Author Topic: Popup for Multicast 224.0.0.252 for every application  (Read 4328 times)

Offline guti

  • Newbie
  • *
  • Posts: 20
Popup for Multicast 224.0.0.252 for every application
« on: February 20, 2013, 11:54:27 AM »
Hi habe the same problem that has already been mentioned in this forum before: Since an update a few months ago, I very frequently get alerts of applications, that have nothing to do with the Internet at all, trying to access 224.0.0.252 over ICMP. I get this for almost every single program in Windows. I know that this is a multicast address, and I don't care about allowing or blocking it, but what I do want is
- stop being bugged by alerts for this address all the time
- not have entries for every single program in my network security policy (because this screen is not sortable and becomes a big mess the more application-specific rules you have, this should really be improved).

So of course I tried to create a global rule:
ALLOW ICMP IN/OUT from SOURCE=ANY to DESTINATION=224.0.0.252
and another
ALLOW ICMP IN/OUT from SOURCE=224.0.0.252 to DESTINATION=ANY

But I keep getting these alerts! What am I doing wrong? Shouldn't the global rule allow this traffic? Why do I stell get alerts asking me to block or allow?

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Popup for Multicast 224.0.0.252 for every application
« Reply #1 on: February 20, 2013, 06:03:28 PM »
Hi habe the same problem that has already been mentioned in this forum before: Since an update a few months ago, I very frequently get alerts of applications, that have nothing to do with the Internet at all, trying to access 224.0.0.252 over ICMP.

The 224.0.0.252 multicast address is used for LLMNR (Link Local Multicast Name Resolution) which actually uses UDP. Basically, it's like a local DNS and is part of Windows network Discovery.

Quote
I get this for almost every single program in Windows. I know that this is a multicast address, and I don't care about allowing or blocking it, but what I do want is
- stop being bugged by alerts for this address all the time
- not have entries for every single program in my network security policy (because this screen is not sortable and becomes a big mess the more application-specific rules you have, this should really be improved).

Unfortunately, this is a bug in CIS. Strictly speaking only svchost should make these queries.

Quote
So of course I tried to create a global rule:
ALLOW ICMP IN/OUT from SOURCE=ANY to DESTINATION=224.0.0.252
and another
ALLOW ICMP IN/OUT from SOURCE=224.0.0.252 to DESTINATION=ANY

But I keep getting these alerts! What am I doing wrong? Shouldn't the global rule allow this traffic? Why do I stell get alerts asking me to block or allow?

The rule is probably failing because LLMNR uses different source and destination addresses/ports and, as mentioned earlier, UDP not ICMP.

What may be easier then trying to block these connections is disabling LLMNR. You could disable Network Discovery in Network and sharing but it's likely you'll still see these alerts. better would be to disable it with the group policy editor.

1. Win Administrator privileges open Start/Run and type gpedit.msc
2. In the right side window navigate to

Local Computer Policy/Computer Configuration/Administrative Templates/Network/DNS Client

3. In the left side window select Turn off Multicast Name Resolution
4. In the settings windows select Enabled.
5. Reboot

If you have other devices/PCs on your network, you may need to perform similar tasks if LLMNR is supported.

If you don't want to disable the service, create a firewall Application rule for the All Applications group that allows: (This is what I do)

Application Name - All Applications File Group
Action - Allow
Protocol - UDP
Direction - Out
Source Address - ANY
Destination Address - 224.0.0.252
Source Port - ANY
Destination Port - 5355

Place the rule at the top of the Application rules list.

Edit: Just a thought. If you have one of the 'Home' designated versions of Windows, you can make the change via the registry:

1. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient

2. Set EnableMulticast to 0
« Last Edit: February 20, 2013, 06:07:28 PM by Radaghast »
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline guti

  • Newbie
  • *
  • Posts: 20
Re: Popup for Multicast 224.0.0.252 for every application
« Reply #2 on: February 21, 2013, 06:45:28 AM »
Thanks for the reply.

Quote
Unfortunately, this is a bug in CIS. Strictly speaking only svchost should make these queries.

I don't understand why they don't get this fixed, this has been bugging me and others for a while now.

Quote
What may be easier then trying to block these connections is disabling LLMNR. You could disable Network Discovery in Network and sharing but it's likely you'll still see these alerts. better would be to disable it with the group policy editor.

I'd rather not change any of the Windows settings for this, as I'm unsure about the side effects. Also, I don't have control over all computers on the local network.

Quote
If you don't want to disable the service, create a firewall Application rule for the All Applications group that allows: (This is what I do)

That's what I just did and I'll report back if I see the popup again.

What's interesting is that if I click on allow/remember on one of these alerts, I get an entry in the application rules that looks like this:
Action: Allow
Protocol: IP
Direction: OUT
SOURCE: ANY
DEST: 224.0.0.252
IP DETAILS: IP PROTOCOL: IGMP


By the way, the application rules list is just horrible to deal with, and hasn't changed for ages. They do all kinds of redesign (which actually makes CIS less usable, since it's harder to get to the important screens), but don't improve handling of application rules. I have more than hundred applications in this list, they appear to be not sorted by anothing, just moving the new rule from bottom to top takes more than a hundred clicks! If you want to find a single application there is not even a search function anymore (the one that used to be there was crappy, as you couldn't just search for the name of the exe, but had to enter the whole path. But instead of improving it they completely removed it!)

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Popup for Multicast 224.0.0.252 for every application
« Reply #3 on: February 21, 2013, 07:22:54 AM »
Thanks for the reply.

I don't understand why they don't get this fixed, this has been bugging me and others for a while now.

I'd rather not change any of the Windows settings for this, as I'm unsure about the side effects. Also, I don't have control over all computers on the local network.

That's what I just did and I'll report back if I see the popup again.

What's interesting is that if I click on allow/remember on one of these alerts, I get an entry in the application rules that looks like this:
Action: Allow
Protocol: IP
Direction: OUT
SOURCE: ANY
DEST: 224.0.0.252
IP DETAILS: IP PROTOCOL: IGMP

Yes, it does that. Unfortunately, it's not quite correct.


Quote
By the way, the application rules list is just horrible to deal with, and hasn't changed for ages. They do all kinds of redesign (which actually makes CIS less usable, since it's harder to get to the important screens), but don't improve handling of application rules. I have more than hundred applications in this list, they appear to be not sorted by anothing, just moving the new rule from bottom to top takes more than a hundred clicks! If you want to find a single application there is not even a search function anymore (the one that used to be there was crappy, as you couldn't just search for the name of the exe, but had to enter the whole path. But instead of improving it they completely removed it!)

I completely agree. If you look around the forums, you'll find many others feel the same way.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline guti

  • Newbie
  • *
  • Posts: 20
Re: Popup for Multicast 224.0.0.252 for every application
« Reply #4 on: February 21, 2013, 10:50:09 AM »
Quote
If you don't want to disable the service, create a firewall Application rule for the All Applications group that allows: (This is what I do)

The popup still appears for these Multicast requests... :-(

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Popup for Multicast 224.0.0.252 for every application
« Reply #5 on: February 21, 2013, 05:45:05 PM »
The popup still appears for these Multicast requests... :-(

I guess you need to post details of the rule(s) you've created. Screen shots of the expanded rule(s) will do.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

 

Seo4Smf 2.0 © SmfMod.Com | Smf Destek