Blocked intrusions

Just downloaded and installed Comodo. This is the first time I’m using a non-Windows IP and I’m really new to all this. I wouldn’t say I’m completely computer illiterate, but I’m not really an expert either. I looked up some solutions to this problem, but didn’t really understand the answers or if they were specifically the problem I was having.

  1. First of all, I have Avira, ThreatFire, and SUPERAntiSpyware on my computer. So, I decided to completely disable Defense+.

  2. I installed Comodo and I haven’t really messed around with any settings besides disabling Defense+. Basically I noticed that it says “the firewall has blocked 33 intrusion attempts.” When I go to check to see these attempts here is what I see.

Application: System
Action: Blocked
Protocol: UDP
Source IP: XXXX
Source Port: 138
Destination IP: XXXX (diff. IP than the Source IP)
Destination Port: 138
Date/Time: XXXX

Basically, what does this mean? What should I do to stop it or fix it?

Oh and my firewall security level is set to safe mode

Thanks in advance.

Hi jd1010, welcome to the forums.

UDP on port 138 is what’s called a “NetBIOS datagram”. It’s usually related to LAN file-sharing, printing and such like. But, it can be exploited if open to the Internet (which would be unusual & unwise)… which is why CFP is blocking them by default.

Quick question first: Are the masked IP addresses LAN (Local Area Network) IPs or are any of them Internet IPs?

edit: Also, do you have a Home Network (LAN)?
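
The LAN-or-Internet question asked above can be answered from the log fields themselves. The following Python is an added example, not part of the original thread and not Comodo's own tooling: it parses entries in the field layout quoted in the first post and labels NetBIOS traffic by source range. The sample addresses and the label names are constructed for illustration.

```python
import ipaddress

# Address ranges a home LAN normally uses (RFC 1918 private + IPv4 link-local).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
NETBIOS_UDP_PORTS = {137, 138}  # name service and datagram service

# Constructed sample entries; the addresses are made up for this example.
SAMPLE_LOG = """\
Application: System
Action: Blocked
Protocol: UDP
Source IP: 192.168.1.4
Source Port: 138
Destination IP: 192.168.1.255
Destination Port: 138

Application: System
Action: Blocked
Protocol: UDP
Source IP: 203.0.113.50
Source Port: 137
Destination IP: 192.168.1.2
Destination Port: 137
"""

def parse_entries(text):
    """Split blank-line-separated blocks into dicts of 'Field: value' pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if fields:
            entries.append(fields)
    return entries

def classify(entry):
    """Label one entry by whether NetBIOS traffic came from a LAN address."""
    try:
        src = ipaddress.ip_address(entry["Source IP"])
        port = int(entry["Destination Port"])
    except (KeyError, ValueError):
        return "unparseable"  # e.g. a masked "XXXX" address
    if entry.get("Protocol") != "UDP" or port not in NETBIOS_UDP_PORTS:
        return "not-netbios"
    return "lan-netbios" if any(src in n for n in LAN_NETS) else "internet-netbios"

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["Source IP"], "->", e["Destination Port"], classify(e))
```

Entries labelled `lan-netbios` are the home-network file-sharing chatter described above; an `internet-netbios` entry is the case that should stay blocked.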

I believe they are LAN. It’s a home network through verizon fios and the router they provided. I also use the computer at school, but I’m not really sure what type of network they use.

Also, there are two source ports that are being blocked, 137 and 138

THIS topic may be of some interest to you.

Matty

Thanks, am I dumb if all this makes little sense to me? I followed the link Matty R gave me and I didn’t really understand much of what the TC was saying. I also tried to follow his steps, but I have Vista so everything is different.

I would not say “dumb”… merely “unfamiliar” with, that’s all. :slight_smile:

OK… now disabling NetBIOS for the Internet may not be necessary for a couple of reasons. Although I don’t have Vista, I suspect that Vista doesn’t add NetBIOS (XP calls it “File and Printer Sharing for Microsoft Networks”) to external network adapters (modem, routers, etc…) and even if it did… CFP wouldn’t allow it anyway (by default). But, removing it from external adapters is the best (safest) thing to do. Does Vista have a “Network Connections” in the Control Panel? If so, have a look & see what is in there (you’ll probably see entries for your LAN & your modem/router/whatever)… and let us know.

Back to your original post: What CFP is blocking is OK (safe) for an internal LAN (Home Network) and may even be necessary to get full operation from the LAN (sharing, browsing, printing, etc…). That said, CFP by default detects Networks (LANs) & prompts the user if the Network should be shared. Given CFP’s Log entries, this implies that either CFP failed to detect the LAN when it was first installed or you said “No” to sharing when it was offered. Basically, it seems that CFP is not aware of the LAN… which it should be. This being the case - open CFP, go to the Firewall tab & run the “Stealth Ports Wizard”. Select the first option. This will re-detect the LAN (which you do want to share) and stealth everything else. I think this should solve the blocks in CFP’s Log.

Just been reading up on “Verizon FiOS”. I’m not sure, at this point, how this appears on your system… hopefully it’s a separate adapter (device) that can be easily separated by CFP. But, if it is part of the LAN and appears as an internal IP on the LAN… then that might require a bit more consideration. You also mentioned your school… is your LAN and the school linked in any way (aside from via the Internet)?

edit

  1. No, my LAN and school are not linked in any way. When I’m home I’m using the home network. When I’m at school I am connected to their network. My school requires connecting through Cisco Clean Access Agent. Since I haven’t been there since installing Comodo, I don’t know if it’ll cause any conflicts. I guess we’ll see.

  2. Vista has a network sharing center. All your network options are maintained through this screen. All your network sharing and managing of the network is done in this area. I have an option to “manage network connections.” In this screen I have my “Local Area Connection” and my “Wireless Network Connection.”

  3. I just tried your option of re-detecting my LAN through the “Stealth Port Wizard.” I will report back shortly to see if it fixed the problem.

Hopefully the “Wireless Network Connection” is FiOS. That being the case, you do not want to share that in CFP, only your LAN should be shared in CFP.

Nope, I cannot really tell which is FiOS & which is your LAN. It could be either if you have a Wireless LAN. Whichever it is, it’s your LAN that you’re looking to share, not FiOS (as that’s the Internet). Sorry to be repetitive, just trying to make sure that you’re not put at risk.
(:AGL)

Thanks Matty
I had forgotten about the WINS; I was wondering why I was still getting NetBIOS alerts after disabling file sharing extra.
No alerts now thanks ;D
Dennis
jd1010
If you still want to stop NetBIOS on the WINS tab, instructions are below.
I have no problems after disabling NetBIOS to connect via LAN to my router. On Vista it is a little harder to get to the WINS tab.

Control Panel/ Network and Sharing Centre/ Manage Network Connections/ Local Area Connection (This was mine no wireless connection)
Right click on Local A. C. select properties click
Then select Internet Protocol Version 4 (TCP/IPv4) click properties bottom right corner
On the next item that comes up click on advanced then you will see WINS as the last Tab.
Dennis

Ah someone with Vista! Thanks for your help Dennis. :slight_smile:

Ok, well it worked. I’m not getting any more blocked intrusion attempts. I’ll repeat my exact steps of what I did.

  1. I went to the “Stealth Port Wizards.” Checked the first box, which is “Define a new trusted network-stealth my ports to everyone else.”

  2. Clicked Next, and checked the box which says “I would like to trust an existing network zone.”

  3. 1st time I picked Local Area Network #1 as the zone I’d like to trust, and it didn’t do anything. I realized I had actually named my network as “Home” the first time Comodo asked me. So I went back and repeated the steps, this time selecting Home as the network I’d like to trust. It worked. Hopefully I didn’t open up any security holes.

Also, the wireless network connection is the signal from my FiOS router. That’s what I use to connect to the Internet. I’ve actually disabled “local area connection” in “manage wireless networks,” as I never hook up to the network using ethernet wires.

It is nice in some ways but a real pain to change settings and delete certain files.
Dennis

So, is what I did safe or should I follow the method Dennis gave of disabling netbios? If I should disable NetBios how do I reverse what I already did?

jd, just to be certain that you’ve not opened any holes, can you open CFP - go to the Firewall tab, select Advanced - Network Security Policy. Then click on the Global Rules tab (upper part of the window), resize the window so that all rules are visible & check to ensure what you think you created (using the Wizard) is there. What you’re looking to ensure is that you have a matching pair of In/Out Allow rules for your LAN (Home) & nothing for the FiOS adapter.

If you need help, just take a screen shot & post it here.

NetBIOS: To be totally safe, you should follow Dennis’ instructions. I’m sure he’ll help further if you need it.

Attached a screenshot of the global rules. I appreciate all the help guys. I truly would have never been able to figure this out on my own.

I followed Dennis’s instructions and I got to the area of where to disable NetBios. However, I thought just leaving it alone would be better since it wasn’t causing problems anymore.

[attachment deleted by admin]

Assuming those “Local Area Network #1” entries are either redundant (duplicates of Home) or FiOS then delete them. You can edit the individual entries to see what IP numbers they are using & if this ties up with your Home LAN (duplicates) or FiOS (potential security risk). But, that’s talking from the stand-point of not knowing how FiOS actually works.

NetBIOS: Personally, I’d disable it (or at least try). But, as above, that is without knowing how FiOS works, it might break FiOS. However, you can always re-enable it if it does.

Ok, well I decided to uninstall and reinstall Comodo. I tried deleting the rules I had created so that I could see whether disabling the NetBIOS would fix the problem. When I deleted the rules, the blocked intrusions were not coming back. I deleted them from Application Rules and Global Rules, I restarted the computer and the blocked intrusions were still not coming back.

So, I deleted Comodo, reinstalled it and now with a fresh install the blocked intrusions still haven’t come back. I guess I’m satisfied, but it just seems weird. Maybe this program is a bit too complex for me.

Oh and I also created a few rules before I deleted it so that I could tell if the settings/configurations would be transferred to the new install. They didn’t transfer to the new install.

Too complex? Never! It can never be too complex! The more geeky twiddly bits the better! :wink:

However, you will probably be pleased to hear that Comodo are working on a much less verbose version (involving “hidden” geeky twiddly bits no doubt ;D). Which, by all indications, shouldn’t be that long in arriving (no firm dates as yet).

Anyway, if you are happy & all the issues are resolved (although in a slightly “weird” manner), then I can close this topic. OK?

You may get it reopened again, if needed, by sending any Mod a PM (Personal Message)… best if you pick one that is on-line at the time (quicker).