ICMP In Ask rule for Windows Operating System silently allows instead of asking


Can you reproduce the problem & if so how reliably?:

If you can, exact steps to reproduce. If not, exactly what you did & what happened:
0: Go to Settings > Firewall > Firewall Settings and select Custom Ruleset.
1: Go to Settings > Firewall > Application Rules.
2: Select (or create, if it’s not there) and edit the Windows Operating System entry.
3: Assuming there are no other rules, create a block all rule (Block | IP | In/Out).
4: Additionally create the following rule: Ask | ICMP | In | [check] Log as firewall event…
5: Place it above the block rule to ensure top priority.
6: Save the rule [click OK].
7: Apply firewall rules [click OK].
8: Go to Settings > Firewall > Global Rules and make sure that no global rule blocks ICMP In/Out.
9: tracert any available host, e.g. (treat tracert.exe as trusted).
10: Go to Logs > Firewall Events to confirm that indeed the most recent ICMP In event was logged as “Asked”.

One or two sentences explaining what actually happened:
tracert went on to trace the route while CIS failed to display a popup asking to allow the Windows Operating System to receive an ICMP connection, meaning that CIS silently allowed it regardless of the explicit “Ask” rule.

One or two sentences explaining what you expected to happen:
As the ICMP rule for Windows Operating System was explicitly stated as “Ask”, a popup should have been displayed asking how to treat an incoming ICMP reply.

I expect that to happen because “Allow/Block” rules do work for Windows Operating System, e.g. if the rule in question were edited to “Block” instead of “Ask”, that would block incoming ICMP connections, making tracert fail to trace and display asterisks (*) next to the hop numbers.

In a nutshell, Allow and Block rules do work for WOS while Ask rule effectively results in silent Allow.


Exact CIS version & configuration:

OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Win 7 SP1 x64, UAC set to ask for elevation, Administrator account, no VM.
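The report distinguishes the two outcomes (silent allow vs. block) purely by eye: hops with RTTs and an address mean the ICMP replies got in, rows of asterisks mean they did not. Below is an added example, written for this page and not code from the reporter or from Comodo, that turns that check into a script: it parses tracert.exe output into hops and returns a verdict on inbound ICMP. The two output samples are constructed to mirror the tracert layout for the two rule settings described above; they were not captured from the reporter's machine, and the hop addresses are documentation-range placeholders.

```python
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample: what tracert prints when ICMP replies reach the host
# (the behaviour the reporter saw with the "Ask" rule in place).
TRACERT_ASK_RULE = """\
Tracing route to example.invalid [192.0.2.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  198.51.100.1
  3    12 ms    11 ms    12 ms  192.0.2.10

Trace complete.
"""

# Constructed sample: every probe times out, the symptom the reporter
# describes for an explicit "Block | ICMP | In" rule.
TRACERT_BLOCK_RULE = """\
Tracing route to example.invalid [192.0.2.10]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.

Trace complete.
"""

# One probe column is either "<1 ms", "N ms" or "*" (timed out).
PROBE = r"(?:<?\d+\s+ms|\*)"
# Hop line: number, three probe columns, then the responder or timeout text.
HOP_RE = re.compile(rf"^\s*(\d+)\s+((?:{PROBE}\s+){{3}})(.*\S)\s*$")


@dataclass
class Hop:
    number: int
    replies: int    # probes (out of 3) for which an ICMP reply came back
    responder: str  # answering address, or tracert's "Request timed out."


def parse_tracert(output: str) -> List[Hop]:
    """Extract the per-hop rows from tracert.exe output; header/footer lines are skipped."""
    hops: List[Hop] = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        probes = re.findall(PROBE, m.group(2))
        replies = sum(1 for p in probes if p != "*")
        hops.append(Hop(int(m.group(1)), replies, m.group(3)))
    return hops


def icmp_in_verdict(hops: List[Hop]) -> str:
    """Judge what the firewall did with inbound ICMP from the parsed trace.

    'allowed' : at least one probe was answered, so ICMP replies got in
    'blocked' : every probe timed out (all-asterisk rows)
    'no-data' : nothing parsable, e.g. tracert did not run at all
    """
    if not hops:
        return "no-data"
    if any(h.replies for h in hops):
        return "allowed"
    return "blocked"


def run_tracert(host: str) -> str:
    """Run the real tracert on Windows (-d skips reverse DNS so the run is quick)."""
    return subprocess.run(["tracert", "-d", host], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    if sys.argv[1:]:
        # Live check against the host given on the command line (Windows only).
        print(icmp_in_verdict(parse_tracert(run_tracert(sys.argv[1]))))
    else:
        for name, sample in (("Ask rule", TRACERT_ASK_RULE),
                             ("Block rule", TRACERT_BLOCK_RULE)):
            print(f"{name}: {icmp_in_verdict(parse_tracert(sample))}")
```

Run it with a host name on the Windows box after applying each rule variant: with the “Ask” rule the verdict is “allowed” and no popup appears, with “Block” it is “blocked”, which is the comparison the report relies on. A single timed-out hop in an otherwise answered trace is still “allowed”, since one router not replying says nothing about the local firewall.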

It is by design that you will not get alerts for WOS.

Good point. I think it would be nice to change the UI a bit so that the “Ask” entry does not show up as a choice when adding rules for Windows Operating System, to avoid confusion… Just a suggestion.