CIS Firewall show 1000's of Active connections, even after programs are closed

comode · November 14, 2008, 4:24am

For example, if I have a program like utorrent open, after I close it, comodo still shows hundreds of active connections, even hours after UT has been closed.
And if I open utorrent again, there is now 2 instances of utorrent.exe under active connections?

Another thing is if I have utorrent set to max global connections of 300, comodo will, after a day or two of running, show over 1000 active connections, even though the stats in utorrent will show something like 70 connections, 3 half-open.

So which one is right? Is comodo wrong with the amount of connections it is showing, and is it affecting my internet in any way?

Citizen_K · November 15, 2008, 2:52am

After closing a p2p client it will take a while for the network to know you got off line. So you will see lot of incoming requests.

comode · November 15, 2008, 3:51pm

and what about the amount of active connections?

So all the active connections listed aren’t really active?

right now it says I have 1600 inbound connections, and 200 outbound, total of 1800 connections.
utorrent reports only 73 connections!

So do I take no notice of comodos active connections list?

And does comodo listing so much connections have any effect on my internet, or how comodo runs?

Citizen_K · November 16, 2008, 1:36am

What processes are are listed for the active connections? Can you post a screenshot? When you say you closed the program are you sure it was not just miinimized to the systray?

comode · November 16, 2008, 12:09pm

no, no, what I mean is, that sometimes, if I close utorrent program(completely exit), “active connections” in comodo sometimes still shows utorrent.exe and all of its connections for a while, and if I reopen utorrent, comodo will then show 2 utorrent.exes and each with it’s own connections, even though I closed utorrent and reopened it (so there is only one instance of utorrent actually running).

That was the first query. My second question was about the Amount of active connections comodo is listing.
When my utorrent is open (unrelated to first question) for a day, the amount of active connections comodo is listing under the utorrent.exe path in the firewalls “active connections” view is, like I said, almost 2000 connections.
So under “utorrent.exe” it will list 2000 active connections, each connection showing what protocol, destinations, source etc…
But in the utorrent program itself, the statistics will show only 70 or so active connections (67 connections, 3 half-open).

I hope that is a clearer explanations?

Kyle142 · November 16, 2008, 1:34pm

The thing with Utorrent is that people on the P2P network will ping other users that are online to see if they have the files they want to download.

As for your massive amount of active connections - Does it show any traffic actively being transferred?
2 Utorrent’s may possibly be a bug.

comode · November 16, 2008, 3:12pm

As for your massive amount of active connections - Does it show any traffic actively being transferred?

Well how can I check, One thing I don’t like about comodo, is that most of their columns cannot be sorted.
Most of the connections are less than 50kB in/out, but if I have to scroll through all 2000 connections, then the ones I pass could change value and be “active”, but I don’t think all are transferring, I think that utorrents stats of around only 70 active connection is right.

But does comodo listing over 2000 connections, including all old inactive connections, slow down the running of comodo in any way, in turn slowing down the internet connection?

2 Utorrent's may possibly be a bug.

Ok, I just exited utorrent.
It is no longer in taskmanager, it is no longer in comodo’s “active process list”.
Utorrent.exe is still under firewall 'active connections" with about 30 connections under it.

I open tcpView, it also shows about 15-30 connections, but all of them are “non existent” as below:

:3684 TCP owner:25000 ip:35067 FIN_WAIT1

now are they really utorrent connections, or are they non-existent because they are used in comodos “active connections”?

I then restarted utorrent, and now there is 2 utorrent.exe under comodo’s “active connections”

its five minutes later and there are still 2 utorrent.exe in comodo with their own connections.
In tcpview, it shows all the current(new) urtorrent connections, but all the “non existent” have gone, but are now replaced by:

[System Process]:0 TCP owner:25000 ip:61809 TIME_WAIT

I’m unable to view their properties, just like the previous non-existent entries. Are these again, referring to comodos “old” utorrent list?

trench3 · November 18, 2008, 12:15pm

On my system, it is very common for the firewall to show a large number of active connections after I shutdown utorrent. It used to bother me, until I noticed that no data was being transferred. Eventually it all settles down to nothing.

If this delayed disconnection really bugs you, go into your router and disable the Port Forwarding to your utorrent port. This kills all those active connections instantly.

comode · November 29, 2008, 8:08pm

Yes, but does that many connection listed in comodo, whether they are cative or not, actually have any negative effect on comodo itself, that is, will a list of thousands of connections slow down or impact the responsiveness of CIS?

[b]If this delayed disconnection really bugs you[/b], go into your router and disable the Port Forwarding to your utorrent port. This kills all those active connections instantly.

But how would that kill these “active” connections, if they aren’t really active. Comodo lists them, but like I said, utorrent stats show less than 100 active connections, compared to comodo’s 1000’s.
So if they aren’t really active, would disabling the port actually clear the list instantly?

AnotherOne · November 29, 2008, 10:15pm

You might just try clicking on “Stop all activities” on the Summary page of CIS - it is in the lower right corner of “Network Defense”. That should shut down the connections and then you can just change it back again.

dulegenda · February 11, 2009, 4:39pm

Hello, I’m having a similar problem here, in my local area connection status I can see that I’m receiving a significant amount of information, something like 16KB per second, constantly. Now, the problem is that CIS firewall shows no connections except svchost, no traffic at all, when I click on stop all activity, it still goes on, TCP view Shows no traffic either, so I tried a wide variety of firewalls and tools, nothing worked. I scanned my system with Commodo antivirus, Avira antivir, Ad aware, Malwarebytes, Spybot, AVG, ZoneAlarm, with newest, updated versions of all of them, several times with each one of them, nothing. Then I used Rootkit revealer, it even goes on after unhooking everything that can be unhooked without getting BSoD. Then I used Greatis software UnHack me and Partizan, software desinged for rootkits and unusual malware, it still goes on. The weird thing is that it completely stops and doesn’t happen for a while after I reboot my router (probably because that changes my IP). I noticed it might have something to do with utorrent, because it doesn’t start until I use it, and when I used it it goes on even after restarting my system, and what is really spooky, even when I switch to my other operating system (I have WinXP SP3 and WinXP64 SP2). And the only thing that stops it is rebooting my router again. Can you help me out with this? Thanking you in advance…

Citizen_K · February 11, 2009, 5:44pm

When stopping a p2p program it will take a couple of hours for the network to know you logged off and you will see incoming traffic afterwards. Is the traffic that comes in (Destination Port) coming in at the uTorrent port?

Can you post a screenshot of the traffic?

dulegenda · February 11, 2009, 6:35pm

Well, that’s the problem, I can’t know that, since TCPview and Commodo show no traffic, the only TCP connection is from svchost at port 1268, which is normal, that’s there when everything is ok too. The only way I see this incoming traffic is via the local area connection status. No firewall or tool I mentioned is capapable of registering anything.

Citizen_K · February 11, 2009, 6:58pm

When rebooting your router stops the traffic then I guess the ports opened with uPnP by Utorrent are closed; I see here it tendx=s to leave one port open after it is closed down.

Next thing to try is to manually close the port(s) left open by uTorrent with the uPnP interface in Windows? You are familiar with this?

dulegenda · February 11, 2009, 7:39pm

Well, now I am, I read the user guide on UPnP Interface, installed it, but I always get the message “The UPnP device did not respond”… Checked the troubleshooting section, says the reason could be my modem’s adress isn’t 192.168.1.1, but it is.
When I use utorrent, I can see clearly what you were talking about, 1000’s of connections stay there, but they are visible, both from commodo and TCPview, they are active for a couple of minutes, sometimes longer but I can close them manually. Here is the list from TCPview (I deleted local and remote adress where it contained my computer’s name)

snmp.exe:1336 UDP :
svchost.exe:1268 TCP LISTENING
System:4 TCP LISTENING
System:4 TCP LISTENING
System:4 UDP :
System:4 UDP :
System:4 UDP :

I’ve seen that activity from utorrent after it’s closed on other computers, but it’s far from 16KB/s, it can always be seen with TCPview, and it stops with computer restart.

Copy_right · February 12, 2009, 1:13am

Try lower TCP timeout to 120.

I’m on 32 myself IIRC - people are telling me it is too low, but I never have these proplems. When I turn off my favorite copyviolation program peers disconnect pretty fast.