A. THE BUG/ISSUE (Varies from issue to issue)
Summary - Give a clear summary in the topic title, NOT here.
Can U reproduce the problem & if so how reliably?: yes, 100%
If U can, exact steps to reproduce. If not, exactly what U did & what happened:
Application: any app which can make multiple connections to different IPs (browser, WinSCP)
application is in “Trusted Files”
application does not have firewall rules
firewall is in custom rules mode
firewall alert frequency: very high
firewall create rules for safe apps: disabled
firewall do not show alerts mode: disabled
Start application and let it make connections to the same port to different IPs:
browser: open a few http (80) & https (443) pages
WinSCP: ssh (22) to a few servers
Allow any alert (update to clear up a few things: leave “remember” unchecked).
On the first connection attempt there is an alert - for example IP1:80, however on further connections (IP2-IPx) to *:80 there won’t be a single alert. So if we allow browser to connect to :80 even once, then all connections become allowed (over the same port).
However if we make *:port connection over TCP and allow it, then connection to *:port over UDP - we will get two alerts (but no more) (it seems to be port+proto driven).
Looks like alert frequency setting is broken. Also if we block connection, then application is permanently blocked for *:port.
There is a single exception: if more connections are made while the popup is still displayed, then it will show up again even for the same port/proto.
In 5.x we got alert for every connection attempt.
If not obvious, what U expected to happen: There should be an alert for each connection.
If a software compatibility problem have U tried the conflict FAQ?:
Any software except CIS/OS involved? If so - name, & exact version:
Any other information, eg your guess at the cause, how U tried to fix it etc:
B. YOUR SETUP (Likely the same for each issue, so you can copy forward)
CIS version & configuration: 6.0.260739.2674, own config
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV: all
Have U made any other changes to the default config? (egs here.): sure
Have U updated (without uninstall) from a previous version of CIS: no
if so, have U tried a clean reinstall - if not please do?: no
Have U imported a config from a previous version of CIS: no
if so, have U tried a standard config - if not please do: no
OS version, SP, 32/64 bit, UAC setting, account type, & VM used: XP Pro, SP3, 32b, admin
Other security/sandbox software a) currently installed b) installed since OS: none
Files attached inc diagnostics, config, processes - PM for pwd.
Thank you very much for your bug report in standard format. We very much appreciate the effort you have made to document this bug.
We are sorry to trouble you further but there are some items of information missing or unclear in your post:
A.8 Always attach - Diagnostics file, Killswitch processes list
The reasons we need these items of information, though they may not seem directly relevant to the issue are explained here.
We would be very grateful if you would add these items of information so we can forward this post to the format verified board, where it is more likely to get fixed. You can find assistance using red links in the Format and here. If you need further help please ask a mod. If you do not add the information after a week we will forward this post to the non-format board. If this happens we will tell you how to rectify this if you wish to.
In the current process we will normally leave it up to you whether you want to make a report which includes all necessary information or not. We may remind you if we think a bug of particular importance.
WinSCP - I made connection, got alert, allowed it, then I connected to other servers (TCP/22) - no further alerts → all connections were allowed.
Then I tested Opera. Opened new tab and entered a site. Here I got two alerts for :80 (check my report about connections made while popup is displayed) and one for :443. All allowed. Since then we can browse any website and no more alerts. Seems that firewall checks only port+proto, while IP is ignored, when once allowed/blocked then there are no further alerts (of course until we restart app).
Unfortunately, I can’t confirm this behaviour. If I open a browser and make a connection with the settings described above, I get a new alert/log entry/rule for each unique connection (IP address). The same is true when using WinSCP.
Ech… All the IPs you’ve shown on the screen belong to *.mozilla.com and *.google.com. Probably you have a Google start page. That’s why they showed up almost at the same time. So that’s why I use a blank page, to not confuse logs. Yes, when I start Firefox it asks me sometimes a few times about :80 and :443 (it uses some at-start checks), but then wherever I go - no more alerts.
Try to close all tabs and start Fx with a blank tab (speed dial) (well, that’s why I used Opera as it does not make connections at start), and only then connect through http & https sites. After the first alerts there should not be any more. But try a few sites, not only 1 or 2. Also note what I’ve said in my report - when connections are made while the popup is on screen then they will also be asked for - so entering a first site could trigger a few successive :80/443 alerts. This way using uTorrent I still get a burst of alerts due to a swarm.
It actually doesn’t make any difference. The log above shows what happens when starting Firefox for the first time, without any firewall rules. If I delete those rules and simply open several tabs to unique sites, I receive as many alerts/log entries/individual rules as it takes to load those sites fully. It also makes no difference if an alert exists on the screen or not, when a new connection is found.
Why do you have app rules on screen? I have set custom rules policy and disabled creating rules for safe applications (as I wrote in the report) so it should not make auto-rules. Maybe you enabled “remember” for each alert? If yes then I’m sorry, but you are not following my steps or are using different settings. When I select “remember” it seems to ask for every connection made (to be honest I was not aware of that, because I have still not fully configured the firewall - found more bugs, will report them soon and haven’t even started checking HIPS…). However if I click allow even once without selecting “remember”, then it won’t ask any more for new sites. Please try again just simply clicking “allow” (don’t do anything I didn’t write about).
Unfortunately, this is on Win7 but after changing the Firewall settings to the same as your report, I seem to get a new and unique request for each connection attempt; no rules are being made and “remember” is not being clicked / checked on each request.
This reminds me of a problem that existed a few years ago, I forget which version, but it was something similar. Basically, if one didn’t select remember, the firewall would only alert for the first instance of a protocol and port combination. It didn’t matter how many unique IP addresses were involved. I’m sure there was a bug for it. I guess if it’s still happening, it’s just one more thing that hasn’t been fixed or has broken again.
I’ll spend some more time playing with things.
Edit: The bug was only single session, as soon as the program in question was closed and reopened, alerts would resume, but again only for the parameters outlined above.
“In firewall custom mode with alerts on high frequency, after allowing alerts to an IP for an application, subsequent connections for that application to different IPs on the same port may be allowed without alert”
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.
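
Added illustration, not part of the original thread and not Comodo code: a toy model of the reporter's hypothesis that an un-"remembered" answer is cached per session under a key without the remote IP, compared with a key that includes it. The class, the 5-second answer delay and the trace (documentation-range IPs) are all assumptions made up for the example.

```python
# Toy model of the alert behaviour reported in this thread (not Comodo code).
# Hypothesis from the report: without "remember", the answer to an alert is
# cached for the application's session under a key that omits the remote IP.
from dataclasses import dataclass, field

@dataclass
class SessionFirewall:
    key_includes_ip: bool           # True: alert per IP (expected); False: reported
    answer_delay: int = 5           # assumed seconds until the user answers a popup
    decisions: dict = field(default_factory=dict)  # key -> (effective_time, verdict)
    alerts: int = 0

    def _key(self, proto, ip, port):
        return (proto, ip, port) if self.key_includes_ip else (proto, port)

    def connect(self, t, proto, ip, port, answer="allow"):
        """Return (verdict, alerted) for one outbound attempt at time t."""
        key = self._key(proto, ip, port)
        cached = self.decisions.get(key)
        if cached and cached[0] <= t:
            return cached[1], False              # decided silently from the cache
        self.alerts += 1                         # no answer yet, or popup still open
        self.decisions.setdefault(key, (t + self.answer_delay, answer))
        return answer, True

    def restart_app(self):
        self.decisions.clear()                   # session-only: alerts resume

def count_alerts(trace, key_includes_ip):
    fw = SessionFirewall(key_includes_ip)
    for t, proto, ip, port in trace:
        fw.connect(t, proto, ip, port)
    return fw.alerts

# Constructed trace (documentation-range IPs): (time, proto, remote IP, port)
TRACE = [
    (0,  "tcp", "192.0.2.10",   80),   # first site: alert
    (1,  "tcp", "192.0.2.11",   80),   # popup still open: alert again
    (20, "tcp", "198.51.100.7", 80),   # new IP after the answer
    (30, "tcp", "198.51.100.8", 80),
    (40, "udp", "198.51.100.8", 80),   # same port, other protocol
    (50, "tcp", "203.0.113.5",  22),
]

if __name__ == "__main__":
    print("port+proto key:", count_alerts(TRACE, key_includes_ip=False))
    print("ip+port+proto key:", count_alerts(TRACE, key_includes_ip=True))
```

Replaying the same connection sequence on a test machine and comparing the alert count against the two totals shows which keying the installed build follows.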