CIS 4 Firewall DEFINITELY is NOT working - Comodo People plz !!!!

Hi Guys.
This subject has been posted by another guy, but Comodo moderators did not respond to it. I have the same impression.

While on CIS 3, the Network Defense would block hundreds of intrusion attempts per day. this is not figurative. HUNDREDS for REAL !!! No matter if I am browsing or not. Whenever I connect to internet it started to block intrusion attempts.

In CIS 4, Network Defense tells me that 0 intrusion attempts have been blocked. No matter how long I stay online, no matter “nothing” !!! It simply never blocks anything.!!! (settings were set to just the same of CIS 3)

At the other post, ( Is my firewall working ? https://forums.comodo.com/firewall-help-cis/is-my-firewall-working-t55296.0.html ) Watasha said that this is normal, but it is not normal, firewall is definitely not working.

Please Comodo Moderators, take a look at this, will you?
Let’s assume it is working but not displaying the intrusion attempts as it should. Then what is that field on the summary page for? It really doesn’t make sense at all.

I appreciate any help on this.
Marcelo

If I remember correctly the firewall Global rules changed somewhere between 3 and 4. If, previously you had a global rule that said something like [Block IP IN All], as the last rule, any traffic picked up by your network card will be displayed in the logs.

I don’t doubt for one minute that the ‘intrusions’ you were seeing previously, were actually not intrusions, they were simply noise. If you are on a cable network without a router, you can expect to see a lot of background traffic.

Check your Global rules under the firewall network security tab and see what you have.

Das, thanks for your reply, but:

I have 2 computers, (1 desktop, and 1 notebook) one with DSL ( not router, just modem ) and the other with 3G
Both had CIS 3, now I upgraded both to CIS 4, both systems Windows original, all up to date.

CIS 3: It always blocked incoming intrusion attempts on both systems,
CIS 4: it always displays: “the firewall has blocked 0 intrusion attemps so far” on both systems

I repeat: It’s not a windows issue, since nothing except CIS Version changed, and it is not a router matter, since there is no router.

It doesn’t seem to be blocking anything!!! And it is just “noise” as you said. Some might be, but most are retardeds with nothing better to do than trying to fu… everyone’s computers, or thieves trying to hack your systems to steal info. I am tired of tracing these bastards, now I have given up, won’t trace and send info to their ISP anymore. But I need to lock it all, and doing it manually is such a pain in the …

Try selecting stealth ports wizard and using the “block all ports and make ports stealth to everyone” setting, that will make your computer stealth, and it should be ok after that.

Hi there Languy99, thanks for your reply;

That was the first thing I did when I installed CIS 4. Same I used to do with CIS 3,
but unfortunately that is not the case, the problem is somewhere else…

Funny I should see a topic like this because the same thing happened to me, only this was the case with the last update for version 3. Like you I have my ports stealth to everyone. I have yet to see a single notice of intrusion blocked. Only thing is back then there was one thing different and that is that I got a new modem/router. So I am wondering if by any chance it could be that because of the new modem why I don’t get all these notices.

Hi there lostcause;
No, that is not the case, as I stated before, same hardware, same systems, same configs. One moment I had CIS 3 working alright, the next, right after upgrading it simply stopped displaying the count of blocked intrusion attempts, as well as logging it. It’s something else.
I really hope someone finds out what is going on cause I am not the only one that noticed it.

You did state that before your problem you would see hundreds of intrusion attempts blocked. Back in the day I only saw maybe 15 or so blocked per day.

I was behind a speedtouch router then and now I am behind a zhone router. This much I know is that my current router’s firewall by default will block all incoming traffic so I am wondering if this would be a reason why I don’t see any intrusion detection. My old router had a firewall too but it was old and honestly it was my isp that had configured it for me so truth be told while I know it had a firewall I was unsure if the firewall was even enabled because I did not check.

Not sure but I think somewhere I read on this forum that some routers (because of their address) may probably cause this increase of intrusions being blocked.

Edit: There was only one time I actually saw Comodo show blocked intrusion attempts and unfortunately at that time when I did see those notifications I was unable to browse or do anything online. In other words I was able to connect to the net but unable to do anything at that time. I rebooted and I was able to surf the web again but no more notices came from Comodo.

Found this topic: https://forums.comodo.com/firewall-help-cis/zero-intrusion-attempts-t53396.0.html

Here’s a response I saw there that may help either of us:

I am going to try it now.

Lostcause: I will repeat: My DSL modem is not a router, neither it has firewall built in. So, it is not that.
Besides, my notebook, that has been showing the same behaviour as I said before, uses 3G usb modem, and it doesn’t have a built in firewall either.

Ok, now the good news:
I went to the firewall tab > network policy settings > and manually added to Global Rules, a block rule to any IP trying to connect ( IN ) to my computers. I also set the firewall alerts to medium, and now both my computers started to register all the incoming intrusion attempts, from many, repeat, many different IPs… And inbound connections = 0 ( now this should always be 0, unless you give someone permission to it, such as Remote desktop, Remote assistance, etc… Otherwise it should always say 0 inbound connections.) Set firewall to safe mode, and stealth ports to everyone.

Try this as I did, Lostcause.

I guess that solved my matter to both my systems, the desktop and the notebook.

But I would like to make a statement here. Comodo, has been well known for after installation being able to protect people’s systems with the default settings, so the average / new user gets protected without having to perform any tweaks to the CIS system.
As of what I noticed, CIS 4 failed on the “ease of use” feature, that it previously had on CIS 3. I really hope that in the next update this issue will be corrected since most users wouldn’t know how to tweak it, since it is too much technical stuff for them. Take a look at this, will you Comodo fellows ? The community would appreciate it.

I will be watching this topic for the next few days, if anybody else gets in trouble with this issue.

melg, I had always set Comodo to proactive mode, always had firewall alerts at medium, always had stealth ports wizard set to the 3rd option stealthing all ports.

I do not see how manually adding a global rule to block any IP trying to connect (IN) will make a difference for me as by selecting the stealth ports to everyone in the stealth ports wizard already has done that. Only thing I did different from you is that in global rules I simply edited the last rule to allow it to log the event if it occurs. So far I have not yet seen any notice of an intrusion attempt although I have not been online all of yesterday and only just coming online since my previous response in this thread.

Hi there.
Please anybody correct me if I am wrong !!!

As far as I understand about networking, any connection attempt from outside to IN your computer, unless expected by you, is an intrusion attempt. Stealthing ports, just “hide” their existence, but there they still are. I believe that blocking any connection attempt from outside to inside AND stealthing ports are much safer than one or other. Instead of having one security measure, you get two, and that is much stronger than only one.

Since you haven’t seen any blocking of intrusion attempts, give it a try, block anything from out to in, from any IP, and you will start to see that number going up.

Besides that, why would you not want to block any IP IN ? If ever you need an outside connection to your system, you can make an exception rule whenever you need, as many as you need.

Just give it a try, and you will see.

Good luck there.

I too would like someone more qualified to answer this dilemma. Because from what you are saying I assume when you choose the 3rd option in stealth ports wizard it does both in that it blocks all incoming and stealth all ports. So in my case then it would be more a matter of me simply making Comodo log those incoming events.

Also, remember I have my router’s firewall which is set to block all incoming connections so I too have that extra layer of defense.

When you install Comodo the default global rules only block ICMP (no logging). When you run the stealth port (third option) wizard it changes the global rules to allow certain ICMP types IN, as well as adding an IP OUT and a Block IP IN (no logging). Unless you enable logging on the Block IP IN rule, you will see very little, if anything in the logs.

If you are behind a router with NAT/firewall, the majority of inbound traffic will be dropped, i.e. will never reach your software firewall, unless you have configured it to do so (port forwarding, port triggering or WAN/LAN filters). There is a possibility you may see traffic generated by your router but that will also depend on the configuration of the router firmware.

With regard to this traffic being ‘Intrusion attempts’ as I mentioned in my earlier post, for the most part, it’s quite unlikely. Concerted Intrusion attempts will be fairly obvious, with repeated attempts against a known vulnerability or a port scan etc.

To stealth a port means to hide it from casual view, also when a port-scanning program encounters a stealth port, no reply is received in response to requests for connection. A closed port, by contrast, will respond to a scan.

Another factor to consider is the nature of the attacks using these methods. For an attack to be successful there has to be a vulnerability to exploit and not all services have an exploitable vulnerability. So even if a given service port is open, it doesn’t automatically make it a problem. However, good security should only allow ports that need to be open, such as web servers or p2p applications.

[attachment deleted by admin]
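An added illustration of the behaviour described in the post above (not part of the thread and not Comodo code): a small first-match model of the Global rule sets it lists, showing why blocked traffic produces no log entries until logging is enabled on the Block IP IN rule. The `Rule` class, the rule-set names, the sample traffic and the assumption that unmatched unsolicited inbound packets are dropped silently at the application-rule stage are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str       # "allow" or "block"
    proto: str        # "ip" matches every protocol
    direction: str    # "in" or "out"
    log: bool = False

# Global rule sets as described in the post above (simplified model).
DEFAULT = [Rule("block", "icmp", "in")]                     # no logging
STEALTH_OPTION_3 = [
    Rule("allow", "icmp", "in"),   # simplification: only certain ICMP types are allowed
    Rule("allow", "ip", "out"),
    Rule("block", "ip", "in"),     # no logging
]
STEALTH_OPTION_3_LOGGED = STEALTH_OPTION_3[:2] + [Rule("block", "ip", "in", log=True)]

# Constructed sample traffic: (protocol, direction), all inbound packets unsolicited.
TRAFFIC = [("tcp", "in")] * 5 + [("udp", "in")] * 3 + [("icmp", "in")] + [("tcp", "out")] * 2

def evaluate(rules, traffic):
    """Return (dropped, logged) packet counts; the first matching global rule wins."""
    dropped = logged = 0
    for proto, direction in traffic:
        for rule in rules:
            if rule.direction == direction and rule.proto in ("ip", proto):
                if rule.action == "block":
                    dropped += 1
                    logged += int(rule.log)
                break
        else:
            # Assumption: no global rule matched, so unsolicited inbound traffic
            # is dropped at the application-rule stage without any notification.
            if direction == "in":
                dropped += 1
    return dropped, logged

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT),
                        ("stealth option 3", STEALTH_OPTION_3),
                        ("stealth option 3 + logging", STEALTH_OPTION_3_LOGGED)]:
        print(name, evaluate(rules, TRAFFIC))
```

In this model the same inbound packets are dropped under all three rule sets; only the logged count changes, which is the difference the posters were seeing in the "intrusion attempts" figure.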

DAS’s reply is spot on.

First off: CIS team really has done a ■■■■ up job AFAIC; read the release notes to see what they did since 29 Dec 09.

Secondly, the alerts are mostly tied into global rules. Read the ‘rules’ for the Comodo Firewall game to find out where, when and how rules impact stuff. Succinctly:

  • Global rules impact first inbound
  • App rules impact AFTER global rules - applicable by app - dropped w/out notification if uninitiated by host
  • Global rules impact AFTER app initiates outbound event

CIS team did a ■■■■-up job with everything up to Apr 2010 release; the ‘sandbox’ truly stunned me. Recommendation: until you get your brain around how CIS operates, and you’re certain that your system is clean do not turn ‘sandbox’ on; if you’re in ‘isys-nstallation out-of-the-box’ mode’ disable the CIS ‘sandbox’. Once you’re ‘up and running’ don’t forget to enable the sandbox. YOU DEFINITELY WANT THIS THING ENABLED. It IS worth the trouble. You have to figure out how to configure it and work with it (not against it).

I greatly prefer the second option in the Stealth ports wizard. I think a block all incoming rule is definitely not the way to go, especially for those who use P2P apps or play online games. The second option alerts you to incoming connection attempts and lets you decide whether to allow them or not. To me, this is definitely the way to go.

Secondly, V4 has a global block all incoming rule by default. It is only removed if you run the second option in the stealth ports wizard. So the fact that you had to add one is strange. I personally deleted that rule and feel that it is a mistake to have it there by default. If you have a global block all incoming connections rule, you have to manually add rules to allow incoming in specific circumstances. For most people, that is far too bothersome.

I never see any intrusion attempts blocked but I am behind a NAT router. When I check the incoming router logs, there are numerous incoming attempts that were blocked, most of them originating from various points in China.

I have configured the Comodo Firewall to treat incoming pretty much like the Windows Firewall does, block all, but alert and allow exceptions. V4 also has a default global rule to allow all outgoing connections. I deleted that one too. I have gone back to using the v3.14 Firewall because I find it much simpler. I have also abandoned any use of D+, I just got tired of seeing alerts for things that are perfectly safe.

Das pretty much addressed what I was trying to say in that I am behind a router with firewall and thus that in itself would firstly block most if not all inbound traffic before it reaches my software firewall. I like how he also mentioned how sometimes traffic coming from the router itself may be reported as intrusion attempts when in fact they are not since it depends on the firmware. I think that may have been one of the reasons why when on my old router I would see such notices. Also he again explained that by not enabling logging is also a reason that would eliminate if not lessen the amount of intrusion attempt notices by the firewall.

I mean Das’ reply practically echoes what I was trying to explain in my situation.

Edit: Okay, finally I start seeing logs of intrusion attempts. All that had to be done was to enable logging for the block IP in rule.

“Secondly, V4 has a global block all incoming rule by default.”

No it doesn’t! If you look at the two images I posted you will see what the Global rules are for a default install with Proactive Security. The first is the default and the second is after running stealth ports.

There really aren’t many inbound rules that a ‘normal’ user would need to create. So if creating a single rule to allow inbound P2P traffic is “too bothersome” you must be a very busy man!

“V4 also has a default global rule to allow all outgoing connections.”

No it doesn’t! See images. However, if you use the Internet security configuration, it creates an Application rule that allows all outbound traffic and it also changes the Global rules to be the same as those set by choosing the third option in the stealth ports wiz.

It will also use this configuration if you install the AV component.

Exactly–If you install the full package of CIS and don’t change anything and do not run the ports wizard, you have an allow all outgoing global rule and a block all incoming global rule in the Internet Security Configuration which is the default. You have to change things to not have those rules. I would much rather choose the second option in the ports wizard or even simpler, just delete the 2 global rules and then allow incoming and outgoing on a per case basis from the alerts that come up. I do not want to ever have to manually make or edit any rules and I don’t want to have to do anything for known safe applications.

Erm Dch48 so you’re telling me the default setting is actually better than me using the 3rd option in the stealth ports wizard?