set, among many other troubleshooting activities. I work in IT and networking so please feel free to ask me for additional information and/or talk nerdy in your response. Thank you!
[attachment deleted by admin]
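
The behaviour described in the post, modelled as an added example (not Comodo's code and not from the original poster): a first-match rule evaluator showing why a block rule with source and destination swapped never matches the inbound packet, plus a heuristic audit check for such rules. The `Packet`/`Rule` model, the first-match semantics and the 192.168.1.10 local address are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # wildcard for an address or port field

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected host
    proto: str
    src: str
    dst: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str      # "block" or "allow"
    direction: str
    proto: str
    src: object = ANY
    dst: object = ANY
    dst_port: object = ANY

def matches(rule, pkt):
    """A rule matches only if every non-wildcard field equals the packet's."""
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and rule.src in (ANY, pkt.src)
            and rule.dst in (ANY, pkt.dst)
            and rule.dst_port in (ANY, pkt.dst_port))

def decide(rules, pkt):
    """First matching rule wins; no match means the user is prompted again."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "alert"

def looks_swapped(rule):
    """Heuristic audit: an inbound rule with a wildcard source and a public
    destination address probably has source and destination reversed."""
    if rule.direction != "in" or rule.dst is ANY or rule.src is not ANY:
        return False
    return ipaddress.ip_address(rule.dst).is_global

# Constructed sample: the inbound RDP attempt from the post, to an assumed LAN host.
rdp = Packet("in", "tcp", "60.214.139.74", "192.168.1.10", 3389)
as_created = Rule("block", "in", "tcp", dst="60.214.139.74", dst_port=3389)
as_expected = Rule("block", "in", "tcp", src="60.214.139.74", dst_port=3389)
```

A host that itself holds a public address would trip `looks_swapped` on legitimate rules, so treat a hit as a prompt to review the rule rather than proof of the bug.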