Win7 64, CIS 2011 PRO, version 5.5.195786.1383, no other defence software installed.
Under “Network Security Policies”, System, svchost.exe and bittorrent are all listed as “trusted application”. I also set my firewall security level to “custom policy”. To my knowledge all these events should be allowed, but they are not. What could be the reason for this?
Also, is it possible for these policies to get changed automatically from trusted to some custom rule-set when I switch to the more free “safe mode”? I seem to spot that sometimes.
[attachment deleted by admin]
All of the log entries are IPv6 related, which means you have IPv6 filtering enabled in Firewall Behaviour Settings. Is your ISP xs4all.nl?
If these processes have been set to trusted, I’m not sure, without seeing your Application/Global firewall rules, why these alerts are being generated, unless it is due to the hierarchy of the rules.
You are right in both cases. IPv6 filtering is on and my ISP is indeed xs4all.nl.
In fact, over the past few hours my log has filled with a nice number of events, all of which are either IPv4 and explainable, or IPv6 and… weird. Could it be CIS isn’t actually fully IPv6 compatible?
I’ve included some screenshots that I hope give you more info.
svchost in that shot is on custom with a rule that says all UDP out is OK. It’s usually on trusted but I was testing stuff.
On global rules, the first two are my modem IP address being allowed to connect to my own IP address and the 2nd is similar but for my entire LAN (superfluous, but I’m still figuring stuff out).
I haven’t really changed the preset policies from their default.
Any help is appreciated.
[attachment deleted by admin]
Unfortunately, because the Application rules image shows a collapsed view, I can’t see if you’ve enabled logging on the rules for System, Windows System Applications and Bittorrent.
They are listed as trusted app and, as I said, those templates haven’t been changed.
In short, they aren’t logged. I’ve included another screenshot without collapse.
Regardless, the initial 3 I complained about aren’t the only ones giving problems. By now browsers and even games have generated alerts because they tried to contact the internet via IPv6 and CIS clearly can’t handle rule checking on these (all IPv4 traffic works according to the rules). I’m thinking I should file a bug report. In the meantime, I’ll just use “safe mode” as that works with no issues.
[attachment deleted by admin]
Thanks for the new image. I appreciate they’re using the generic trusted rule, but it is possible to create such a rule with logging enabled, hence the request.
This is really quite curious. I also use IPv6 but I don’t use generic rules, such as ‘Trusted’ or ‘Outgoing only’ and I’m not seeing any log entries of the type you’re experiencing. Right now I’m trying to recreate the scenario but so far I’ve seen nothing similar. What, exactly, do the two Global rules do?
Modem does: Allow any IP from 192.168.178.1 (modem) to 192.168.178.26 (my IP), both In/Out
LAN does: Allow TCP or UDP from network zone “lan” to network zone “lan” on any port, both In/Out
Network zone “lan” is the IPv4 range 192.168.0.1 - 192.168.255.255.
I also included a new log. As you can see, numerous different kinds of applications “asked” because they were doing IPv6 requests and evidently that doesn’t trigger the existing rules.
You can also see IPv4 requests from 2 apps being logged.
- GoogleUpdate.exe (which I’ve blocked and at that time was still set to be logged), so that’s all right.
- Windows Live Mail, or wlmail.exe, which has “asked” twice. This is because it was set to the “email client” preset policy ruleset. In these rules TCP connections have a limited set of destination ports (as listed under POP3/SMTP Ports under Port Sets) and ports 443 and 80 as listed in the log aren’t among these. Therefore it’s all right for this app to generate an alert.
Mind you, I only see this issue when I set the firewall to “Custom Policy” mode. In safe mode neither the alerts nor the logs are made.
I appreciate the time you’ve spent on this thus far.
[attachment deleted by admin]
Are you actually getting alerts for each of these log entries?
Wherever the action is listed as “asked” I got a popup. At first I selected “treat as trusted application” or a similar option even though I knew it was already listed as such, but it just kept coming back.
If possible, I’d like you to try a small test. I notice you have Firefox installed; as that is the browser I’m most familiar with, I’d like you to use that as the test vehicle.
Basically, I’d like you to place the firewall in Custom Policy Mode and set the Alert settings to Very high. Then I’d like you to modify the rule for Firefox to:
Action - Allow
Protocol - TCP
Direction - Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - 80

Action - Allow and Log
Protocol - TCP
Direction - Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - 443

Action - Allow and Log
Protocol - TCP
Direction - Out
Source Address - ANY
Destination Address - 127.0.0.1
Source Port - ANY
Destination Port - ANY

Action - Block and Log
Protocol - TCP
Direction - Out
Source Address - ANY
Destination Address - ANY
Source Port - ANY
Destination Port - ANY
Now I’d like you to connect to https://addons.mozilla.org/en-US/firefox/i/ which uses IPv6 and see if any alerts are generated.
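As an added illustration (not code from the thread or from Comodo), here is a first-match evaluator for an ordered rule set in the shape used above: it loads the four Firefox rules as given, plus a simplified “Email Client” rule for the wlmail.exe case described earlier in the thread, and treats an ANY address as matching IPv6 as well as IPv4, which is what the poster expects CIS to do. The POP3/SMTP port numbers, the single-rule Email Client set and the sample source addresses are assumptions, not taken from the page; the Google IPv6 address is the one the thread’s ping resolved to.

```python
import ipaddress
from collections import namedtuple

ANY = None  # wildcard for an address or a port
# Constructed stand-in for the CIS "POP3/SMTP Ports" port set; the thread does
# not list its members, so these values are an assumption for illustration.
PORT_SETS = {"POP3/SMTP Ports": {25, 110, 143, 465, 587, 993, 995}}

# action "allow"/"block", log True for "and Log", src/dst ANY or address/CIDR,
# sport/dport ANY, a port number, or a port-set name (as in the CIS rule editor).
Rule = namedtuple("Rule", "action log protocol direction src dst sport dport")

def addr_match(pattern, addr):
    # ANY must match IPv6 as well as IPv4; an IPv4/IPv6 version mismatch never matches.
    if pattern is ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def port_match(pattern, port):
    if pattern is ANY:
        return True
    if isinstance(pattern, str):  # named port set
        return port in PORT_SETS[pattern]
    return port == pattern

def evaluate(rules, protocol, direction, src, dst, sport, dport):
    """First matching rule wins; no match -> Custom Policy mode asks (alert and log)."""
    for r in rules:
        if (r.protocol == protocol and r.direction == direction
                and addr_match(r.src, src) and addr_match(r.dst, dst)
                and port_match(r.sport, sport) and port_match(r.dport, dport)):
            return r.action, r.log
    return "ask", True

# The four Firefox rules proposed above, in the order given.
FIREFOX = [
    Rule("allow", False, "TCP", "out", ANY, ANY, ANY, 80),
    Rule("allow", True, "TCP", "out", ANY, ANY, ANY, 443),
    Rule("allow", True, "TCP", "out", ANY, "127.0.0.1", ANY, ANY),
    Rule("block", True, "TCP", "out", ANY, ANY, ANY, ANY),
]
# Simplified "Email Client" preset: TCP out only to the POP3/SMTP port set.
EMAIL_CLIENT = [Rule("allow", False, "TCP", "out", ANY, ANY, ANY, "POP3/SMTP Ports")]

if __name__ == "__main__":
    # Firefox over IPv6 (constructed 2001:db8:: source) to the Google address from the thread.
    print(evaluate(FIREFOX, "TCP", "out", "2001:db8::10", "2a00:1450:8005::68", 51000, 80))
    print(evaluate(EMAIL_CLIENT, "TCP", "out", "192.168.178.26", "2a00:1450:8005::68", 51001, 443))
```

Running it shows the IPv6 port 80 connection matching the first Firefox rule silently, while the email client's port 443 connection falls through to "ask", the alert behaviour the wlmail.exe log entries show.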
Strange stuff is happening.
I can’t get my browsers (including Firefox) to connect to IPv6 servers. The link you sent works but generates no alert or log, but when I go to dedicated IPv6 test sites (like http://test-ipv6.com/) they report I have no IPv6 capability?
These tests generate no alerts or logs and disabling the firewall doesn’t change the results.
My modem did suddenly reboot just before I started testing (as if due to power loss) and I never tried these IPv6 testing sites before, so maybe I never could reach them… however, looking at my ipconfig /all report clearly shows IPv6 enabled and so does my modem…
While mucking about, however, I did get a few alerts and logs like before. One from Chrome (but not while testing) and one from a multiple monitor app. Also another one from GoogleUpdate.exe. I’ll probably get a lot more if I wait around for a bit more on “custom policy”. It seems about half of the alerts and logs I get are directed at xxx:f80 though, which is my modem.
I’ll probably just have to sit on this for a while longer and observe some more.
Try running a ping -6/tracert -6 from a command prompt to something like:
ipv6.google.com
ipv6.he.net
Pinging ipv6.l.google.com [2a00:1450:8005::68] with 32 bytes of data:
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.
The address gets resolved but no luck.
Disabling the FW doesn’t change the result. Yet, as you can see in this next log, weird stuff is happening.
[attachment deleted by admin]
If your modem/router supports running commands directly, you could try the same test from there.
I don’t think it does. I’ve mucked around with my modem a lot and never noticed a feature like that.
Currently I’ve pretty much given up. I disabled IPv6 in Windows and disabled IPv6 filtering in CIS. Maybe I’ll try again a few updates from now.
Thank you for your suggestions.
I’m sorry I wasn’t able to provide a solution, right now I still can’t puzzle out why the alerts are being generated. Let me know if anything changes.
With regard to the modem, some support telnet, so you may be able to use that to get a command interface…