Can't UnBlock Firewall Event

Ok…newb to Comodo.

After installing on my PC I answered many of the Comodo popups about accesses/etc…all has gone fine.

I’m running AVG for anti-virus and all its updates I’m allowed as Trusted Apps. However, I have one Firewall Event each day that gets blocked and I’ve isolated it down to almost exactly when AVG says it went to the web. If I run AVG updater manually no issues, and the updater even seems to work on its own (I get the downloads)…just gets this below blocked event in Comodo. Anyway, I’ve seen in other posts to go back to Network Security Policy and unblock and allow a blocked event. However, I don’t see this event blocked there. AVG is fine in the Security Policy section and under C:\WINDOWS\explorer.exe there are a lot of green events and one red blocked which says to “block and log all unmatched requests”…not sure what that means.

So, how/where can I unblock ? I would think I could right click in the Firewall Events and unblock but no such luck.

Blocked Event
C:\Windows\explorer.exe
Blocked
UDP
Destination IP 239.255.255.250

That is explorer.exe sending to a broadcast address. You can set explorer.exe to outgoing only. Does that help?

Can you explain more…I’m not sure I understand. I mean I’m pretty PC literate but not sure what you mean explorer is broadcasting ?..why would this be happening ?

Also, where/how to set as you say and is this OK to do ? In Security Policy I have it set as Browser and not sure in editing this how/where to do what you said ?

Thanks !!!

Hi thekochs,

When looking at firewall, don’t confuse windows explorer with iexplorer.

Internet explorer set to Web Browser.
Windows explorer set to Outgoing Only.

The windows explorer connecting has to do with windows search, help and support center etc., if I recall correctly.

Oh, OK…I changed it to Trusted Application…I’ll see if that makes a difference…the word “Explorer” just makes me think IE.

“the word “Explorer” just makes me think IE”
LOL, you, me and more than half the planet when we first run into it. :)

I think Outgoing Only would be preferable to Trusted.
But it doesn’t mean it necessarily poses a threat, just personal preference at this point.

I changed to OutGoing…will check over next few days to see if this Event recurs. Thx.

No Problem, Let us know how it goes.

Later.

OK…the outgoing attempt to Destination IP 239.255.255.250 was not blocked today but on boot up of the PC my 192.168.1.102 (port 49153) to my 192.168.1.104 (port 1044) was blocked. The 192.168.1.102 is my static IP of my DirecTV DVR Settop and the 192.168.1.104 is the DHCP address of the PC. I have Media sharing enabled from my PC to DVR Settop so this is valid access.

Should I change explorer.exe to “Trusted App” in Security Policy ?

You can make your local network a trusted zone.

First create a zone in My Network Zones (Firewall → Common Tasks). Choose Add → A New Network Zone → fill in a name like My local network → Apply. Now select My Local Network Zone → Add → A new address → choose An IP Address Mask → fill in 192.168.1.104 and 255.255.255.0 → Apply. Now check and see the new network defined. Exit using Apply.

Now we are going to use the Stealth Ports Wizard to make your local network a trusted network (Firewall → Common Tasks):
Choose “Define a new trusted network and stealth my ports to EVERYONE else” → Next → choose “I would like to trust an existing My Network Zone” → choose your local network zone from the drop down box at the bottom → Finish.

Now check your Global Rules and see your network added

My CIS already had my network in it called “HOME”…this was IDed at CIS install/re-boot…I recall the CIS popup.

I did as you said above for Stealth Port Wizard and in Global Rules:
Global Rules
Allow all Outgoing Requests if Target is in [HOME]
Allow all InComing Requests if Target is in [HOME]
Block ICMP in from IP…blah…blah.

Some Questions…

  1. Guess the first two lines in the Global Rules was the result of the Stealth Wizard ? I still have explorer.exe assigned as Trusted App which allows it both Incoming and Outgoing requests…is that really bad for both ?..in other words not just Outgoing ?

  2. Since the IP address for my PC is a DHCP address from my Linksys Router, what happens if the 192.168.1.104 changes ? I think unless I change/swap/alter a RJ45 cable on my Linksys Router it would stay the same but not sure.

  3. The local IP address for the Router/Gateway is 192.168.1.1 with subnet mask of 255.255.255.0. I have my DHCP enabled on the router with start address as 192.168.1.104…I use 103 for a static IP on Network Printer and 102 for my DirecTV DVR settop static IP. So should I not be using/establishing the 192.168.1.1 as my zone ? I guess I’m not clear on what a “Zone” is since I’m just IDing in CIS the single 192.168.1.104 DHCP PC ?..seems like I would define more of a local IP range or something ? I did see in the Stealth Wizard for defining a new network zone that it asked for start and ending IP address (or subnet mask)…so perhaps the fact my subnet was already defined in the above DHCP IP was the key ? Sorry for the dumb questions…just not clear.

A couple of answers.

Making the app trusted in the context of the Firewall gives it full permission In/Out.
So it could accept incoming traffic, i.e. act as a server.
But without a corresponding Global rule allowing incoming requests from IPs outside your LAN it’s a moot point; nonetheless it’s just good policy to keep unnecessary permissions to a minimum.
So again Outgoing Only is the better option unless an app needs more permissions to function.

  1. & 3. really tie together.

The rule set you created (thanks Eric) allows all traffic In/Out for all the IPs from 192.168.1.1 to 192.168.1.255, so even if your IP changes due to DHCP you will still be in your Zone.

The Zone really is defined by the mask part, 255.255.255.0. In very basic terms it means the first three parts of the address have to match exactly to be considered in the same Zone, and the last part could be any of 1 - 254.
That is where the difference is observed: if you wanted to narrow down your Zone you could say a range of IPs like 192.168.1.1 - 192.168.1.5. This shouldn’t be an issue unless you were maybe separating a LAN into smaller isolated chunks with different permissions or perhaps narrowing the scope for wireless hardening.

Gotta run.

Need more … Fire away.

Later.

Thanks…let me ask another question to help clarify for me. When I installed CIS on reboot it saw my PC of 192.168.1.104/255.255.255.0 and I allowed as [Home] which it created I guess in My Network Zones. I then used the Stealth Port Wizard to allow this [Home] to be a Trusted Network. My question may not be CIS but how a combo of it and the router. The Router’s local IP is 192.168.1.1/255.255.255.0. I have my DHCP set for 192.168.1.104 for max 8 DHCP IDs. I have two static IPs for DTV Settop and Printer at 192.168.1.102 and 192.168.1.103, respectively. So, my real “range” I think is 192.168.1.102 to 192.168.1.111. So, finally my question…how does CIS know about the full 192.168.1.1 to 192.168.1.255 range you reference ?..I just don’t quite get how it knows this from the only info I see in CIS My Network Zones of 192.168.1.104/255.255.255.0 for [Home].

Thanks for your patience !!!

The 255.255.255.0 subnet mask tells that 192.168.1.1-192.168.1.255 is all part of the local network.

So by defining one local IP address and adding the mask CIS knows all that it needs to know.
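To make the mask arithmetic concrete, here is an added Python example (not from the thread and not Comodo’s own logic) that derives the zone from the single host/mask pair the firewall recorded, 192.168.1.104/255.255.255.0, and then applies a rule shaped like “Allow if Target is in [HOME]” to a few constructed event records modelled on the ones reported above. The event list, the outside address 203.0.113.10 and all function names are constructed for illustration.

```python
import ipaddress

# Values taken from the thread: the one host/mask pair CIS stored for [HOME].
PC_ADDRESS = "192.168.1.104"
SUBNET_MASK = "255.255.255.0"


def zone_from_host(address: str, mask: str) -> ipaddress.IPv4Network:
    """Derive the network ("zone") implied by one host address plus its mask.

    strict=False lets a host address stand in for the network address, which is
    exactly what happens when CIS records 192.168.1.104/255.255.255.0: the
    host bits are masked off and the zone becomes 192.168.1.0/24.
    """
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def zone_bounds(address: str, mask: str) -> tuple[str, str, str, str]:
    """Return (network, first usable host, last usable host, broadcast)."""
    net = zone_from_host(address, mask)
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address))


def in_zone(candidate: str, address: str, mask: str) -> bool:
    """True if candidate shares the masked prefix, i.e. is in the same zone."""
    return ipaddress.IPv4Address(candidate) in zone_from_host(address, mask)


def zone_rule_verdict(event: dict, zone: ipaddress.IPv4Network) -> str:
    """Mimic the two Global Rules from the thread.

    "Allow all Outgoing Requests if Target is in [zone]" checks the destination;
    "Allow all Incoming Requests if Target is in [zone]" checks the source.
    Anything not matched here is left to the application and default rules,
    just as the firewall log's "block and log all unmatched requests" implies.
    """
    target = event["dst"] if event["direction"] == "out" else event["src"]
    if ipaddress.IPv4Address(target) in zone:
        return "allow (zone rule)"
    return "no match (falls through to app/default rules)"


# Constructed events modelled on the two the thread reports, plus one to a
# documentation address (203.0.113.10) standing in for an Internet host.
SAMPLE_EVENTS = [
    {"app": "explorer.exe", "proto": "UDP", "direction": "out",
     "src": "192.168.1.104", "dst": "239.255.255.250"},
    {"app": "explorer.exe", "proto": "UDP", "direction": "in",
     "src": "192.168.1.102", "dst": "192.168.1.104"},
    {"app": "explorer.exe", "proto": "TCP", "direction": "out",
     "src": "192.168.1.104", "dst": "203.0.113.10"},
]


def evaluate_sample_events() -> list[str]:
    """Run every constructed event through the zone rule and collect verdicts."""
    zone = zone_from_host(PC_ADDRESS, SUBNET_MASK)
    return [zone_rule_verdict(ev, zone) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    print("zone:", zone_from_host(PC_ADDRESS, SUBNET_MASK))
    print("bounds:", zone_bounds(PC_ADDRESS, SUBNET_MASK))
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate_sample_events()):
        print(f"{ev['src']} -> {ev['dst']} ({ev['proto']}, {ev['direction']}): {verdict}")
```

Running it shows the zone is 192.168.1.0/24 with usable hosts .1 through .254, so the DVR at .102 reaching the PC at .104 is covered by the zone rule, while the 239.255.255.250 event and the Internet-bound one are not: those are decided by the per-application rule for explorer.exe, which is why changing it to Outgoing Only stopped the first blocked entry.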

Thanks…out of curiosity…when CIS saw the 192.168.1.104/255.255.255.0 after install/reboot how does the 255.255.255.0 submask inform the starting IP on the Router/Network is 192.168.1.1 ? I can understand how the range is 1-255 but how does it know the 192.168.1.1…since it only saw .104 ?

CIS doesn’t know where in the IP range the router is. But by using the Stealth Ports Wizard to define your trusted local zone all incoming traffic from the local network, including your router, gets accepted.