Hello CIS developers and all,
I am unsure whether these symptoms are caused by bugs in CIS Pro 2013 or by tampering from the system rootkit that resides in my Windows 7 Professional 64-bit system. I have been facing a denial of service for the online activation of Kaspersky Internet Security 2013 (for 3 years' use): the source server (or a decoy, or an exploited DNS server) sends RST/ACK packets when the installed program has not requested them; it interfered with an online purchasing transaction (hosted by Akamai CDN servers) for ZoneAlarm Pro 2013, and once the transaction completed, it kept detecting many bogus incoming port scans. I consider that CIS Pro 2013 would hopefully be my last resort.
The Firewall Global Rules and Rulesets GUI panes in version 6.0.264710.2708 display a blank screen unless I stretch out the lower right corner with the mouse pointer.
On the current and older versions of CIS Pro 2013, HIPS Rules with File Protection definitions never work on my PC to prevent stealthy modifications; no pre-notification from the system or the CIS program was ever shown to me.
ICMP Type 3 Code 9, 10 and 13 cannot hold ‘Message: Custom’ with their definition (type and code) on the ICMP Details pane. These personalized sets are often ALL replaced with ‘ICMP Echo Request’. I notice this symptom occurs mostly when I import a Firewall Configuration ruleset I stored; this could be tampering by a subset of the rootkit. Otherwise, ‘Type’ and ‘Code’ for ‘ICMP Details’ display a blank window.
When version 6.0.264710.2708 logs a blocking result for Destination Unreachable, ‘Firewall Events’ in ‘View Logs’ shows merely “Destination Unreachable” for Source Port and Destination Port, even though I configured the seven Destination Unreachable rules for outgoing traffic precisely with the type and code numbers.
Some of the added ICMP filtering definitions have been strangely disappearing or being modified in the Registry entries for CIS Pro 2013. I configure these to prevent sophisticated host-discovery scanning.
(1) Block ICMP (Out) Type 3, Code 3 … Destination unreachable / Destination network administratively prohibited.
HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\3\Firewall\Policy\Global Rules\3
IcmpCode REG_DWORD 3 —> 0
IcmpType REG_DWORD 3 —> 0
(2) Block ICMP (Out) Type 3, Code 13 … Destination unreachable / Communication Administratively Prohibited by Filtering.
HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\3\Firewall\Policy\Global Rules\6
IcmpCode REG_DWORD 13 —> 13 | 0
IcmpType REG_DWORD 3 —> 9 | 0
(3) HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\3\Firewall\Policy\Global Rules\13
(4) HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\3\Firewall\Policy\Global Rules\14
- The result of uninstalling ver. 6.0.264710.2708 and then installing ver. 6.0.260739.2674:
I uninstalled this version and installed the first version of CIS Pro 2013 once more to find any improvements on the ICMP issues.
- Today, I reformatted my boot drive at DoD level, restored my OS and reinstalled the first version of CIS Pro 2013. When I launched ‘Killswitch’, added on to use in a built-in fashion, surprisingly it sent HTTP packets to the following IP addresses.
220.127.116.11 … This is a Microsoft URL, such as for KBxxxxxxx information and downloads.
18.104.22.168 … This belongs to Akamai Technologies.
To block this behavior, I added a filtering rule to the Firewall Global Rules. Well, this caused my PC to be unable to read or download KBxxxxxx update files. To avoid this inconvenience, I installed a standalone CCE set from Comodo. This resolved the new issue.
Shortly before that, I downloaded nearly 10 Windows Update standalone packages to maintain a secure state for my (newly restored) PC and to not compromise with the ones being installed, which have different file sizes under the same update name listed in Control Panel’s Windows Update auto-detection. This has frequently been happening to me.
I hope a future version of CIS Pro will implement a good self-defense feature resistant to any malicious modifications.
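As an added example (not part of the original post and not Comodo's own tooling): a Python check that compares an exported .reg copy of the Global Rules subkeys listed above against the IcmpType/IcmpCode values the poster intended, reporting every rule whose values have drifted. The .reg content is constructed here to reproduce the changes described in the post (rule 3 reset to 0/0, rule 6 type flipped to 9).

```python
import re

# Expected values per Global Rules subkey, from the rule list in the post
# (rule 3: Type 3 / Code 3, rule 6: Type 3 / Code 13).
EXPECTED = {"3": {"IcmpType": 3, "IcmpCode": 3},
            "6": {"IcmpType": 3, "IcmpCode": 13}}

# Constructed .reg export (the format written by `reg export`), mirroring the
# drift the post reports: rule 3 reset to 0/0, rule 6 type flipped 3 -> 9.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\3\Firewall\Policy\Global Rules\3]
"IcmpType"=dword:00000000
"IcmpCode"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\3\Firewall\Policy\Global Rules\6]
"IcmpType"=dword:00000009
"IcmpCode"=dword:0000000d
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Map each Global Rules subkey name to its DWORD values, e.g. {"3": {"IcmpType": 0}}."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Only subkeys directly under ...\Global Rules\ are of interest.
            current = path.rsplit("\\", 1)[1] if "\\Global Rules\\" in path else None
            if current is not None:
                rules.setdefault(current, {})
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            rules[current][val.group(1)] = int(val.group(2), 16)  # .reg dwords are hex
    return rules

def find_drift(rules, expected=EXPECTED):
    """Return (rule, value_name, expected, actual) for every mismatching or missing value."""
    drift = []
    for rule, wanted in expected.items():
        actual = rules.get(rule, {})
        for name, want in wanted.items():
            if actual.get(name) != want:
                drift.append((rule, name, want, actual.get(name)))
    return drift
```

A real export produced with `reg export` is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing it to `parse_reg`.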