Allow/Block?

TCPView by Sysinternals would probably be the easiest. You actually don’t even have to install it; just download and run it from there (a lot of Sysinternals’ stuff doesn’t have to install). However, the results it gives are not as complete, and you can’t kill/terminate connections with it.

What’s Running is probably the best balance overall. It gives the most information, yet installs and runs very simply. If you want to track down details of the connection, it will provide you pretty much every piece of information you could ever want to know. You simply open the IP Connections tab, then highlight your item of interest. All the details then show in a viewing pane to the side.

Ultimate simplicity = TCPView, but loses some ground on the information side
Ease of use = What’s Running (available www.whatsrunning.net)

LM

PS: If you’re getting application alerts for Inbound access, that’s not the same as an unsolicited Inbound connection (which would be stopped at Network Monitor). This would mean that an app needs to be able to accept a returning Inbound connection, but is not allowed to do so by its defined rule. The various automation aspects just add another layer of complexity to it…
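Added example, not from the thread and not part of TCPView or What’s Running: the same lookup the poster does by hand (local port from an alert, then the process that owns it) using the NetTCPIP cmdlets that ship with Windows 8 / Server 2012 and later. It assumes an alert gives you a local port (1027 is used as the sample input) and optionally a TCP remote address, and it reports the owning process, its parent and its command line.

```powershell
# Added example, not from the thread: map a local port from a firewall alert
# to its owning process, as TCPView / What's Running do, using the NetTCPIP
# cmdlets built into Windows 8 / Server 2012 and later. Run elevated so the
# command line of services such as svchost.exe is readable.
function Get-PortOwner {
    param(
        [Parameter(Mandatory)][int]$LocalPort,   # e.g. 1027 or 1031 from an alert
        [string]$RemoteAddress                   # optional, TCP only, e.g. 192.0.2.10
    )

    # UDP endpoints have no remote side, so they are matched on local port only.
    $udp = Get-NetUDPEndpoint -LocalPort $LocalPort -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Proto'; e = { 'UDP' }}, *
    $tcp = Get-NetTCPConnection -LocalPort $LocalPort -ErrorAction SilentlyContinue
    if ($RemoteAddress) { $tcp = $tcp | Where-Object RemoteAddress -eq $RemoteAddress }
    $tcp = $tcp | Select-Object @{n = 'Proto'; e = { 'TCP' }}, *

    foreach ($e in @($udp; $tcp) | Where-Object { $null -ne $_ }) {
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.OwningProcess)"
        # The parent is what the firewall alert's "parent" field refers to
        # (services.exe for svchost.exe, for instance).
        $parent = if ($proc) {
            Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        }
        [pscustomobject]@{
            Proto       = $e.Proto
            Local       = "$($e.LocalAddress):$($e.LocalPort)"
            Remote      = if ($e.RemoteAddress) { "$($e.RemoteAddress):$($e.RemotePort)" } else { '-' }
            PID         = $e.OwningProcess
            Process     = if ($proc) { $proc.Name } else { '(exited)' }
            Parent      = if ($parent) { $parent.Name } else { '-' }
            # For svchost.exe the "-k <group>" argument tells you which service
            # group this particular host process belongs to.
            CommandLine = if ($proc) { $proc.CommandLine } else { '' }
        }
    }
}

# Usage: which process owns local port 1027 right now? (Sample input; the
# connection must still exist, so run this while the alert is pending.)
Get-PortOwner -LocalPort 1027 | Format-Table -AutoSize
```

Because CFP holds the connection while its popup is open, the endpoint usually is still present when you run this; once you click Deny it is gone.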

Alright, I got What’s Running running, ugh, this is starting to seem like a lot of work for legit programs. So basically, I just compare the local port name with the port and connection address on pop-ups and see what uses it in process name?

Also, will this work while Comodo is holding the connection (no action on pop up) or will I need to allow it to see what’s going on. Deny I figure just kills, as I don’t see any UDP connection with the port numbers that have been popping up.

Yeah, in order to find out more about the connection, you’ll have to allow it (without remember, so as not to create a rule). Blocking w/CFP will of course stop the whole thing…

And yes, it can seem like a lot of work at times. Some don’t care to go to that effort; that’s why I said “If you’d like to know” - not everyone does! :wink:

On the other side of the coin, if you find that there’s illegitimate activity going on, then it’s all worth it in my book.

LM

Heh, well with your help I found out I didn’t need ALG so that freed up some room, so it’s not like this has been a complete waste for me in looking. I don’t think there’s anything illegitimate going but I guess I can never be sure, plus I might stumble on something I don’t need and can get rid of which is always a plus.

I think I’m just going to go make a rule to block out the outbound to 239… port 1900 to save me some trouble.

I got another hit with 1031, I think the in just switches between the 1027 and 1031, with the majority being 1027. Wonder what makes these two so special after ALG was disabled?

I’ll do a couple of restarts with allow and see what shows, heck I need to test out the new outbound rule anyways.

As always, thanks for all your lovely assistance and insight.

edit: Okay I see nothing with either ports in IP connections, and so far it seems 1031 has been catching up with 1027 in start up. On the bright side, the new rule for outbound works.

You will probably end up seeing that there is a whole lot of “chatter” with computers running Windows. Especially if you’re on cable, or a LAN. It’s pretty amazing. I have created a number of those Block rules in Network Monitor, for certain ports and IPs on my network here. The only contact I allow is for the DHCP & DNS servers. Yet there’s all kinds of activity for (as far as I can tell) absolutely no reason whatsoever!

I have Linux at home, and it’s absolutely quiet when I’m not running an application on the net. The only activity is for my ISP… That’s a dual-boot system with XP on the other side. So the connection is identical; extraneous Services are disabled, and nothing is allowed to connect except in certain ways. And there’s constant activity from seemingly everywhere! Most of it’s just “invisible” Windows junk… Uggh!

LM

I see what you mean, I have cable and there sure is a lot of junk running about in connections.

Anyways, I didn’t realize that you could simply block it from Network Monitor, shows how slow I am. I guess I’ll block the inbound from 1024-1031 as well, do you think that’ll cause any problems?

Oh so I have to pretty much set the rules for the applications as well, otherwise there’s a pop up.

Yep, Network Monitor is the way to go for those pernicious connection attempts that just don’t seem to go away - especially by “System.” Block, but don’t log. You won’t get alerts for NetMon incidents…

As for the application-related alerts, I have two questions:

  1. Are these all “hijacking” type alerts, rather than just straight application alerts?

  2. Where is your Alert Frequency level set?

Once you define a NetMon rule to block a port permanently, you should not need to make any changes to rules in AppMon, due to the way CFP filters through the various monitors, since NetMon doesn’t give popups. If you get popups from an Application, it most likely is a hijacking type of alert (OLE, dll-injection, etc). If you see continued hijacking type alerts from one application in particular, you can create a rule in AppMon for that offending application, set it to Block everything for that application, with the parent set to Skip or Learn.

LM

  1. Yeah they’re all OLE automation hijacking alerts.

  2. Default Low

NetMon rule set with UDP out, source: any, destination: 239.255…, criteria: source port any with destination port 1900. There’s a pop-up for svchost/services with this setting for an outbound with the said destination and port, blah blah blah explorer.exe blah OLE automation blah hijacking.

Wait, in this case the offender is Svchost, don’t I need that (kinda ■■■■■■■ avast up blocking it, but then again that was with a parent).

You’re not wanting to block svchost, that’s the victim, not the offending app.

The offending app is explorer.exe, which is the Windows shell. It should not need to connect to the web in any way, for any reason I’m aware of. Just create an AppMon block rule for it.

Application: c:\windows\explorer.exe
Parent: c:\windows\explorer.exe (or learn, or skip - but setting the parent to itself is probably a good bet)
Action: Block
Protocol: IP
Direction: In/Out

Then I’d suggest a reboot to make sure memory is cleared out and the rules reset.

LM
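Added example, not from the thread and not CFP’s own configuration: the two block rules discussed above (the NetMon rule for UDP out to the 239.x multicast group on port 1900, and the AppMon rule blocking explorer.exe in both directions) expressed for the Windows Firewall that ships with Windows Vista and later, which is a swap of tool, not of technique. It assumes an elevated prompt and uses 239.255.255.250, the standard SSDP/UPnP discovery multicast address, as the full destination.

```powershell
# Added example, not from the thread: the CFP NetMon and AppMon block rules
# above rewritten for the built-in Windows Firewall. Run from an elevated prompt.
# 239.255.255.250 is the standard SSDP/UPnP discovery multicast address.

# Equivalent of the NetMon rule: UDP out, any source port, destination port 1900.
New-NetFirewallRule -DisplayName 'Block SSDP out (example)' `
    -Direction Outbound -Protocol UDP -RemoteAddress 239.255.255.250 -RemotePort 1900 `
    -Action Block -Profile Any | Out-Null

# Equivalent of the AppMon rule: block explorer.exe for TCP and UDP, in and out.
# Windows Firewall has no "parent" field, and one rule covers one protocol and
# one direction, so the single CFP rule becomes four rules here.
$explorer = Join-Path $env:SystemRoot 'explorer.exe'
foreach ($dir in 'Inbound', 'Outbound') {
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Block explorer.exe $proto $dir (example)" `
            -Program $explorer -Direction $dir -Protocol $proto `
            -Action Block -Profile Any | Out-Null
    }
}

# Unlike a CFP alert, logging dropped packets here only writes to
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log; no popups result.
Set-NetFirewallProfile -All -LogBlocked True

# Verify what was created.
Get-NetFirewallRule -DisplayName '*(example)*' |
    Format-Table DisplayName, Direction, Action -AutoSize
```

Remove the rules again with `Get-NetFirewallRule -DisplayName '*(example)*' | Remove-NetFirewallRule` once you have finished testing.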

By IP, do you mean the “TCP or UDP” option, because I only have tcp, udp, and tcp or udp options under protocol?

edit: No go with those specs-
Application: c:\windows\explorer.exe
Parent: c:\windows\explorer.exe
Action: Block
Protocol: TCP or UDP
Direction: In/Out

Still getting a pop-up OLE hijack attempt.

Sorry, yeah TCP/UDP for the IP Protocol.

Ah okay, well didn’t work.

I set the rule, then deleted the other two rules in App. Mon along with the rules in net. mon. Then restarted and up came the two pop-ups.

Can you get me a screenshot of each of those popups, and attach to your post?

Maybe I’ll see something in there that will give us a better result.

LM

They’re pretty much the same as the second pop up on page 1 of this thread, but here goes:

[attachment deleted by admin]

Two new ones appeared after I installed BOClean. Technically I ran the “Scan for known applications” from CFP, then I disabled my internet connection and closed CFP, restarted it and enabled my connection again, then both hit. The 19 hit first, then after I declined it the 255 occurred, and I lost my internet. On a shut down and boot up, both occurred again and I denied, and I didn’t have any internet. I did another scan with CFP and then restarted; this time neither occurred and I had internet, leading me to believe that one, if not both, of them controls my internet connection, and wondering if somehow the CFP scan had something to do with this occurrence?

I’ve tried looking up both the addresses and found something in regards to the 255 from Microsoft, but I can’t really make sense of it. I also currently see the 255 connection running in the connections log in CFP.

[attachment deleted by admin]

Those two latest ones relate to your IP connection being established, it would appear… DHCP on ports 67, 68. Run by svchost.exe/services.exe.

So I’m wondering, what is your application rule for svchost? You should have one, especially since running the Scan… Are you utilizing the Safelist? Security/Advanced/Miscellaneous/Do not show alerts for applications certified by Comodo…

Also, let’s change the explorer.exe Block rule Parent to either Learn, or Skip. Explorer should not be hijacking svchost like this; it’s quite odd (which is why I wonder about your svchost rule).

LM

Do not show alerts is/was checked and I changed the parent of explorer.exe to learn. I will now delete the svchost rules and test them now.

Edit1: No go with learn; the automation continues, will now try skip. I’m feeling this won’t work either though.

edit2: No go with skip either.

edit3: I assume you mean running automation for my IP connection, which I just got hit with again, as from what I read the OLE automation with explorer, svchost/services and 239 is quite common, not entirely sure of the inflow with said applications though. What the he** did Microsoft do to my computer with these last updates wink.

[attachment deleted by admin]

Sorry to jump in mate, but I too have been getting lots of svchost.exe prompts and I was unsure what to do, as it only happened after the Microsoft updates.

It appears that this week’s updates changed the guts of our trusty system sidekick, svchost.exe (and perhaps some other stuff as well), thus prompting alerts. We will have to Allow w/Remember to reset/update our rules.

Hopefully, MS didn’t jack with 'em so much that we’ll get constant hijack alerts. (:AGY)

Oriour, I think you mentioned removing your svchost.exe rules. If you get straight popups for svchost.exe w/system as parent, be sure to Allow w/Remember to get the right ruleset back in. If it keeps getting hijacked by explorer.exe, I’m not sure what the heck is going on with it.

LM

Alright, I’ll follow along and will chuck the current blocking rules, which I’ve put back into place, though if I do I think I lose my first defense, the stealth shield, and will have to resort to Comodo and Avast to make sure nothing crazy happens (I removed Boclean to see if it affects explorer and my IP connections).

Meanwhile, at least I got a pop-up that’s somewhat familiar (port 123).

Wait so let me make sure I didn’t misread, basically remember allow the pop-ups for svc/services with the explorer hijack (usually 2, potentially 5 (2 IPs and a system time update)) and wait and see what happens, and report in if I keep getting hijack reports despite remember allow?

[attachment deleted by admin]