3 ports open, CIS does not close, TCP NULL test resulting in non-stealth

[Guest]

[Turrican]

Dear Comodo team,

since a week I encounter problems. I use CIS and have set up the firewall to protect me - ingoing rules are blocked via global rules, only certain programs may access internet. I use Windows 7 normally and sometimes Windows Vista also (installed both on one laptop), both 32bit. Windows7 is protected by CIS and Avast, Vista by GData Internet security. I use a router (wireless).

It started with svchost.exe trying to access internet via several ports, asking again and again. People from the German CIS forum told me this should not be, so I stopped it from the access. I downloaded a port scanner, Advanced Port Scanner 1.3 and it keeps telling me, ports 135, 139 and 1025 are opened. I tried to close those ports, still open. No firewall seems to work.

Also with pcflank.com I have made a stealth test and this one resulted in TCP NULL is not stealthed - both on Vista as well on 7 and also on the XP computer of my girlfriend.

Never mind what I try, CIS seems not to close the ports. I am about to get mad and hope somebody can help me... I definitely fear to be under attack with opened ports. Funny thing: when scanning with an external port scanner, the ports are displayed to be closed, but why tells the port scanner those ones are opened? And why do I still fail with the TCP NULL test?

Best regards
Turrican

[EricJH]

My first thoughts after checking the used scanners.

When there is a router present in your network the scanner from pcflank will probe the router and not your computer. In order to test your computer you need to make it Exposed Host or put it in the Demilitarized Zone (DMZ); these two things need to be set in your router.

With Advanced Ports Scanner I am still testing. I also keep getting three open ports. I will have to look further into it.

[Michael Withstand]

I just used advanced ports scanner too and it tells me that one port is opened

[EricJH]

There is something odd about APS. It does not generate any Firewall alerts here with CIS v4 beta with sand boxing disabled. I am in Proactive Mode with Firewall set to Custom Policy Mode and Alert Settings on high.

Does anybody know how this program work? Can anybody with 3.13 with tell what alerts the Firewall produces.

[Michael Withstand]

Yea I came to the conclusion that port scanner was a dubious software  . . . Tested my ports online and I got none opened. Have since uninstalled it. I hope it didn't leave any trojan or malware that was undetected.

[Turrican]

Dear people,

thank you for the analysis. Well, I also hope the scanner is no malware, but I got it from a trustworthy German download page (pc-welt.de, a famous computer magazine's internet page), so I estimate it is nothing really bad. It still tells me certain ports stay open, but external port scans present those as closed totally. So I estimate the scanner does not work properly...

By the way, I plugged in cable internet connection instead of WLAN and the TCP NULL scan is stealth right now, that means my router firewall is failing with this test. But I ask myself why does the software firewall not help? Or maybe the TCP NULL attack receives an answer from the router, but inside the router the request is vanishing? I remember somebody telling me a router may behave like this: an attack may enter the router, but inside the router, the attack cannot be redirected to the connected computer and is so running into a dead end. Could this be the explanation?

Thanks in advance for your support
Turrican

[EricJH]

It's unfortunate I cannot figure how the APS tool works.

Glad to hear you tested the stealth test from PC Flank without your router. Then you are probing CIS on your computer. And it shows CIS is stealth.

Apparently the router responds to the "trick" requests that are being used. These trick requests are designed to see if ports are open or not. These tricks are not actual hack attacks.

Or maybe the TCP NULL attack receives an answer from the router, but inside the router the request is vanishing? I remember somebody telling me a router may behave like this: an attack may enter the router, but inside the router, the attack cannot be redirected to the connected computer and is so running into a dead end. Could this be the explanation?

I am not quite sure in what context this was told. In general a router will only let traffic in that is a response to a request from the local network. As a consequence when an unsolicited request  comes in it will drop that request as it is not in response to a request from within the network. So, it works as a firewall for incoming traffic.

[Tags:]