No alerts for subsequent connections on same port & protocol diff IP [M235]1[v6]

A. THE BUG/ISSUE (Varies from issue to issue)
  • Summary - Give a clear summary in the topic title, NOT here.

  • Can U reproduce the problem & if so how reliably?: yes, 100%
  • If U can, exact steps to reproduce. If not, exactly what U did & what happened:
  1. Application: any app which can make multiple connections to different IPs (browser, WinSCP)
  2. My settings:
  • application is in “Trusted Files”
  • application does not have firewall rules
  • firewall is in custom rules mode
  • firewall alert frequency: very high
  • firewall create rules for safe apps: disabled
  • firewall do not show alerts mode: disabled
  3. Start application and let it make connections to the same port to different IPs:
  • browser: open few http (80) & https (443) pages
  • WinSCP: ssh (22) to few servers
  4. Allow any alert (update to clear few things: leave “remember” unchecked).

What happens:

On the first connection attempt there is an alert - for example IP1:80, however on further connections (IP2-IPx) to *:80 there won’t be a single alert. So if we allow browser to connect to :80 even once, then all connections become allowed (over the same port).

However if we make *:port connection over TCP and allow it, then connection to *:port over UDP - we will get two alerts (but no more) (it seems to be port+proto driven).

Looks like alert frequency setting is broken. Also if we block connection, then application is permanently blocked for *:port.

There is a single exception: if more connections are made while the popup is still displayed then it will show up again even for the same port/proto.

In 5.x we got alert for every connection attempt.

  • If not obvious, what U expected to happen: There should be an alert for each connection.
  • If a software compatibility problem have U tried the conflict FAQ?:
  • Any software except CIS/OS involved? If so - name, & exact version:
  • Any other information, eg your guess at the cause, how U tried to fix it etc:
  • Always attach - Diagnostics file, Killswitch processes list, dump (if freeze/crash). If complex - CIS logs & config, screenshots, video, zipped program (not m’ware)

B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
  • CIS version & configuration: 6.0.260739.2674, own config

  • Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: all
  • Have U made any other changes to the default config? (egs here.): sure
  • Have U updated (without uninstall) from a previous version of CIS: no
      • if so, have U tried a clean reinstall - if not please do?: no
  • Have U imported a config from a previous version of CIS: no
      • if so, have U tried a standard config - if not please do: no
  • OS version, SP, 32/64 bit, UAC setting, account type, & VM used: XP Pro, SP3, 32b, admin
  • Other security/sandbox software a) currently installed b) installed since OS: none

Files attached inc diagnostics, config, processes - PM for pwd.

[attachment deleted by admin]

Apologies, I’m not sure I fully understand the problem. Are you saying?

In Custom Policy Mode with Alert Frequency on Very High and no prior firewall rules:

  1. Open a browser
  2. Connect to any site - TCP/80
  3. Receive an alert
  4. Open a new tab/window
  5. Connect to any different site - TCP/80
  6. No further alerts

Thank you very much for your bug report in standard format. We very much appreciate the effort you have made to document this bug.

We are sorry to trouble you further but there are some items of information missing or unclear in your post:

A.8 Always attach - Diagnostics file, Killswitch processes list

The reasons we need these items of information, though they may not seem directly relevant to the issue are explained here.

We would be very grateful if you would add these items of information so we can forward this post to the format verified board, where it is more likely to get fixed. You can find assistance using red links in the Format and here. If you need further help please ask a mod. If you do not add the information after a week we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.

In the current process we will normally leave it up to you whether you want to make a report which includes all necessary information or not. We may remind you if we think a bug of particular importance.

Many thanks again

Mouse

Exactly. I don’t get any further alerts.

Steps were quite descriptive, however I’ve attached screenshots. I don’t use killswitch yet (I’m in a process of recreating my config from good old 5.12).

My settings: http://i48.tinypic.com/vyj5f.jpg


WinSCP - I made connection, got alert, allowed it, then I connected to other servers (TCP/22) - no further alerts → all connections were allowed.
Then I tested Opera. Opened new tab and entered a site. Here I got two alerts for :80 (check my report about connections made while popup is displayed) and one for :443. All allowed. Since then we can browse any website and no more alerts. Seems that firewall checks only port+proto, while IP is ignored, when once allowed/blocked then there are no further alerts (of course until we restart app).

Related alert events: http://i46.tinypic.com/33kr8mb.jpg

Unfortunately, I can’t confirm this behaviour. If I open a browser and make a connection with the settings described above, I get a new alert/log entry/rule for each unique connection (IP address). The same is true when using WinSCP.

[attachment deleted by admin]

Ech… All the IPs you’ve shown on the screen belong to *.mozilla.com and *.google.com. Probably you have a google start page. That’s why they showed almost at the same time. So that’s why I use blank page, to not confuse logs. Yes, when I start Firefox it asks me sometimes a few times about :80 and :443 (it uses some at-start checks), but then whenever I go - no more alerts.

Try to close all tabs and start Fx with blank tab (speed dial) (well, that’s why I used Opera as it does not make connections at start), and only then connect through http & https sites. After first alerts there should not be any more. But try few sites, not only 1 or 2. Also note what I’ve said in my report - when connections are made while popup is on screen then they will also be asked for - so entering a first site could trigger a few successive :80/443 alerts. This way using uTorrent I still get a burst of alerts due to a swarm.

It actually doesn’t make any difference. The log above shows what happens when starting Firefox for the first time, without any firewall rules. If I delete those rules and simply open several tabs to unique sites, I receive as many alerts/log entries/individual rules as it takes to load those sites fully. It also makes no difference if an alert exists on the screen or not when a new connection is found.

Do you use the same OS version?

Here is XP SP3, Opera 12.12 and CIS 6:

[attachment deleted by admin]

What configuration (Firewall, Internet or Proactive)? Or makes no difference?

The type of configuration has no effect on firewall settings. In fact, the only change made to the firewall is with Internet Security, which changes Global rules to stealth settings.

Why do you have app rules on screen? I have set custom rules policy and disabled creating rules for safe applications (as I wrote in report) so it should not make auto-rules. Maybe you enabled “remember” for each alert? If yes then I’m sorry, but you are not following my steps or using different settings. When I select “remember” it seems to ask for every connection made (to be honest I was not aware of that, because I have still not fully configured firewall - found more bugs, will report them soon and haven’t even started checking HIPS…). However if I click allow even once without selecting “remember”, then it won’t ask more for new sites. Please try again just simply clicking “allow” (don’t do anything I didn’t write about).

Unfortunately, this is on Win7 but after changing the Firewall settings to the same as your report, I seem to get a new and unique request for each connection attempt; no rules are being made and “remember” is not being clicked / checked on each request.

CIS6, Opera 12.12, Win7 Ult SP1 32b

[attachment deleted by admin]

Yes I select remember, but it makes no difference to the number of alerts, it just doesn’t create rules.

Hmm, 2:1. I will attempt more tests and either reinstall CIS or I have to revert to fine working 5.12…

If I could ask any of you to check one more thing. As I see on your logs there are only a few seconds between connections. Please try:

  1. Enter site A.
  2. Allow any alerts (without “remember”).
  3. Wait 30 seconds.
  4. Enter site B.

This reminds me of a problem that existed a few years ago, I forget which version, but it was something similar. Basically, if one didn’t select remember, the firewall would only alert for the first instance of a protocol and port combination. It didn’t matter how many unique IP addresses were involved. I’m sure there was a bug for it. I guess if it’s still happening, it’s just one more thing that hasn’t been fixed or has broken again.

I’ll spend some more time playing with things.

Edit: The bug was only single session, as soon as the program in question was closed and reopened, alerts would resume, but again only for the parameters outlined above.

I’ll see if I can find the bug

Yes, and this is exactly how it happens for me now. After app is restarted it asks again until we click “allow”.

PM sent

This is complex. My summary in the tracker is:

“In firewall custom mode with alerts on high frequency, after allowing alerts to an IP for an application, subsequent connections for that application to different IPs on the same port may be allowed without alert”

Is that a reasonable summary?

Best wishes

Mouse

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse
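
The behaviour discussed in this thread, as an added example that is not part of any post and is not Comodo's code: a toy model of a per-session "allow/block without remember" cache, replaying the reported steps with two assumed cache keys. The class, function names and sample traffic are constructed for illustration; the port+protocol key is only the reporter's hypothesis about the cause.

```python
# Toy model only: key layouts are assumptions drawn from the thread.
from collections import namedtuple

Conn = namedtuple("Conn", "app proto ip port")

def key_port_proto(c):   # what the reporter observes in 6.0: IP ignored
    return (c.app, c.proto, c.port)

def key_full_tuple(c):   # what the reporter expects: one decision per IP
    return (c.app, c.proto, c.ip, c.port)

class SessionFirewall:
    def __init__(self, key_fn, answer="allow"):
        self.key_fn = key_fn
        self.answer = answer    # user's click, "remember" left unchecked
        self.decisions = {}     # kept until the application restarts
        self.alerts = []        # connections that produced a popup

    def connect(self, conn):
        k = self.key_fn(conn)
        if k not in self.decisions:      # no cached answer: raise an alert
            self.alerts.append(conn)
            self.decisions[k] = self.answer
        return self.decisions[k]

    def restart_app(self, app):
        # Thread: alerts resume once the program is closed and reopened.
        self.decisions = {k: v for k, v in self.decisions.items() if k[0] != app}

def silent_flows(fw, conns):
    """Connections that were allowed without an alert of their own."""
    silent = []
    for c in conns:
        before = len(fw.alerts)
        if fw.connect(c) == "allow" and len(fw.alerts) == before:
            silent.append(c)
    return silent

# Constructed traffic (documentation-range IPs) mirroring the report.
TRAFFIC = [
    Conn("browser", "TCP", "192.0.2.10", 80),
    Conn("browser", "TCP", "198.51.100.7", 80),
    Conn("browser", "TCP", "203.0.113.5", 80),
    Conn("browser", "UDP", "203.0.113.5", 80),
    Conn("browser", "TCP", "203.0.113.5", 443),
]
```

With the port+protocol key, a single unremembered "allow" behaves like a wildcard-IP rule for the rest of the session; comparing `silent_flows` output for the two keys shows which connections a user never got to decide on.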