Problem:
I run a web server on my host (10.1.1.1/24:80). A global rule allows incoming traffic on TCP/80. No application rule for webserver.exe exists, and the Firewall alert frequency level is set to “Very high” - all checkboxes checked except “This is an…ICS Server”.
Now I connect from client 10.1.1.2. An alert pops up saying “10.1.1.2 - TCP, Port 80 wants to connect to webserver.exe” and I click “Allow this request” and tick “remember my answer”. CIS auto-creates an IP MASK rule for 10.1.1.2/255.255.255.0 - so from that point on, all subsequent connections from other hosts in that network (e.g. 10.1.1.3/24) are automatically allowed. In my opinion that is wrong behavior: since the frequency level is set to “Very high”, CIS should alert on every new connection and create a rule for “Single IP”, right?
When I don’t tick “remember my answer” CIS acts the same way (all subsequent inbound connections to TCP/80 are automatically allowed) - it just does not create a rule.
Am I doing something wrong or is this a bug that must/should be fixed?
Information:
CPU: Intel Core 2 T7200 @ 2.00GHz, 2000 MHz
System: Notebook HP Compaq nc6400, 4 GB RAM
OS: Windows 7 Enterprise English, 32-bit, Version 6.1 (Build 7600), all MS security patches installed
Running security apps: CIS 4.1.150349.920 installed as “Firewall Only”. Defense+ disabled (not perm.), Sandbox disabled. No AV solution on the system. Windows Firewall service is disabled.
Firewall mode: Custom Policy mode
My account is member of the local Administrators group and I have UAC disabled.