Actiontec modem shows up as UPnP device in My Network Places

Modem: Actiontec GT701.

This device is showing up as a UPnP device in My Network Places. CIS 2011 Firewall Free is displaying numerous intrusions that are blocked, all pointing to this device. At present I am showing 28 intrusions. All packets originate from 168.192.0.1 and destination 168.192.0.2, TCP ports are variable.

I set CIS to automatically block both explorer.exe and svhost.exe from connecting to the internet. Thus, I have the packet intrusions detected by CIS firewall. Even though both executables are blocked for outgoing, I still will see the modem in My Network Places. Just opening the folder for network places and closing it (when the UPnP device is displayed) will result in the window not opening the next time I check. Using Start/My Network Places does not work either. So, invoking or opening or closing the window will result in failure on the next check. If there is no device listed, I can open and close this window w/o fail.

Let me be clear: the UPnP device does not show immediately; it is only after a few minutes that it shows.

Explorer.exe would fail to close on reboot before I set CIS to automatically block it; I used manual block instead. This resulted in the computer hanging unless I used force quit.

I must point out I did not see this behavior when I ran CIS V4. This showed up only after upgrading to V5.

I have seen this before when I ran Zone Alarm Free, but not after switching to CIS V4 Firewall Free.

Running Win XP Home, SP3, CIS V5 (stable), Avast Home Edition Free, v. 5.644. CIS is set to Safe, Safe (firewall and defense +) so I am pretty certain the modem is the problem, not CIS or the computer settings.

What can I do about this, and how to fix?

Thanks,

mchain

UPDATE: CFP.exe now does not load or show in notification area on boot or logon unless I click ‘Cancel’ or enter password. See attached .jpg pictures for clarification. This behavior was not there on first install, and the window for ‘New Network Found’ always appeared when modem was connected until I changed settings for explorer.exe and svhost.exe.

192.168.0.2 is the internal DHCP IP address of my computer.

UPDATE: Here is a picture of My Network Places.

UPDATE: Update at 1352 hrs, 10/8/2010; Firewall logs.

Yet Another Update: See .jpg below for picture of Network Gateway.

Any response to this out there?

I can see some are reading this post.

Please, any assistance will be appreciated.

All .jpg files posted over time as I thought to document this.

mchain

The target port is always 2869. That is for uPnP discovery. That is regular traffic for a uPnP enabled modem/router.

I set CIS to automatically block both explorer.exe and svhost.exe from connecting to the internet. Thus, I have the packet intrusions detected by CIS firewall. Even though both executables are blocked for outgoing, I still will see the modem in My Network Places.
Can you state the rules you made for svchost.exe and explorer.exe in the following fashion:

Action:
Protocol:
Direction:
Source Address:
Destination Address:
Source Port:
Destination Port:

Just opening the folder for network places and closing it (when the UPnP device is displayed) will result in the window not opening the next time I check. Using Start/My Network Places does not work either. So, invoking or opening or closing the window will result in failure on the next check. If there is no device listed, I can open and close this window w/o fail.

Let me be clear: the UPnP device does not show immediately; it is only after a few minutes that it shows.

Explorer.exe would fail to close on reboot before I set CIS to automatically block it; I used manual block instead. This resulted in the computer hanging unless I used force quit.

I must point out I did not see this behavior when I ran CIS V4. This showed up only after upgrading to V5.

I have seen this before when I ran Zone Alarm Free, but not after switching to CIS V4 Firewall Free.

Running Win XP Home, SP3, CIS V5 (stable), Avast Home Edition Free, v. 5.644. CIS is set to Safe, Safe (firewall and defense +) so I am pretty certain the modem is the problem, not CIS or the computer settings.

What can I do about this, and how to fix?

Thanks,

mchain

I don’t think the modem is the problem as it has not just started doing the uPnP broadcasting after updating to v5.

Could you also show a screenshot of your Global Rules?

UPDATE: CFP.exe now does not load or show in notification area on boot or logon unless I click 'Cancel' or enter password. See attached .jpg pictures for clarification.
The password dialogue normally only shows up when you have parental controls enabled. Do you have parental controls enabled? When did you enable them?
This behavior was not there on first install, and the window for 'New Network Found' always appeared when modem was connected until I changed settings for explorer.exe and svhost.exe.
Did the problem with the freezing also arise after you changed these rules?
192.168.0.2 is the internal DHCP IP address of my computer.

UPDATE: Here is a picture of My Network Places.

UPDATE: Update at 1352 hrs, 10/8/2010; Firewall logs.

Yet Another Update: See .jpg below for picture of Network Gateway.

Any response to this out there?

Waiting for your answers

EricJH,

Thanks for your reply. I will post an update soon, have been away from my computer for the last few days.

You will see more .jpg files illustrating the information you require, as well as specific rules for svhost.exe and explorer.exe.

I will need a little more time to post this.

Thanks.

mchain

Keep us posted. I will see when you posted because I always check for new posts for topics I am involved in.

EricJH,

Thanks for your reply.

As I have found out, doing this work sometimes takes quite a bit of time to do it right. I am sure the same is true for you.

Several .jpg files will be posted at the bottom of this post, as well as a .txt file. I tried earlier to post with a .rtf file with the same content, only to find the forum rules forbid posting a .rtf file. Sorry 'bout that. This resulted in the entire post being lost when posted, but here goes…

I will answer your questions in the order you posted them.

1.) Am I correct in understanding a uPnP device always is discovered and the target port is always 2869? Why, then, are different ports noted when the three rules for explorer.exe, svhost.exe are fired?

2.) See the attached .txt file for the information you require.

3.) There is additional information you need to know re the modem. About a year or so ago, it completely crashed while online, and it sat unused until March of this year. I deduced I needed to get and install a firmware recovery update from Qwest. I downloaded that (never did that before) and ran it, got the modem running again. I made sure that the firmware settings were protected by a password, unlike the first time. In addition, when you look at the Global rules, you will see that I have inserted a new rule for Trojan, File Nail, port 4567, both UDP and TCP. The reason I did that is because both GRC and Firewall Test, Web Tools, Free Internet Security web sites both reported this port to be open. I do realize neither site actually tests CIS, rather the test is to the modem, as the internal DHCP cannot be seen. Only the modem is visible to the internet.

4.) See Global Rules.jpg.

5.) For the password dialog box appearing before cfp.exe loads in the notification area, this behavior did not occur before I enabled the rules for explorer.exe and svhost.exe. CIS saw these two applications asking for internet access and the dialog box asked me what to do. I chose to allow at first, without remembering the setting, then deny when CIS kept asking, with remember applied at that time.

6.) It is possible the open port 4567 came with the firmware recovery; before the crash no open ports were detected; 4567 was detected as stealth at that time.

Here are the files attached below:

Thanks,

mchain

EricJH,

Here are some more .jpg files. Should be self-explanatory.

Thanks,

mchain

???

And here are some more .jpg’s

Thanks for reporting back.

About the Internet Gateway message you get: as far as I understand the alert, your computer is set up for Internet Connection Sharing. In this mode your computer can connect to the net, acting as a gateway, for other computers. If you are not doing such a thing you can disable it in the Properties of your network connector.

  1. The target port is always 2869 but the source port varies. If you want to make a block rule for incoming traffic at port 2869 change the source port to ANY. Destination Port would be 2869.

The problem with the CIS icon not showing up in the systray is a Windows XP problem. Read more about it here: How To: Fix Missing System Tray Icons at Windows XP startup.

Let me know how things go and where you still have problems or questions. There are more than just a few, which makes it hard to keep track of them… ;)
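The point in the reply above, that the destination port stays at 2869 while the source port changes on every connection, can be checked against a firewall log export. This is an added example, not part of the thread or of CIS; the CSV layout, the sample entries and the 192.168.0.x addresses are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample entries (not the thread's attachments):
# protocol, source IP, source port, destination IP, destination port
SAMPLE_LOG = """\
TCP,192.168.0.1,1025,192.168.0.2,2869
TCP,192.168.0.1,1031,192.168.0.2,2869
TCP,192.168.0.1,1048,192.168.0.2,2869
TCP,192.168.0.1,1052,192.168.0.2,135
"""

UPNP_PORT = 2869  # destination port named in the reply above


def summarize(log_text):
    """Group entries by (proto, src, dst, dst_port); collect the source ports seen."""
    flows = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in an export
        proto, src, sport, dst, dport = row
        flows[(proto, src, dst, int(dport))].add(int(sport))
    return flows


def classify(flow_key, gateway="192.168.0.1"):
    """Label a flow: expected UPnP traffic from the gateway, or something to review."""
    proto, src, _dst, dport = flow_key
    if proto == "TCP" and src == gateway and dport == UPNP_PORT:
        return "upnp-from-gateway"
    return "review"


if __name__ == "__main__":
    for key, sports in sorted(summarize(SAMPLE_LOG).items()):
        proto, src, dst, dport = key
        print(f"{classify(key):18} {proto} {src} -> {dst}:{dport} "
              f"({len(sports)} source ports: {sorted(sports)})")
```

Many log lines that collapse into one flow with a fixed destination port and several source ports match the pattern described in the reply; anything labelled `review` has a different destination port or sender and deserves its own look.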

EricJH,

From what I have seen, you are a bit busy at times on the forum (and elsewhere, I am sure).

To answer the ICS sharing question, the last time I looked, even though I was running as admin, the properties section under Advanced showed greyed-out. I could not uncheck\check that box even if I wanted to. As best as I remember, the box was checked, though I am positive I never checked it off as this is a standalone computer. The only network connection is to the modem.

Since I disabled UPnP and SSDS services, (see post just before your reply, don’t know yet how to selectively quote a post as you do) in the quote posted in bold, I now can see ICS, and it is now unchecked, but not by me.

When the modem went down, the firmware repair program required I manually set the adapter to 192.168.0.99 in order to run the program. I tried to reset the IP address to a different one using the same program I used to set to 192.168.0.99 by using Local Network Status dialog, but this did not work.

It is interesting that it seems to have reset all on its own to a new DHCP address, not 192.168.0.99.

I do not know of any programs I run on this computer that require UPnP functionality anyway. So, disabling it is possibly a good idea, given this was a known security issue on XP some years ago.

As for the password dialog box, the workaround for that is to simply click “Cancel”. However, this was not the initial behavior when CIS V5 was first installed.

Let me be clear about this: cfp.exe icon does not show in systray until I click “Cancel”. Odd!

Any help in fixing this problem would be appreciated. You should know that unchecking the ‘hide inactive icons’ does not affect the password box behavior.

Thanks.

mchain

EricJH,

Well, I gave up, uninstalled and re-installed, and now the problem is gone. No more problems with a UPnP device in Network Places.

Main setting change was to disable UPnP functionality. Really don’t need it anyway. This was a known security vulnerability a few years back.

Everything is back to the way it was, except I have also disabled fast index searching as well. On an XP system, the indexing service can run and slow the computer down as well as cfp.exe when both are running, so the net impact is to speed my system up a significant amount.

When will the bug for cfp.exe be fixed?

mchain

EricJH,

At least the UPnP device is gone for some time now.

Why it showed up I still do not know.

I have made some changes to my system related to the UPnP device to further speed up my system and reduce the frequency of logfile deletions (which happen several times a day).

I made MsMpEng.exe a trusted/installer to prevent Defense + from scanning it repeatedly.

I made suggested changes that I found in Metalfyre’s thread which ended a few weeks back.
Note that Metalfyre reverted to V4 and is waiting for an update to V5 before updating again.

I believe in what Comodo is trying to do, hence the extensive troubleshooting I have done on my XP system. I understand Comodo would prefer users use their antivirus in combination with their firewall for best performance, but I think the bug issue of Avast! and Comodo firewall still needs to be addressed.

As of right now, log files have been running for two days now since I made the change to Windows Defender. No automatic deletion when the file size reaches more than 20 MB for two days now, since the logfile has not grown to be that big yet.

Thanks.

mchain