Help on Global Rules and Rulesets for CIS Pro 2013

I am a newbie for this Forum. If the contents of this post would be insufficient, please advise. I’ll stop it. My post here is based on that Geekbuddy are not allow to help CIS users with Windows registry layer.

I noticed for a last few days that ‘Global Rules’ and ‘Rulesets’ panes of Firewall for CIS Pro 2013 display NOTHING unless I expand the panes (by stretching the lower right corner), when I was investigating within Windows 7 Professional 64 bits resources interoperatively that may trigger “no such name” DNS replies for bogus DNS exploit queries containing several different flags on each queries-- a svchost.exe and the system PID 0 generate them, and odd SSDP/UPnP queries including a small size of TCP stream-- I stop this by blocking a multicast address (239.255.255.250) on CIS Pro firewall-- SSDPSRV and UPnP local service have been disabled. Fake DNS queris bypass ‘DisableReverseAddressRegistrations’ on a Tcpip registry entry I add.

Meanwhile, I found the number of added 34 Global Rules I regularly use exist in the registry nevertheless I uninstalled CIS Pro 2013 for re-installing the latest standalne program (cispro_installer_x64.exe) on Feb 4th (Mon) as a solution attempt. Right now, I set Comodo Proactive Security configuration on a wireless public networking interface (multi-band/streaming specification). As far as I remember for sure, HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\ entry did NOT exist when I checked the registry after uninstalling/rebooting from a Windows 7 professional 64 bit PC.

I do want to know if this entry is automatically erased when you uninstalling CIS Pro 2013. Otherwise, the starange issues could be caused by a program of the rootkit embedded into my PCs by the hacker/s I have been struggling for many years.

HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\Firewall\Policy\Global Rules … the subkey is consist from 0 to 3
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\1\Firewall\Policy\Global Rules … the subkey is consist from 0 to 4
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\2\Firewall\Policy\Global Rules … the subkey is consist from 0 to 4
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\3\Firewall\Policy\Global Rules … the subkey is consist from 0 to 34

Strangley enough, the contradiction is that the default (5 ICMP block entries) ‘Global Rules’ for a wireless public network connection exist within the xxx\Configurations\3\Firewall\Policy\Global Rules. However the rest of 29 rules are NOT displayed in the Global Rules pane instead they exist in the registry entry. Further, I could not find the registry entry for the default Rulestes, although the Ruleset Name (6 items) only comes out when stretching the lower right corner of the window.

A basic troubleshooting via “chkdsk c: /f” and “sfc /scannow” pass the filesystem integrities.

Does anyone can help me to solve the issue? Should I e-mail this at CIS developer’s URL site? Last resort I may take will be to find a good restore point that I created with Acronis True Image Home-- this will take a long hours. However, bogus DNS queries issue always reside in my PCs including Mac OS X and Linux that I do not use now.

Best regards,

tranchedevie

I now downloaded “Comodo_Internet Security_2013_ver.6.0_User_Guide.pdf” and noticed there is a difference on Advanced Settings\Security Settings\Firewall\Application Rules\ between CIS Pro 2013 I reinstalled and on the page 324 of the User Guide.

The User Guide shows “System” that contains ‘Allow System To Send Request’ and ‘Allow System To Receive Request’, however mine do not have this “System” entry. Instead, there is a C:\Program Files (x86)\Acronis\TrueImageHome\TrueImage.exe . The definition is “Allow UDP in From IP in [192.168.100.254/255.255.255.0] to MAC Any Where Source Port Is Any And Destination Port Is Any” treat as Custom. Does anyone who hinstall Acronis True Image Home on your system has the same phenomenon?

Also, I found “Windows System Application” got the one entry only that the definition shows ‘Allow IP Out From MAC Any To MAC Any Where Protocol is Any’. However the User Guide shows four entries visible as you may find. Besides, there is no “Application Rules” entry in the Registry.

CIS Pro 2013 I reinstalled seems to trigger a security problem.

Anyone, please advise.

tranchedevie

The difference in the rules shown would depend on what Security Configuration you are using (Internet Security, Proactive Security, Firewall Security, etc.).

Your “Application Rules” are listed under

HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\1\Firewall\Policy

were the 1 represents the configuration you are running CIS in. (Advanced Settings > General Settings > Configuration)

Thank you for your reply.

AMENDMENT on my last post:

I found there is “Application Rules” entry in the registry in a different name. All keys including the default Ruleset for CIS Pro 2013 keep the consistency with the application configuration entries.

UPDATE on the issue that displays a blank screen on Global Rules and Ruleset:

Verifying the issue recursiveness in reinstalling CIS Pro 2013 V.6.0.260739.2674 via the built-in auto updating and a manual installation via the standalone package, this problem recurs. However, the previous version does not recur the problem. I think my Windows 7 Pro 64 bit for the double byte Japanese platform may affect on the current version. I am now using the previous version for a workaround.

I switch Comodo DNS servers to Google public DNS server (8.8.8.8/8.8.4.4) and vice versa from time to time depending on the hackers attack vectors. Google server has a resistance feature against maliciously bad or inverse DNS queries. It protects some vectors to deny forwarding their queries to a higher server or root server even if the queries contain “do recursive query” flag. This contributes to make the hacker’s action delay a bit. However, Google DNS server replys with AUTHORITATIVE NAME SERVERS: 168.192.in-addr.arpa: type SOA, class IN, mname prisoner.iana.org for QUERIES: 100.100.168.192.in-addr.arpa: type PTR, class IN, also 224.in-addr.arpa: type SOA, class IN, mname sns.dns.icann.org for QUERIES:252.0.0.224.in-addr.arpa: type PTR, class IN. This could unexpectedly occur an ‘information leakage’.

Regards,