I understand that automatic firewall mode means all outgoing allowed; all inbound blocked, unless a response to an outbound communication. Works somewhat well in an office situation where end-users are not prepared to be pestered for every networked app. Also, the fact that you would want to lock-down the AV with an admin password would mean having to enter the password at every new rule. I have that set on all the pushed SS BE clients in my office. But, what if I want to allow inbound defaults? For example, for Spiceworks I need to allow inbound ICMP, inbound TCP 135, 445 and 1024-2000 for WMI on TCP, and inbound 137 on UDP. Can I open these ports while the firewall is set to automatic? From what I can tell, no.