Access to the Internet

I have installed Comodo Firewall (not Anti virus) v4.1.150349.920

On installation Comodo found my home network 192.168.1.100/255.255.255.0
I named this network but made my PC not accessible to other PC’s on the network. Also no tick in box for “Do not automatically detect new networks”

When I try to access the internet via Internet Explorer I cannot do so unless I grant internet access for the “Windows Operating System”; further this permission must be general rather than the predefined policy of Web Browser.

How do I find out which applications are covered by “Windows Operating System” - I cannot find a definition of the precise term?? Is it the applications listed under “Windows System Applications” if you go to Defense+ → My Protected Files → Groups??

Obviously this is a very broad grouping, do you know which specific components of the operating system need access to the internet for browsers, mail and skype type applications to function correctly??

On another PC when I installed Comodo I made this second PC accessible to other PC’s on the home network. This created a firewall permission for access to/from the home network. On this second PC Internet Explorer can access the internet without any firewall permissions for the Windows Operating System.

I would appreciate help in understanding these various positions and why they are different??

Many thanks. :slight_smile: :slight_smile:

Would be very grateful for any help on this topic.

Many thanks. :slight_smile: :slight_smile:

What OS are you on? Can you show a screenshot of your Global Rules?

I would also like to see screenshot of Application Rules so I can see rules for System and Svchost.

From original post call main PC “PC1” and second PC is “PC2”

For PC1 my O/S is Vista Ultimate - screen shots of Global Rules and Application Rules for PC1 follows:

http://a.imageshack.us/img5/8499/globalrulespc1.jpg

http://a.imageshack.us/img199/5793/applicationrulespc1.jpg

For PC2 my O/S is Vista Home Premium - screen shots of Global Rules and Application Rules for PC2 follows:

http://a.imageshack.us/img820/2733/globalrulespc2.jpg

http://a.imageshack.us/img580/53/applicationrulespc2.jpg

PC1 is set up as “Block all incoming connections and make my ports stealth for everyone”.
PC2 has a Trusted Network that includes the IP address of PC1. PC2 is set up as “Define a new trusted network and make my ports invisible for everyone else”.

PC1 can see PC2 but not vice-versa (as it should be).

Many thanks for your help. :slight_smile: :slight_smile:

For PC1 add a rule for svchost.exe and set it to outgoing only. Push the Add button → choose from a running process → look up svchost.exe, add it and set it to Outgoing Only. That should give you back internet access.

On PC1 you will need to define your local network as a trusted network by using the Stealth Ports Wizard.

First we need to do some groundwork by defining your local network. That is done under Firewall → Common Tasks → My Network Zones.

Usually you will find it defined by the automatic detection of new private networks. You will see a network defined with an IP address/mask like 192.168.1.x/255.255.255.0. Select and Edit it and give it a proper name like My Home Network.

In case it is not there we will define it. Choose Add → A New Network Zone → enter the name: My Home Network → Apply.
Now select My Home Network → Add → A New Address → choose An IP Address Mask → fill in your local IP address in the first part (192.168.1.x; with x being a number) and 255.255.255.0 in the second part.

Now open the Stealth Ports Wizard → select “Define a new trusted network - stealth my ports for everyone else” → Next → select “I would like to trust from a network zone previously defined” → from the drop down menu below choose My Home Network → Finish.

Now we are done. You can see the newly added rules under Firewall → Advanced → Network Security Policy → Global Rules.

Let us know if this helped.

Thanks for your help. But I am afraid that I have not explained my query properly.

At the moment both PC1 and PC2 have internet access with their respective Comodo settings.

I want PC2 to be accessible from PC1 but PC1 not accessible to anyone. I have done this successfully by the following Comodo settings:
PC1 is set up as “Block all incoming connections and make my ports stealth for everyone”. PC2 has a Trusted Network that includes the IP address of PC1. PC2 is set up as “Define a new trusted network and make my ports invisible for everyone else”.

Although everything is actually working I think that the permissions are too broad for PC1 and I do not understand the differences between the settings for PC1 and PC2.

My queries relate to the different Comodo firewall settings that I currently have under Firewall → Advanced → Network Security Policies (principally the Applications Rules tab). These are:

  1. On PC1 in order to access the internet via Internet Explorer I had to give internet access for the “Windows Operating System”; further this permission must be general rather than the predefined policy of Web Browser. You can see this in the image for Applications Rules for PC1.

How do I find out which applications are covered by “Windows Operating System” - I cannot find a definition of the precise term?? Is it the applications listed under “Windows System Applications” if you go to Defense+ → My Protected Files → Groups?? But these are differently named Groups. If I look at running processes there is a group called Windows Operating system but this is every running process; if this is the definition the rule is allowing ALL applications to access the internet which would be very worrying???

Obviously Windows Operating System is a very broad grouping, can you advise which specific components of the operating system need access to the internet for browsers, mail and Skype type applications to function correctly??

I have also noted that if I delete the Application Rule for the Windows Operating System I get a Comodo alert that is trying to reinstate this rule before I even try to access the internet through Explorer. It is as if the PC itself is trying to access the internet?? The Comodo alert is:

http://a.imageshack.us/img185/9768/comodoalert.jpg

The IP address: 194.168.8.100 is described as cach2.service.virginmedia.net (my ISP is VirginMedia). This is a Virgin Media DNS server. Sometimes the alert shows the IP 192.168.1.50 which is a printer attached to a home network.

If I delete the Applications Rule for Windows Operating System and then add a rule for svchost.exe as described in your post this is not sufficient to give me internet access via Internet Explorer.

  2. On PC2 when I installed Comodo I made this second PC accessible to other PC’s on the home network. This created a firewall permission for access to/from the home network (under the Group name “System”). On this second PC Internet Explorer can access the internet without any firewall permissions for the Windows Operating System. In fact there does not seem to be any permissions (within Application Rules) for PC2 to access the internet beyond the home network. How is PC2 able to access the wider network without any alerts??

In Application Rules for PC2 there is a Group called “System” but again I cannot find any definition as to what applications this Group includes?? This Group seems to have been added as part of making PC2 accessible to PC’s on the home network.

I would appreciate your help in understanding these various queries.

Many thanks. :slight_smile: :slight_smile:

I am very anxious to resolve this issue - please help. :slight_smile: :slight_smile:

  1. Still wrapping my head around it. First question. What is your network set up? Are you on ADSL or cable? Is there a router present? Is one of the two computers acting as access to the web for the other computer (Internet Connection Server; ICS)?

  2. System handles sharing files, folders and printers over the local network (NETBIOS) to put it shortly. When running the Stealth Ports Wizard to open up to the local network it will add rules for that in System and Global Rules. Although using v5 RC application rules shows similar to yours. Not sure what the logic behind it is; I am too much used to using Proactive Security… :-X :wink:

Many thanks for your help.

To answer your questions:

  1. I use cable - Virgin Media in UK.
  2. No ICS. I use a Linksys router which connects to the cable modem. PC1 (192.168.1.100) has a wired connection to the router. PC2 (192.168.1.101) has a wireless connection to the router.
  3. Under More → Manage My Configurations - My Configurations I have:
    COMODO - Proactive Security Active

Apart from Comodo not behaving as expected, it then seems very strange/very worrying that under Firewall → Advanced → Network Security Policy → Application Rules Comodo has created an Applications Rule for the “Windows Operating System” that allows all outgoing traffic??

Comodo would not let me access the internet without creating that rule from an alert!!!

The only source for a definition of “Windows Operating System” is from Active Processes which seems to mean that Windows Operating System is everything running on the PC. Hence the rule means that every process on the PC is allowed through the firewall (outgoing only). Very worrying - cannot be right!!!

Many thanks for your help. :slight_smile: :slight_smile:

Let me first answer a pending question. You were wondering why you don’t see a rule being made for IE and a difference in the amount of rules in Network Security Policy → Application Rules.

In the default settings CIS will not make rules for safe applications. There will be a standard rule applied but that will not be in Application Rules. That’s why you don’t see any rules for IE and other programs; only unknown programs will have rules in Application Rules.

You can enable CIS to make rules for safe applications under Firewall → Advanced → Firewall Behaviour Settings by ticking “Create Rules for safe applications”.

Also make sure that “This computer is an Internet connection gateway (i.e. an ICS server)” is disabled under Firewall → Advanced → Firewall Behaviour Settings → Advanced.

To wrap my head more around PC1 I want you to do the following. Remove the rule for Windows Operating System (WOS after this) and make the rule for svchost.exe again setting it to outgoing only. Then post a screenshot of your firewall logs. They are under Firewall → Common Tasks → View Firewall Events. I

The WOS alert you show says CIS cannot tell what process is listening to the incoming DNS traffic. Maybe there is another security program interfering. Do you have other security program(s) running in the background? Or another program that interferes with networking like Net Limiter or others. Try disabling them.

Did you recently move to CIS? If so what firewall were you using before CIS?

Understood.

> You can enable CIS to make rules for safe applications under Firewall --> Advanced --> Firewall Behaviour Settings by ticking "Create Rules for safe applications".

Also understood. From looking at other posts I had reached the conclusion that while I could do this it was probably better not to do so. Hence no tick to create rules for safe applications.

> Also make sure that "This computer is an Internet connection gateway (i.e. an ICS server)" is disabled under Firewall --> Advanced --> Firewall Behaviour Settings --> Advanced.

Understood. I had already disabled ICS Server.

> To wrap my head more around PC1 I want you to do the following. Remove the rule for Windows Operating System (WOS after this) and make the rule for svchost.exe again setting it to outgoing only. Then post a screenshot of your firewall logs. They are under Firewall --> Common Tasks --> View Firewall Events. I

I had already tried removing the WOS rule and adding a rule for svchost.exe (outgoing only). I could not connect to the internet and I got the WOS alert again. I have also tried deleting the WOS rule and adding a rule for svchost.exe, services.exe, lsass.exe and spoolsv.exe (outgoing only); same result - I could not connect to the internet and I got the WOS alert.

> The WOS alert you show says CIS cannot tell what process is listening to the incoming DNS traffic. Maybe there is another security program interfering. Do you have other security program(s) running in the background? Or another program that interferes with networking like Net Limiter or others. Try disabling them.

The only other security program I have running in the background is Avira AntiVir Personal. I also have Sandboxie installed on my PC (the Comodo “sandbox” is disabled); the WOS alert appeared without anything being sandboxed in the Sandboxie sandbox. From other forums many people seem to use Comodo firewall, Avira and Sandboxie without any problems. I have only the Comodo firewall installed (not the Comodo anti virus). Nothing like Net Limiter is installed.

> Did you recently move to CIS? If so what firewall were you using before CIS?

Before I installed CIS I was using Zone Alarm Security Suite (ZASS) - this is a combination of firewall + antivirus/antispyware. Before installing Comodo I uninstalled ZASS with a ZASS tool (cpes_clean) which is designed to completely remove ZASS. With ZASS no problems analogous to WOS.

Your help is much appreciated. Many thanks. :slight_smile: :slight_smile:

I am running out of ideas for the moment. I asked the other mods to come and take a look.

OK. Thanks. I will wait for further thoughts. :slight_smile: :slight_smile:

2 quick questions:

  1. The rule on PC1 for WOS. WOS is not a defined Comodo Group. What are the files within the WOS category for the purposes of Application Rules?? If I look under Running Processes there is WOS but that is everything running on the PC. If this is the meaning of WOS then the WOS rule is effectively giving everything on PC1 access to the internet (outgoing only)!!!??? Not a happy situation.

  2. The rule on PC2 for System. Again System is not a defined Comodo Group. What are the files within the System category for the purposes of Application Rules?? If I look under Running Processes there is a category called System. At the time I looked there was only one item under System - smss.exe. Is this the definition for System in Application Rules??

Many thanks. :slight_smile: :slight_smile:

Grossly speaking System handles sharing files, folders and printers over the local network also known as NETBIOS over TCP/IP. I can’t tell what files are in that group. NETBIOS uses ports 137-139.

Let’s stay focused on the WOS alerts for now. The alert says something is obscuring the view for CIS and mentions VPN client or packet filter. With the latter think about programs like Wire Shark or ZenMap; they will both use PC Cap sniffer to build upon. Does this ring a bell? Do you have a VPN client running on your computer?

Isn’t it a concern that there is a rule (WOS) where we do not know what it does because we cannot determine which files it applies to??

And even “System” is not precisely defined??

No VPN Client or packet filter on PC. Never heard of Wire Shark or ZenMap.

Thanks again. :slight_smile: :slight_smile:

Any more thoughts??

Should I try an email to Comodo support??

Many thanks. :slight_smile: :slight_smile:

Please read the alert it gave. WOS is a pseudo process and the name is used when CIS cannot see a program listening (in case of incoming traffic) or what program is trying to establish a connection.

> And even "System" is not precisely defined??

Nothing to add to what I already stated.

> No VPN Client or packet filter on PC. Never heard of Wire Shark or ZenMap.
>
> Thanks again. :slight_smile: :slight_smile:

To take a different angle. I want you to run a clean Proactive profile and see what happens. Go to Manage My Configurations → Import → navigate to the CIS installation folder and import the Proactive Security and name it Proactive Security Test (or so). Now activate the profile and see what happens. Does the same thing happen?

I understand that the WOS alert is because CIS does not know what program is listening/trying to establish connection.

BUT when WOS Applications Rule is made that gives outgoing permission, this rule must apply to all the files in the WOS category. If the WOS from Running Processes is the same then WOS is everything on the PC. Therefore the WOS Applications Rule gives outgoing access to everything on the PC. Do you agree??

There is a logic to this in that if CIS cannot determine which program is causing the alert the only solution for CIS is to create a rule that allows everything. Does this make sense to you??

Many thanks. :slight_smile: :slight_smile:

PS: When I downloaded CIS to install I downloaded “32-bit Windows 7/Vista/XP SP2”. There is also a “Universal Windows Web Installer”. Do you think that the Web Installer might be better??
I presume the Web Installer is just installing direct from the Comodo servers rather than downloading an Installer Package??

Progress!!!

I was going to give up on Comodo and go back to ZASS. But, I thought that this was defeatist, so I decided to uninstall Comodo and reinstall as one last attempt.

After installation I was going through the various settings changes and I noticed that the WOS alerts appeared after I removed the tick from “This computer is an internet connection gateway (ie an ICS Server)” under Firewall → Advanced → Firewall Behaviour Settings → Alert Settings. If I put the tick back in (and restarted my PC – I had to restart the PC for the change to be effective) then I no longer got the WOS alerts and I could access the internet with no problems. I have checked this several times and it is definitely the cause of the WOS alerts.

The conundrum is that my PC is definitely not an ICS Server. My PC (PC1) is connected (via a wired connection) to the internet through a Linksys router to the Virgin modem. The second PC (PC2) on my home network is connected (via a wireless connection) to the Linksys router. There is also a printer on the home network; the printer is connected (via a wired connection) to the Linksys router. The printer is also directly connected to my PC (PC1) via a USB connection.

In the Comodo settings for my second PC (PC2) I removed the tick from “This computer is an internet connection gateway (ie an ICS Server)” under Firewall → Advanced → Firewall Behaviour Settings → Alert Settings. PC2 accesses the internet without any problems. I have never had the WOS alert on PC2.

When the PC was restarted with the tick removed a new network was detected: 169.254.160.75/255.255.0.0?? I think that this is another symptom of the same problem.

I have uploaded the contents of the Firewall Events that occurred when I was getting the WOS alerts (after I removed the tick as above). There are 4 images so you can see all the alerts – but there is a lot of repetition (I thought that links would be easier than images as images might make the post more difficult to read).

http://a.imageshack.us/img830/8170/firewallevents1.jpg
http://a.imageshack.us/img267/1183/firewallevents2.jpg
http://a.imageshack.us/img826/6969/firewallevents3.jpg
http://a.imageshack.us/img828/7627/firewallevents4.jpg

Hence my queries are:

  1. Why is this happening – it clearly isn’t the intended behaviour of Comodo??
  2. Are there any downsides/risks in leaving the tick in “This computer is an internet connection gateway (ie an ICS Server)” even though my PC is not an ICS Server??

Could I add one other query:

When PC was first restarted after Comodo install, Comodo detected private network 192.168.1.100/255.255.255.0 – I named the network and left NO ticks in both “I would like to be fully accessible to other PC’s in this network” and “Do not automatically detect new networks” (ie both boxes were unticked).

For PC1 I went to Firewall → Common Tasks → Stealth Ports Wizard and selected “Block all incoming connections and make my ports stealth for everyone”. I got the message “Your firewall has been configured accordingly”. The Global Rules under Network Security Policy are as below.

http://a.imageshack.us/img5/8499/globalrulespc1.jpg

However from PC2 I can see PC1 and access shared files on PC1. I cannot understand how this is possible. Surely the Global Rule “Block IP In from IP Any to IP Any Where Protocol is Any” on PC1 should block the incoming connection from PC2.

With the selection under Stealth Ports Wizard PC2 should clearly not be able to access files on PC1 and I thought that stealth meant that PC2 would not even be able to see PC1 (ie PC1 would not show on the Network as viewed from PC2)??

Under view Firewall Events there is no event to show the connection of PC2 to PC1 – would you expect to see one??

Can you explain to me why this is happening?? And explain how to resolve this issue.

Is it possible that PC2 is connecting in to PC1 via one of the two Global Rules (i) Allow ICMP in when ICMP message is FRAGMENTATION NEEDED; or (ii) Allow ICMP in when ICMP message is TIME EXCEEDED?? Sounds very unlikely to me. But if not why is Comodo not blocking the incoming communication from PC2 due to the application of Global Rule = “Block IP In From IP Any To IP Any When IP Protocol Is Any”??

Overall Comodo looks good but it is very disconcerting when Comodo does not behave as it clearly should!!

Many thanks for all your help. :slight_smile: :slight_smile:

Maybe having the printer connected both via the network and USB port at the same time is playing a role. Try disconnecting the printer from the USB port and see what happens. Then hook it up to PC2 and see what happens.

> When the PC was restarted with the tick removed a new network was detected: 169.254.160.75/255.255.0.0?? I think that this is another symptom of the same problem.

This means the computer does not see a DHCP server. The latter can have various causes so I would not jump to a far reaching conclusion as yours. This can be caused by a problem with the wire, NIC driver, router being temporarily unavailable (spontaneous reboot) or the firewall not having released the network connection during boot.

> I have uploaded the contents of the Firewall Events that occurred when I was getting the WOS alerts (after I removed the tick as above). There are 4 images so you can see all the alerts – but there is a lot of repetition (I thought that links would be easier than images as images might make the post more difficult to read).
>
> http://a.imageshack.us/img830/8170/firewallevents1.jpg
> http://a.imageshack.us/img267/1183/firewallevents2.jpg
> http://a.imageshack.us/img826/6969/firewallevents3.jpg
> http://a.imageshack.us/img828/7627/firewallevents4.jpg
>
> Hence my queries are:
>
> 1. Why is this happening – it clearly isn’t the intended behaviour of Comodo??

We are still investigating so I have no definitive answer.

> 2. Are there any downsides/risks in leaving the tick in “This computer is an internet connection gateway (ie an ICS Server)” even though my PC is not an ICS Server??

There is no risk if you make sure no unknown internet capable devices are connected to your computer (read; disable Bluetooth if you have that).

Maybe your PC1 is set to be an ICS gateway. Can you check?

> Could I add one other query:
>
> When PC was first restarted after Comodo install, Comodo detected private network 192.168.1.100/255.255.255.0 – I named the network and left NO ticks in both “I would like to be fully accessible to other PC’s in this network” and “Do not automatically detect new networks” (ie both boxes were unticked).
>
> For PC1 I went to Firewall → Common Tasks → Stealth Ports Wizard and selected “Block all incoming connections and make my ports stealth for everyone”. I got the message “Your firewall has been configured accordingly”. The Global Rules under Network Security Policy are as below.
>
> http://a.imageshack.us/img5/8499/globalrulespc1.jpg
>
> However from PC2 I can see PC1 and access shared files on PC1. I cannot understand how this is possible. Surely the Global Rule “Block IP In from IP Any to IP Any Where Protocol is Any” on PC1 should block the incoming connection from PC2.
>
> With the selection under Stealth Ports Wizard PC2 should clearly not be able to access files on PC1 and I thought that stealth meant that PC2 would not even be able to see PC1 (ie PC1 would not show on the Network as viewed from PC2)??
>
> Under view Firewall Events there is no event to show the connection of PC2 to PC1 – would you expect to see one??
>
> Can you explain to me why this is happening?? And explain how to resolve this issue.
>
> Overall Comodo looks good but it is very disconcerting when Comodo does not behave as it clearly should!!
>
> Many thanks for all your help. :slight_smile: :slight_smile:

I am starting to play with the thought that there is something not quite right on PC1 as it will allow PC2 to see shared folders.

What was the previous firewall you used on PC1? It may not have been uninstalled properly. Following is a tutorial on how to manually find driver leftovers from a previously uninstalled firewall.

We are gonna take a look to see if some old drivers of your previously uninstalled security programs are still around. Go to Device Manager → View → show hidden devices → now look under Non Plug and Play drivers → when you see a driver that belongs to your previous security programs click right → uninstall → reboot your computer.

When the problem persists make sure there are no auto starts from your previous security programs. Download Autoruns and run it.

This program finds about all auto starts in Windows. This tool can therefore seriously damage Windows when not handled properly. After starting push Escape and go to Options and choose to hide Windows and Microsoft entries, to include empty locations and then push F5 to refresh.

Now check all entries to see if there are references to your previous security program. When you find them untick them. After unticking reboot your computer and see what happens.
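
The leftover-driver and autostart check described in the post above, as an added example that is not part of the original thread: a read-only Windows PowerShell script that lists kernel drivers and Run-key autostarts matching a previous security product. The `$Pattern` default and the helper name `Resolve-DriverPath` are assumptions; `Get-WmiObject` is used so it also runs on older Windows PowerShell versions.

```powershell
# Added example, read-only: it only lists candidates, nothing is removed or disabled.
param(
    # Assumed search text identifying the old product (regex, case-insensitive).
    [string]$Pattern = 'Zone'
)

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName appears in several forms, for example:
    #   \SystemRoot\system32\drivers\x.sys
    #   \??\C:\Windows\system32\drivers\x.sys
    #   system32\drivers\x.sys
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Kernel and file-system drivers, including the non-Plug-and-Play ones that
#    Device Manager only shows with "show hidden devices" enabled.
$drivers = Get-WmiObject Win32_SystemDriver | ForEach-Object {
    $file = Resolve-DriverPath $_.PathName
    $vendor = $null
    if ($file -and (Test-Path -LiteralPath $file)) {
        # Vendor name from the driver file's version resource, when present.
        $vendor = (Get-Item -LiteralPath $file).VersionInfo.CompanyName
    }
    New-Object PSObject -Property @{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        State       = $_.State
        StartMode   = $_.StartMode
        Path        = $file
        Vendor      = $vendor
    }
} | Where-Object {
    "$($_.Name) $($_.DisplayName) $($_.Path) $($_.Vendor)" -match $Pattern
}

# 2. Run-key autostarts. Autoruns covers many more locations; this is only
#    the most common pair.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autostarts = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and
                               "$($_.Name) $($_.Value)" -match $Pattern } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Key     = $key
                        Entry   = $_.Name
                        Command = $_.Value
                    }
                }
        }
    }
}

if ($drivers) {
    $drivers | Format-Table Name, State, StartMode, Vendor, Path -AutoSize
} else {
    Write-Output "No drivers matching '$Pattern'."
}
if ($autostarts) {
    $autostarts | Format-Table Key, Entry, Command -AutoSize
} else {
    Write-Output "No Run-key autostarts matching '$Pattern'."
}
```

Anything it lists is only a candidate: confirm the entry belongs to the old product before uninstalling it in Device Manager or unticking it in Autoruns.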