Author Topic: Windows Operating System IGMP Protocol "Blocked" entry in FW Events  (Read 17796 times)

Offline Ronny

  • Product Translator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 13427
  • Volunteer Moderator
Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #15 on: February 23, 2009, 07:34:52 AM »
A quote from MS TCP/IP fundamentals:

For an Application to receive Multicast traffic it must inform the IP stack that it will receive multicast traffic at a specified address.

For the rest this is not new, there are posts about this 224.0.0.22 from around 2006, but I can't stand the fact that I have not found the answer yet ;-)

RFC 3376                         IGMPv3                     October 2002


4.2.14. IP Destination Addresses for Reports

   Version 3 Reports are sent with an IP destination address of
   224.0.0.22, to which all IGMPv3-capable multicast routers listen.  A
   system that is operating in version 1 or version 2 compatibility
   modes sends version 1 or version 2 Reports to the multicast group
   specified in the Group Address field of the Report.  In addition, a
   system MUST accept and process any version 1 or version 2 Report
   whose IP Destination Address field contains *any* of the addresses
   (unicast or multicast) assigned to the interface on which the Report
   arrives.


So there must be an application that wants to send out IGMP v3 reports. I think we need a packet capture to see what's in it. Also, a router running UPnP could trigger some IGMP traffic.
Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

Offline buttoni

  • Comodo Loves me
  • ****
  • Posts: 108
    • Buttoni's Low-Carb Recipes
Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #16 on: February 23, 2009, 08:52:18 AM »
FWIW I have had the UPnP service disabled in Windows Services for some time now.  I'm having no connectivity issues. 

Sorry, you're over my head on the packet capture.  Pray tell, how would I go about doing that for you?
« Last Edit: February 23, 2009, 11:06:05 AM by buttoni »
HP Pavilion p6-2120T Quad Core; 8 GB ram; 23" HP 2311 monitor; Win7x64 Home Premium; FX 13.0.1; AdBlock+;  DSL 2Wire modem/router; Comodo FW 5.10(D+ & sandbox enabled); MSE; MBAM on demand.

Offline Ronny

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #17 on: February 23, 2009, 08:57:11 AM »
It's not only UPnP on your system, other devices on your local network could also be using UPnP like a router or multimedia streaming servers etc...

I'll look into it further before we need a packet capture.

Offline Ronny

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #18 on: February 23, 2009, 09:18:04 AM »
I found one in my logging, there is an application asking for UPnP before WOS sends out an IGMP request as per RFC.

See screenshot, and notice the timestamps.

I'll see if I can "force" this with uTorrent or so to see how this behaves.
That it is WOS triggering this is not a real surprise because the app asks the IP Stack to set up Multicast communication.

tmr250z

  • Guest
Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #19 on: February 23, 2009, 09:36:59 PM »
It's not only UPnP on your system, other devices on your local network could also be using UPnP like a router or multimedia streaming servers etc...

Well, UPnP is disabled on my router, but it is running on my laptop (the only computer on my network). So I'll disable it on my laptop as well and see if the WOS IGMP still shows up in the logs when I restart my computer.

EDIT: OK, since disabling UPnP and its partner, SSDP, the WOS IGMP has disappeared from my logs at startup. Also, seeing that UPnP calls out to port 1900, svchost.exe and explorer.exe have stopped calling out to port 1900 at startup since disabling the 2 services, too. So, it looks like you're right Ronny.
« Last Edit: February 24, 2009, 02:27:46 AM by tmr250z »

Offline Ronny

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #20 on: February 24, 2009, 04:17:10 AM »
I can trigger this by using for example uTorrent, if you have this installed and using UPnP it will trigger these packets to the network.

one call to 224.0.0.22 - IGMP v3 register request to "discover" UPnP routers on the local network.
two calls to 239.255.255.250 udp 1900 UPnP packets.

So it's the application that causes this, in this case you can "untick" UPnP usage from uTorrent. But basically every application that calls for UPnP can cause this :-))

So it's up to you to use it or not, personally I don't like it and have it disabled on my router and hosts.
« Last Edit: February 24, 2009, 04:20:34 AM by Ronny »
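
What a packet capture of the 224.0.0.22 entry would contain, as an added example that is not part of the original thread: a parser for the IGMPv3 Membership Report (RFC 3376) that checks the checksum and lists which multicast group the host is reporting. The sample packet is constructed and assumes an any-source join of 239.255.255.250, the UPnP/SSDP group named above; the function names are illustrative.

```python
import ipaddress
import struct

RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE", 3: "CHANGE_TO_INCLUDE_MODE",
                4: "CHANGE_TO_EXCLUDE_MODE", 5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}
SSDP_GROUP = "239.255.255.250"  # UPnP discovery group named in the thread

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum, as IGMP uses over the whole message."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_v3_report(payload: bytes) -> list[dict]:
    """Parse the IGMP payload (IP header already removed) of a v3 report."""
    if len(payload) < 8:
        raise ValueError("truncated IGMPv3 report")
    msg_type, _, _, _, count = struct.unpack("!BBHHH", payload[:8])
    if msg_type != 0x22:
        raise ValueError(f"not an IGMPv3 Membership Report (type {msg_type:#x})")
    if inet_checksum(payload) != 0:  # a valid message sums to zero
        raise ValueError("bad IGMP checksum")
    records, off = [], 8
    for _ in range(count):
        if off + 8 > len(payload):
            raise ValueError("truncated group record")
        rtype, aux_len, nsrc, group = struct.unpack("!BBH4s", payload[off:off + 8])
        end = off + 8 + 4 * nsrc + 4 * aux_len  # sources, then aux data in 32-bit words
        if end > len(payload):
            raise ValueError("group record overruns packet")
        sources = [str(ipaddress.IPv4Address(payload[i:i + 4]))
                   for i in range(off + 8, off + 8 + 4 * nsrc, 4)]
        records.append({"type": RECORD_TYPES.get(rtype, f"UNKNOWN({rtype})"),
                        "group": str(ipaddress.IPv4Address(group)),
                        "sources": sources})
        off = end
    return records

def build_join(group: str) -> bytes:
    """Constructed sample: any-source join (CHANGE_TO_EXCLUDE_MODE, no sources)."""
    body = struct.pack("!BBHHH", 0x22, 0, 0, 0, 1)
    body += struct.pack("!BBH4s", 4, 0, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

SAMPLE = build_join(SSDP_GROUP)  # constructed, not a capture from the thread
```

The group address inside the report, not the 224.0.0.22 destination, is what identifies the multicast group the application asked the IP stack to join.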

Offline buttoni

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #21 on: February 24, 2009, 02:57:48 PM »
FWIW I have had the UPnP service disabled in Windows Services for some time now. 

OOPS!  My bad.  It hasn't been disabled, merely in "Started" status set to "Manual".  I disabled it to see what would happen.  My Canon Pixma MP180 printer refused a print job of a Microsoft KB article.  The error message said it was off line when it was most assuredly turned on & cabled to the pc as always.  The minute I restarted UPnP to manual in services the print job executed.  Looks like there is a third piece of hardware on my LAN.  Never once thought about my printer.

The MP180 is an all-in-one printer, scanner, copier, photo printer.  It has a slot to insert a memory card so you can print your pictures directly from it without a pc at all (though I've never done so and had forgotten about that capability).  Connected to a pc, as it is, it appears in the display of My Computer, Printers & Scanners.  There used to be a scanner file in auto start called SSBkgupdate (ScanSoft SW).  Maybe it's still calling home for updates and uses IGMP?

Whatever, I don't think the entry is nefarious anymore.  For that, I want to thank everyone for their input.  You may have nailed it Ronny.  You guys are great!  Thanks for being there for folks like me.  Think I'll set up a rule to allow this file "outbound only" and see if that stops the BLOCK by Comodo at boot up.  Would just as soon not be blocking any SW updates.  I'll post back as to whether my ALLOW rule does the trick.

Offline Ronny

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #22 on: February 24, 2009, 03:23:13 PM »
You're welcome, no problem.

Is that printer connected to the network? Or by USB cable?
From what I have found it uses USB, then it has to have something to do with the printer/driver software depending on it, though it does not make sense for "phone home/check for updates" that would not need UPnP.
UPnP is only needed for "incoming" traffic.

Was it a 224.0.0.22 match or a UPnP call?

Offline buttoni

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #23 on: February 24, 2009, 03:32:20 PM »
Somebody whack me upside the head.  Sorry I misstated in my last post.  My eyes are really playing tricks on me these days.  It was my Plug and Play service that is set to Started, Manual.  When I disabled THAT service my printer/scanner baulked.

My UPnP Device Host has been disabled for ages.  Must be my router, then?  I'll go out to the 2Wire website and take a good hard look at all router firewall settings.  I'll be back. 

Offline Ronny

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #24 on: February 24, 2009, 03:34:07 PM »
That makes sense, stopping "Plug and Pray" and the printer not functioning :-))

Offline buttoni

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #25 on: February 24, 2009, 08:23:55 PM »
You're welcome, no problem.

Is that printer connected to the network? Or by USB cable?
From what I have found it uses USB, then it has to have something to do with the printer/driver software depending on it, though it does not make sense for "phone home/check for updates" that would not need UPnP.
UPnP is only needed for "incoming" traffic.

Was it a 224.0.0.22 match or a UPnP call?

It's USB cabled at the back of the PC.  It's not shared, as I'm the only pc on this "lan", if you can call it a lan.  Maybe we'll get another pc or two and then I'll feel like it really is a lan, LOL. 

I went out to the 2Wire Home Portal website & checked every single page on the site for my modem/router settings.  I saw no reference to UPnP anywhere.  It shows I'm Ethernet=1 and Wireless=0 (no surprise, since as I told the SBC installer I didn't want him to set it up as wireless, but hard-wired to the phone system), I'm connecting with PPPoE, and the router obtains my IP address automatically and my DNS information automatically.  I know this to be the case as every time I sign on over at BBR DSL Reports forums it tells me I'm at a different IP address on the login screen.

As to whether the IGMP entry is a "match" or "call" to that IP#, sorry, I don't know what that means. 

Offline Ronny

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #26 on: February 25, 2009, 07:17:02 AM »
A "match" would be a logged entry of the 224.0.0.22 address.
A UPnP "call" would be a logged entry of the 239.255.255.250 udp 1900 traffic.

Offline buttoni

Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #27 on: February 25, 2009, 08:37:39 AM »
Then it was a "match".  Nothing else on the log but the logged entry: Win Op System OUT using IGMP from my IP to 224.0.0.22 with blanks where source/destination ports are shown.

Offline ravendawson

  • Newbie
  • *
  • Posts: 1
Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #28 on: November 28, 2010, 06:14:53 PM »
Protocol IGMP is either enabled by you or your ISP. The default multicast address is 224.0.0.22 and if this protocol is blocked by Comodo, it's not really that bad. Therefore, I don't think it's a security issue.

Offline diverxl

  • Comodo Family Member
  • ***
  • Posts: 94
Re: Windows Operating System IGMP Protocol "Blocked" entry in FW Events
« Reply #29 on: February 01, 2011, 06:02:34 AM »
Hello

This is an old thread but still people look for IGMP 224.0.0.22 related info on the net.

I also have a clean and fresh vanilla Win7 32b running with CIS on it and some outbound cons I marvel on.

This thing described above might derive from any router that sits before your lan/pc. Some have an option for UPnP support and may depend on this. E.g., my router needs it as far as I am aware of for its fax (software fax on my client pc) to work.

However, I am an absolute beginner and have no real knowledge so please take the above as my assumption only.
