Xcitium Client Security Firewall being paranoid?

Product Discussions XCS - Xcitium Client Security
1

I have set up exceptions in the Firewall (in the Global Whitelisting) but it won’t stop blocking them all, even more than 24 hours after the change. It seems like it accepts SOME, and others it blocks.
I also don’t understand that according to the firewall event log, ALL traffic are local. That I KNOW isn’t right.
I also don’t understand why it apparently blocks spotify, chrome and msedge (amongst other things).
Another thing is, that if the log is to be believed, than svchost is a bad thing as it blocks traffic to/from it ALL the time.
part of the log:

2024/07/03 11:00:33 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.57,51060,192.168.1.43,7680,1
2024/07/03 10:59:15 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.29,50874,192.168.1.43,7680,1
2024/07/03 10:58:38 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.29,50851,192.168.1.57,7680,1
2024/07/03 10:57:57 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.29,50830,192.168.1.41,7680,1
2024/07/03 10:54:13 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.48,57621,192.168.1.43,7680,1
2024/07/03 10:53:13 AM,C:\Windows\System32\svchost.exe,Block,IN,UDP,192.168.1.1,49367,192.168.1.31,62665,1
2024/07/03 10:53:10 AM,C:\Windows\System32\svchost.exe,Block,IN,UDP,192.168.1.1,50098,192.168.1.31,62665,1
2024/07/03 10:53:07 AM,C:\Windows\System32\svchost.exe,Block,IN,UDP,192.168.1.1,54913,192.168.1.31,62665,1
2024/07/03 10:51:27 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.57,50995,192.168.1.43,7680,1
2024/07/03 10:50:52 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.57,50992,192.168.1.48,7680,1
2024/07/03 10:50:50 AM,C:\Windows\System32\svchost.exe,Block,IN,TCP,192.168.1.57,50993,192.168.1.41,7680,1

and

2024/07/02 08:06:41 PM,C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,Block,IN,UDP,192.168.1.73,38901,192.168.1.71,64405,1
2024/07/02 08:06:39 PM,C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,Block,IN,UDP,192.168.1.73,42999,192.168.1.71,64405,1
2024/07/02 08:05:55 PM,C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,Block,IN,UDP,192.168.1.73,56239,192.168.1.71,64189,1
2024/07/02 08:05:53 PM,C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,Block,IN,UDP,192.168.1.73,51902,192.168.1.71,64189,1
2024/07/02 08:05:49 PM,C:\Users\<user>\AppData\Roaming\Spotify\Spotify.exe,Block,IN,UDP,192.168.1.73,46744,192.168.1.71,52082,1
2024/07/02 08:05:46 PM,C:\Users\<user>\AppData\Roaming\Spotify\Spotify.exe,Block,IN,UDP,192.168.1.73,53675,192.168.1.71,52082,1

I even tried adding THIS to the whitelist: “C:\Program Files (x86)*|” and it STILL blocks things in that folder.
Is it just broken?

2

hi @JimmyK

We realize that you are facing issues with Firewall even after exclusions and whitelisting. We are sorry for the inconvenience caused.

Please share with us the following information to our support email address support@xcitium.com , so that our specialist team could investigate the issue further.

  1. Device name
  2. Account admin email address
  3. CIS Report logs from the affected device

To further investigate the reported issue, we need the local logs from one of the affected endpoints.

  • If you wish us to collect the endpoint logs from our side, please let us know the name of the affected device and make sure Remote Access Support is enabled under Management > Account > Remote Access Support ( Xcitium Remote Access Support, Xcitium, Xcitium ). You may also find the necessary steps listed in the attached document. After this option is enabled, provide us with the name of the affected device on Endpoint Manager portal.

  • If you do not wish to provide us with remote access, and if the device communicates with the Xcitium Platform, run the the predefined procedure “Collect Comodo One logs using new CIS report tool” on the affected device - do not forget to provide us with the name of the device so we can identify the output on our side. However, if the device does not communicate with the Xcitium Platform, please download and run the following report tool on the affected device: https://download.comodo.com/cis/download/installs/cisreporttool/cisreporttool.exe . The tool collects both XCC & XCS logs and attempts to upload them to our SFTP (Device name is included in the name of the output). To be able to to identify the logs on our side, please provide us with the local name of the device.