Author Topic: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default  (Read 28267 times)

Offline raynor

  • Comodo Family Member
  • ***
  • Posts: 82
Summary:
Even when using a fresh, default Comodo install with 100% unchanged default options (!),
Port 135 is reported as being OPEN by the www.grc.com ShieldsUP! scanner.

The firewall does not trigger an alert window if there is an incoming connection on Port 135,
it is simply left open, no questions asked.


(Please also see this thread:)
http://forums.comodo.com/help_for_v3/vista_64_rpc_port_135_open_after_default_install-t23231.0.html
The above-mentioned thread was the first one posted by me; this thread (the one you are
reading now) is the more current one, so please continue any discussion right here.

best regards,
raynor

« Last Edit: May 27, 2008, 09:49:29 AM by raynor »

sded

  • Guest
Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #1 on: May 25, 2008, 11:00:33 AM »
Still would like to see your default application rules posted.  Most of us have modified them and don't know what the current defaults are.  I don't use global rules, but my system related application rules are attached for comparison, and do stealth all the ports.  The default rules for Windows Updater Applications should cause a block and log for incoming on port 135 to svchost.exe.  Could you also go to D+/common tasks/my protected files/groups and verify that svchost.exe is still listed there under Windows Updater Applications?  And that under firewall/common tasks/view active connections that svchost.exe is shown listening on port 135?  Do you show anything in your firewall events log?

[attachment deleted by admin]
« Last Edit: May 25, 2008, 11:10:10 AM by sded »

Offline raynor

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #2 on: May 25, 2008, 12:44:24 PM »
Quote from: sded
Still would like to see your default application rules posted.  Most of us have modified them and don't know what the current defaults are.

Now, these are not "my" defaults ;), but these are Comodo's default rules, as I can reproduce
this behaviour with a 100% default installation without having changed any rules.
At the moment I am using a fresh installation with UNCHANGED rules (both Application & Global
rules).


The only added rule is the automatically added one for Firefox (otherwise I could not post this
message ;)

See Screenshots 1 & 2 for these default rules.

Quote from: sded
The default rules for Windows Updater Applications should cause a block and log for incoming on port 135 to svchost.exe.
No, they don't (see screenshot 1). Comodo's default setting does NOT have a
Block and Log rule for the windows updater apps.


Quote from: sded
Could you also go to D+/common tasks/my protected files/groups and verify that svchost.exe is still listed there under Windows Updater Applications?

It is. Not surprisingly, because at the moment I'm testing with a clean, fresh installation of CPF ;)

Quote from: sded
And that under firewall/common tasks/view active connections that svchost.exe is shown listening on port 135?

It is. This is Vista's default behaviour. Also see Screenshot 3.

Quote from: sded
Do you show anything in your firewall events log?

No. Nothing gets logged. Not surprisingly, too, because there are no block and log rules for svchost.exe.


Again:
The expected behaviour would be that I am asked (via popup firewall alert) when there is
an incoming connection on port 135 (svchost.exe). This is what happens under XP.
There I could then click DENY & Remember, and a deny (block & log) rule for svchost.exe
would be created.
Under Vista 64, the port is simply left open, there is no alert popup, and that is that.



If anyone wants to reproduce the bug, please follow exactly these easy ;) steps:

(You need Windows Vista 64 SP1 (the OS I'm using) & Comodo 3.0.24.368 64 Bit)


1) Uninstall your old Comodo
--> reboot

2) Do a clean Comodo install (100% default options, i.e. Firewall and Defense+)
--> reboot

3) Manually disable the Windows Firewall. Important, as the Comodo installer does not
do it
- If the Windows Firewall is still active Port 135 will not be open as it's blocked
by the Windows FW (which seems to do a better job at this  ;D ;D ;D)

4) Do NOT touch ANY options of Comodo Firewall. Just leave it on defaults.

5) Visit www.grc.com, select the ShieldsUP! Scanner, click on "Common Ports"

6) BAM! Port 135 is open, and the firewall does not trigger an alert (i.e. it does not ask)...
 :-X :-X :-X


[attachment deleted by admin]
« Last Edit: May 25, 2008, 02:56:03 PM by raynor »

sded

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #3 on: May 25, 2008, 12:59:23 PM »
Thanks for the info.  Agree on the expected "ask" behavior (and that it is an urgent issue); maybe someone else can explain why it didn't happen in Vista x64.  Checked an earlier version and the block and log was not there, so I must have added it.  Maybe someone else can check it for Vista x32 since you say it works correctly with XP.  :(
« Last Edit: May 25, 2008, 01:02:25 PM by sded »

Offline raynor

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #4 on: May 25, 2008, 01:02:31 PM »
First of all, other people should please reproduce this with Vista 64.
This will tell me that I'm not crazy (I don't think I am) and that this is indeed
a (major) bug.


For me it's dead easy to reproduce (see steps above). I did it heaps of times...

Tests with Vista 32 would also be welcome to see if it's a 64 Bit issue only.

And yes, under XP, all is well, no problems there :)

Waiting for more reports ....
« Last Edit: May 25, 2008, 03:01:54 PM by raynor »

sded

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #5 on: May 25, 2008, 01:20:16 PM »
OK, verified proper operation with Vista x32.  Bypassed router and plugged directly into the computer.  With the block and log, stealth as expected.  Couldn't log it because of selective CFP3 logging.  Removed the block and log all, and got the expected popup.  Shields Up timed out the response and the port was marked "stealth".   So need further inputs from Vista x64 users, perhaps verification from others.

Offline raynor

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #6 on: May 27, 2008, 05:59:01 AM »
Come on guys, can someone please try to reproduce this bug
with Vista 64 ? Thank you ;). As I said, for me it is dead easy
to reproduce.


Just use a clean, fresh Comodo install with unchanged default settings,
and run a ShieldsUP! "common ports" scan.
There is NO firewall alert prompt ("Incoming connection on Port 135 for svchost.exe"),
but the port is simply open.

Only the "stealth ports wizard" correctly stealths the port (via the
global rules it creates.)

This seems like a major bug. That is why it should be investigated further.
Maybe the developers should also have a look at this.


For better troubleshooting, I'm posting my detailed configuration again:

(... which is nothing special by the way ;))

- Vista x64 SP1 English, all Windows Updates installed (As of May 2008)
- Windows Firewall disabled (Service is set to disabled)
- Comodo 3.0.24.368 - a fresh, clean install, installed with installer's standard settings
  (= Firewall and D+ enabled). No options changed in the program itself (i.e. no added rules,
  no stealth ports wizard, no nothing).
- Svchost.exe is Listening to Port 135 (DCOM) - This is Vista's default behaviour
- PPPoE Broadband ADSL dialup connection (direct connection, no proxy, no router),
  using Vista's integrated standard PPPoE driver. Nothing special.

If anyone needs additional details, or I should run additional tests, I'll be happy
to assist.
« Last Edit: May 27, 2008, 06:04:01 AM by raynor »

Offline jtabos

  • Computer Security Testing Group
  • Newbie
  • *****
  • Posts: 12
Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #7 on: May 27, 2008, 12:57:39 PM »
I went back to the old version and apparently, everything is working fine now.
Please see this thread:

http://forums.comodo.com/bug_reports/cvtresexe_netframework_99-t23317.0.html;msg164524#msg164524

Cheers
Juan


HP Compaq  Quad Core Q6600 2.40 Ghz -all programs+drivers updated-
W Vista Home Premium Sp1 x32
3 Mb Ram
CMF
CBOClean
Nod32 v3
Defense+ in "Clean Pc mode"

Offline raynor

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #8 on: May 27, 2008, 03:59:35 PM »
Quote from: jtabos
I went back to the old version and apparently, everything is working fine now.
Please see this thread:

http://forums.comodo.com/bug_reports/cvtresexe_netframework_99-t23317.0.html;msg164524#msg164524

I think you posted in the wrong thread. This thread is about a completely different issue.

Offline jtabos

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #9 on: May 27, 2008, 04:10:09 PM »
It is about svchost.exe being shown listening on port 135, isn't it?



....<<<<Today I decided to go back to the old 3.0.21.329 version and so far -3 hours later-, everything is working fine.
Even the port 135 seems to be closed now (at least it's not listed in the "Active connections" window: it was "listening" with the new version). Read this report to see what I mean. http://forums.comodo.com/bug_reports/vista_64_3024368_major_bug_port_135_is_left_open_by_default-t23266.0.html

BTW, I don't have Safesurf installed, and the firewall is running with the default config.
Regards
Juan

HP Compaq  Quad Core Q6600 2.40 Ghz -all programs+drivers updated-
W Vista Home Premium Sp1 x32
3 Mb Ram
CMF
CBOClean
Nod32 v3
Defense+ in "Clean Pc mode">>>>>
« Last Edit: May 27, 2008, 04:26:06 PM by jtabos »

Offline Searinox

  • Comodo's Hero
  • *****
  • Posts: 539
  • Do you like fire? I'm full of it.
Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #10 on: May 27, 2008, 04:32:04 PM »
I got my rules manually made to avoid that. Nnngh... this is not good for leaktests~

Offline raynor

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #11 on: May 27, 2008, 04:47:58 PM »
Quote from: jtabos
It is about svchost.exe being shown listening on port 135, isn't it?

Yes, you're right, but to be more exact, it's about port 135 being open to
the outside world (in other words: not being shielded / stealthed) by the
firewall. With the default configuration, the firewall should show an
alert window if there is an incoming connection on port 135,
which it does not, but leaves the port open and unprotected instead.

Svchost.exe is ALWAYS "listening" to port 135, this simply is Windows's
(both Vista and XP) default configuration. This is not the problem. The question
is if the firewall protects (stealths) this port or not. Currently, with Vista 64 and
Comodo 3.0.24.368 it FAILS to do so.

Quote from: Searinox
I got my rules manually made to avoid that. Nnngh... this is not good for leaktests~

This is of course not a solution ;) A proper firewall MUST NOT leave a port open by
default without asking or require manual configuration to be "safe".

This is why I labeled this bug as MAJOR. This is not a little glitch, it is serious business  :P0l.

All the best,
raynor
This
« Last Edit: May 27, 2008, 04:52:25 PM by raynor »
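
The distinction drawn in the reply above (svchost.exe listening locally versus port 135 being reachable from outside) is what a scanner such as ShieldsUP! reports as open, closed or stealth. The following is an added example, not part of the original thread or of Comodo's software; `classify_port` and `demo` are hypothetical names, and the loopback listener is constructed to stand in for svchost.exe.

```python
import socket


def classify_port(host, port, timeout=3.0):
    """Classify one TCP port the way an external scanner reports it.

    open    - handshake completed: a service answered and nothing filtered it
    closed  - connection refused (RST): host is visible, port not accepting
    stealth - no answer before the timeout: the probe was silently dropped
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    finally:
        sock.close()


def demo():
    """Constructed loopback demo: a listener stands in for svchost.exe."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port chosen for the demo
    listener.listen(1)
    port = listener.getsockname()[1]
    # Service listening, no filter in the path: the probe completes.
    while_listening = classify_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    # Nothing listening, no filter in the path: the stack answers with RST.
    after_close = classify_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
```

The "stealth" result only appears when a packet filter sits between the prober and the service, so to check a firewall, call `classify_port` for port 135 against your own machine's external address from a second host outside it. The local "active connections" view shows svchost.exe listening in all three cases, which is why it cannot answer the question on its own.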

Offline raynor

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #12 on: June 01, 2008, 11:34:36 AM »
This still isn't fixed in 3.0.25.378.

Any news on this one, anyone ???

As I said above, IMHO this is a serious, major bug  :P0l  :P0l  :P0l
« Last Edit: June 01, 2008, 11:40:40 AM by raynor »

Offline mgcl2ticl4

  • Comodo Member
  • **
  • Posts: 36
Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #13 on: June 01, 2008, 11:42:42 PM »
Quote from: raynor
This still isn't fixed in 3.0.25.378.

Any news on this one, anyone ???

As I said above, IMHO this is a serious, major bug  :P0l  :P0l  :P0l


I always check grc after an update and never experienced the problem you describe w/ 135.  I'm running Vista 64 SP1 with all updates and Avast free Antivirus.  I do not mess with any of the firewall and/or antivirus settings - I just leave it at default.  I have updated Comodo to 3.0.25.378.

Maybe you can use an SPI firewall router until Comodo gets to the bottom of your problem.

Offline raynor

Re: [Vista 64, 3.0.24.368] MAJOR Bug: Port 135 is left open by default
« Reply #14 on: June 02, 2008, 03:49:35 AM »
So you do get prompted by the firewall when there is an incoming connection
on port 135 (or I should say "did" because most likely you clicked on deny & remember
when there was an incoming connection for svchost.exe) ?

Could you please do me a favor and delete your firewall rule for svchost.exe
and check if you then get prompted again for incoming connections if you run
a grc ShieldsUP! scan ?

Thx,
raynor

 
