Access to the Internet

Many thanks for your responses.

I will do the various checks and report back. But in the meantime:

  1. Could you advise how I check whether PC1 is set to be an ICS gateway??

  2. The fact that PC2 can see/access PC1 means that Comodo is not working as it should. Hence, while this testing is going on, I do have the worry as to whether the Comodo Firewall is protecting me from the external internet (i.e. beyond the home network), i.e. is Comodo failing to work in other areas? Do you think that this is something I should be concerned about?? Is there a simple way to test the effectiveness of the Comodo Firewall against the external internet??

After all, if Comodo is not performing as it should in one regard it seems that there is a risk that other things are not working properly but the failure is less obvious.

  3. Should there be a firewall event that records the connection from PC2 to PC1?? What is the protocol for this type of connection??

Thanks again for your help. :slight_smile: :slight_smile:

  1. See attached image.

  2. In the unfortunate case where the firewall would not be functioning properly with regard to incoming traffic the router would still protect you from unsolicited incoming traffic from the web and hopefully your other PC is free of malware. As long as there are no open ports in your router forwarded to PC1 you have little or nothing to fear from the web.

  3. If you change the block rule at the bottom of the Global Rules to block and log you should see PC2 connecting and getting blocked. It may help to set Alert Settings to High.

[attachment deleted by admin]

  1. Thanks for image. I will complete tests and report back.

  2. I understand the protection provided by the router. But if the Comodo firewall not working what is the point of having Comodo installed??

  3. What I really want is a log event of PC2 connecting to PC1 (which it is). Is there any way to find this information??

Many thanks.

Only a small contribution to this thread, as I don’t have the same configuration (XP Pro SP3, CIS v3, only Ethernet wired LAN).

I have never been able to get a firewall global rule to work (I only have blocking ones for various ICMP protocols), as I believe that, in “advanced” situations, the precedence of outbound/inbound connections between the global and individual rules, most often assorted with “negation” conditional rules when wanting to exclude something, results in a real mess.

That said, I have (CIS v3?) no WOS item but only a “system” item; my idea about such a situation is:

-Set CIS to Proactive, firewall to Custom (and Defense+, although not concerned here, to Paranoid, checking everything in the normal image execution settings).
-Delete every safe vendor from its list (excepting Comodo, which you can’t).
-Uncheck DHCP on each of your computers, and set a private IP 192.168.1.n in the same workgroup for each of your computers, stating the gateway as your router’s LAN IP (e.g. 192.168.1.1, check for it) and set the DNS as the 2 DNS servers of your provider.
BEWARE: if your wireless computer has BOTH wireless and Ethernet abilities, you need to set a separate IP for each.
-Don’t, in your particular situation, set a trusted network as 192.168.1.1-192.168.1.255: you don’t want PC2 to be trusted.

Now, CIS shall ask what you want to do, and the rules are (as far as XP is concerned and only speaking of the relevant ones):
-Browser rule:
allow, TCP out, from any IP to any IP, from any port to HTTP ports

-svchost:
allow, TCP or UDP out, from IP any to IP=“those of your ISP”, from any port to port 53

-System:
in order to access your LAN through NetBIOS, you have to write:
allow UDP out from IP any to IP=“LAN zone”, from any port to ports 135-139

If I am not mistaken, your trouble is in this last rule: you don’t want PC2 to see PC1:
writing the same blocking rule in PC2 should be enough to keep it from seeing PC1, while you would still be able to see PC2 from PC1 by keeping this rule allowed in PC1.

Other applications (e.g. Explorer) might ask you for permissions if you try to access PC2 from PC1: you should then of course allow them only from PC1 to PC2, and set the same blocking rules in PC2 from PC2 to PC1 if needed.

Please give me your feedback: again, I am using CIS v3 and XP, and my “PC2” (a wired laptop) is not connected at the time of writing, but I can plug it in so as to check the said rules.

Outcomes of various tests as follows:

  1. I have disconnected the printer completely. Not attached to router; not attached to PC. No changes to the previously described problems – WOS alerts if ICS box is unticked and PC2 is able to see/access PC1.

  2. On PC1 opened “Network Connections”, right clicked on Network and selected Properties. There was no sharing tab. This confirms that PC1 is not set to be an ICS gateway.

  3. Previous firewall on PC1 was Zone Alarm Security Suite. ZASS has a specific tool to achieve complete removal – “cpes_clean.exe” (more complete than Windows uninstall). ZASS was removed with this tool. From ZASS instructions for a manual removal, I did a manual check (including the Registry) to confirm that everything had been removed. After ZASS removal, I did a Registry scan with CCleaner and removed any entries that CCleaner flagged up (none were ZASS related).

  4. On PC1, I went to Control Panel → Device Manager → View → Show Hidden Devices. Looked under Non Plug and Play Drivers – there was nothing relating to ZASS.

  5. Downloaded Autoruns and ran on PC1. Chose to Hide Windows and Microsoft Entries and to Include Empty Locations then refreshed. There were no entries relating to ZASS.

  6. I switched on logging for the Global Rules and I changed Firewall Behaviour Settings → Alert Settings to Very High. There were entries under Firewall Events where Comodo had blocked traffic from PC2 (Note that PC1 is 192.168.1.100 and PC2 is 192.168.1.101). Some examples (there may be others) of these entries are (WOS = “Windows Operating System”):

WOS - Blocked – UDP -192.168.1.101 - 68 - 255.255.255.255 - 67
WOS - Blocked – UDP -192.168.1.101 - 138 - 192.168.1.255 - 138
WOS - Blocked – UDP -192.168.1.101 - 137 - 192.168.1.255 - 137
WOS - Blocked – UDP -192.168.1.101 - 58840 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 64385 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 65034 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 56786 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 51623 - 239.255.255.250 - 1900
WOS - Blocked – UDP -192.168.1.101 - 57172 - 239.255.255.250 – 1900
WOS - Blocked – UDP -192.168.1.101 - 58034 - 239.255.255.250 - 1900
WOS - Blocked – UDP -192.168.1.101 - 58435 - 239.255.255.250 - 1900
WOS - Blocked – UDP -192.168.1.101 - 59045 - 192.168.1.100 - 80
WOS - Blocked – IGMP -192.168.1.101 - - 239.255.255.250 -
WOS - Blocked – IGMP -192.168.1.101 - - 224.0.0.252 -
WOS - Blocked – ICMP -192.168.1.101 - Type(8) - 192.168.1.100 - Code(0)

These are not in order. I have just grouped like entries together. Some entries kept recurring, for others I only found one example.

Not sure what the IP addresses 192.168.1.255, 224.0.0.252, 255.255.255.255 and 239.255.255.250 represent??

What are the differences between the different protocols – UDP, IGMP and ICMP? What would be the protocol used for file sharing actions between the PCs??

Clearly some blocking of traffic from PC2 is occurring. As far as I could see all incoming traffic (from whatever source, e.g. from the router [192.168.1.1]) had been blocked (yet PC2 could see/access PC1!!!). The only allowed traffic was outgoing.

However, there is a connection in from PC2 – why does this not show under Firewall Events??

I expected to get a lot of alerts (based on Help File information with the alerts setting on Very High) but I in fact got no firewall alerts. I also tried the alerts setting on Very High on PC2 with same result – no firewall alerts. All the enable alert boxes were ticked on both PC’s. Based on the Help File I expected to get an alert for each firewall event with the setting on Very High.

  7. I tried adding the IP address of PC2 (192.168.1.101) to My Blocked Network Zones. I then rebooted PC2. PC2 was still able to see/access PC1. To test the functionality of Blocked Network Zones I added the IP address of 65.55.21.250 (Microsoft) to My Blocked Network Zones. With this blocked zone added Internet Explorer reported “cannot display the web page” when trying to access http://65.55.21.250. With no blocked zone the Microsoft page displayed normally in Internet Explorer. So, as for the stealth function, Blocked Network Zones is not able to block PC2 yet Blocked Network Zones is working for sites on the external internet.

  8. On PC2: (i) I deleted the Network 192.168.1.101 and (ii) went to Firewall → Common Tasks → Stealth Ports Wizard and selected “Block all incoming connections and make my ports stealth for everyone”. On PC2, I deleted the residual System entry under Application Rules (there was nothing there under System as I had deleted the network) and I checked that the Global Rule for in/out to the network had been removed. I then rebooted PC2. When Comodo on PC2 identified the network again on start up I did not tick the box for “I would like to be fully accessible to other PCs on this network”. BUT from PC1 I was still able to see/access PC2. Thus PC2, which has not had any of the problems of PC1, is behaving exactly like PC1 in this regard.

I will wait for your responses/further suggestions.

Many thanks for your help. :slight_smile: :slight_smile:

Somewhat repeating what I said before, you are making very difficult what is fairly simple.

Let’s talk, if you want to, about technical details and protocols later, when you have succeeded in blocking your computers.

I made the test by plugging in my second computer, and it confirms what I said: you only need to block NetBIOS, period.

As there might be some differences, I report my configuration as far as it is relevant.

-PC1 is a desktop running XP Pro SP3 with CIS v3.
CIS is set to Proactive, firewall to Custom, maximal alerts, everything checked except ICS, no global rules except blocking ICMP rules (thus not relevant here).
Defense+ is not relevant, but it is set to Paranoid, normal image execution settings, with everything checked there, no trusted application, no trusted vendor.
Ports are stealthed in the firewall.
All of the unneeded services have been disabled by OS options (e.g. remote control, security center…), standard services, or Autoruns.
As far as I remember, websites like Black Viper or equivalent also list the services to be closed in Vista.

-PC2 is a very small netbook, running Win 2K SP4 to save disk space, and not able to run CIS 3 or even CIS 2.x for the same disk-space reasons, added to the very small screen size factor: the firewall is old Kerio 2.1.5.

Both computers are Ethernet wired to the same router.
DHCP is disabled; it is a prerequisite if you want “fine” LAN settings: PC1 is 192.168.0.20, PC2 is 192.168.0.30.
The network mask is the standard 255.255.255.0, the gateway is the IP of the router (192.168.0.1), the DNS those of my ISP (215.27.40.240-212.27.40.241) and of course both computers are in the same workgroup.
PC1 has no shared partition (total of 2 hard disks and 6 partitions) whereas PC2 has as its only “hard disk” a small flash drive with 3 partitions, of which only 2 are shared.
Remember, lastly, the “remanence” of Windows sharing: until you reboot from both sides, you always see the same thing in the network favorites.

Of course, without even speaking of whatever firewall, if you NEVER want PC1 to see PC2 AND PC2 to see PC1, set 2 different workgroups, and let’s speak of something else: we therefore assume that PC2 is not allowed to see PC1, but that PC1 is allowed to see PC2; let’s plug in both computers.

-Total interdiction:
As soon as it boots (and for technical reasons we might talk of later), and before I set anything in the firewall, CIS asks for 192.168.0.255 permissions: it is a broadcast request, the OS is aware that “something” is connected, and searches where it could find it.
If now I try to open network favorites and open PC2 from PC1 or PC1 from PC2, I shall be asked for permissions for 192.168.0.20 or 192.168.0.30 on the same NetBIOS ports.
If I deny, the only difference is that PC1 is totally invisible from PC2 (PC1 has no shared partition) whereas PC2 from PC1 shows the names of the 2 shared partitions, but I am totally unable to open them.
The rules are very simple:
-Block, UDP out, from IP any to 192.168.0.255 where source port is any and destination ports 137-139
(no more broadcasting at boot time in order to automatically discover the LAN)
-Block, TCP or UDP, in and out, from 192.168.0.30 to 192.168.0.20 where source port is any and destination is any (replacing “any” by “137-139” is enough)
-Same as before, inverting 192.168.0.30 and 192.168.0.20

-Partial interdiction: PC1 is allowed to see PC2, but PC2 is not allowed to see PC1 (amend as needed on PC2, I don’t have CIS on PC2).
Delete the 3 rules above, and replace them by the 3 following:
-Allow TCP or UDP out, from 192.168.0.20 to 192.168.0.30, from any port to ports 137-139
-Allow UDP in from 192.168.0.30 to 192.168.0.20, where source port is any and destination ports 137-139
-Allow UDP out from 192.168.0.20 to 192.168.0.255 where source port is any and destination ports 137-139.

Done (note that “system” in CIS 3/XP, where the said rules take place, might be replaced by “WOS” in CIS 4 or 5 and Vista, but it has no importance whatsoever as CIS takes the decision for you, and you only have afterwards to modify it as said).

Needless to say, these NetBIOS rules MUST be followed by a general blocking rule denying everything (TCP, UDP, in, out, any IP source and destination) for the NetBIOS ports 137-139.

Brucine – I am grateful for your input into this thread.

But as a new user of Comodo you are not dealing with my fundamental issues.

I understand that I may well be able to achieve what I want with some specifically designed Application Rules/Global Rules. But my issue is that these specially designed rules should not be necessary if Comodo is working in the way that it should.

While Comodo’s Defense+ seems to be working correctly, the Comodo firewall is not working correctly in two respects:

  1. The requirement for a tick in the box “This computer is an internet connection gateway (i.e. an ICS Server)” to avoid the WOS alerts when the PC is not an ICS Server.

  2. The fact that PC2 can see/access PC1 even though PC1 has been configured to “Block all incoming connections and make my ports stealth for everyone”.

If there is something in Comodo’s Firewall that is not working correctly I need to understand why/resolve the issues rather than customising rules to correct an issue that should not exist.

So what I need is help to understand/resolve the two issues that I have identified.

Many thanks.
:slight_smile: :slight_smile:

You seem to come from the “ZA world”, definitely not a good idea, where nothing ever warns you, and the new CIS versions are “sold” to make one believe that such a behavior could be achieved.

This might be true for the “lambda user”, but there are so many LAN configurations that some LAN user, particularly when he wants to allow X and block Y, is not “Mr Lambda”, and won’t be able to escape his own custom settings.

On the other hand, this thread is becoming quite long, and you diverge in many directions: you won’t be able to achieve anything by trying X on Mondays and Y on Tuesdays.

Some intervention, I don’t remember whose (probably EricJH), had very good arguments.

-You don’t run ICS, and should not check it, period: ICS might allow “wrong rules” by making the system think that some connections should not be alerted because they are thought to be part of this process.
-You should not allow DHCP.
-If you don’t want WOS to say whatever, you should not have any applications/services, including your browser, set as safe.
-I don’t know if it is a bug or a feature, but CIS only blocks WAN IPs, not LAN IPs, particularly if setting ICS:
blocking a non-routable zone (192.168, 10.0…) is of no effect but could be achieved through the Windows hosts file: enough to redirect these IPs to a fake IP, the best example being the localhost (127.0.0.1).
The same goes with port stealthing: you can’t stealth yourself.

To illustrate your examples:
-If you don’t allow svchost, UDP/TCP out, your ISP IP, port 53, you most certainly won’t connect: in your particular situation, svchost is included in a “garbage” WOS, probably because of ICS and your safe applications: if you don’t want (and you are right) to globally allow WOS without even knowing what it talks about, you have no other choice than to write the rules I suggested.
-Most of your other firewall requests:

WOS - Blocked – UDP -192.168.1.101 - 68 - 255.255.255.255 - 67
WOS - Blocked – UDP -192.168.1.101 - 138 - 192.168.1.255 - 138
WOS - Blocked – UDP -192.168.1.101 - 137 - 192.168.1.255 - 137
WOS - Blocked – UDP -192.168.1.101 - 58840 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 64385 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 65034 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 56786 - 224.0.0.252 - 5355
WOS - Blocked – UDP -192.168.1.101 - 51623 - 239.255.255.250 - 1900
WOS - Blocked – UDP -192.168.1.101 - 57172 - 239.255.255.250 - 1900
WOS - Blocked – UDP -192.168.1.101 - 58034 - 239.255.255.250 - 1900
WOS - Blocked – UDP -192.168.1.101 - 58435 - 239.255.255.250 - 1900
WOS - Blocked – UDP -192.168.1.101 - 59045 - 192.168.1.100 - 80
WOS - Blocked – IGMP -192.168.1.101 - - 239.255.255.250 -
WOS - Blocked – IGMP -192.168.1.101 - - 224.0.0.252 -
WOS - Blocked – ICMP -192.168.1.101 - Type(8) - 192.168.1.100 - Code(0)

also involve svchost, although some invoke other services (if you don’t want port 1900 requests, close the UPnP and SSDP services) or are indeed dubious (multicast requests to 224 or 239 using high ports should definitely be blocked if you don’t know what uses them).

I see, in your particular situation, and more generally speaking in the situation of any user wanting to customize his LAN, no other solution than to customize the firewall in order to do so.
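To put names on the addresses and protocols in the log lines quoted above (the question asked in the test report earlier in the thread, and the reading of them given in this post), here is a small added Python classifier. It is not code from either poster or from Comodo. It assumes the log format exactly as pasted in this thread (fields separated by ` - `, with some dashes turned into en dashes by the forum) and the LAN 192.168.1.0/24 from the reporter's setup; the sample log embedded in the block is constructed from the shapes of the posted lines. The address and port meanings are standard networking facts rather than anything specific to CIS: 255.255.255.255 is the limited broadcast, 192.168.1.255 the subnet broadcast, 224.0.0.252 the LLMNR multicast group (port 5355), 239.255.255.250 the SSDP/UPnP multicast group (port 1900); IGMP is how a host reports multicast group membership, and ICMP Type(8) is a ping echo request. For file sharing between Windows PCs the block labels the NetBIOS ports 137-139 discussed in this thread and also port 445 (direct-hosted SMB), which Windows 2000 and later use as well.

```python
"""Classify Comodo firewall-event lines of the shape posted in this thread."""
import ipaddress
import re

# Constructed sample, modelled on the lines posted in the thread (the first line keeps
# the en dash the forum inserted, to show the parser copes with it).
SAMPLE_LOG = """\
WOS - Blocked – UDP -192.168.1.101 - 68 - 255.255.255.255 - 67
WOS - Blocked - UDP -192.168.1.101 - 138 - 192.168.1.255 - 138
WOS - Blocked - UDP -192.168.1.101 - 58840 - 224.0.0.252 - 5355
WOS - Blocked - UDP -192.168.1.101 - 51623 - 239.255.255.250 - 1900
WOS - Blocked - UDP -192.168.1.101 - 59045 - 192.168.1.100 - 80
WOS - Blocked - IGMP -192.168.1.101 - - 239.255.255.250 -
WOS - Blocked - ICMP -192.168.1.101 - Type(8) - 192.168.1.100 - Code(0)
"""

# Well-known services behind the ports seen in the thread. 137-139 are the NetBIOS
# ports the rules in this thread are about; 445 (direct-hosted SMB) is the other port
# Windows 2000 and later use for file sharing.
SERVICES = {
    ("UDP", 67): "DHCP (client looking for a server)", ("UDP", 68): "DHCP (client side)",
    ("UDP", 137): "NetBIOS name service", ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (file sharing)",
    ("TCP", 445): "SMB over TCP (file sharing)",
    ("UDP", 5355): "LLMNR name resolution", ("UDP", 1900): "SSDP / UPnP discovery",
    ("UDP", 53): "DNS", ("TCP", 53): "DNS", ("TCP", 80): "HTTP",
}
MULTICAST_GROUPS = {"224.0.0.252": "LLMNR multicast group",
                    "239.255.255.250": "SSDP/UPnP multicast group"}


def parse_event(line):
    """Split 'App - Action - Proto - src - sport - dst - dport'. ICMP carries Type/Code
    in the port fields and IGMP leaves them empty, so the field count is always 7."""
    fields = re.split(r"\s*[-\u2013]\s*", line.strip())
    if len(fields) != 7:
        raise ValueError(f"unexpected field count in {line!r}")
    keys = ("app", "action", "proto", "src", "sport", "dst", "dport")
    event = dict(zip(keys, fields))
    event["proto"] = event["proto"].upper()
    return event


def classify_destination(dst, lan="192.168.1.0/24"):
    """Say what kind of address a packet was sent to, relative to the LAN."""
    net = ipaddress.ip_network(lan)
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast (every host on the link; used before the sender has an address)"
    if addr == net.broadcast_address:
        return f"subnet broadcast for {net} (every host on the LAN)"
    if addr.is_multicast:
        return MULTICAST_GROUPS.get(dst, "multicast group")
    if addr in net:
        return "unicast to a LAN host"
    return "unicast to a host outside the LAN"


def describe(event, lan="192.168.1.0/24"):
    """Add a 'scope' (what the destination address is) and a 'service' (what the port
    or ICMP/IGMP message is for) to a parsed event."""
    proto = event["proto"]
    if proto == "ICMP":
        service = ("ICMP echo request (ping)" if event["sport"] == "Type(8)"
                   else f"ICMP {event['sport']} {event['dport']}")
    elif proto == "IGMP":
        service = "IGMP membership report (host joining or leaving a multicast group)"
    else:
        port = int(event["dport"])
        service = SERVICES.get((proto, port), f"{proto} port {port}")
    return {**event, "scope": classify_destination(event["dst"], lan), "service": service}


def summarize(log_text, lan="192.168.1.0/24"):
    """One dict per non-empty line, with 'scope' and 'service' filled in."""
    return [describe(parse_event(line), lan) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG):
        print(f"{e['proto']:4} {e['src']} -> {e['dst']}:{e['dport']:<8} {e['scope']}; {e['service']}")
```

Run as a script it prints one annotated line per event; to use it on a real export, paste the Firewall Events lines into a file and pass its contents to `summarize`. The grouping it produces matches the structure of the posted log: the broadcast and multicast entries are PC2's network discovery traffic (DHCP, NetBIOS name/datagram, LLMNR, SSDP), while the unicast entries to 192.168.1.100 (UDP 80 and the ping) are PC2 addressing PC1 directly.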

Brucine - again I am grateful for your input but I do not think that you can have read the whole thread. The thread has not diverged at all. It has moved on logically as I have responded to queries from EricJH.

Some particular responses to your last post:

  1. You state “You don’t run ICS, and should not check it”. If I do not check ICS, I keep getting these WOS alerts and I cannot access the internet without allowing the WOS request. To allow such a request is very bad as it allows everything on the PC to access the internet. If I check ICS (even though PC is not ICS) I do not get the WOS alerts. This illogicality is the first of the two problems I am trying to resolve!!

  2. You state “cis only blocks wan ip, not lan ip, particularly if setting ics”. If CIS does not block LAN then the choice under “Stealth Ports Wizard” to “Block all incoming connections and make my ports stealth for everyone” is nonsense. This is the second of the problems that I am trying to resolve.

A very basic question. On PC1 I have a Global Rule which is “Block And Log IP In From IP Any To IP Any Where Protocol Is Any”. Why does this Global Rule not block traffic in from PC2 to PC1 and thus prevent PC2 seeing/accessing PC1??

I have just found another Comodo Forum Thread that reports this same problem re Comodo not blocking access from PC2 to PC1, see: https://forums.comodo.com/empty-t55493.0.html. I am not alone!!!

It would be very helpful if you could expand on your statement that “CIS does not block LAN”. What is the basis of this statement?? Is it documented somewhere or is it based on your usage??

Your help is much appreciated.

Many thanks.
:slight_smile: :slight_smile:

  1. In my opinion, you can: WOS only reports “unknown” connections.
    If you customize the firewall, and say that not WOS, but svchost is connecting TCP/UDP out to your ISP port 53, and so forth, I suppose that WOS won’t alert anymore as the connection shall be known.

  2. It is not nonsense: it is only underlining that the “stealth port” item only makes your computer (but not your router…) invisible from the WAN.
    The LAN won’t use the same requests as those connecting you to what is seen as “yourself”, and the primary goal of such an item is to pass GRC tests and the like, indeed using WAN protocols.
    The only firewall able to “hide you” not from an application (utterly stupid: you don’t want to block your browser as a whole, but only to block whatever ports, protocols and IPs it should not use) is a port firewall (partially allow application X for port Y, but block it for port Z).
    CIS is not (unlike Kerio 2.1.5) a “pure” port firewall, particularly if you set global rules and/or trusted vendors or software: if you want it to become so, you must customize it so it asks for every invoked port.

Same (but as you suggested, relying only on my personal experience; I am not a Comodo developer) with global rules and LAN permissions.
As I said before, global rules for other things than general ICMP rules are lousy, because they are not absolute and not efficient in LAN (or even WAN) advanced administration.
Not absolute of course because the precedence of global and individual rules is opposite depending on whether the connection is outbound or inbound, going with the general (and false) feeling that a firewall should allow whatever as long as it is outbound.
Totally inefficient (still from my own experience and that of some other people), because in relatively more complex situations such as LAN administration, you would need to write conditional global rules.
I have personally never been able to get any to work (and neither have you at the time of writing…)
So, if global rules do not work, what else than setting your own individual rules?

I shall try, when I have some spare time, to set such global rules or stealth ports so as to block LAN access, but I don’t believe a word of it: my opinion is that either specific WAN (and not LAN) packets and protocols, or CIS hardcoding itself (special permissions for unroutable IP classes) make what you wish unachievable.
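The two things this thread keeps circling are the three NetBIOS rules (plus the closing block rule) given in the earlier "partial interdiction" post, and the point made just above that global and application rules are consulted in opposite order for outbound and inbound connections. The added Python model below exercises both on sample flows. It is not CIS code and not either poster's; it is a simplified rule engine built on this assumption of how the thread describes CIS: outbound connections consult the application's rules first and then the global rules, inbound connections consult the global rules first, the first matching rule in a list decides for that list, a block in either list blocks, an allow in the application's rules lets the connection through, and a connection no application rule covers raises an alert. Whether CIS's engine does exactly this is not something the thread confirms, so treat the verdicts as the model's, not the product's. Addresses are the ones used in the "partial interdiction" post (PC1 192.168.0.20, PC2 192.168.0.30, broadcast 192.168.0.255); the "System" rule that lets the whole LAN in is the constructed case EricJH tells the original poster to look for.

```python
"""Model of first-match firewall rules with direction-dependent global/application order."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                    # "TCP", "UDP", ...
    direction: str                # "in" or "out", seen from the host whose rules run
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    protos: frozenset             # e.g. {"TCP", "UDP"}; "IP" stands for any protocol, as in CIS
    direction: str                # "in", "out" or "in/out"
    src: ipaddress.IPv4Network    # a host (/32), a zone, or 0.0.0.0/0 for "any"
    dst: ipaddress.IPv4Network
    dports: tuple                 # inclusive (low, high) destination port range, or None for any

    def matches(self, p):
        return (("IP" in self.protos or p.proto in self.protos)
                and self.direction in (p.direction, "in/out")
                and p.src in self.src and p.dst in self.dst
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))


def rule(action, protos, direction, src, dst, dports=None):
    """Shorthand: protos as 'TCP/UDP', addresses as strings."""
    return Rule(action, frozenset(protos.split("/")), direction,
                ipaddress.ip_network(src), ipaddress.ip_network(dst), dports)


def pkt(proto, direction, src, dst, dport):
    return Packet(proto, direction, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def first_match(rules, p):
    """Verdict of the first rule that matches, or None if no rule does."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


def decide(app_rules, global_rules, p):
    """Return (verdict, layer that decided). Assumed order, as the thread describes it:
    outbound -> application rules then global rules; inbound -> global rules first."""
    layers = [("application", app_rules), ("global", global_rules)]
    if p.direction == "in":
        layers.reverse()
    for name, rules in layers:
        if first_match(rules, p) == "block":
            return "block", name
    if first_match(app_rules, p) == "allow":
        return "allow", "application"
    return "alert", "none"        # nothing covers it: a custom-policy firewall asks the user


PC1, PC2, BCAST, LAN, ANY = "192.168.0.20", "192.168.0.30", "192.168.0.255", "192.168.0.0/24", "0.0.0.0/0"
NETBIOS = (137, 139)

# "System" rules on PC1: the three "partial interdiction" allow rules followed by the
# general block rule for the NetBIOS ports.
PC1_SYSTEM = [
    rule("allow", "TCP/UDP", "out", PC1, PC2, NETBIOS),
    rule("allow", "UDP", "in", PC2, PC1, NETBIOS),
    rule("allow", "UDP", "out", PC1, BCAST, NETBIOS),
    rule("block", "TCP/UDP", "in/out", ANY, ANY, NETBIOS),
]
# The original poster's global rule, and a constructed System rule that lets the LAN in.
GLOBAL_BLOCK_IN = [rule("block", "IP", "in", ANY, ANY)]
SYSTEM_LAN_OPEN = [rule("allow", "IP", "in", LAN, PC1)]


def partial_interdiction_outcomes():
    flows = {
        "PC1 browses PC2 (TCP 139 out)": pkt("TCP", "out", PC1, PC2, 139),
        "PC1 name query broadcast (UDP 137 out)": pkt("UDP", "out", PC1, BCAST, 137),
        "PC2 name-service reply (UDP 137 in)": pkt("UDP", "in", PC2, PC1, 137),
        "PC2 opens a share on PC1 (TCP 139 in)": pkt("TCP", "in", PC2, PC1, 139),
        "other LAN host to PC1 (UDP 138 in)": pkt("UDP", "in", "192.168.0.40", PC1, 138),
    }
    return {name: decide(PC1_SYSTEM, [], p) for name, p in flows.items()}


def global_rule_outcomes():
    share = pkt("TCP", "in", PC2, PC1, 139)
    return {"LAN-open System rule, no global rule": decide(SYSTEM_LAN_OPEN, [], share),
            "LAN-open System rule + global block in": decide(SYSTEM_LAN_OPEN, GLOBAL_BLOCK_IN, share)}


if __name__ == "__main__":
    for name, verdict in {**partial_interdiction_outcomes(), **global_rule_outcomes()}.items():
        print(f"{name:45} -> {verdict[0]} (decided by {verdict[1]} rules)")
```

Two things the output makes visible. With the three allow rules and the closing block, PC1 can query and browse PC2 while a connection from PC2 to PC1's session port, or from any other LAN host to the NetBIOS ports, hits the block rule; the one inbound flow let through is the UDP name-service reply PC1 itself solicited. And under the assumed inbound order, a global "block IP in" rule decides before the application's rules are even read, which is why logging on that global rule (as suggested earlier in the thread) is where a blocked PC2 connection would show up; if instead only an application rule for System admits the LAN, the model allows the share connection, which is the case EricJH asks the poster to rule out.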

To repeat:

On PC1 I have a Global Rule which is “Block And Log IP In From IP Any To IP Any Where Protocol Is Any”. This rule should block all incoming traffic to the PC whatever the source. Hence, why does this Global Rule not block traffic in from PC2 to PC1 and thus prevent PC2 seeing/accessing PC1??

If this does not work why should I believe that any other part of Comodo works??

A simple answer to a simple question please.

Many thanks.

To repeat:
I am also repeating myself for at least the second time, and there's no straightforward "yes" or "no" answer: my feeling is that what I said needed to be explained so as to be understood, and not written as a mere cooking recipe, and tested, at least from my own experience.
Hence, why does this Global Rule not block traffic in from PC2 to PC1 and thus prevent PC2 seeing/accessing PC1??
I said I formally don't know, but suspect both the... global failure of global rules and the application of whatever general rules (port stealthing...) to be only relevant to WAN connections. From an experimental point of view, I fail and you fail, only meaning maybe that the CIS help is very insufficient in not saying so, and although it now tries to look like it, that CIS is definitely not ZA, making people believe that a security feeling should be conferred by only clicking 2 or 3 buttons, and next saying that you are safe because you don't see any alert.
If this does not work why should I believe that any other part of Comodo works??
Believe what you want, I am no CIS fan, and I wrote more than once my irritation at undocumented comments like "Comodo is the best" (Glory Hallelujah...). But (I also repeat myself yet again), it DOES work, as I have demonstrated in my previous post (did you even try the procedure?), but not in default settings for non-default situations: YOU are the one knowing your needs, software, OS..., and no one but you (i.e. no software in the world) is in the end able to take every decision for you and know the appropriate behavior for everything in the world.
A simple answer to a simple question please.
I spent a lot of time trying to explain why there's none. CIS is not ZA. It most certainly is, although not perfect, one of the most powerful security software packages if you write the proper settings for your peculiar situation, but it does not work from 2 clicks. As far as I remember, I gave you the tested and working solution (at least under XP, but I don't see why it should not, amended to specific services and executables if any, work under Vista). In my opinion, the game is to achieve some working solution, no matter how you get it if it's not over difficult, and here, it is not (only 3 rules to write).

I really don’t understand what you are trying to say or to prove?

I may not sound it but I am grateful for your help. :slight_smile: :slight_smile:

I did try what I thought you were suggesting but I did get confused by your posts. Could you just tell me again the three rules you think that I need. No discussion just the 3 rules.

Many thanks.

With your settings PC2 should not be able to see PC1’s shared folders. Not sure if I asked in the process but make sure that the rule for System in PC1 does not allow the local network to connect.

Other than that I think I covered all bases I can think of.

It seems to me there is something not right with the set up of CIS on your system. I did some testing with v4.1 on both Vista and XP (triple boot system) with the ICS setting and that never conjured up an alert saying WOS wants to connect to the DNS server. It always was svchost.exe that tried to connect to the DNS server.

The WOS alert says that CIS cannot see what process is asking to connect to the web. Assuming that’s a lead I can only assume something on your system is blocking view for CIS.

Given the fact that CIS does not block incoming traffic of PC2 I think your security is at large. Luckily you are behind a router.

For now I will advise doing a clean install of CIS and see if that helps. Following is an instruction on how to manually remove traces of CIS. When you feel that is too much, uninstall, reboot and run this unofficial clean up tool. Remember to export your old configuration in case you want to keep it.

Start with exporting your configuration to a folder that is not part of the Comodo folder under Program Files. This way you can restore your configuration after the reinstall.

Uninstall CIS and reboot. Then run Comodo System Cleaner (http://system-cleaner.comodo.com/) to get rid of registry keys.

Then delete the Comodo folders under Program Files, Program Files\Common Files, C:\Documents and Settings\All Users\Application Data\ .
For Vista/Win7:
\Users\%username%\appdata\local, \Users\%username%\appdata\roaming\ and \Users\%username%\appdata\local\virtual store

To be even more thorough open Device Manager and set it to show hidden devices under menu option View. Then see if there are Comodo driver(s) left in non Plug and Play drivers. If so select the driver → click right → uninstall and reboot.

Now delete the following:
C:\boot.ini.comodofirewall (this file may not exist).
WARNING: Do not mistakenly remove the original “boot.ini”.
C:\WINDOWS\system32\drivers\cmdGuard.sys
C:\WINDOWS\system32\drivers\cmdhlp.sys
C:\WINDOWS\system32\drivers\inspect.sys
C:\WINDOWS\system32\drivers\cmderd.sys
C:\WINDOWS\system32\guard32.dll
C:\WINDOWS\system32\drivers\sfi.dat (this file belongs to stateful inspection of the AV )

a. HKEY_CURRENT_USER\Software\ComodoGroup\CFP and HKEY_CURRENT_USER\Software\ComodoGroup\Comodo Internet Security
b. HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\CDI\1 *
*(If you have other Comodo products installed, delete only the values for CFP)
c. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdAgent
d. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdGuard
e. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdHlp
f. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Inspect
fi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmderd
g. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdAgent
h. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdGuard
i. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdHlp
j. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Inspect
ji. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmderd
k. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdAgent
l. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdGuard
m. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdHlp
n. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Inspect
ni. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmderd
o. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdAgent
p. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdGuard
q. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdHlp
r. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Inspect
ri. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmderd
s. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro
t. HKEY_USERS\S-1-5-21-1202660629-746137067-2145843811-1003\Software\ComodoGroup\CFP
u. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDAGENT *
v. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDGUARD *
w. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDHLP *
x. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INSPECT *
xi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDERD *
y. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDAGENT *
z. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDGUARD *
aa. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDHLP *
bb. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_INSPECT *
bbi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDERD *
cc. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDAGENT *
dd. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDGUARD *
ee. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDHLP *
ff. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_INSPECT *
ffi. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDERD *
gg. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDAGENT *
hh. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDGUARD *
ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDHLP *
jj. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INSPECT *
jji. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDERD
kk. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x32
ll. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x64
mm. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFPLog
nn. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CPFFileSubmission
oo. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro

*Note: It may not be possible to remove these “LEGACY” keys. If you cannot delete them, leave them in the registry. However, I have subsequently found that you MAY be able to remove these keys in Safe Mode by using a third-party registry tool. To permanently remove them may also require modifying the Permissions for each key. See: https://forums.comodo.com/help_for_v3/comprehensive_instructions_for_completely_removing_comodo_firewall_pro_info-t17220.0.html;msg119226#msg119226

How to uninstall the CIS firewall driver when it stays present after following this or using the clean up tool? Look up the properties of the network connection, select the Comodo Firewall driver and uninstall it. See the attached image.

Now reboot back into Windows and CIS should be gone and you should be able to install it again. You can run a couple of registry cleaners you trust to see if there are any Comodo leftovers.

Now you should be good to go. Let us know how things go.

Thanks for all that - let me have a think!!

Some more tests to report.

I removed the router and connected my PC directly to the Virgin Modem. Then 2 results:

  1. From Comodo Firewall Events all incoming traffic was blocked.
  2. I went to the Gibson ShieldsUP! site (GRC | ShieldsUP!, Internet Vulnerability Profiling). The PC passed all the tests 100%.

Conclusions - Comodo is doing something despite the problems I am having.

Did you see thread where somebody else reported the exact same problem with PC2 seeing/accessing PC1:
https://forums.comodo.com/guides-cis/firewall-blocking-internet-access-whilst-allowing-intranet-access-t30440.0.html. I am not alone!!

Any of this prompt further thoughts??

Many thanks for your time and effort.

I don’t know anything about Vista.
ericjh might be right when stating that you have an installation problem, due to the observation that the alert should come from svchost and not from wos, although the rules I am talking of are written in System (and not svchost).

Pasting the 3 rules i used to make it work as you wish (of course, replace the ip with your own):

- Partial interdiction: PC1 is allowed to see PC2, but PC2 is not allowed to see PC1 (amend as needed on PC2, I don't have CIS on PC2). Delete the 3 rules supra, and replace them with the following 3:
  - Allow TCP or UDP out, from 192.168.0.20 to 192.168.0.30, from any ports to ports 137-139
  - Allow UDP in from 192.168.0.30 to 192.168.0.20, where source port is any and destination ports are 137-139
  - Allow UDP out from 192.168.0.20 to 192.168.0.255, where source port is any and destination ports are 137-139.

The lack of the same rules with the IPs inverted keeps PC2 from accessing PC1.
But as you probably run CIS on PC2 (not me), you will probably need to write CIS rules on PC2 so as to allow TCP and UDP in from PC1.

  1. These are Global Rules on PC1??
  2. Which is PC1 - 192.168.0.20 or 192.168.0.30??
  3. As I understand it from your previous posts, Global Rules only enforce what they specifically state, and the absence of a Global Rule to block effectively allows. Hence I cannot see which of the 3 Global Rules would prevent PC2 seeing/accessing PC1??

Many thanks.

  1. and 3. They are not Global Rules, but network Application Rules for “System”.

  2. PC1 is 192.168.0.20

As I said, I don’t use CIS on PC2.
The first 2 rules might lead CIS on PC2 to ask for TCP and UDP in from 192.168.0.20 and UDP out also from 192.168.0.20.
Be careful to allow only as strictly needed, as allowing TCP out in the first rule would probably allow PC2 to see PC1.

OK. So your 3 rules are Application Rules for “System” and are as follows:

  1. Allow TCP or UDP out from PC1 to PC2 (from any ports to ports 137-139)
  2. Allow UDP in from PC2 to PC1 (from any ports to ports 137-139)
  3. Allow UDP out from PC1 to 192.168.0.255 (from any ports to ports 137-139)

Then:
A) Why rule (2) - surely I want to block all traffic from PC2 to PC1??
B) What is 192.168.0.255??

As a further comment - how can a rule on PC2 grant access for PC2 to PC1??

Just trying to understand what these rules are designed to do before implementing them?

Again, many thanks for your help.

A) The protocol needed to “see” something on a LAN is NetBIOS over TCP/IP.
But before using whatever protocol, packets must be sent or received between the sender and the destination.
The UDP requests (http://www.networksorcery.com/enp/protocol/udp.htm) ensure this exchange of packets, without which no protocol can be used.
But the actual transaction is achieved from TCP on the NetBIOS ports (137-139).
Blocking TCP for 137-139 is the way to block one computer accessing the other, but you can’t achieve it if no communication at all (not even sending UDP packets) tries to launch the TCP process (even to deny it).
There’s of course no threat from only UDP requests on a LAN, but you should definitely block these same NetBIOS ports on the WAN, and more generally block on the WAN whatever unneeded TCP or UDP requests (the latter mostly for privacy concerns).
Note in this regard that you observed yourself that you won’t be able to connect anymore if you block SVCHOST UDP requests on port 53 to your ISP IP.

B) For a class C LAN unroutable IP range (192.168.0.x), the standard mask is 255.255.255.0, the starting address 192.168.0.0 is reserved and unusable, and 192.168.0.255 is also a reserved address, used to broadcast information within the LAN.
It is a full part of the RFC specification for the TCP protocol, and you can’t help it.
If unusable, and as demonstrated by rule 3), your computer is not able to “search on the LAN where its requests should be addressed”, and these requests thus fail.
The only way to overcome this situation (maybe?) would be to connect both PC1 and PC2 to a switch itself connected to the router, but I don’t see the point of it for what we are concerned with.

As a further comment - how can a rule on PC2 grant access for PC2 to PC1??
It cannot alone. In the situation we are speaking of, there's no "central" firewall (coming from a router, or a third computer only connected to the router and serving the 2 others), but a standalone firewall on PC1 and PC2. In order for PC2 to access PC1, you must not have firewall rules in PC1 blocking it (the ones I wrote). But you would achieve the same result with no rules in PC1 and blocking rules (not exactly the same) in PC2, and you could perfectly be redundant by writing such rules on both sides. The only situation where PC2 is able to access PC1 is the lack of firewall rules on both sides (and, even if so, the lack of password-protected administrative or user privileges for the network shares).
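As an added illustration (not code from this thread or from Comodo), the three “System” application rules discussed above modelled as a first-match evaluator on PC1: it derives 192.168.0.255 from the 255.255.255.0 mask and shows why PC2's UDP name queries are allowed in while its TCP NetBIOS session attempt is not. It assumes that traffic matching no rule is blocked, whereas CIS would actually raise an alert.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

PC1 = IPv4Address("192.168.0.20")    # addresses quoted in the thread
PC2 = IPv4Address("192.168.0.30")
LAN = IPv4Network("192.168.0.0/24")  # mask 255.255.255.0, as in B)
BROADCAST = LAN.broadcast_address    # 192.168.0.255, used by rule 3
NETBIOS_PORTS = range(137, 140)      # ports 137-139 inclusive

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    protocols: frozenset   # subset of {"tcp", "udp"}
    direction: str         # "in" or "out", relative to PC1
    src: IPv4Address
    dst: IPv4Address
    dst_ports: range       # source ports are "any" in all three rules

@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: int

# The three "System" application rules exactly as the post lists them, in order.
SYSTEM_RULES = [
    Rule("allow", frozenset({"tcp", "udp"}), "out", PC1, PC2, NETBIOS_PORTS),
    Rule("allow", frozenset({"udp"}), "in", PC2, PC1, NETBIOS_PORTS),
    Rule("allow", frozenset({"udp"}), "out", PC1, BROADCAST, NETBIOS_PORTS),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.protocol in rule.protocols and pkt.direction == rule.direction
            and pkt.src == rule.src and pkt.dst == rule.dst
            and pkt.dst_port in rule.dst_ports)

def evaluate(pkt: Packet, rules=SYSTEM_RULES, default: str = "block") -> str:
    """Action of the first matching rule; unmatched traffic gets the default.
    Assumption: 'no rule' is treated as a block, where CIS would show an alert."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

if __name__ == "__main__":
    print(evaluate(Packet("tcp", "in", PC2, PC1, 139)))        # block
    print(evaluate(Packet("udp", "in", PC2, PC1, 137)))        # allow
    print(evaluate(Packet("udp", "out", PC1, BROADCAST, 137))) # allow
```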