Trusted app blocked by firewall without alerts and logs

A. THE BUG
Can you reproduce the problem & if so how reliably?:
Yes. On my computers it's solid and does not disappear during tests.
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
1:Use fully updated Windows 10 (mine is x64 Home)
2:Download the AnyDesk (https://download.anydesk.com/AnyDesk.exe) program (other programs are affected too, but not all. I see this issue with Veeam backup also.)
3:Use freshly installed CIS with firewall safe mode enabled, do not create rules for AnyDesk
4:Disable Firewall "Do not show popup alerts"
5:Add a top rule in firewall global rules to allow all (not necessary, just to prevent blocking by global rules)
6:Disable Auto-containment
7:Run AnyDesk (it is recognized as a trusted app by CIS)
8:See that AnyDesk generates some traffic and the AnyDesk UI shows that it is connected to the AnyDesk network (online)
9:Try to connect from another PC to this one. The AnyDesk window on the PC being connected to does nothing for some time. After that, when AnyDesk on the other PC (the one connecting) stops trying to connect, AnyDesk on the PC with CIS very quickly shows that it has lost connection to the AnyDesk network, then connecting, then connected to the network (online), but there is no popup with an incoming connection; the other PC cannot connect to this one.
Disable CIS firewall, try again, all works.
See logs. There is nothing.
I get no alerts with the firewall asking to allow traffic.
One or two sentences explaining what actually happened:
Traffic of trusted app is blocked without logs and firewall alerts. No unrecognized entries in CIS trust files list.
One or two sentences explaining what you expected to happen:
Traffic is not blocked, or the firewall shows an alert asking allow/reject, or I see entries in the firewall log (better with an explanation of why it's blocked, but that's a different story).
If a software compatibility problem have you tried the advice to make programs work with CIS?:
Yes.
Any software except CIS/OS involved? If so - name, & exact version:
AnyDesk 5.4.2 free (https://download.anydesk.com/AnyDesk.exe)
Any other information, eg your guess at the cause, how you tried to fix it etc:
I have also tried with the latest beta. It also has no log entries and alerts, but if I add a firewall rule for AnyDesk “treat as allowed app” then it works well. BUT if I create a rule “allow all ip in/out” and next to it (below) “deny and log ip in/out” then traffic will be blocked without a log.
Without a custom rule the latest beta works like the current 12.1.0.6914 (traffic blocked without logs and alerts).
This issue affects not only AnyDesk. I also see Veeam Backup affected. But some other programs work well (TeamViewer for example) in the same config.

B. YOUR SETUP
Exact CIS version & configuration:
12.1.0.6914 internet security
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
Enabled: Firewall safe mode, AV, Files Rating.
Disabled: Autosandbox, HIPS, Content filter, VirusScope(apply only for sandboxed)
Have you made any other changes to the default config? (egs here.):
Firewall Global rules allow all
Firewall disable Do not show popup alerts

Have you updated (without uninstall) from CIS 5, 6 or 7?:
No
if so, have you tried a clean reinstall - if not please do?:
yes
Have you imported a config from a previous version of CIS:
No
if so, have you tried a standard config - if not please do:
.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 10 Home x64 fully updated, user account with admin privileges, UAC disabled and standard level, VM not used
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=no b=no (maybe I forget)

C. ATTACH REQUIRED FILES (delete this section (section C) after attaching required files)
On this version I cannot install KillSwitch to generate processes list. Found this in already reported bugs.

This is not exactly a bug, but a standard behavior that protects us from direct remote connections;
the program identifies the machine and does not connect, as the connection at the system level does not.
Wait for someone from the Comodo development staff to speak :-TU

Thank you for the reply. Comodo CIS behaviour is not clear to me now even with your explanation.
Please clarify some things.

  1. I see no blocking rules in the firewall application rules for System or System apps. And the top global rule is set to allow all in/out. Why is the connection at the system level blocked, as you say, without alerts and logs? I see no logs for System either (only IGMP; it is generated by my IP camera and is not related to AnyDesk).

  2. Why does TeamViewer (a program with the same purpose and behaviour) work in the same circumstances?

  3. What should I do to configure it properly so that it works? I have tried adding “allow all ip in/out” and “treat as allowed” rules for AnyDesk and “allow all ip in/out” for “windows operating system” (I said that I have IGMP packets blocked, so I clicked System -> unblock firewall in the blocked apps. This creates the rule “allow all ip in/out” for “windows operating system”). No result.

Anydesk is listening at port 7070 (TCP). So you need to open that port in CIS. CIS will not do that automatically.

Go to Global Rules and add the following rule:
Action: Allow
Protocol: TCP
Direction: In
Description: Anydesk

Source Address: Any Address
Destination Address: Any Address (easiest) or MAC address of the NIC
Source Port: Any
Destination Port: 7070

Once it is in place make sure it is somewhere above the block rule(s). Block rule(s) have a red icon.

You may have to do that on all computers with CIS and Anydesk.

Edit. I forgot to add that you also need to make a rule for Anydesk application in Application Rules. The easiest is to give Anydesk the Trusted Application policy. The other option is to make a rule as you did in Global Rules (and described in the above).

Unsolicited incoming traffic first goes through Global Rules and then through Application Rules. In both Global Rules and Application Rules you need to allow the unsolicited incoming traffic. I hope that clears up things for you.
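
The evaluation order described above (Global Rules first, then Application Rules, each list read top to bottom), as an added example that is not part of the original post and is not Comodo's code. It is a simplified model: first match wins, traffic that no rule allows is dropped without a log entry, and file-rating whitelisting and alerts are ignored; the rule names and the sample packet are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "block"
    direction: str         # "in", "out" or "both"
    protocol: str          # "tcp", "udp", or "ip" for any protocol
    dst_ports: tuple = ()  # empty tuple means any destination port
    log: bool = False

    def matches(self, pkt):
        return (self.direction in ("both", pkt["direction"])
                and self.protocol in ("ip", pkt["protocol"])
                and (not self.dst_ports or pkt["dst_port"] in self.dst_ports))


def first_match(rules, pkt):
    """Walk the list top to bottom; the first matching rule decides."""
    return next((r for r in rules if r.matches(pkt)), None)


def decide_inbound(global_rules, app_rules, pkt):
    """Return (verdict, deciding stage, rule name or None, logged?)."""
    for stage, rules in (("global", global_rules), ("application", app_rules)):
        rule = first_match(rules, pkt)
        if rule is None:
            # Model assumption: nothing allowed it, so it is dropped, and with
            # no rule involved there is no log flag to honour.
            return ("block", stage, None, False)
        if rule.action == "block":
            return ("block", stage, rule.name, rule.log)
    return ("allow", "application", rule.name, rule.log)


# Constructed sample: one unsolicited inbound connection to the port named above.
PKT = {"direction": "in", "protocol": "tcp", "dst_port": 7070}

OPEN_7070 = Rule("Anydesk", "allow", "in", "tcp", (7070,))
BLOCK_IN = Rule("Block incoming", "block", "in", "ip", log=True)
ALLOW_ALL = Rule("Allow all IP", "allow", "both", "ip")
BLOCK_LOG_ALL = Rule("Block and log all", "block", "both", "ip", log=True)
APP_ALLOW = [Rule("AnyDesk allowed application", "allow", "both", "ip")]

SCENARIOS = {
    "port rule above block, app rule present": ([OPEN_7070, BLOCK_IN], APP_ALLOW),
    "port rule below block": ([BLOCK_IN, OPEN_7070], APP_ALLOW),
    "port rule present, no app rule": ([OPEN_7070, BLOCK_IN], []),
    "allow-all on top, block-and-log at bottom": ([ALLOW_ALL, BLOCK_LOG_ALL], APP_ALLOW),
}


def run_scenarios():
    return {name: decide_inbound(g, a, PKT) for name, (g, a) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:45} -> {result}")
```

In the last scenario the allow-all rule on top decides every packet, so a block-and-log rule placed below it is never consulted and cannot produce a log entry.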

  1. Blocked ports are not logged in the default settings (in this case port 7070, AnyDesk)
  2. TeamViewer is added to the trusted applications in the settings and uses ports 80 or 443 (default web ports)
  3. EricJH answered you first…

sorry my english!

Thank you for help and answers.

  1. I have tried EricJH's instruction (latest edited version). Still not working. And I wonder if it will, because I have already added the global rule “allow ip in/out” and placed it at the top (5th item in my steps to reproduce). I have been testing this Comodo behaviour for some days and have read the Comodo FAQ; it is still possible that I am doing something wrong, but I doubt it. Any ideas?
  2. Why is it necessary to add an app rule for an app that is recognized as trusted by cloud analysis (Comodo file rating)? I have added it for testing, but won't a trusted app be excluded from checking by the firewall? Why then does TeamViewer work without a rule in Application Rules? (AnyDesk and TeamViewer are both treated as trusted)
  3. Why do I see no logs for blocking? I understand that by default it is disabled. In Global Rules I have one blocking rule at the end of the list. I changed it to enable logging for it. After that rule I have added “block and log all in/out”. In Application Rules I see no blocking rules. And still no logs and alerts.

Can you help?

Could you show me screenshots of your Global Rules and Application Rules?

I want to take a look at your Global Rules first. Having that rule on top will allow all outgoing and unsolicited incoming traffic, which disables the firewall. But I would rather wait for your screenshots before commenting further.

> 2. Why is it necessary to add an app rule for an app that is recognized as trusted by cloud analysis (Comodo file rating)? I have added it for testing, but won't a trusted app be excluded from checking by the firewall? Why then does TeamViewer work without a rule in Application Rules? (AnyDesk and TeamViewer are both treated as trusted)
> 3. Why do I see no logs for blocking? I understand that by default it is disabled. In Global Rules I have one blocking rule at the end of the list. I changed it to enable logging for it. After that rule I have added "block and log all in/out". In Application Rules I see no blocking rules. And still no logs and alerts.
>
> Can you help?

I will answer those questions after having seen the screenshots.

Of course. I tried to set English but part of the rules were still displayed in Russian after that, so I am sending them in Russian, sorry.
разрешить = allow
запретить = reject
зарегистрировать = log
входящие = in
исходящие = out
любой = any

Don't be confused by the lack of an icon on AnyDesk in app rules. I have exported the configuration from the computer at work (on which I tested all of this) and imported it on my home PC just to provide screenshots. The rule that you said I should add is not there, but I have tried it. I have no access to the work PC as it is 10PM here now.

First and last global rules were added for testing.

Thank you for posting. Apparently the Russian translation of the UI is not complete.

I have translated your Global Rules as far as I could but I couldn’t translate all:
Allow IP In and Out from MAC Any to Mac Any, Protocol Any
Allow IP Out from MAC Any to MAC Any, Protocol Any,
Allow ICMPv4 In B [LAN] to MAC Any
Allow UDP IN B [LAN] to MAC Any, Port… 137 to Port … 137
Allow UDP IN B [LAN] to MAC Any, Port… 138 to Port … 138
Allow TCP IN B [LAN] to MAC Any, Port… 137 to Port … 445
Allow TCP … UDP Out from MAC Any to MAC Any, … Port… : Any Port … B [my_opened_ports]
Allow ICMPv4 In from MAC Any to MAC Any, … ICMP …
Allow ICMPv4 In from MAC Any to MAC Any, … ICMP …
Block and log IP Out from MAC Any to MAC Any, … Protocol Any
Block and log IP In and Out from MAC Any to MAC Any, … Protocol Any

Could you fill in the blanks for me? Could you also describe what B points to? LAN probably points to your local network, correct?

Also could you write out the rule you made for Anydesk?

The rule on top “Allow IP In and Out from MAC Any to Mac Any, Protocol Any” disables the Firewall. You have no protection from attacks on your LAN and the only protection you have against attacks from the internet is your router (assuming there is a router).

You have been tinkering with the Global Rules and that got you further in trouble. Those two rules will block most traffic:

Block and log IP Out from MAC Any to MAC Any, .. Protocol Any
Block and log IP In and Out from MAC Any to MAC Any, ... Protocol Any

I want you to start with a clean Proactive Profile. Import it from the CIS installation folder. Give it a new name, for example Proactive Security Test, and activate it. Then disable HIPS and Auto Sandbox.

Next step is to set the Firewall to block incoming connections because that seems to be the profile where you started from. Go to Stealth Your Computer Ports and follow the instructions to change the Global Rules to “Block incoming connections”. Your Global Rules should look as in the attached image. You can edit the block rule at the bottom to log blocking. Don’t make an application rule for Anydesk yet.

The next step is to make a Global Rule as I described in the above to open the necessary port. Do that on your home and work computer. Then try again. When needed add an application rule for Any Desk in Application Rules giving it the Allowed Application policy. That is easiest for testing. Once things are up and running you can always tighten the Application Rule.

There is a whole topic about getting anydesk working with the firewall that provides the rules needed for anydesk to accept incoming connections.

Thanks.
Oh, this behaviour has been known since 2018.

I have read the topic sent by futuretech. I have no UPnP on the router. EricJH has already advised opening port 7070.

> Apparently the Russian translation of the UI is not complete.

There was a description field in the rules filled in with Russian. I cleaned it and it started to display English)

> Could you fill in the blanks for me?

Yes. But shouldn't the first rule allow all and make all of the rest meaningless?

Allow IP In and Out from MAC Any to Mac Any, Protocol Any
Allow IP Out from MAC Any to MAC Any, Protocol Any,
Allow ICMPv4 In from [LAN] to MAC Any where ICMP type echo
Allow UDP IN from [LAN] to MAC Any, source port 137 to dest port 137
Allow UDP IN from [LAN] to MAC Any, source port 138 to dest port 138
Allow TCP IN from [LAN] to MAC Any, source port any to dest port 445
Allow TCP or(and) UDP IN from MAC Any to MAC Any, source port Any and dest port in [my_opened_ports]
Allow ICMPv4 In from MAC Any to MAC Any, where ICMP type fragmentation needed
Allow ICMPv4 In from MAC Any to MAC Any, where ICMP type timeout
Block and log IP Out from MAC Any to MAC Any, where Protocol Any
Block and log IP In and Out from MAC Any to MAC Any, where Protocol Any

> Could you also describe what B points?

"В" is a preposition. It means "in" (the source is in the specified network zone).

> LAN probably points to your local network, correct?

yep)

> Also could you write out the rule you made for Anydesk?

Treat as trusted app (policy): allow all in and out requests

> You have no protection from attacks on your LAN

I understand. I wrote that these rules are set for testing AnyDesk and Comodo behaviour. To exclude blocking by global rules with the first rule.

> You have been tinkering with the Global Rules and that got you further in trouble. Those two rules will block most traffic

I understand. These rules are there for blocking all that is not allowed by the upper ones and watching all blocks in the logs. But even with those rules there are no log entries for AnyDesk. Probably because the first rule should allow all.

I have followed EricJH's instructions. Still not working. No logs and alerts. Screenshot with global rules attached. It makes no difference whether all IP is allowed or just TCP 7070 is opened in global rules. It makes no difference whether AnyDesk is marked as allowed or not in app rules.

But I found a strange thing:
in a situation where two PCs are used for the connection, one physical and the other a VM on that physical one with a bridged network connection. Try to connect, no matter from which to which, between these two. If I spam the connect button and the cancel connect button, then after some tries the connection will be established. And if I stop the established connection and connect again just after that, the connection will be established without errors at the first attempt. But if I wait 5 min then I need to connect-cancel-connect-cancel-… again.
It makes no difference whether port 7070 is opened or not.
With physical PCs in different networks the connection is not established at all. Even with such tricks.

It would be very good if there were a popup alert or logs where I could see what is blocked and what should be opened for it to work. And of course it would be great if a trusted app (by Comodo file rating), with a firewall application rule created for it to allow all and with a global firewall rule created to allow all IP in/out, were not blocked by the firewall. Is this expected behaviour? Disable the firewall and it starts to work.

Guys, I really like COMODO CIS. It's a great security product. But with such unexpected/implicit behavior it's not that good and even a little dangerous. Is there any hope that this will be fixed/changed or that someone will try to dig into this strange behaviour?

I have another app with similar problems and symptoms: Veeam Backup. How can I determine why it does not work and how to make it work? Disabling the firewall makes it work. No logs. No alerts. Allow rules are set. If in future I find another app then again I will have to come here and ask you.

If you want to see things getting logged change the Global Rule that opens port 7070 to Ask all IP in From MAC Any to Mac Any with Source Port Any to Destination Port 7070. Then you should see the traffic coming in.

If you see traffic coming in but the program is still not working change the application rule for AnyDesk to the rule you made in Global Rules: “Ask all IP in From MAC Any to Mac Any with Source Port Any to Destination Port 7070”.

Does the problem only occur if you try to make a connection between host and guest when using a vm? Or does it also happen when you try to make a connection between your system and that of a friend?

Do you have other security program installed alongside CIS? Or have had other security program installed in the past?

This is not safe as it can expose you and your computer; erase all rules in Global Rules and try remote access.

Sorry my intromission :-\

@ddosed. Please disregard this advice.

@liosant. This is useless advice. It has already been established that disabling the firewall either by adding a Global Rule or manually disabling the firewall will enable remote access. I am investigating in more detail what might be the cause.

liosant, thank you for trying to help.

> change the Global Rule that opens port 7070 to Ask all IP in From MAC Any to Mac Any with Source Port Any to Destination Port 7070

I have no Ask option in global rules. There are only allow and block options. I can set the checkbox to enable logging. I have enabled it. Also I cannot specify a port if the protocol is IP. I have set it to TCP or UDP (because you said TCP before); then I can specify the port. After these changes nothing has changed with AnyDesk: no logs, no alerts, no connection. If I change the rule "allowing and logging incoming TCP or UDP at port 7070" to incoming AND OUTGOING, then at the moment of trying to connect TO this PC, OUTGOING traffic to port 7070 appears in the logs as allowed, but not incoming.

> but the program is still not working change the application rule for AnyDesk to the rule you made in Global Rules:

Also I cannot specify a port if IP is selected. I have created it for TCP or UDP. Ask and Log. It has no effect: no logs, no alerts, no connection.

On the PC FROM which I am trying to connect I always disable the firewall to exclude its influence.

> Does the problem only occur if you try to make a connection between host and guest when using a vm? Or does it also happen when you try to make a connection between your system and that of a friend?

I wrote:

> But I found strange thing: ... on VM ... With physical PC in different networks connection is not establishing at all. Even with such tricks.

I have the problem on host-guest with a bridged network and with both physical host PCs from different networks. With VM host-guest I can connect, but only after some retries. On two physical PCs I cannot at all.

> Do you have other security program installed alongside CIS?

I have 3 physical PCs and one VM guest. There is no other security program on any of them.

> Or have had other security program installed in the past?

On one of the physical PCs CryptoPro was installed (a program that is not actually an antivirus/firewall but maybe can conflict somehow); on the two others, no. On the VM guest, definitely no. Maybe I forget, but I think there was no other security program.

Usually I test your instructions on physical-physical and physical-vm_guest.

Can it be just a bug? Is it reproducible? Maybe it is more efficient to reproduce it, if possible, and analyze it. I don't know how COMODO works with such situations; maybe you do not want to do that, maybe it needs to be reported to the dev or testing team.

I did a test with my desktop and netbook computer connected to my LAN and I could make remote connections between desktop and netbook and vice versa.

I installed AnyDesk on both and on both made Global Rule to allow incoming traffic at port 7070 TCP. I also made a custom rule in Application Rules to allow incoming traffic at port 7070 TCP. That made it work. Then I removed the application rule and rebooted both systems. And again it worked; the white listing of AnyDesk allowed incoming traffic.

That leads me to the conclusion that there are factor(s) in your set up(s) interfering with how CIS works. We now need to focus on one scenario that we will investigate. I prefer to start with connecting two computers on a LAN which is relatively simple (I don’t want to start with communication between VM and host or between computers on two different networks and locations).

Can you make such a test set up?

You wrote you have also used other remote access tools like f.e. Team Viewer. Could you uninstall all other remote access tools for testing?

Could you on your VM guest make sure there are no traces left of previously installed security programs? You can do that by either using removal/clean up tool for those programs. A list with such tools can be found here: https://support.eset.com/en/kb146-uninstallers-removal-tools-for-common-windows-antivirus-software . Or if you’re experienced you could use Autoruns tool and look for left over drivers or services of security programs that are no longer installed and disable them from starting with Windows.

What type of program is CryptoPro? What does it do? Does it install a driver? Could you uninstall it for testing?

Thank you for testing.

What version of CIS did you use for the test? I have tested all your recommendations and my tests on 12.1.0.6914, the latest non-beta.

> I prefer to start with connecting two computers on a LAN .. Can you make such a test set up?

Yes. I have a notebook with Linux Mint and a PC with updated Win 10 x64. I had TeamViewer and deleted it. I set the LAN to trusted in CIS and created rules, global and for the app. Connecting from the notebook to the PC. Behaviour is the same as VM host-guest. No logs, no alerts; if I click connect-cancel-connect-cancel-... after some retries it will connect. Disabling the firewall makes it possible to connect at the first attempt.

I thought that the problem could be in my router on which the LAN is built. (At work I have the same router.) Then I disconnected the test PC and notebook from that router and used my Android phone to tether 4G to the PC and notebook (using a wifi access point). And tested it. Same behaviour, I see no changes.

> Could you on your VM guest make sure there are no traces left of previously installed security programs?

It's not an old VM; I remember all software installed. But to make things clear I have just made a new guest with only Windows and CIS (even without VM tools). No changes. Same behaviour.

> What type of program is CryptoPro? What does it do? Does it install a driver? Could you uninstall it for testing?

I had CryptoProCSP on only one PC and deleted it a week ago. It's for signing data with crypto keys and safely transferring documents. It can install drivers. It was installed on the work PC. All tests I made on that PC I have repeated on my home PC, which never had that program installed.

===

Sometimes when the connection is not established I see the error “anynet_unknown”. I have googled it and found a workaround. If on the PC FROM which I try to connect I disable “Allow direct connections” in AnyDesk settings (screenshot attached) then it starts working correctly. Enabling it causes the known issue. This allows me to use AnyDesk, but my problem is that I see unexpected behaviour in CIS. Each time I run into trouble with allowing a connection for some app, spending so much time finding the reason and a workaround is not good. I understand that maybe there is a bug in AnyDesk, but CIS should show something in the logs or make a popup alert, I think. And how to explain that disabling the firewall makes things work?

I have a hypothesis that you have a different CIS version in your test or you have a different internet connection. Because if we have the same test conditions, why then do I have such behaviour on a clean VM guest and some other different computers?
My internet connection is a 4G USB dongle in a router behind provider NAT at home and a wired connection behind provider NAT at work (but I also tested with a wifi access point from an Android phone). CIS version 12.1.0.6914.

Have tested on latest 12.2.2.7036 RC. Same issues.

Thank you for your extensive testing. I am using two different versions of CIS for testing. The netbook is still on 6818 and the desktop is on 7036 RC build.

This has me stumped. I have this setting enabled on both systems. It might indicate a problem with Anydesk?

> This allows me to use AnyDesk, but my problem is that I see unexpected behaviour in CIS. Each time I run into trouble with allowing a connection for some app, spending so much time finding the reason and a workaround is not good. I understand that maybe there is a bug in AnyDesk, but CIS should show something in the logs or make a popup alert, I think. And how to explain that disabling the firewall makes things work?
>
> I have a hypothesis that you have a different CIS version in your test or you have a different internet connection. Because if we have the same test conditions, why then do I have such behaviour on a clean VM guest and some other different computers? My internet connection is a 4G USB dongle in a router behind provider NAT at home and a wired connection behind provider NAT at work (but I also tested with a wifi access point from an Android phone). CIS version 12.1.0.6914.

This is all very puzzling. I will let my head go over it but don't hold your breath over it. :-\

> It might indicate a problem with Anydesk?

I understand that maybe there is a bug in AnyDesk, but CIS should show something in the logs or make a popup alert, I think. And how to explain that disabling the firewall makes things work?

If the COMODO team needs it, I can give access to a VM with this issue for testing.

Thank you for the help.