Author Topic: D+ alerts are received after disabling it  (Read 11311 times)

Offline aditya_dmj

  • Comodo Loves me
  • ****
  • Posts: 160
D+ alerts are received after disabling it
« on: September 27, 2008, 10:13:13 AM »
Hello to all,

Win XP SP3 (x86)
CFP 3.0.25.378

My first install of CFP was without D+ but with the recommended leak protection.

After checking the stealth ports on grc.com, ports 0 and 1 were not found to be stealthed.

I understood it cannot stealth your ports (I had reported this approx. 3-4 months back in another version).

So, no point in having leak protection, so I uninstalled it and reinstalled it without D+ and leak protection.

After reboot I surprisingly received a few Defense+ alerts.

After that I moved the slider to disabled; now I am not receiving them, even when the slider is moved to paranoid mode.

(Why did it happen?)

2. guard32.dll is present in every loaded application, although D+ and leak protection are not installed.

It is also present in the registry in AppInit_DLLs = guard32.dll.

Should these be removed manually?

Diagnostics does not detect any error.

Regards

adi

Offline DaRtH VaDeR.

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 1782
  • Everything in life comes to an end, except life
Re: D+ alerts are received after disabling it
« Reply #1 on: September 27, 2008, 11:01:22 AM »
Good Day!

As far as I know, when you install the firewall you have the option to install the firewall with the HIPS fully enabled or the firewall with the HIPS partly enabled. This means the files of the HIPS application will be present even if you disable it manually. There is no need to delete the files you pointed out manually, because the HIPS is basically set to sleep.

That you found some non-stealthed ports is a bit weird in my opinion; if you use the standard configuration you should be well protected. You can always tighten up the security by changing the sliders, and you can use the Stealth Ports Wizard to tighten up your security.

Let me know if things worked out for you!

Have a nice day!
DaRtH VaDeR says: "The path of success and progress is not to be reached by the things you have done, but by the things you will do, so think before you act,the voice of your history will confirm this fact.."

DaRtH VaDeR says: "Your system is as secure as the weakest link in your entire security"

Offline aditya_dmj

  • Comodo Loves me
  • ****
  • Posts: 160
Re: D+ alerts are received after disabling it
« Reply #2 on: September 28, 2008, 04:33:37 AM »
Actually, my English is poor.

In fact, I installed:
Quote
Firewall ('Leak Protection' option NOT checked) - This option is only recommended for experienced firewall users that have alternative Host Intrusion Prevention software installed on their systems. Choosing this option will install ONLY the packet filtering network firewall and will not offer leak protection - essential for blocking malicious software (like worms and trojans) from making outgoing connection attempts. This isn't to say this option is an unwise choice (the network firewall is one of the strongest available - offering highly effective and configurable inbound and outbound protection) but it is important to realise that, on its own, it does not offer the leak protection afforded by Defense+.

Regarding some ports (especially ports 0 and 1) which are not stealthed but are closed, I am not much concerned, as the ports are in closed state = SAFE (so nothing to worry about much).

But since I had run the Stealth Ports Wizard, they (the ports) should have been in stealth mode.

As they (the ports) were not, I thought something is wrong with the basic working of the program and decided to post here, so that the devs can look into the problem.

Regarding removing the entries for guard32.dll from the registry or renaming it, I am not going to do it, as I am not the coder, so I really don't know what it does.

After reading some posts I came to know it should not be present in the registry if only the basic firewall is installed.

Diagnostic results are OK.

I was in doubt about this particular entry (guard32), so I posted here to get the correct answer and a workaround.

Let me be very specific: are my settings in the registry about guard32.dll correct?

HKLM\SW\MS\WINNT\WINDOWS\AppInit_DLLs = guard32.dll; these are my settings.

The post has become long because of my poor English; please bear with me.

Thanks and regards

adi

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: D+ alerts are received after disabling it
« Reply #3 on: September 28, 2008, 06:56:48 AM »
Leak protection and port stealthing are two different things.
Leak protection is meant to protect against application hijacking that could result in malware gaining internet access without your consent.

Port stealthing is intended to prevent anyone who attempts to portscan your host from the internet from knowing which ports are open/closed on your PC.

I cannot possibly know the reason why ports 0-1 are not stealthed on your PC, nor do I know for sure if port stealthing can be achieved in all cases (e.g. if there is a service that listens on ports 0-1).

It could prove useful to post a specific bug report about port stealthing and add some related info about your PC configuration (e.g. if you are behind a NATted LAN or if you use a bridged modem, and a netstat -noa output).



« Last Edit: September 29, 2008, 02:00:48 AM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
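The closed-versus-stealthed distinction gibran draws in reply #3 is easy to see from the client side: a closed port answers a SYN with RST (connect fails immediately), a stealthed port answers nothing (connect times out), an open port completes the handshake. The following is an added example written for this page, not code from the thread, from Comodo or from GRC; the probe timeout and the loopback listener it tests against are constructed for the demonstration, and the state names ("open", "closed", "stealth", "unreachable") are this example's own vocabulary mirroring the ShieldsUp report.

```python
"""Added example: tell a 'closed' TCP port from a 'stealthed' one with a plain connect() probe.

Not Comodo or GRC code.  A port that answers with RST is CLOSED (safe, but the host
is visible); a port that answers nothing at all is STEALTH; a port that completes
the handshake is OPEN.  The loopback listener in demo() is constructed for the demo.
"""
import errno
import socket

PROBE_TIMEOUT = 1.0   # seconds; assumption: a silently dropped SYN gets no answer within this


def classify(code):
    """Map a connect_ex() return code to ShieldsUp-style port states.

    connect_ex() returns 0 on success and an errno value instead of raising.
    With a timeout set, CPython returns EWOULDBLOCK (EAGAIN on Linux,
    WSAEWOULDBLOCK on Windows) when neither SYN-ACK nor RST ever arrives.
    """
    if code == 0:
        return "open"          # three-way handshake completed: something is listening
    if code == errno.ECONNREFUSED:
        return "closed"        # host sent RST: nothing listening, but the host answered
    if code in (errno.EWOULDBLOCK, errno.EAGAIN, errno.ETIMEDOUT):
        return "stealth"       # no answer at all: dropped by a firewall or a NAT device
    return "unreachable"       # ENETUNREACH/EHOSTUNREACH etc.: a path problem, not a verdict


def probe(host, port, timeout=PROBE_TIMEOUT):
    """Probe one TCP port and return its classified state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            code = s.connect_ex((host, port))
        except socket.timeout:      # defensive: treat a raised timeout like a returned one
            code = errno.ETIMEDOUT
    return classify(code)


def probe_range(host, ports, timeout=PROBE_TIMEOUT):
    """Return {port: state} for each port, the way a service-ports scan reports them."""
    return {p: probe(host, p, timeout) for p in ports}


def demo():
    """Loopback demonstration: probe a port while a listener holds it (open), then the
    same port after the listener is gone (closed, because the kernel answers RST).
    Returns the two observed states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())    # loopback never stealths: ('open', 'closed')
```

Run against a public address this only reports what the first device on the path does with the SYN; behind a NAT modem that is the modem, not the PC, so a "stealth" or "closed" verdict there says nothing about the software firewall on the host.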

Offline aditya_dmj

  • Comodo Loves me
  • ****
  • Posts: 160
Re: D+ alerts are received after disabling it
« Reply #4 on: September 28, 2008, 09:21:16 AM »
Hello to all,

My PC configuration is:
Core 2 Duo E6300 1.8 GHz
RAM 1 GB DDR2 533 MHz
Motherboard: Intel original 946GZIS

I am not behind any NAT router, except the ADSL broadband modem with built-in NAT and firewall.

I am posting the results:

Same modem (no configuration change made), Windows Firewall: test status = passed
Same modem (ditto), Comodo FW with recommended D+ installed: test status = passed

Same modem (ditto), Comodo FW without D+ (leak protection there): test status = failed on ports 0, 1

However, the firewall clears the test if you add this in Global Rules before "stop all":

allow TCP/UDP src any srcport any dest any dest port 2-65535

Same modem (ditto), Comodo FW without D+ (i.e. basic firewall only): test status = failed on ports 0, 1

Same modem, checked on my Vista Home Premium laptop with the in-built firewall: test status = passed

To be specific, the firewall is failing this test only if you do not install D+, and these results are reproducible on different machines (tested on a neighbour's machine).

I have attached the output of the CFP script.

Regards

Adi

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: D+ alerts are received after disabling it
« Reply #5 on: September 28, 2008, 10:01:01 AM »
Thanks for providing the additional info, although it would have proved useful to create a different topic about the 0-1 non-stealthed port issue.

My system specs are:
P4 HT 3 GHz and over 1 GB RAM available, XP SP3 32-bit, HW DEP OptOut.
Other apps: Comodo SafeSurf, Unlocker Assistant, SpeedFan, Daemon Tools, COMODO Vulnerability Analyzer 1.1.3.29, Comodo Disk Shield 1.0.1.18, Logitech SetPoint 4.60.122

My PC is located behind a router and NAT is enabled.

I specifically installed CFP 3.0.25 in firewall-only mode without leak protection.

The ShieldsUp All Service Ports test resulted in a TruStealth rating (all ports stealthed).
I did not receive any Defense+ alert after reboot either.


As far as I know, if there is no port forwarding or UPnP rule in the router settings, CFP cannot possibly handle inbound connections originated by grc.com ShieldsUp.

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11465
  • Linux is free only if your time is worthless.;-)
Re: D+ alerts are received after disabling it
« Reply #6 on: September 28, 2008, 06:31:38 PM »
I believe that guard32.dll is there to prevent the firewall's processes being terminated.

Ewen :-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline aditya_dmj

  • Comodo Loves me
  • ****
  • Posts: 160
Re: D+ alerts are received after disabling it
« Reply #7 on: September 29, 2008, 12:18:32 PM »
Hello sir,

Sorry for posting incomplete info.

Here I am uploading the results of msinfo32.exe, which has all the details of signed drivers, system drivers and loaded modules.

The general configuration of my system is:

Avast AV 4.8 Home (only one security suite)

No games
CFP 3.0.25.378

All other common everyday-use software.


Regards

Adi

edit : systeminfo deleted at users request - panic
« Last Edit: September 29, 2008, 05:03:17 PM by panic »

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11465
  • Linux is free only if your time is worthless.;-)
Re: D+ alerts are received after disabling it
« Reply #8 on: September 29, 2008, 06:04:16 PM »
Hi adi,

This is really odd!

Logically, if you're behind a routing-type device, when you run the GRC ShieldsUp test, they are basically sending a series of pings to ports of your publicly assigned address. This public IP is assigned to you by your ISP and is attached to the outward-facing side of your router device. When you run the GRC test, your request contains your public IP address, as your private IP address (the 192.168.X.X one) is non-routable.

When the GRC server starts the test, the only IP address it knows about, in relation to you, is the public one, which is your router, not your PC. Consequently, the results reflect the answers GRC received from your modem, not from your PC.

I can't explain why you're getting different results when trialling different modes of CFP, as CFP cannot alter the configuration of your modem and the GRC tests never actually get to your software firewall (unless you have specifically forwarded ports).

Odd. I'll keep my eye on this thread.

Cheers,
Ewen :-)

Offline aditya_dmj

  • Comodo Loves me
  • ****
  • Posts: 160
Re: D+ alerts are received after disabling it
« Reply #9 on: September 30, 2008, 04:17:17 AM »
First I would like to thank you, panic, for accepting the request I made to you.

Yeah, I also cannot understand these results.

However, when I test my laptop running Vista with the same ADSL router modem, using Vista's in-built firewall, the tests are passed.

It appears that the NAT and firewall feature of my modem is not working.
Oh, I forgot to mention one thing: my subnet is 255.255.255.0.

This means the NAT and router on my ADSL modem do not act on my computer alone; on the other hand, they provide NAT and firewall services to all ISP subscribers falling in the subnet.

I think this is the job of the ADSL router.

The only problem is that these results were reproduced on an Acer S series computer running XP (an old machine of my neighbour).

Anyway, I am eagerly waiting for the new update of CFP.

Till then, as usual.

regards

adi
