Serious problem with Firewall in the new Comodo4

Hello,

I think I’ve found out a serious problem concerning the Firewall of the new
Comodo 4 security suite:

The firewall now allows all outgoing connections by default and it does not
warn about anything, regardless of whether the connections are allowed or not in Global Rules.

Some facts of the bug:

  1. It happens in both: Windows XP SP3 (32-bit, virtual machine) and Vista SP2 (64-bit, real).
  2. It also happens whether Comodo 4 Internet security suite is running alone or
    with Avira Antivir.
  3. No matter if the Windows firewall is set to on or off.
  4. The Defense+ settings seem not to affect it, as it happens the same thing
    regarding the Firewall behaviour whether the Defense+ is set to CleanPC mode or
    Safe Mode.
  5. The specific info and steps to reproduce the bug are described in the chat
    I just had with the Live Support operator:

Thomas (03/13/10 11:57:15): Hello
Subscriber (03/13/10 11:57:35): Hi, I think the new Comodo Internet Security
suite has a serious problem
Subscriber (03/13/10 11:57:57): I am writing this from a Windows XP SP3 virtual
machine into Virtualbox
Thomas (03/13/10 11:58:06): Could you be more specific ?
Subscriber (03/13/10 11:58:12): yes
Subscriber (03/13/10 11:58:17): It has to do with Firewall
Subscriber (03/13/10 11:58:37): Not balloons nor any warnings are given but all
outgoing connections are allowed
Subscriber (03/13/10 11:58:43): by default
Thomas (03/13/10 11:59:07): Do you have this issue on a real machine too?
Subscriber (03/13/10 11:59:10): The “old” version 3.14 of Comodo works fine
Subscriber (03/13/10 11:59:16): Yes i have too
Subscriber (03/13/10 11:59:35): I firstly tried the new version 4 in my real
Vista SP2
Subscriber (03/13/10 11:59:38): same problem
Thomas (03/13/10 12:00:02): Did you set the Firewall on Safe mode ?
Thomas (03/13/10 12:00:12): Do you have on that computer any other security
suite installed ?
Thomas (03/13/10 12:00:20): Is the windows firewall set to off ?
Subscriber (03/13/10 12:00:31): I have 2 virtual machines open and running right
now the same Windows XP SP3, but one with Comodo3 and the another running Comodo4
Subscriber (03/13/10 12:00:43): Yes set to safe mode too
Subscriber (03/13/10 12:01:12): even if set to custom policy mode
Subscriber (03/13/10 12:01:19): not any warning message
Subscriber (03/13/10 12:01:25): just all connections are allowed
Subscriber (03/13/10 12:02:00): I compared the global rules in both versions of
the suite
Subscriber (03/13/10 12:02:29): In the new comodo 4 version are all allowed by
default (unlike the previous Comodo3 in which all are blocked by default)
Subscriber (03/13/10 12:03:05): NO I did not have any other security suite
installed on the real Vista SP2
Subscriber (03/13/10 12:04:05): And not, I do not have in the virtual machine
running Comodo 4, but yes I have Avira Antivirus (not another firewall at all) in
the virtual machine running WinXP SP3 (on which Comodo3 works just OK).
Subscriber (03/13/10 12:05:41): Right now I have the firewall set to off
because… I copied the Global rules from Comodo3 and … I couldn’t make any
connections! yet any warnings are displayed
Thomas (03/13/10 12:07:06): Please report this issue to our forums section here
https://forums.comodo.com/bug-report-cis-b132.0/
Subscriber (03/13/10 12:07:43): Yet another question I am concerned with: In
Application Rules there is by default an “All Applications” rule… allowing
absolutely everything outgoing
Subscriber (03/13/10 12:07:58): Ok I am going to report it at once
Thomas (03/13/10 12:08:11): Please do.
Subscriber (03/13/10 12:08:16): k

Rgds.,
Victor

Subscriber (03/13/10 12:07:43): Yet another question I am concerned with: In Application Rules there is by default an "All Applications" rule.. allowing absolutely everything outgoing
Subscriber (03/13/10 12:07:58): Ok I am going to report it at once

LOL I think they need to train their staff, it’s apparently by design, supposed to be so the technically incapable and my gran can use it without getting a popup or 3. Personally I think it’s an insult to my gran’s intelligence.

If you switch to proactive security it’s supposed to remove the idiot rule.

Supposed to maybe, but it doesn’t.

Hi,
The quoted problem was caused because CIS4 comes by default with an “All Applications” rule at Network Security Policy… Allowing all outgoing requests. :smiley:

This is not a bug properly said, but I think just a mistake included in the cisfree_installer file (and not in the cfwfree_installer file, which does not come with such rule).

So, the first thing I do now is to ERASE that allow All Applications rule.

The second thing is to change the Firewall Security Level in Firewall Behavior Settings from Safe Mode to Custom Policy Mode, in order to be able to decide which programs connect to the Internet, as CIS4 now mostly gives no pop-up alerts in Safe Mode but automatically learns the traffic initiated by what CIS considers safe applications.

With these 2 things done, CIS4 warns again, every time something wants to connect to the Internet.

I think Comodo Internet Security is the best and most comprehensive internet security out there, with the best firewall (paid or free), plus an incredible HIPS and now also with a quite better-than-you-thought (and mostly at the same level as the most reputable) antivirus, antispyware, antirootkits, etc.

This is so recognized here: Best firewall and antivirus software - Norton, McAfee and more or here: http://www.matousec.com/projects/proactive-security-challenge/results.php just to give 2 examples.

But this fourth version has yet to be polished a bit or two, also regarding the new sandbox feature.

Vic64,
I just did what you suggested (removed the allow all rule) and now i cannot update CIS.

Was figuring like what the hell. yeah, can confirm there is no such rule on the firewall only and seems to actually work pretty flawless. Although, you’ll have to put all security to maximum to even reach minimum level of decent security and accepting connections. hell, they even fixed port directions from v3.xx, heh.

Anyway, I can say pretty happy where we are at now minus defence+ minus anti-virus and comodo get my vote for the firewall alone.

Are there other programs also not functioning? Or is it just CIS update? If it is only CIS update do you mean the av update or the program update?

Vic64 is referring to the All Applications rule in Network Security Policy → Applications. That is what needs to be removed.

Initially, i went to:
CIS>firewall>advanced>predefined firewall policies>outgoing only.

in the outgoing only option I removed the default let everything in/out. CIS could not update and that is all i tried. Immediately after that I changed it to ask.

now it seems to work, but obviously everything connecting to the web asks for permission.

You removed the wrong thing. The all applications rule as stated above is the thing to remove as well as the one in Global rules if it is there.

oh, that one was not there. weird.

I would suggest not to change Predefined Policies unless you really know what you are doing.

Please edit the Outgoing Only rule to

Action: Allow
Protocol: IP
Direction: Out
Description: Allow all outgoing requests

Source Address: Any
Destination Address: Any
IP Details: Any

This will make your Comodo updater work again.

What is the problem you were trying to fix? Or what type of behaviour were you trying to establish? What were the reasons you wanted the change? Let us know so we can help work it out.

I wanted to fix this “problem”.
I removed the rule to allow any and all outgoing info (predefined firewall policies>outgoing only) and that is when CIS would not update. I did replace the rule with “ask” instead of “allow all” and it is now working but obviously i get asked before anything is sent.

I believe the original rule was:
allow IP out from IP any to IP any where protocol is any

The rule I replaced it with is
ask IP out from IP any to IP any where protocol is any

I would like to suggest to follow my advice to restore the original outgoing only rule and start working from there.

ok. i assume you know more about this than i do so i’ll take your advice, but wouldn’t it be safer to have programs ask for permission than blindly allowing everything to send data?

this is the correct original rule right?
allow IP out from IP any to IP any where protocol is any

Let me elaborate a bit on the basics of Global and Application rules with CIS.

The basic idea is that a firewall will block all unsolicited incoming alerts and will allow programs to connect to the web.

In practice this means that for incoming traffic they will first see Global Rules and then meet Application Rules; unsolicited incoming traffic will get blocked by Global Rules.

Outgoing traffic will first meet Application Rules and then Global rules. So, outgoing traffic will go through Application Rules first. Outgoing traffic gets blocked or allowed by Application Rules not by Global Rules.

You want to ask program permission to access the internet. Comodo’s safe list and Trusted Vendors list will allow internet access without user interaction. I assume Comodo is trustworthy in making these lists.

With the default settings all trusted programs are allowed to access the web. To get back to the suggestion made earlier in this topic. Go to Firewall → Advanced → Network Security Policy → Application Rules → now remove the All Applications rule.

That’s the suggested solution. Switching to Proactive Security will do the same. This can be done under More → Manage My Configurations.
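
The evaluation order described in the post above (outgoing traffic meets Application Rules first and then Global Rules, incoming traffic the reverse) can be sketched as a small model. This is an added example, not part of the original thread and not Comodo's code; the `Rule` class, the function names, the application names and the no-match defaults are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "allow", "block" or "ask"
    direction: str   # "in", "out" or "any"
    app: str = "*"   # "*" matches every application (Global Rules always use "*")

def first_match(rules, app, direction):
    """Return the action of the first rule matching this app and direction, or None."""
    for r in rules:
        if r.app in ("*", app) and r.direction in ("any", direction):
            return r.action
    return None

def decide(app, direction, app_rules, global_rules, mode="custom", trusted=()):
    """Outgoing: Application Rules, then Global Rules. Incoming: the reverse.
    A block or ask at either stage ends evaluation."""
    def app_stage():
        action = first_match(app_rules, app, direction)
        if action is not None:
            return action
        # Assumption: Safe Mode silently allows outgoing traffic from trusted apps.
        if mode == "safe" and direction == "out" and app in trusted:
            return "allow"
        return "ask"
    def global_stage():
        # Assumption: traffic matching no Global Rule passes on unchanged.
        return first_match(global_rules, "*", direction) or "allow"
    stages = [app_stage, global_stage] if direction == "out" else [global_stage, app_stage]
    for stage in stages:
        action = stage()
        if action != "allow":
            return action
    return "allow"

# Constructed sample policy: the default "All Applications" rule from the thread,
# plus one Global Rule blocking unsolicited incoming traffic.
ALL_APPS = Rule("allow", "out", "*")
GLOBAL = [Rule("block", "in")]

def scenarios():
    return {
        "default_unknown_out": decide("unknown.exe", "out", [ALL_APPS], GLOBAL),
        "removed_unknown_out": decide("unknown.exe", "out", [], GLOBAL),
        "removed_trusted_safe": decide("browser.exe", "out", [], GLOBAL, "safe", ("browser.exe",)),
        "unsolicited_in": decide("unknown.exe", "in", [ALL_APPS], GLOBAL),
    }
```

With the "All Applications" rule present, an unknown program's outgoing connection is allowed without a prompt in any mode; once the rule is removed, the same connection produces an alert, while a trusted program in Safe Mode still connects silently.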