Why should system be set as outgoing only?

I’ve seen many suggestions to do so. Why is that? I’m a home user and don’t know much. Is this safer?

It is safer as System will reply to incoming traffic. However it may get in the way of sharing files and folders on your local network between computers.

What do you mean that it will reply to incoming traffic?

Sharing files on local network like connecting to printers connected to other computers? If I want to share files, should I set system as custom?

Ouch… I messed up here. Let me rephrase.

It is safer as System will not reply to incoming traffic when it is set to Outgoing only. However it may get in the way of sharing files and folders on your local network between computers.

The reason for advising Outgoing only is probably twofold. Safety first and convenience. I guess not many people share files across their local network, so most people only need outgoing only.

Okay. Thanks.

Are there any other settings that should be done so that it could be safer?

There is a similar rule of thumb that sets svchost.exe to outgoing only as well.

Eric, I have one confusion here. CIS has and had always been by default set as ‘outgoing only’ under Network Security Policy but CIS antivirus has always been able to update (I mean receive data) without giving any incoming alerts. I was always under the impression that it is a by design CIS configuration to update antivirus through seamless integration.

But, when I installed IE8 some days back, I have seen that the installer was able to receive updates through svchost or system (there was no separate outgoing connection of IE or IE8 installer) like malicious software update or IE8 update something like that, even though my system and svchost rule is ‘outgoing only’ and my CIS Firewall configuration is ‘Custom Policy Mode’. (I also don’t have any rule even for Internet Explorer in my Network Security Policy).

Of course, I don’t get any incoming connection alerts when I set it as ‘outgoing only’ for system or svchost. Do you have any idea about this scenario?

Is svchost.exe supposed to be in network defense policy? I don’t think I see it there though so how do I set it as outgoing? How is this different from system set as outgoing?

If I remember correctly the default firewall rules include an Outgoing only for Comodo Internet Security and a Custom Allow TCP and UDP out for Windows Updater Applications. Both of these rules refer to groups defined in Defence+.

The former rule allows updates to CIS, including AV and the latter includes svchost. Please check your D+ Computer Security for details of other processes included in these default rules. Personally I always delete these groups and rules, as I prefer to have control over any data that wishes to leave my PC. They do, however, make it easier for those that don’t wish to create rules.

So if I remove all groups in defense policy I would have to block or allow every process manually?

If you were to remove the default firewall rules, then you would need to provide your own, to allow whichever applications you feel need access.