FW rule created from alerts swapped Source/Destination IP[V6]

ohgreatitsdavid · February 15, 2013, 3:03pm

Hello all-

I am a long time user of Comodo Internet Security and Comodo Antivirus (3+ years). I was quick to jump on the CIS 2013 bandwagon because I am historically a huge fan of Comodo’s products. However, in this new version of CIS 2013, I am continually experiencing an obvious and annoying issue.

Product Version: 6.0.264710.2708
DB Version: 15259
OS: Windows 7 Ultimate 64-bit
Firewall Settings: Custom Ruleset

Problem:
My global rules are set up to explicitly block certain types of obscure, unnecessary traffic. There are no global allow rules. Therefore, more or less, the only notifications I get are ones that inform me any traffic that is not presently allowed in an application rule. This same scenario applies to svchost.exe which prompts me to accept/deny any inbound RDP activity. However, there is a major problem with the notification system and subsequent rule creation process when I tell CIS to remember the rule.

Example:
I just this second received an inbound RDP request from an unwanted/suspicious IP address of: 60.214.139.74. The alert popped up, as it should, and I selected to deny the activity along with having CIS create a rule for this activity/remember to block it. Immediately after doing this, another window of the exact information pops up even though I just told CIS to remember the denial. I noticed this process would occur for every single denial/acceptance of svchost.exe activity so I decided to research it more.

Findings:
For every denial/acceptance done via popup alert, the corresponding rule that is created is not accurate. When I investigated the rule created by denying the previous RDP inbound attempt, I expected to find, more or less, block TCP 3389 inbound from source address 60.214.139.74. What I actually found was it created a rule to block TCP 3389 inbound where the destination address is 60.214.139.74. This makes absolutely no sense. However, it does explain why even after telling CIS to remember a rule, several subsequent popup alerts still show up. It is because there technically is no rule that says to deny that activity since it swaps the source/destination. Obviously, since learning of this glitch I have manually re-created all of the rules that I assumed were being done automatically. This glitch is new to CIS 2013 as I never had a problem with previous versions while doing this dozens of times every day.

I appreciate any guidance or suggestions. I’ve attached a screenshot of the application rule that is created for svchost.exe after telling CIS to remember to block the activity in the popup alert I was discussing. I have re-installed CIS, updated it frequently, wiped the current rule set, among many other troubleshooting activities. I work in IT and networking so please feel free to ask me for additional information and/or talk nerdy in your response. Thank you!

[attachment deleted by admin]

mouse1 · February 16, 2013, 8:42am

Thank you very much for your issue report.

We would very much appreciate it if you would be kind enough to edit your report to put it in the standard format and add any additional information requested, as this will make it much easier for the developers to diagnose and fix the problem.

The reasons we need all the information in the format, though they may not seem directly relevant to the issue are explained here.

If you are able to do this we will forward this post to the format verified board, where it is more likely to get looked at by developers. You can find assistance using red links in the format and here. If you need further help please ask a mod. If you do not add the information after a day or two we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.

In the current process we will normally leave it up to you whether you want to make a report in standard format or not. However we may remind you if we think a bug of particular importance.

Many thanks again

Mouse

mouse1 · February 18, 2013, 8:49am

PM sent

mouse1 · February 21, 2013, 8:35am

Thanks very much for your issue report, which is much appreciated.

We have moved it to the non-format bugs board for the moment, because it is not in the standard format or too much of the information we normally need to replicate a problem and fix it is still missing.

We realize some people may not have the time to do an issue report in standard format, and therefore offer the option of a non-format report instead. But the problem is much more likely to be fixed promptly if you edit your first post to create an issue report which reflects the guidance in the Standard Format topic. (You can copy and paste the format from this topic). The reasons we ask for the information we do are given in this post.

You can get your report moved to the format verified issues board simply by ensuring that it reflects the guidance in the standard format topic, and PM’ing a mod who is active on the bug board.

Best wishes

Mouse

mouse1 · March 10, 2013, 4:12pm

Unfortunately we were unable to replicate

Mouse

Chiron494 · June 23, 2013, 7:35pm

Can you please check and see if this is fixed with the newest version (version 6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are not looked at by the devs. Thus, if the bug you were experiencing is still not fixed please edit your first post so that it is in the correct format (found here, with all required attachments, so I can forward this to the devs and get this problem fixed.

Thank you. PM sent.

Chiron494 · October 1, 2013, 6:13pm

Can you please check and see if this is fixed with the newest version (version 6.3.294583.2937)? Please let us know whether it is fixed or you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are mainly not looked at by the devs. Thus, if the bug you were experiencing is still not fixed please edit your first post so that it is in the correct format (found here, with all required attachments), so I can forward this to the devs and get this problem fixed.

Thank you.

PM sent.

Chiron494 · March 7, 2014, 5:24pm

Can you please check and see if this is fixed with the newest version (7.0.313494.4115)? Please respond to this topic letting us know whether it is fixed or if you are still experiencing the problem.

Also, note that all bug reports in the Non-Format section of the forum, which is where this report currently is, are mainly not looked at by the devs. Thus, if the bug you were experiencing is still not fixed please edit your first post so that it is in the correct format (found here, with all required attachments), so I can forward this to the devs and get this problem fixed.

Thank you.

PM sent.

Chiron494 · March 15, 2014, 2:12am

As this has been in the Non Format Verified Board for at least three major version releases, without enough information to forward to the devs, I will move this report to the Outdated section.

If you are still experiencing this issue, and would like this to be forwarded to the devs, please edit your first post so that it is in the required format, and has all required files attached. After this please reply to this post, and send me a PM with a link to this report.

Thank you.