Topic: A lot more blocked intrusion attempts with CIS 310...531 (Read 834 times)
donnyd (Comodo Loves me, Posts: 135)
A lot more blocked intrusion attempts with CIS 310...531
« on: July 09, 2009, 10:45:58 AM »
I'm getting a lot more network blocked intrusion attempts with CIS 310 all coming from application Windows Operating System. The protocol is UDP and the destination port and source port all seem to be either 137 or 138. Is there something I need to tweak or is this a true intrusion? I'm running Windows XP media center SP4 and only CIS for security.
Logged
bluesjunior (Comodo's Hero, Posts: 388)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #1 on: July 09, 2009, 01:12:54 PM »
I am getting the same but mine is mostly from ports 445 and to a lesser extent 135. From what I understand ports 137 and 138 are all linked. My daughter's boyfriend said something about these ports and NetBios but his explanation was a bit too techy for me to comprehend and I would like to find out a bit more about the subject before I go switching off NetBios if this is indeed the solution to this problem.
Logged
Dch48 (Comodo's Hero, Posts: 1068)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #2 on: July 09, 2009, 01:29:51 PM »
Quote from: donnyd on July 09, 2009, 10:45:58 AM
I'm getting a lot more network blocked intrusion attempts with CIS 310 all coming from application Windows Operating System. The protocol is UDP and the destination port and source port all seem to be either 137 or 138. Is there something I need to tweak or is this a true intrusion? I'm running Windows XP media center SP4 and only CIS for security.
SP4? Where did you get that?
Logged
HP dv5215us Laptop
Turion64 ML-34 1.8ghz single core, 2g RAM, 10 meg cable connection
XP Professional SP3, IE8 & Outlook Express
CIS 4.0 full (Firewall:Safe - D+:Clean PC - AV:Stateful - Sandbox:disabled)
MBAM & SAS On Demand
jay2007tech (Malware Research Group, Comodo's Hero, Posts: 639)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #3 on: July 09, 2009, 03:37:29 PM »
Quote
The protocol is UDP and the destination port and source port all seem to be either 137 or 138
I usually have over 1,000 intrusion attempts in a day (I know what and where the intrusions are coming from and they're not really intrusions). It's almost all Microsoft and certain software that wants to phone home.
I wouldn't worry about it.
You'll generally get that feeling, if you're being attacked.
For Windows 7, Vista, and XP that I'm using, I'm blocking Microsoft to the best of my ability. I'm blocking 137, 138, 139, 1900, 3544, 63351, 58226, 67, 68, 55945, 3702, and quite a bit more.
I'm also blocking outbound connections for Windows Update (I have another way to update HeHeHeHe), system, svchost (partially), WMP, explorer, ie explorer, and much more.
Either way, you're probably fine.
If you're still worried, download "hijack this" from download.com. Copy and paste the logs at the appropriate section in the forums and someone here will let you know if you're good to go.
« Last Edit: July 09, 2009, 03:41:25 PM by jay2007tech »
Logged
It's hard being a crooked Admin when the files won't pass an md5checksum test. But like any other good crooked Admin it can be done, it just takes time(and lots of it) and a few aspirins
Jim__ (Comodo Loves me, Posts: 121)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #4 on: July 09, 2009, 05:46:06 PM »
This is most likely broadcast messages rather than something directed to a specific IP address.
Since this traffic is being blocked anyway, you could set up a rule to block the traffic but not log it. I created a port set (137,138,139,445) and then created a rule to block incoming TCP and UDP with those ports as a destination without logging.
Logged
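Before silencing these entries with a block-without-log rule as described in the reply above, it helps to see how many of them really are broadcasts and how many are addressed to this machine. The following is an added example, not part of the original thread; the CSV layout, the function names and every address are constructed for illustration and are not the CIS log format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Windows networking ports named in the thread (RPC mapper, NetBIOS, SMB).
WINDOWS_NET_PORTS = {135, 137, 138, 139, 445}

# Constructed sample of blocked-connection records (assumed column layout).
SAMPLE_LOG = """\
time,proto,src_ip,src_port,dst_ip,dst_port
10:45:01,UDP,10.20.0.57,137,10.20.0.255,137
10:45:03,UDP,10.20.0.57,138,10.20.0.255,138
10:45:09,UDP,10.20.0.91,137,255.255.255.255,137
10:46:12,TCP,203.0.113.40,4312,10.20.0.23,445
10:46:15,TCP,203.0.113.40,4313,10.20.0.23,135
10:47:30,UDP,10.20.0.57,137,10.20.0.23,137
10:48:02,TCP,198.51.100.7,51515,10.20.0.23,8080
"""

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(row, local_if):
    """Label one blocked record relative to our own interface."""
    if int(row["dst_port"]) not in WINDOWS_NET_PORTS:
        return "other"
    src = ipaddress.ip_address(row["src_ip"])
    dst = ipaddress.ip_address(row["dst_ip"])
    # Limited broadcast or the subnet's directed broadcast: sent to every
    # host on the segment, not aimed at this machine in particular.
    if dst == LIMITED_BROADCAST or dst == local_if.network.broadcast_address:
        return "broadcast"
    if dst == local_if.ip:
        # Addressed to us; distinguish a neighbour from an off-subnet sender.
        return "directed-local" if src in local_if.network else "directed-remote"
    return "other"


def triage(log_text, local_cidr):
    """Return (count per label, count per directed source) for a log."""
    local_if = ipaddress.ip_interface(local_cidr)
    counts = Counter()
    directed = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        label = classify(row, local_if)
        counts[label] += 1
        if label.startswith("directed"):
            directed[(row["src_ip"], row["proto"], int(row["dst_port"]))] += 1
    return counts, directed


if __name__ == "__main__":
    counts, directed = triage(SAMPLE_LOG, "10.20.0.23/24")
    print(dict(counts))
    for (src, proto, port), n in directed.most_common():
        print(f"{src} -> {proto}/{port} x{n}")
```

A rule that drops all four ports without logging hides the directed entries as well as the broadcasts, so the directed sources are the ones worth reviewing first.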
Xman (Guest)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #5 on: July 09, 2009, 08:23:21 PM »
Quote from: bluesjunior on July 09, 2009, 01:12:54 PM
I am getting the same but mine is mostly from ports 445 and to a lesser extent 135. From what I understand ports 137 and 138 are all linked. My daughter's boyfriend said something about these ports and NetBios but his explanation was a bit too techy for me to comprehend and I would like to find out a bit more about the subject before I go switching off NetBios if this is indeed the solution to this problem.
Hi Bluesjunior, run the first 3 tests at Shields Up here:
https://www.grc.com/x/ne.dll?bh0bkyd2
When you finish the all service ports scan, click on a port (e.g. 135, 139, 445 and especially 137) for in-depth info on their origin and use; you'll get all the info you need.
Regards & cheers
Xman
« Last Edit: July 09, 2009, 08:34:14 PM by Xman »
Logged
bluesjunior (Comodo's Hero, Posts: 388)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #6 on: July 10, 2009, 04:16:16 AM »
Thanks for the link Xman, I already knew about GRC and knew I was completely stealthed and passed all the tests, but not that you could click on a port number for additional info. If I were to set a rule to block but not log for ports 135, 137, 138, 139 and 445, would this reduce the size of my logs? Could someone walk me through that with a step by step on how to set such a rule, or is there a better solution?
Logged
SiberLynx (Comodo's Hero, Posts: 970)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #7 on: July 10, 2009, 05:05:20 AM »
Hi Guys,
Donnyd and Bluesjunior,
Regarding the site referred to by Xman: there is not only the test there but also explanations about ports and free utilities
http://www.grc.com/freepopular.htm
For example, info about port 135 is here:
http://www.grc.com/freeware/dcom.htm
Info about ports 137, 138, 139, 445 is here:
http://www.grc.com/port_137.htm
Briefly about the latter ports – you can just disable NetBIOS over TCP/IP if you have a standalone computer.
Just Google “disabling NetBIOS” and you will find tons of advice; here is the MS page:
http://support.microsoft.com/kb/313314
In addition, search this forum using the requested ports as keywords; there are many threads here as well.
Hope this helps
My regards
« Last Edit: July 10, 2009, 05:11:29 AM by SiberLynx »
Logged
admin; XP Pro, SP3 (32); CIS 3.14.130099.587 (firewall only; Proactive with Defense+); Vengine 2.7.0.33 ; AVG free; Mamutu Behavioural Blocker
donnyd (Comodo Loves me, Posts: 135)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #8 on: July 10, 2009, 08:13:29 AM »
Quote from: Dch48 on July 09, 2009, 01:29:51 PM
SP4? where did you get that?
Sorry! Type-0, it's SP3...
Logged
bluesjunior (Comodo's Hero, Posts: 388)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #9 on: July 10, 2009, 08:29:45 AM »
Thanks for the reply SiberLynx,
My PC operating system is Windows XP Home Edition SP3, up to date using Windows Update. It is a standalone PC on a Cable Broadband account with Virgin Media here in the UK with no router and accessed by a Fast Ethernet Connection modem and is shared between me and my grown up daughter, i.e. two accounts both with administrative authority.
I did some reading on the links and advice offered in your previous reply and have come up with two options of which I am unsure which is the best way to proceed. I would ideally like to reduce the number of intrusion attempts being recorded by Comodo CIS. Could someone have a look at the two options below and advise me on the best procedure in order to achieve the above mentioned result?
Quote
Disable NetBIOS on the DHCP server
To disable NetBIOS on the DHCP server, follow these steps:
1. Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2. In the navigation pane, expand the server_name, expand Scope, right-click Scope Options, and then click Configure Options.
Note: In this step, the server_name placeholder specifies the name of the DHCP server.
3. Click the Advanced tab, and then click Microsoft Windows 2000 Options in the Vendor class list.
4. Make sure that Default User Class is selected in the User class list.
5. Click to select the 001 Microsoft Disable Netbios Option check box, under the Available Options column.
6. In the Data entry area, type 0x2 in the Long box, and then click OK.
Configure the DHCP client to enable the DHCP server to determine NetBIOS behavior
For Windows XP, Windows Server 2003, and Windows 2000
1. On the desktop, right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. In the Components checked are used by this connection list, double-click Internet Protocol (TCP/IP), click Advanced, and then click the WINS tab.
Note: In Windows XP and in Windows Server 2003, you must double-click Internet Protocol (TCP/IP) in the This connection uses the following items list.
4. Click Use NetBIOS setting from the DHCP server, and then click OK three times.
Quote
How to disable NetBIOS over TCP/IP?
In Windows 2000/XP/2003 you have the possibility to disable NetBIOS over TCP/IP. You do this by right-clicking on My Network Places and selecting Properties. Then right-click on the appropriate Local Area Connection icon, and select Properties.
Next, click on Internet Protocol (TCP/IP) and Properties.
Now click Advanced, and select the WINS tab.
There you can enable or disable NetBIOS over TCP/IP.
The changes take effect immediately without rebooting the system.
You will get an event in your event log if you do not also disable the TCP/IP NetBIOS Helper Service service. You can Disable this service in Control Panel > Administrative Tools > Services if desired.
I also downloaded a program from the GRC link called DECOMBOB which I also haven't used until I find out if it is a good idea to use it or not.
Logged
SilentMusic7 (Comodo's Hero, Posts: 229)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #10 on: July 11, 2009, 10:00:27 AM »
I have cable internet, and I too get hundreds of intrusion attempts a day from my neighbors' computers. My understanding is that most computer users are victims of viruses that listen to the network and attempt to spread themselves.
I recommend that high-speed internet users install a hardware router, with NAT and stateful packet inspection (SPI) features, for the following reasons:
1. Allows software firewall to log all blocked intrusions
2. Less loading on the computer
3. Hardware firewalls are more secure than software firewalls for attacks from neighbors
4. Allows multiple computers to share a printer without allowing infections to spread to each other
5. For times when the software firewall is disabled - during firewall upgrade, Windows installation
See other threads where Comodo CIS users complain about how CIS installation hangs without internet access, which is a case where a hardware firewall provides the only intrusion protection.
Logged
Toggie (Guest)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #11 on: July 11, 2009, 10:24:54 AM »
Quote
I recommend that high-speed internet users install a hardware router, with NAT and stateful packet inspection (SPI) features, for the following reasons:
1. Allows software firewall to log all blocked intrusions
I'd recommend a good router too. Not sure I really understand the rest of that?
Quote
2. Less loading on the computer
I've seen no difference in 'load' on my PC since my router died.
Quote
3. Hardware firewalls are more secure than software firewalls for attacks from neighbors;
Highly debatable.
Quote
Allows multiple computers to share a printer without allowing infections to spread to each other
so does CIS?
Quote
5. For times when the software firewall is disabled - during firewall upgrade, Windows installation
Is it too hard to unplug your network cable?
Quote
See other threads where Comodo CIS users complain about how CIS installation hangs without internet access, which is a case where a hardware firewall provides the only intrusion protection.
See the many threads where people are happy and have no such problems.
Logged
donnyd (Comodo Loves me, Posts: 135)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #12 on: July 11, 2009, 10:48:57 AM »
Quote from: bluesjunior on July 10, 2009, 08:29:45 AM
Thanks for the reply SiberLynx,
My PC operating system is Windows XP Home Edition SP3, up to date using Windows Update. It is a standalone PC on a Cable Broadband account with Virgin Media here in the UK with no router and accessed by a Fast Ethernet Connection modem and is shared between me and my grown up daughter, i.e. two accounts both with administrative authority.
I did some reading on the links and advice offered in your previous reply and have come up with two options of which I am unsure which is the best way to proceed. I would ideally like to reduce the number of intrusion attempts being recorded by Comodo CIS. Could someone have a look at the two options below and advise me on the best procedure in order to achieve the above mentioned result?
I also downloaded a program from the GRC link called DECOMBOB which I also haven't used until I find out if it is a good idea to use it or not.
I read your post and went ahead and set my PC to the latter of the two mentioned, and since then I have not received any logged intrusion attempts related to NetBIOS and ports 137, 138:
How to disable NetBIOS over TCP/IP?
In Windows 2000/XP/2003 you have the possibility to disable NetBIOS over TCP/IP. You do this by right-clicking on My Network Places and selecting Properties. Then right-click on the appropriate Local Area Connection icon, and select Properties.
Next, click on Internet Protocol (TCP/IP) and Properties.
Now click Advanced, and select the WINS tab.
There you can enable or disable NetBIOS over TCP/IP.
The changes take effect immediately without rebooting the system.
You will get an event in your event log if you do not also disable the TCP/IP NetBIOS Helper Service service. You can Disable this service in Control Panel > Administrative Tools > Services if desired.
Logged
SiberLynx (Comodo's Hero, Posts: 970)
Re: A lot more blocked intrusion attempts with CIS 310...531
« Reply #13 on: July 11, 2009, 11:34:03 AM »
Quote from: SilentMusic7
See other threads where Comodo CIS users complain about how CIS installation hangs without internet access
Quote from: Toggie
See the many threads where people are happy and have no such problems
That is true, Toggie.
SilentMusic7, I am not saying that such threads don't exist, I just never came across those.
But I must say I did many clean reinstalls being completely disconnected. Only a few small online updates were done when I am “in the mood”.
That is one of the greatest things in Comodo Firewall, that you can do the installation while disconnected, and I hope that will not change. I am always disconnecting; properly shutting down all other security (not just from “sysTray right-click”) … no services, no startups etc. Then I am rebooting; uninstalling; checking the registry and cleaning if necessary (using my preferred set of Search Tools and Cleaners); then installing the new one.
I never had a problem or conflicts except one old case where there was a bug in the uninstaller and the device was left behind, which I missed at first (rather overlooked). That is fixed now.
So, installations without a connection and other security around are the most preferable way in my opinion.
Sure, I am talking about the Firewall only; I don't know whether the Antivirus requires the connection being alive.
Cheers!
Logged
admin; XP Pro, SP3 (32); CIS 3.14.130099.587 (firewall only; Proactive with Defense+); Vengine 2.7.0.33 ; AVG free; Mamutu Behavioural Blocker