Trusted file firewall logic

According to this section in Comodo Help - Firewall Behavior Settings, PC Firewall, Firewall Protection | Internet Security v6.2 - trusted files are allowed by the firewall without the need for explicit rules. I don’t see this happening. For example, an RDP connection from another LAN PC generated an inbound connection alert - even though svchost.exe is already in trusted files. I actually had to create a rule for svchost to be able to use RDP. Why is that?

I also observed the same behaviour with uTorrent - it got an inbound connection from my router. The router is in the local network, which is allowed by global rules. The uTorrent application was already in Trusted files.

Can someone please explain to me what the logic behind that is? A trusted file is a trusted file, so any inbound connections to that application should be allowed.

Have you made changes to the default configuration? If so what have you changed?

Hello Chiron,

Yes, I followed your guide, omitting the optional steps. Sorry, I should have mentioned that.

So, configuration is Proactive Security, HIPS is disabled, Sandbox is set to Untrusted, Firewall is in Safe mode.

Have you observed this with all files, or just those requiring an inbound connection?

For example, when you click on the update button for a program, such as a browser, did you ever receive a firewall alert?

Only for inbound connections. So far two applications: RDP (svchost) and uTorrent. I did create a global rule for the uTorrent port; as per Comodo help, global rules get processed first for inbound connections, which makes sense.
Otherwise everything works perfectly. Windows share inbound connections from the LAN don’t cause any alerts or firewall events.

I believe this is likely intended behavior, but am not 100% sure. Hopefully someone who is more confident will comment soon.

Unsolicited incoming traffic first goes through Global Rules and when allowed there to Application Rules.

So, in order to allow incoming traffic for RDP or p2p programs you need to open a port in Global Rules and then make a matching application rule (e.g. using the Trusted Application policy).

Hello EricJH,

I understand the order in which unsolicited traffic gets evaluated and the need for a global rule. I did create a global rule for uTorrent. The executable is in the Trusted Files list, so there shouldn’t be a need to create an explicit application rule (which is exactly what I had to do). Why is the connection not allowed then? I’m not complaining, just trying to understand. It seems that either the documentation is wrong or there is something else going on.

My RDP connection was initiated from within the LAN and there was a global rule to allow any connection from that subnet. So it wasn’t blocked by a global rule. However, I think I found the explanation for RDP. Svchost.exe probably falls under the default Windows System Applications rule, which by default allows only outbound connections. I assume it finds a match for svchost but doesn’t see that it should be allowed, so it asks. I was able to prove that by adding a block/log rule at the bottom of the Windows System Applications rule. Sure enough, my RDP connection was silently blocked and logged. I then added another entry under Windows System Applications to accept incoming TCP on port 3389. And RDP worked right away without any prompts. So it is indeed the default undocumented rule that caused the confusion.

Where can I read about a list of applications included under Windows System Applications, Windows Updater Applications and System default rules?

Also, is there a way to temporarily disable a rule without removing it? That would really help in troubleshooting and understanding how firewall behaves.

Update - I did find where the predefined application groups are configured. Defense+ - HIPS - Protected Objects - Up arrow on the bottom - Groups. And yes, svchost.exe is part of that file group. So that totally explains the behaviour with inbound RDP.

However, I still have no explanation for the fact that the inbound uTorrent connection wasn’t allowed. The only conclusion I can make is that inbound connections are not allowed even for trusted files - unless there is an explicit rule allowing them. That’s for the better, if you ask me. Inbound connections are not a common thing for a desktop PC, so I’d rather have to manually configure the things I need and get a pop-up in all other cases.

There is one thing I forgot. When there is a rule in the Firewall Rules called “All Applications” you will have to make sure that the rule for uTorrent is somewhere above the “All Applications” rule.

Rules are read top-down and rules underneath the “All Applications” rule will follow the rule set by the “All Applications” rule no matter what policy is being used.

Is the above applicable to your situation?

I’m afraid you didn’t understand me correctly. uTorrent works just fine after creating Application Rule (yes, I’m aware of the importance of rules order). My question is why do I need a rule for uTorrent in the first place? It is a trusted application.

I get it. A trusted Application is not allowed to receive unsolicited incoming traffic. You need to give a program the Allowed Application rule for this.

Language… Trusted, Allowed etc… what does it mean exactly :-\
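The evaluation order the thread arrives at (Global Rules first for unsolicited inbound traffic, then Application Rules read top-down with the first matching entry owning the decision, and Trusted Files covering outbound only) can be written down as a small model. This is an added illustration, not Comodo’s code; the group names and the svchost/uTorrent cases come from the posts above, and the handling of inbound traffic that matches no Global Rule at all is a modelling assumption.

```python
# Added example, not Comodo code: a model of the evaluation order described in
# this thread (Global Rules, then Application Rules top-down, then Trusted Files).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                 # "allow", "block" or "ask"
    direction: str = "any"      # "in", "out" or "any"
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # None matches any port

    def matches(self, conn: dict) -> bool:
        return (self.direction in ("any", conn["dir"])
                and self.proto in ("any", conn["proto"])
                and self.port in (None, conn["port"]))

@dataclass
class AppRule:
    name: str                   # e.g. "Windows System Applications"
    members: set                # executables; {"*"} is the "All Applications" entry
    rules: list = field(default_factory=list)  # evaluated top-down

def first_match(rules, conn) -> Optional[Rule]:
    return next((r for r in rules if r.matches(conn)), None)

def evaluate(conn: dict, global_rules, app_rules, trusted_files) -> str:
    """Verdict for one connection: conn = {"exe", "dir", "proto", "port"}."""
    # 1. Unsolicited inbound traffic is checked against Global Rules first.
    #    A matching block ends evaluation; a matching allow hands the connection
    #    to Application Rules (modelling assumption: so does no match at all).
    if conn["dir"] == "in":
        g = first_match(global_rules, conn)
        if g and g.action == "block":
            return "blocked (global rule)"
    # 2. Application Rules are read top-down; the first entry whose members
    #    include the executable owns the decision, so an entry placed below
    #    "All Applications" is never consulted.
    for entry in app_rules:
        if "*" in entry.members or conn["exe"] in entry.members:
            r = first_match(entry.rules, conn)
            if r is None or r.action == "ask":
                return f"alert ({entry.name}: no rule for this traffic)"
            return f"{r.action}ed ({entry.name})"
    # 3. Nothing matched: a Trusted Files entry covers outbound traffic only;
    #    unsolicited inbound still raises an alert (the thread's conclusion).
    if conn["exe"] in trusted_files and conn["dir"] == "out":
        return "allowed (trusted file)"
    return "alert (no matching rule)"
```

Feeding the svchost case through it reproduces the thread: with the default outbound-only group rule the inbound RDP connection ends in an alert, a block/log entry at the bottom of the group turns that into a silent block, and an inbound TCP 3389 entry makes it pass without a prompt.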