Access to the Internet

I think that I am making progress. Would you be able to help me with some miscellaneous queries:

In Firewall events I have two traffic records:
i) UDP in from 192.168.1.1 (the router) to 239.255.255.250
ii) UDP in from 192.168.1.1 (the router) to 224.0.0.1

Can you explain what sort of traffic this is??
What/where are the 2 IP addresses - 239.255.255.250 and 224.0.0.1??
Are these 2 IP addresses on the PC??

What sort of traffic is broadcast? Multicast? Do I need this capability on PC1??

Do you know a freeware utility I could put onto the PC that would give me traffic information as is produced by Comodo in its firewall events??

Many thanks. :slight_smile: :slight_smile:

When, if not using a switch, you are sending some information to a specific computer on a LAN, the system has no way to know which is the destination computer; it actually sends the data to the whole LAN, and the destination computer picks the relevant information: this is broadcasting.
Broadcasting is strictly local, and uses the broadcast address and mask (192.168.0.255/255.255.255.x).

Multicast achieves the same on whatever group the computer has (voluntarily) joined, including WAN, but it is very theoretical as most ISPs do not support multicast content, and the use is practically restricted to intranets.
Even in the multicast range, 239.x addresses are strictly local, whereas 224.x are not.

Some Windows services automatically run such ports (not local to your computer, but by definition LAN-shared): mostly UPnP, SSDP, RDP…
All of them should be disabled in the general situation.
Nevertheless, I keep for myself such a rule invoking the bootstrap protocol:
svchost, allow udp out to 255.255.255.255 where dest port is 67
without which I am unable to connect to the LAN.

The general rule is always the same: disable whatever unneeded service, block whatever unneeded communications.

Speaking of a utility logging the communication events, of course such utilities exist, but they are a real pain for common usage.
It is far better to learn for yourself about communications when permissions are asked for, remembering that, still in common usage, the needed ports and protocols are very few.
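The two firewall events quoted above differ only in their destination group address, and the reply explains them in terms of address scope. The following is an added example (not code from the post or from Comodo) that classifies a destination address the way the reply describes: limited broadcast (255.255.255.255), link-local multicast (224.0.0.0/24, which routers never forward), administratively scoped multicast (239.0.0.0/8), other multicast, and RFC 1918 versus other unicast. It also annotates the two well-known groups from the post: 224.0.0.1 is the all-hosts group, and 239.255.255.250 is the SSDP group used by UPnP discovery. The event lines and the log format are constructed from the post; a third DHCP-style line is added to show the broadcast case.

```python
import ipaddress
import re

# Group addresses named in the two firewall events quoted in the post.
WELL_KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts group: every multicast-capable host on the link listens",
    "239.255.255.250": "SSDP group used by UPnP device discovery",
}

# Scopes used for the classification (RFC 5771 local control block, RFC 2365 admin scope).
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")  # link-local, never forwarded by routers
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")          # administratively scoped, kept inside the site
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
LAN_NETS = (                                                # RFC 1918 private ranges
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

def classify(addr: str) -> str:
    """Return a short label for the kind of IPv4 destination address."""
    ip = ipaddress.ip_address(addr)
    if ip == LIMITED_BROADCAST:
        return "limited-broadcast"
    if ip in LOCAL_CONTROL_BLOCK:
        return "multicast-link-local"
    if ip in ADMIN_SCOPED:
        return "multicast-admin-scoped"
    if ip.is_multicast:
        return "multicast-global"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETS):
        return "unicast-private"
    return "unicast-public"

def is_unicast(addr: str) -> bool:
    """Only unicast addresses can be bound to an interface; group and broadcast addresses are
    destinations that every interested host listens for, not addresses a PC owns."""
    return classify(addr).startswith("unicast")

# Constructed log format modelled on the two events quoted in the post.
EVENT_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<direction>in|out)\s+from\s+(?P<src>[\d.]+)\s+to\s+(?P<dst>[\d.]+)$"
)

def explain_event(line: str) -> dict:
    """Parse one constructed event line and annotate its destination address."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    dst = m["dst"]
    return {
        "proto": m["proto"],
        "direction": m["direction"],
        "src": m["src"],
        "dst": dst,
        "dst_kind": classify(dst),
        "dst_note": WELL_KNOWN_GROUPS.get(dst, ""),
        "dst_is_unicast": is_unicast(dst),
    }

# Constructed sample: the two events from the post plus a DHCP-style broadcast.
SAMPLE_EVENTS = [
    "UDP in from 192.168.1.1 to 239.255.255.250",
    "UDP in from 192.168.1.1 to 224.0.0.1",
    "UDP in from 192.168.1.1 to 255.255.255.255",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        info = explain_event(line)
        print(f"{info['dst']:16} {info['dst_kind']:24} unicast={info['dst_is_unicast']}  {info['dst_note']}")
```

Run stand-alone it prints one line per event; neither 239.255.255.250 nor 224.0.0.1 is a unicast address, which answers whether those two addresses are "on the PC".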

Thanks for your responses.

One of the PC’s on my LAN does not have Comodo (and I don’t want to put Comodo on this PC) but I want to look at traffic on this PC.

Which is the simplest utility to log traffic?? In what way are they a pain??

Many thanks??

You didn’t even tell me if you succeeded blocking “pc2”?

As for the last question, I am no specialist.

Examples of such programs are winpcap, tcpview, ethereal…: search for “packet capture”, “logging windows connections” or something similar.
Even Windows, although no one wants to know any more that NT systems do not have real-mode DOS but DOS emulation, has such a command-line utility as far as TCP/IP is concerned:
http://ss64.com/nt/netstat.html

Why a pain?
Because, GUI or not, these programs won't tell you what software connects to what, but only what IP connects to what other, with what protocol and ports: not a decisive progress as compared to the CIS firewall log itself.

And because you have no automated behavior, but answers “on demand”: you must actively run these programs to get an output, quite difficult to interpret for non-specialists.
Examples of application at:
http://thebackroomtech.com/2007/12/05/howto-log-connections-to-specific-ports-and-processes-on-windows-machines/

(…)

Furthermore, addressing a remote computer adds to the pain:
I don't know the way of exporting the CIS log, and you would have to either run some remote control or write a script so as to export the log of the connections, while the said script wouldn't of course be “dynamic”, but only a picture of what happened in the logging interval.
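The netstat utility linked in the reply above prints one line per socket, and with `netstat -ano` the last column is the owning process id, which `tasklist` maps to an image name. As an added example (not code from the post or from either tool), this parses a constructed `netstat -ano` listing, joins it with a constructed PID-to-image table, and separates sockets that merely listen from those with a real remote peer, then those whose peer is outside the RFC 1918 LAN ranges. The sample listing, the PIDs and the image names are all made up for the example; the 203.0.113.0/24 address is a documentation range standing in for a real Internet host.

```python
import ipaddress

# Constructed sample of `netstat -ano` output in the Windows XP layout; not real data.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1056      203.0.113.25:80        ESTABLISHED     2176
  TCP    192.168.1.10:1057      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:1900           *:*                                    1124
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed PID-to-image mapping, as `tasklist` would report it.
SAMPLE_TASKLIST = {4: "System", 1004: "svchost.exe", 1124: "svchost.exe", 2176: "firefox.exe"}

LAN_NETS = (                      # RFC 1918 private ranges
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

def split_endpoint(endpoint: str):
    """Split 'host:port' into (host, port). netstat prints '*:*' for unconnected UDP sockets."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))

def parse_netstat(text: str) -> list:
    """Turn netstat -ano text into one dict per socket. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or title lines
        proto = parts[0]
        local_host, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append({
            "proto": proto,
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": state, "pid": pid,
        })
    return rows

def is_remote_peer(host: str) -> bool:
    """A listening or unbound socket shows 0.0.0.0 or * as its foreign address."""
    return host not in ("*", "0.0.0.0")

def active_peers(rows: list, pid_names: dict) -> list:
    """Sockets that actually talk to a remote host, annotated with the owning image name."""
    return [
        {**row, "image": pid_names.get(row["pid"], "?")}
        for row in rows if is_remote_peer(row["remote_host"])
    ]

def external_peers(rows: list, pid_names: dict) -> list:
    """Subset of active_peers whose peer lies outside the private LAN ranges."""
    return [
        row for row in active_peers(rows, pid_names)
        if not any(ipaddress.ip_address(row["remote_host"]) in net for net in LAN_NETS)
    ]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for row in external_peers(rows, SAMPLE_TASKLIST):
        print(f"{row['image']} (pid {row['pid']}) {row['proto']} -> "
              f"{row['remote_host']}:{row['remote_port']} {row['state']}")
```

On the constructed sample only the firefox.exe socket to 203.0.113.25:80 is an external peer; the System connection to 192.168.1.20:445 is LAN traffic, and the rest are listeners. A snapshot like this is exactly the "picture of what happened" the reply mentions: it shows the moment the command ran, not what came before or after.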

Sorry I hadn’t updated.

With your help I feel confident that the issue of blocking PC2 seeing/accessing PC1 can be resolved.

The issue that is giving me real concern is the need to tick the ICS Server box even though my PC is not an ICS server. It is also now clear to me that by ticking the box I am not getting the WOS alerts because Comodo is allowing the access automatically because it associates the requests with the PC being an ICS Server. Hence I think that Comodo is allowing all processes on my PC to access the internet.

I need to determine the underlying cause of the WOS alerts if the ICS box is not ticked. I have uninstalled and reinstalled Comodo at least 3 times with the same outcome each time.

If I cannot resolve this issue then Comodo is not for me.

Any more suggestions gratefully received. :slight_smile: :slight_smile:

Although you could customize WOS itself in the way I said so as to monitor every connection of it, I don't know: the normal behavior, at least in XP, is alerts for svchost and system.

There’s no reason whatsoever for you to tick ICS, leading Comodo to think that some connections are safe whereas every connection by definition is not until you exactly know what it wants.

  1. I tried adding Application Rules that allowed outgoing access for svchost.exe and System (and other System32 programs such as spoolsv, services, lsass, smss, csrss etc etc) but I still got the WOS alerts and could not get internet access unless I allowed the WOS alert. The alert from Comodo which states that it is unable to determine the underlying cause of the WOS alert means that there are no clues as to why it is happening.

I could “customize WOS itself” by, for example, restricting it to UDP. However, that does not help because I still would not know what I am allowing as I still do not know the underlying cause of the WOS. Did you have anything else in mind??

  2. If I do not either (i) tick ICS; or (ii) allow the WOS alert if ICS is not ticked; I cannot access the internet!!! I think that ticking ICS effectively grants the same permissions as allowing the WOS alert, so there is no real difference between these 2 options. Both are bad!! I need to determine the underlying cause. The PC is definitely not an ICS - I have checked and rechecked.

Any other thoughts??

Many thanks.

As far as I understand, WOS confers the needed rules:
-(Your Browser):
Allow, TCP out, to http ports 80 and 443
-svchost:
Allow, TCP or UDP out to your ISP IP, port 53
Added to bootstrap rule in some circumstances:
Allow, UDP out to 255.255.255.255, port 67.

But I don't know anything else about WOS than what I have read:
I don't have such an item; is it version-dependent (I use CIS v3), does it appear only under peculiar circumstances?

I only suggested that customizing WOS (if possible, and not widely extended, I am not thinking for a single second of allowing, e.g., even relatively innocuous UDP out globally) would maybe allow you to monitor exactly what connections it asks for (application or service, protocol, direction, port).

One thing is nevertheless sure: you must NOT, as you did in your trials, allow whatever Windows service but, on the contrary, only allow what is strictly needed and disable the unneeded services.
As the first example I can think of, lsass allows remembering passwords on NTFS partitions, but automatically loads RPC: convenient, but dangerous.

  1. Browser is TCP out, to http ports 80 and 443?? What do you mean by “to http”??
  2. svchost is TCP or UDP out to your isp ip, port 53??
  3. How do I find isp ip?? Do you mean ip of isp’s dns servers??
  4. what does 255.255.255.255 represent??

Many thanks.

  1. My rule is:
    E:\Firefox\Firefox.exe (custom)
    Allow TCP from ip any to ip any, source ports any, dest ports (http ports).
    In order for your browser to connect, you must allow TCP protocol for http (port 80) and https (port 443).
    CIS has a default “my ports” item, with a zone for http.
    This zone by default has ports other than 80 and 443 for peculiar situations (proxies…); if not, you should delete everything but 80 and 443.
    If you prefer, you can state the dest ports not as “http ports”, but explicitly specify ports 80 and 443.

  2. Yes to the second question.
    They are brought to you with your ISP documentation.
    If not, search on the web for something like “isp dns”.
    Sorry, I can't help you, the only such link I can think of is like me (French).
    Also answering question 2): svchost for dest port 53 should only be allowed, as dest IP, to the DNS of your ISP.

  3. You won't need this last rule, as I said, in the general situation.
    But you won't be able to connect in some router configurations if the booting process does not launch a bootstrap protocol.
    In such conditions, this bootstrap process, port 67, has to broadcast over the LAN: it uses for this the general broadcast address (255.255.255.255), which, as I observed before, is strictly unroutable (i.e., remains on the LAN).
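The rule set described in the two replies above (browser: TCP out to ports 80 and 443; svchost: TCP or UDP out to the ISP's DNS on port 53; svchost: UDP out to 255.255.255.255 port 67 for the bootstrap case) can be written down and exercised against sample connection attempts. The following is an added example, not code from the post or from Comodo: a small rule matcher in the spirit of CIS application rules, where the first matching rule allows and anything unmatched falls through to "ask", mirroring an alert. The ISP resolver addresses (203.0.113.53 and .54), the image name firefox.exe in place of the full path, and every connection attempt are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    app: str                 # image name the rule is bound to
    protocols: frozenset     # e.g. frozenset({"TCP"}) or frozenset({"TCP", "UDP"})
    direction: str           # "out" or "in"
    dst_nets: tuple          # allowed destination networks (ANY_NET for "ip any")
    dst_ports: frozenset     # allowed destination ports; empty frozenset means "ports any"

    def matches(self, app: str, proto: str, direction: str, dst_ip: str, dst_port: int) -> bool:
        if app.lower() != self.app.lower() or direction != self.direction:
            return False
        if proto not in self.protocols:
            return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in net for net in self.dst_nets)

# Assumed ISP resolver addresses (documentation range, stand-ins for the real ones).
ISP_DNS = (ipaddress.ip_network("203.0.113.53/32"), ipaddress.ip_network("203.0.113.54/32"))

RULES = [
    # Browser: TCP out to the http ports only, any destination.
    Rule("firefox.exe", frozenset({"TCP"}), "out", (ANY_NET,), frozenset({80, 443})),
    # svchost: DNS, but only to the ISP's resolvers.
    Rule("svchost.exe", frozenset({"TCP", "UDP"}), "out", ISP_DNS, frozenset({53})),
    # svchost: bootstrap (DHCP) broadcast, only needed on some router setups.
    Rule("svchost.exe", frozenset({"UDP"}), "out",
         (ipaddress.ip_network("255.255.255.255/32"),), frozenset({67})),
]

def evaluate(app: str, proto: str, direction: str, dst_ip: str, dst_port: int, rules=RULES) -> str:
    """Return 'allow' for the first matching rule, else 'ask' (no rule: the firewall alerts)."""
    for rule in rules:
        if rule.matches(app, proto, direction, dst_ip, dst_port):
            return "allow"
    return "ask"

# Constructed connection attempts: (app, proto, direction, destination ip, destination port).
SAMPLE_ATTEMPTS = [
    ("firefox.exe", "TCP", "out", "198.51.100.7", 443),      # https to a web server
    ("firefox.exe", "TCP", "out", "198.51.100.7", 8080),     # proxy-style port, not in the rule
    ("firefox.exe", "UDP", "out", "198.51.100.7", 443),      # wrong protocol
    ("svchost.exe", "UDP", "out", "203.0.113.53", 53),       # DNS to the ISP resolver
    ("svchost.exe", "UDP", "out", "192.0.2.1", 53),          # DNS to some other resolver
    ("svchost.exe", "UDP", "out", "255.255.255.255", 67),    # bootstrap broadcast
    ("svchost.exe", "TCP", "out", "192.168.1.20", 445),      # SMB to another LAN host
]

if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        print(f"{evaluate(*attempt):5}  {attempt[0]:12} {attempt[1]} {attempt[2]} -> {attempt[3]}:{attempt[4]}")
```

Only three of the seven attempts are allowed; the rest would surface as alerts, which is the point of the "only allow what is strictly needed" approach: the DNS rule refuses a resolver that is not the ISP's, and the browser rule refuses both a non-http port and the UDP protocol.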

Your rules will not work. As I said in earlier post:

Internet Explorer was allowed as a “white listed” application.

I tried adding Application Rules that allowed outgoing access for svchost.exe and System (and other System32 programs such as spoolsv, services, lsass, smss, csrss etc etc). Outgoing access was any IP, any port any protocol - much broader than your suggestion + I had given outgoing permission to other O/S applications…

With these rules I still got the WOS alerts and could not get internet access unless I allowed the WOS alert (but once the WOS alert was allowed nothing else was needed).

The WOS alert from Comodo states that it is unable to determine the underlying cause of the WOS alert. Hence there are no clues as to why it is happening.

So still no solution.

Your rules will not work

Again, I don't know what WOS does and in what circumstances it appears.

But I have no whitelist or trusted vendor and these (quite restrictive) rules definitely work for me.

The problem is that nobody seems to know what WOS does and the underlying cause for its appearance. The only thing that I can think of now is to find some kind of traffic monitor that reports in greater detail than Comodo’s Firewall Events - that might give me a clue as to the underlying cause of the WOS alert. Any suggestions for a traffic monitor?? Otherwise I will search the web and see what I can find.

But I have no whitelist or trusted vendor and these (quite restrictive) rules definitely work for me.

I see that you can delete the vendors (other than Comodo) from the Trusted Software Vendors list. But I do not see how you can eliminate Comodo’s “White List”. I have been told that the “White List” is not accessible by the user??

Excepting the AV itself (I don't use it), and outside of Comodo you have no other choice but to trust it as a vendor, CIS 3 set as proactive, firewall custom, Defense+ paranoid, does not trust anything and asks for everything not explicitly allowed as long as you don't set yourself some application in a trusted application group: even if a whitelist still exists, I don't know about that, it has in these conditions no effect whatsoever.