I don't like this - some connections allowed "in secret"?

I’m still testing Windows 10 in a virtual machine before deciding to upgrade my main Windows 7 computer. I’ve recently installed the latest Comodo firewall on Win10, and I’ve seen a couple of things that bug me (despite I’ve double-checked all settings not to let anything past me):

-tcpview reported some connections to MSN, despite I haven’t run any attempts to thoseservers
-upon running ping.exe to an internet address, Comodo asked me to allow “System” (and not ping.exe as it was on Windows 7) to connect to internet
-running tracert didn’t trigger any pop-up dialox boxes from Comodo at all

This much after about half an hour. I hope I get to fix these anomalies. Any idea why it’s like that? On Windows 7, I was able to configure Comodo firewall in a way that no single process was able to connect out unless I made a rule or decided on a case-by-case basis.

First set firewall to Custom Ruleset, disable “Do NOT show popup alerts”, set “Alert Frequency” to “Very High”, Enable “Filter IPv6 traffic”, Enable “Filter Loopback traffic” then remove all application rules (if you want to set them up yourself) and remove any “Allow” rules in Global Rules.

ping.exe being under “System” is expected behavior, the firewall in CIS for some reason I can’t remember groups several system processes under “System”, it may or may not behave differently on other (older) operating systems.

Thanks, I’ve made the setttings changes which were different before - Alert Frequency was unchecked, but I suppose that’s the same as having it checked and set to Very High?

As for traceroute and ping I now wasn’t asked to allow traffic.

Is there any way to detach System to separate parts? It kind of defeats one of the purposes of a “personal firewall” to have it like this. For instance, I might want to allow just ping and traceroute out, DNS requests, etc., but not the dreaded telemetry reports…

Also, I’ve noticed Windows Firewall is still turned on. Can I (or do I have to) turn it off manually? It used to be disabled when a different firewall (such as Comodo) was installed (at least on Windows 7).

Not sure but I think unchecked is equivalent to low, but again I’m not sure.

It’s not possible, to the best of my knowledge.

CIS hasn’t disabled the firewall since windows 8, if I remember correctly it was because of some windows 8 certificate or something, can’t remember. Anyway, yes you can disable it manually, you don’t have to but it’s up to you.

Are there any rules now hardcoded in the firewall (especially pertaining to System processes)? I read somewhere a while ago that this was done to ensure Windows 10 compatibility (perhaps temporarily), but I’m not sure if it was a reliable source.

Not that I know of, but I don’t have access to the source code so…

Not to my knowledge.


Nothing goes out unless I let it :slight_smile:

To rekindle this “old” thread… On a new test setup (Windows 10 & Comodo firewall + antivirus), I don’t get prompted whenever I use ping or traceroute. I understand these two are under “System” now; however, even so, I have no allow-all global rules, and as for System, it only has “allow send out to Trusted hosts” and “allow receive from Trusted hosts” (whereas under Trusted hosts, only is currently listed). It would only be logical I’m asked at least once per session for allow/block.

The application rules (at the end) look more or less the same as what I posted here: https://forums.comodo.com/firewall-help-cis/does-every-application-rule-need-ask-at-the-bottom-now-t112778.0.html;msg817614#msg817614 )

The “ask & log” part I now added later on, thinking that maybe then I would get the prompt for allowing/blocking, but still nothing. Traceroute and ping work without it, and if I check firewall logs, there are related entries with “allow” there. No related “asked” whatsoever.

A bug, or indeed something hardcoded?

If you ever choose allow for System without remember my answer checked and with the rules you have set, then CIS will remember that action for the lifetime of System process, but if you disable the firewall then set it back to safe mode or custom policy mode and use ping or tracert then you will get an alert.

No, it’s not only within one session of the system process. It’s the same after reboot, with the aforementioned rules. It doesn’t make sense, I should be getting prompt at least once per session.

I created the same rules for System as you did with the firewall set to safe mode and I get an alert when I run ping google.com from the command prompt. I notice you are using Windows 10 and I tested with Windows 7 so maybe its an issue that applies only to Windows 10 or maybe there is something else causing an issue.

[attachment deleted by admin]

Yes, the question is for Windows 10, which I still have “under observation”, before I approve 8) it.
My Win7 works fine - but it’s strange you get “ping” treated under “System”, because on my Windows 7, I get to have separate rules for ping.exe and tracert.exe.

Using Windows 10 and I set up an ask all for System and it showed me an alert when I tried “Ping”

Regarding Windows 7, are you sure you’re not using an older version of CIS on that system?

Yes, I have 5.something on Windows 7 (it has infinitely more optimal screen real-estate usage without extra space, which is especially important with rules and logs - compared to 8 ).
But I was under the impression that the conglomeration of ping and traceroute into “System” is related to Windows 10 architecture, not CIS version.

I think it’s related to which version of Windows Filtering Platform or NDIS filter CIS is using, in CIS 5.x (maybe even 6.x(?)) it uses an older version that differentiates between these processes, later CIS versions uses a later version of these platforms which apparently doesn’t support that and group them all up under “System”