How CIS decides what to block and why it does not notify me?

I just installed CIS (disabled antivirus, using another). It is so cool to see it asking my permission for almost everything 8). But there were some issues which bother me.

I installed uTorrent. I received a CIS notification that uTorrent was trying to connect. I allowed it. Then I ran the uTorrent incoming port test. When I clicked it I was ready for CIS to ask me to allow an incoming connection on the uTorrent port. But… no messages! And the port test failed.

Then I decided to log into my router with putty to check if my router firewall is ok (I thought that if CIS did not ask anything, it let it go, and my router was blocking uTorrent).

And I was surprised again that CIS did not ask my permission to connect to the router with putty. How is that? Some time ago I noticed that CIS asked my permission for some applications even to connect to localhost. But now with putty - it just lets it connect to another IP address without questions!

Then I checked with putty that the router is ok, opened the CIS firewall and noticed many blocked “intrusion attempts”. Uhh… those are on the uTorrent UDP port. So why did CIS this time just block them without asking me at all? A bit inconsistent default-settings behavior: svchost.exe - asks permission to connect to localhost, putty goes free, no questions. uTorrent out - asks questions, uTorrent in - blocks without questions. It got me really confused. Of course, I managed to open the uTorrent port and passed the port test. But I am still somewhat confused.

And a similar problem with Defense+. I tried the utility autoruns.exe (Autoruns for Windows - Sysinternals | Microsoft Learn), really useful to control startup and get all the software nags away right after installing them (various register reminders, schedulers and so on).

So I ran autoruns.exe and unchecked some autorun items. And waited for a question from CIS that the registry \Run key is being modified by autoruns.exe. Surprise! No questions. Why so? Is the autoruns utility trusted by default? I did not find it in the trusted list.

I even tried this trick.
1. Put Defense+ in Paranoid mode.
2. Opened autoruns.exe.
3. Found a CIS record of an autorun item entry under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
c:\program files\comodo\comodo internet security\cfp.exe

4. Disabled it with the autoruns utility. Opened regedit to be sure that it had moved from Run to AutorunsDisabled. Yes, it was moved. Without any warnings from CIS.
Is it not even protecting itself???

So why such inconsistent behavior? I know that at Safe level the firewall has some predefined Trusted apps and Trusted vendors (autoruns.exe has a Microsoft certificate built into it, but this certificate expired some months ago), but it should at least “give a bubble” the first time it detects it so I know that it is working and does not let it pass without any notice.

To start answering your questions. In default mode Comodo will allow known applications that are considered safe by Comodo. I don’t use putty but I can tell with 99.9% certainty it is on the white list.

Svchost.exe is a different animal. It can be called by all sorts of programs or services; potentially malicious ones as well.

Autoruns is a digitally signed program by Microsoft. And unless you removed Microsoft from the My Trusted Software Vendors list it would be allowed because of that. It may also be on the white list. Notice that the whitelist cannot be viewed and as far as I know there is no such list on the Comodo website either.

Comodo is protected against modification by programs and allows the user to do as he or she pleases. CIS is not the UAC nanny of Vista that tries to protect the user against him or her self.

As to the logic of blocking incoming traffic by default for applications: I guess that’s what firewalls do, as that is one of their main tasks: keep out unknown incoming traffic. Incoming traffic in Comodo first sees the Global Rules, which will filter unsolicited traffic unless the user makes a rule differently.

What configuration are you using? Look under Miscellaneous → Manage My Configurations. You sound like you may want the Proactive Security (or Optimum Security when only using the Firewall?) rather than the default Internet Security. For more control you can also up the Defense+ Settings and Firewall Behaviour Settings to Safe Mode and Custom Policy Mode.

As to the expired certificate. First of all: good catch. Second thought…hhmm… is that a firewall or an OS task? I have no idea… 88)
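A simplified model of the two-stage inbound filtering the reply above describes (Global Rules first, application rules second), showing why an unsolicited inbound UDP packet is dropped silently while an outbound connection from an unknown program reaches the prompt stage. This is an added illustration, not Comodo's code; the rule order, the empty default global rule set, the sample application rules and port 6881 are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (inbound) or "out" (outbound)
    proto: str            # "tcp" or "udp"
    port: int             # local port for inbound, remote port for outbound
    app: str              # process that would receive or send the packet

@dataclass(frozen=True)
class Rule:
    action: str           # "allow", "block" or "ask" (prompt the user)
    direction: str
    proto: Optional[str] = None   # None matches any value
    port: Optional[int] = None
    app: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in (None, p.proto)
                and self.port in (None, p.port)
                and self.app in (None, p.app))

# Assumed default global rule set: nothing explicitly allowed inbound, so
# unsolicited inbound traffic never reaches the application stage.
DEFAULT_GLOBAL_RULES: List[Rule] = []

# Assumed application rules: putty and uTorrent already whitelisted/allowed.
APP_RULES: List[Rule] = [
    Rule("allow", "out", app="putty.exe"),
    Rule("allow", "out", app="utorrent.exe"),
    Rule("allow", "in", app="utorrent.exe"),
]

def evaluate(pkt: Packet, global_rules: List[Rule], app_rules: List[Rule]) -> Tuple[str, str]:
    """Return (stage, decision). Inbound packets hit the global rules first; a
    'block' or no match there is a silent drop (logged as an intrusion attempt)."""
    if pkt.direction == "in":
        hit = next((r for r in global_rules if r.matches(pkt)), None)
        if hit is None or hit.action == "block":
            return ("global", "block")
    hit = next((r for r in app_rules if r.matches(pkt)), None)
    # Unknown application with no rule: this is where the "ask" bubble appears.
    return ("application", hit.action if hit else "ask")

def with_port_opened(port: int, proto: str = "udp") -> List[Rule]:
    """Global rule set after the user adds an inbound allow for the torrent port."""
    return [Rule("allow", "in", proto, port)] + DEFAULT_GLOBAL_RULES
```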

Thanks for the reply. Now I have got used to CIS and think it is OK. :slight_smile:
It is bad that users cannot see the whitelist though :frowning: