Wrong automatic rule creation

Problem:

I run a webserver on my host (10.1.1.1/24:80). A global rule allows incoming traffic on TCP/80. No application rule for webserver.exe exists, and the Firewall alert frequency level is set to “Very high” - all checkboxes checked except “This is an…ICS Server”.

Now I connect from client 10.1.1.2. An alert pops up saying “10.1.1.2 - TCP, Port 80 wants to connect to webserver.exe”, and I click “Allow this request” and tick “remember my answer”. CIS auto-creates an IP MASK rule for 10.1.1.2/255.255.255.0 - so from that point on, all subsequent connects from other hosts in that network (e.g. 10.1.1.3/24) are automatically allowed. In my opinion that is wrong behavior: since the frequency level is set to “Very high”, CIS should alert on every new connection and create a rule for “Single IP”, right?

When I don’t tick “remember my answer” CIS acts the same way (all subsequent inbound connections to TCP/80 are automatically allowed) - it just does not create a rule.

Am I doing something wrong or is this a bug that must/should be fixed?

Information:

CPU: Intel Core 2 T7200 [at] 2.00GHz, 2000 MHz
System: Notebook HP Compaq nc6400, 4 GB RAM
OS: Windows 7 Enterprise English, 32Bit Version 6.1 (Build 7600), all MS-Security patches installed
Running security apps: CIS 4.1.150349.920 installed as “Firewall Only”. Defense+ disabled (not perm.), Sandbox disabled. No AV solution on the System. Windows Firewall service is disabled.
Firewall mode: Custom Policy mode

My account is member of the local Administrators group and I have UAC disabled.
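To make the widening concrete, here is a small added model of the two rule shapes discussed in the post (constructed example, not CIS code or any Comodo API): the rule as observed (remote IP plus the local 255.255.255.0 mask) next to the single-IP rule the poster expected, with a check for which other hosts each one silently admits.

```python
"""Model of the rule widening described above (constructed example, not CIS code).

At the "Very high" alert frequency an inbound alert for one remote host should
produce a rule covering only that host. The post reports that the auto-created
rule instead carries the local interface's netmask, so every host in the same
subnet is admitted afterwards without a new alert.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRule:
    """Allow rule for one application: remote hosts in `network` may reach `port`."""
    app: str
    network: ipaddress.IPv4Network
    port: int


def rule_as_observed(app: str, remote_ip: str, local_iface_mask: str, port: int) -> InboundRule:
    """The behaviour the post describes: remote IP combined with the *local* interface mask."""
    net = ipaddress.IPv4Network(f"{remote_ip}/{local_iface_mask}", strict=False)
    return InboundRule(app, net, port)


def rule_as_expected(app: str, remote_ip: str, port: int) -> InboundRule:
    """The rule the poster expected: a single remote IP (/32)."""
    return InboundRule(app, ipaddress.IPv4Network(f"{remote_ip}/32"), port)


def admits(rule: InboundRule, remote_ip: str, port: int) -> bool:
    """True if a connection from remote_ip to port matches the rule, i.e. no new alert is raised."""
    return port == rule.port and ipaddress.IPv4Address(remote_ip) in rule.network


def overly_broad(rules: list[InboundRule]) -> list[InboundRule]:
    """Audit helper: a rule created from a single alert should cover exactly one host."""
    return [r for r in rules if r.network.num_addresses > 1]


if __name__ == "__main__":
    observed = rule_as_observed("webserver.exe", "10.1.1.2", "255.255.255.0", 80)
    expected = rule_as_expected("webserver.exe", "10.1.1.2", 80)
    # Hosts other than 10.1.1.2 are constructed values for the demonstration.
    for other in ("10.1.1.3", "10.1.1.200", "10.1.2.3"):
        print(other, "observed:", admits(observed, other, 80), "expected:", admits(expected, other, 80))
    print("flagged as overly broad:", [str(r.network) for r in overly_broad([observed, expected])])
```

Running the audit over an exported rule set is a quick way to spot IP MASK rules that quietly cover a whole subnet when only one host was ever approved.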

This is a known issue. Not sure when it will be fixed though…

An issue?

CIS always does that, whatever the rule to be set is.

The solution is of course to allow the rule, and then to edit it so as to correct it according to your needs.

I thought it to be a general (wrong) behavior, not a “known issue to be fixed”, as this behavior already exists in CIS 3.

“Knowing the issue” and not resolving it for all this time is not serious, and leads the firewall to be a real threat if inexperienced users (a large majority of them, as attested by recent posts, don’t even know what 255.x is) are not aware of the said behavior and overconfident in its rules.

brucine: I fully agree. Just tested the latest v5 RC (build 1120) and that bug is still there. Didn’t know it has existed since v3, though. Now that I know it, I find it ignorant and unprofessional to leave that bug unfixed for years.

And yes, it is a bug, no matter if it’s in their source code or their design, and I already ran into trouble because of that bug - thanks Comodo for letting everybody and his brother in my subnet access resources on my machine without notifying me.

I will drop CIS and switch back to Outpost or OA as long as that bug isn’t fixed.