Blocked traffic

Hi,
I have a communications program that is being blocked by Comodo. If I turn off application monitoring everything seems ok.

I am wondering if there is any way to see why the traffic is blocked. The log file doesn’t show register of the traffic trying to be sent.

I started with auto learn turned on, I answered all of the Allow/Deny questions with allow. Once I turn App monitoring on, communications from this app stop.

I have also tried to add a rule by hand using learn parent, Allow all activity for this application, etc.

Thanks,
gini

gini,

A few things:

  1. Have you rebooted and tried again? Wait until you’ve gone thru these items.

  2. What is the application (it may help to know specifics)?

  3. Go to Security/Advanced/Miscellaneous, make sure the top box, “enable alerts” is checked.

  4. Go to Activity/Logs. Right-click, select Log Events From, and make sure Application Monitor is checked.

LM

Hi,

Thanks for your quick response.

  1. Have you rebooted and tried again? Wait until you’ve gone thru these items.

Yes. I have installed, uninstalled, reinstalled with reboots several times over the last few days.

  2. What is the application (it may help to know specifics)?

nokLINK

  3. Go to Security/Advanced/Miscellaneous, make sure the top box, “enable alerts” is checked.

Checked

  4. Go to Activity/Logs. Right-click, select Log Events From, and make sure Application Monitor is checked.

Also, checked.

Thanks,
gini

Okay, let’s see if we can kick this thing a bit…

Looks like nokLINK works over TCP. So, let’s give this a shot.

In Network Monitor, find the rule to Allow TCP/UDP Out Any IP/Port. Open to Edit, click the box “Create an alert if this rule is fired.” OK and close.

Then go to Activity/Logs. Right-click and select “Clear all logs.”

Do this with the Application Monitor turned off. This should allow us to capture all traffic generated by nokLINK.

Close and then run nokLINK.

As soon as you’re connected and working, go back to Activity/Logs.

Right-click and select “Export to HTML.” Save the file and reopen it.

Highlight the entries, and Copy. Then Paste into your next post here.

We’ll go from there.

LM

Hi,

Okay, let’s see if we can kick this thing a bit…
Looks like nokLINK works over TCP. So, let’s give this a shot.

Correct, all communications will be outbound on port 14015/tcp

In Network Monitor, find the rule to Allow TCP/UDP Out Any IP/Port. Open to Edit, click the box “Create an alert if this rule is fired.” OK and close.

Done.

Then go to Activity/Logs. Right-click and select “Clear all logs.”
Do this with the Application Monitor turned off. This should allow us to capture all traffic generated by nokLINK.

ok

Close and then run nokLINK.

nokLINK can’t be turned off but the traffic is already appearing.

As soon as you’re connected and working, go back to Activity/Logs.
Right-click and select “Export to HTML.” Save the file and reopen it.

Highlight the entries, and Copy. Then Paste into your next post here.

We’ll go from there.

Great.

As you can see from the following, communication works without a hitch when the application monitor is turned off. I also tested the program itself just to make sure. :)

Thanks,
gini

Date/Time :2007-04-18 18:42:17
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 1.1.1.1, Port = 14015)
Protocol: TCP Outgoing
Source: 192.168.200.111:3000
Destination: 1.1.1.1:14015
TCP Flags: SYN
Reason: Network Control Rule ID = 0

Date/Time :2007-04-18 18:42:17
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.0.138, Port = 14015)
Protocol: TCP Outgoing
Source: 192.168.200.111:2999
Destination: 192.168.0.138:14015
TCP Flags: SYN
Reason: Network Control Rule ID = 0

Date/Time :2007-04-18 18:42:17
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 1.1.1.1, Port = 14015)
Protocol: TCP Outgoing
Source: 192.168.200.111:2997
Destination: 1.1.1.1:14015
TCP Flags: SYN
Reason: Network Control Rule ID = 0

Date/Time :2007-04-18 18:42:17
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = 192.168.0.138, Port = 14015)
Protocol: TCP Outgoing
Source: 192.168.200.111:2996
Destination: 192.168.0.138:14015
TCP Flags: SYN
Reason: Network Control Rule ID = 0
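
Added example (not part of the original posts): a small Python parser for the log layout pasted above. It groups entries by reporter, direction, destination and rule, so a capture taken with Application Monitor off can be compared with one taken with it on. The function names are this example's own, and the sample is the four entries above rebuilt from a template.

```python
import re
from collections import Counter

# The four entries pasted above, rebuilt from one template (same field layout).
TEMPLATE = """Date/Time :2007-04-18 18:42:17
Severity :Low
Reporter :Network Monitor
Description: Information (Access Granted, IP = {ip}, Port = 14015)
Protocol: TCP Outgoing
Source: 192.168.200.111:{sport}
Destination: {ip}:14015
TCP Flags: SYN
Reason: Network Control Rule ID = 0
"""
FLOWS = [("1.1.1.1", 3000), ("192.168.0.138", 2999),
         ("1.1.1.1", 2997), ("192.168.0.138", 2996)]
SAMPLE_LOG = "".join(TEMPLATE.format(ip=ip, sport=sp) for ip, sp in FLOWS)

def parse_entries(text):
    """Split the export into one dict per entry; a Date/Time line starts a new entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"^([^:]+?)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue  # blank or unrecognised line
        key, value = m.groups()
        if key == "Date/Time":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries

def summarize(entries):
    """Count entries per (reporter, direction, destination host, port, rule)."""
    flows = Counter()
    for e in entries:
        host, _, port = e.get("Destination", "").rpartition(":")
        flows[(e.get("Reporter"), e.get("Protocol"), host, port, e.get("Reason"))] += 1
    return flows

def reporters(entries):
    """Monitors that logged anything; none from Application Monitor means no app-level record."""
    return {e.get("Reporter") for e in entries}

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for key, count in sorted(summarize(parsed).items()):
        print(count, *key, sep=" | ")
    print("reporters:", reporters(parsed))
```
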

Okay. Now clear the logs again, turn Application Monitor back on, and see what we get. I know you said there aren’t any entries for it, but I’d like to see and compare what we do get.

Re-copy & paste the logs (same method as before).

Also, if you would, open Application Monitor to full-screen size; make sure all rules for nokLINK (and any other parts of the suite - if the suite is used) are visible. If you have multiple entries, highlight each one (so the Details show at the bottom), capture a screenshot, save it as an image file (jpg, gif, png) and attach to your post under Additional Options.

LM

It looks like you will need an Application Monitor rule to allow nokLINK out on TCP port 14015:

nokLINK - ANY (or a specific range of IP addresses) - 14014 - TCP Out - Allow

Make sure there are no other rules for nokLINK in AM before you create that rule.

Toggie

Okay. Now clear the logs again, turn Application Monitor back on, and see what we get. I know you said there aren’t any entries for it, but I’d like to see and compare what we do get.

Re-copy & paste the logs (same method as before).

Also, if you would, open Application Monitor to full-screen size; make sure all rules for nokLINK (and any other parts of the suite - if the suite is used) are visible. If you have multiple entries, highlight each one (so the Details show at the bottom), capture a screenshot, save it as an image file (jpg, gif, png) and attach to your post under Additional Options.

Re. Logs, nothing showed up in the traffic logs.

Re. screenshot, this is where it gets complicated. nokLINK itself doesn’t ever appear in the system as itself. The closest thing that I could add for the application is svchost.exe (which nokLINK emulates occasionally). This is highlighted in the screenshot. In theory nokLINK shouldn’t appear any differently than a Windows system function.

Thanks again,
gini

[attachment deleted by admin]

gini

How do you launch nokLINK?

Hi,

How do you launch nokLINK?

Just by turning on the PC.

gini

One thing you could try:

Go to Advanced/Misc and set the Alert Frequency to Very High. Make sure you are capturing events from both Network Monitor and Application Monitor in the log file.

Once done, run nokLINK and see what events are generated.

It’s likely you will receive prompts from CFP for other applications, just allow without remember for the test period.

Toggie

Hello again,

One thing you could try:

Go to Advanced/Misc and set the Alert Frequency to Very High. Make sure you are capturing events from both Network Monitor and Application Monitor in the log file.

Once done, run nokLINK and see what events are generated.

It’s likely you will receive prompts from CFP for other applications, just allow without remember for the test period.

Toggie

I booted again with the above suggestion in place.

There are one or two entries stating that svchost is acting suspiciously.
I’m not sure if there are other dlls that svchost uses to function correctly.

The application remains silent.

Is there any way to configure a rule stating basically - ANY app OUT to ANY ip, port 14015?

Thanks again,
gini

App Mon rules are specific for each application, so we will need to identify exactly how nokLINK is communicating.

I would be interested in seeing the svchost entries you mentioned above. If they are related to nokLINK, we may be on our way to an answer.

Toggie

I know nokLINK is supposed to be very secure (whew!) but it’s also supposed to be firewall-friendly. In fact, they say no configuration is needed. That said, it obviously is needed in this scenario. If the system can’t even show that nokLINK is running…

Check Task Manager (or an alternative like Process Explorer) under Processes, to find executables, then add those manually to Application Monitor. Set the Parent to Learn. Under Miscellaneous, check “Skip Advanced” and “Allow Invisible.”

If you can’t find any executables that way, you may have to contact nokLINK support to find out how to configure a layered firewall like Comodo. Network Rules have priority, then Application Rules within that context.

Hopefully, though, Task Manager will help. I wonder, now as I think about it, if nokLINK was running when CFP was installed, if it conflicted in some way with the install.

LM
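
Added example (not part of the original posts): another way to find the executable behind the port 14015 traffic is to save the output of the Windows commands `netstat -ano` and `tasklist /svc` and join them on PID. The Python below does that join. Both sample outputs are constructed, and the PIDs, the extra rows and the service names are placeholders.

```python
import re

# Constructed `netstat -ano` output; PIDs and the non-14015 rows are made up.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.200.111:2996   192.168.0.138:14015    ESTABLISHED     1044
  TCP    192.168.200.111:3000   1.1.1.1:14015          SYN_SENT        1044
  TCP    192.168.200.111:3050   192.168.0.20:80        ESTABLISHED     2312
  UDP    0.0.0.0:500            *:*                                    700
"""
# Constructed `tasklist /svc` output; service names are placeholders.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1044 ExampleSvcA, ExampleSvcB
iexplore.exe                  2312 N/A
lsass.exe                      700 ExampleSvcC
"""

def pids_for_remote_port(netstat_text, port):
    """PIDs owning TCP connections whose foreign address ends in :port."""
    pids = set()
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 columns: proto, local, foreign, state, pid
        if len(f) == 5 and f[0] == "TCP" and f[2].rsplit(":", 1)[-1] == str(port):
            pids.add(int(f[4]))
    return pids

def process_table(tasklist_text):
    """Map PID -> (image name, [hosted services]); header rows do not match."""
    table = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            name, pid, svcs = m.groups()
            hosted = [] if svcs.strip() == "N/A" else [s.strip() for s in svcs.split(",")]
            table[int(pid)] = (name, hosted)
    return table

def who_talks_to(port, netstat_text=NETSTAT, tasklist_text=TASKLIST):
    """Image name and services for every process connected out to the port."""
    table = process_table(tasklist_text)
    return {pid: table.get(pid, ("<unknown>", []))
            for pid in pids_for_remote_port(netstat_text, port)}

if __name__ == "__main__":
    for pid, (image, services) in who_talks_to(14015).items():
        print(pid, image, services)
```

If the owner turns out to be svchost.exe, the services listed for that PID narrow down which hosted component is making the connection.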

Hi,

Thanks a lot for your help. I will look into the program you indicated and see what I can see.

I know nokLINK is supposed to be very secure (whew!) but it’s also supposed to be firewall-friendly. In fact, they say no configuration is needed. That said, it obviously is needed in this scenario. If the system can’t even show that nokLINK is running…

Check Task Manager (or an alternative like Process Explorer) under Processes, to find executables, then add those manually to Application Monitor. Set the Parent to Learn. Under Miscellaneous, check “Skip Advanced” and “Allow Invisible.”

If you can’t find any executables that way, you may have to contact nokLINK support to find out how to configure a layered firewall like Comodo. Network Rules have priority, then Application Rules within that context.

Hopefully, though, Task Manager will help. I wonder, now as I think about it, if nokLINK was running when CFP was installed, if it conflicted in some way with the install.

gini