No Firewall Alert for Interpreters with Outbound Only Set to "Ask"

Hello,

Background: Some malicious scripts will use interpreters, e.g. wscript.exe, cscript.exe, cmd.exe, etc., to perform hidden downloads. To increase security, it is not a bad idea to establish an “Ask” outbound-connection firewall rule so as to have the firewall alert when an outbound connection is made.

Create the following firewall rule for an interpreter, e.g. cmd.exe:

  1. Outbound only (Rule set - pre-defined from drop-down menu)

  2. Ask

When cmd.exe makes an outbound connection, there is no firewall alert.

NOTE:

I verified that interpreters are not included in a file group with a generic “Allow” firewall rule, but it is possible there is something else in the configuration that is preventing firewall alerts for interpreters.


Can someone confirm this on their system?

Easy test for cmd.exe:

ping comodo.com -t

The above command should generate an outbound firewall alert if the firewall is working correctly.

(use CTRL + C to terminate ping)


If someone could give me feedback on this issue I would greatly appreciate it.

Best Regards,

HJLBX

Custom Policy mode ftw & Alert frequency to High. :P

I tried setting Comodo firewall to:

  1. Custom Ruleset

  2. High alert frequency

Still, no firewall alerts for interpreters.

Unfortunately, those settings do not correct the issue.

Best Regards,

HJLBX

I don’t understand, didn’t you say that you added an “outgoing only” rule? Shouldn’t that allow the outgoing traffic?

Also, when you do the ping command from the command prompt, the actual process that does the ping is ping.exe, which CIS usually (sometimes not) packs into the “System” file group, although it isn’t an actual file group, so you can’t see it in the file group list; it’s more like a single item that represents other files on the system. I can’t remember exactly why CIS does this, perhaps “usability”, or it’s unable to see the actual process doing the connection, I don’t know, but it’s what it does sometimes.

cmd.exe firewall rule =

  1. Outgoing only

  2. Ask

If I apply the same firewall rule to ping.exe, it generates no firewall alert.

The actual process that does the connection is cmd.exe.

The issue is not that the traffic is blocked; it is allowed.

The issue is that any outbound connections made by cmd.exe (and other interpreters) generate no firewall alert.

Best Regards,

HJLBX

So you mean the rules are “Allow All Outgoing Requests” and then under that is “Ask For All Unmatching Requests”? That would allow the outgoing traffic from cmd.exe and alert for incoming traffic.

Because CIS usually doesn’t see “ping.exe”, it sees “System”, go to your firewall application rules and find “System” in the list. If it doesn’t exist, then create it (without quotation marks), then set it to “Blocked application”, then try to use CMD to ping something; you will see that it is blocked.

It doesn’t really matter if it’s ping.exe or cmd.exe that does the connection, because whichever process it is, CIS sees it as “System”. It doesn’t see the actual process, and hence trying to block the actual process will yield no result whatsoever.

Make sure that you have no global rules that say “Allow all outgoing traffic” or similar, and make sure that the applications in question don’t have any “Allow all outgoing traffic” rules, as they will do just that, allow all the outgoing traffic. If you want it to alert about the outgoing traffic, then make an Ask rule for the outgoing traffic instead.

cmd.exe outgoing connections are set to “Ask”, so there should be a firewall alert every time cmd.exe attempts to make an outbound connection.

The System file group is set to “Allow” only for remote IP addresses within the Local Area Network; so if cmd.exe pings Comodo.com, which is not within the LAN, a firewall alert should appear.

I think there is a bug.

If the user selects “Create rules for trusted applications”, all network connections for interpreters are blocked.

Can you show a screenshot of the “System” application rule and the global rules?

According to Comodo support cmd.exe is not assigned to System.

To confirm…

I set System IN\OUT rules to “Ask” and still no alert for cmd.exe.

I set System IN\OUT rules to “Block” and cmd.exe is not blocked.

cmd.exe is not pre-assigned to any firewall file group by Comodo.

The user should be able to define whatever rule they wish for interpreters.

According to support this behavior should not be occurring.

If you think that this is a bug then please report it in the bug section.

I hope this bug is quickly addressed, as it seems a major security issue. If I understand this correctly, if “create rules for trusted applications” is checked, then this is no longer a problem because System (or the interpreter, if not part of System) is not a trusted application? Is this in Custom mode or Safe mode? Should all previous rules be deleted? I am trying to test it out now, but I have such a customized and altered set-up at this point that I am not sure what the important aspect of this is.

Thanks for the information and pointing this out.

CIS processes rules in order from top to bottom until a rule matches an action, in which case all other rules after the first matching rule will be ignored. If you have an allow-out rule above an ask rule, then that outgoing rule will have priority over any rules below it. Also, cmd.exe doesn’t have the ability to communicate over a network, therefore you cannot prove that CIS is failing to block cmd.exe. There is no bug here.
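The rule-ordering point in the last reply (first match wins, so an allow-out rule placed above an ask rule silently shadows it) is easy to see with a small model. The following Python is an added illustration written for this thread, not Comodo's or CIS's code: it collapses global and per-application rules into one ordered list, treats "System" versus the real process as out of scope, and uses constructed rule sets and addresses (192.168.1.0/24 as the LAN, 203.0.113.10 as a stand-in Internet host).

```python
"""First-match firewall rule evaluation, modelled to show shadowed rules.

Added example for the thread above; the rule semantics are a simplification
of the top-to-bottom, stop-at-first-match behaviour described in the replies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One rule: action is "allow", "block" or "ask"; direction is "in",
    "out" or "any"; remote is the CIDR the remote address must fall inside."""
    action: str
    direction: str
    remote: str = "0.0.0.0/0"


@dataclass(frozen=True)
class Connection:
    direction: str  # "in" or "out"
    remote_ip: str


def matches(rule, conn):
    """A rule matches when its direction covers the connection and the
    remote address lies inside the rule's network."""
    if rule.direction not in ("any", conn.direction):
        return False
    return ip_address(conn.remote_ip) in ip_network(rule.remote)


def evaluate(rules, conn, default="ask"):
    """Walk the list top to bottom and stop at the first matching rule.
    Returns (action, index of the deciding rule), or (default, None)."""
    for index, rule in enumerate(rules):
        if matches(rule, conn):
            return rule.action, index
    return default, None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule with the
    same (or "any") direction already covers their whole remote range.
    Running this over a rule set is the quickest way to spot an "ask" rule
    that a blanket allow above it has made dead."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.direction not in ("any", later.direction):
                continue
            if ip_network(earlier.remote).supernet_of(ip_network(later.remote)):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample rule sets (not taken from any real CIS configuration).
# What the original poster describes: allow only for the LAN, then ask.
LAN_ALLOW_THEN_ASK = [
    Rule("allow", "out", "192.168.1.0/24"),
    Rule("ask", "out"),
]

# What the last reply warns about: a blanket allow-out above the ask rule.
ALLOW_ALL_THEN_ASK = [
    Rule("allow", "out"),
    Rule("ask", "out"),
]

# Constructed endpoints: one LAN host, one public host (documentation range).
LAN_HOST = Connection("out", "192.168.1.5")
INTERNET_HOST = Connection("out", "203.0.113.10")


if __name__ == "__main__":
    for name, rules in (("LAN allow, then ask", LAN_ALLOW_THEN_ASK),
                        ("allow all, then ask", ALLOW_ALL_THEN_ASK)):
        print(f"{name}: LAN -> {evaluate(rules, LAN_HOST)}, "
              f"Internet -> {evaluate(rules, INTERNET_HOST)}, "
              f"shadowed rule indices: {shadowed_rules(rules)}")
```

With the LAN-only allow above the ask rule, the public host falls through to the ask rule and would prompt; with a blanket allow-out above it, the same connection is allowed at index 0 and `shadowed_rules` reports the ask rule as dead, which is the configuration mistake the last reply describes.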