Comodo Firewall 2.14.18.184 question

Hi. I am yjsk2100 and I downloaded and installed Comodo firewall 2.14.18.184 about 5 days ago. I wanted to have my HJT log checked since I had my computer formatted from XPHome to XPPro and the person reading the log said the log was fine except he noticed I didn’t have a firewall on my computer (I was using Microsoft firewall at that time.) He suggested a few firewalls to read about and I liked Comodo the best so installed it.

I am a complete newbie when it comes to firewalls. I read all about what was written on this site and some of it was over my head. It also appears most of the posters here have a general knowledge of Comodo. Yet this was the only forum I found for Comodo firewall and I know absolutely nothing.

When I installed the firewall I opened it up and the main page says the strength is Excellent. I got quite a few pop-ups from Comodo and when I clicked what they were most of them said Safe so I allowed and clicked Remember this decision. Some of them I was unsure of so I sent them to Comodo for reading (not sure what happens when this is done).

I have a few questions if you don’t mind:

  1. When I open up Comodo on the main page right under the word Comodo it says…The firewall has logged 12 high security events (and at times it will say 16 and then it may say 0.) I click the 12 and it brings up the logs which has quite a long list. One of them is in RED and it is High but it does not say it was Blocked, just suspicious behavior (svchost.exe). What is this exactly? Are these programs that have tried to access my computer and Comodo has blocked? And why do I have so many of them?

  2. After installation I went to Security and then clicked Scan for Known Applications so that Comodo knew what programs I had installed and would allow them. (Since this was a fresh format of my computer I felt this was okay to do? Was it, or did I do something wrong?)

  3. Also in security I clicked Define a New Trusted Network, and followed the prompts. Was this an okay thing to do also???

That is all I have done so far but I am not sure if there is anything else I need to do to make sure Comodo is fully functional and working for me… I am using Windows XP Professional SP2, IE7, Comodo Firewall, AVG Anti-virus, Spywareblaster, Windows Defender, Tuneup2007, Ad-aware 2007, McAfee Site Advisor, ID-Spyad and WinPatrol. Do you think I have too many installed or do I need more since I keep getting high security events? I thought the reason for a firewall was to have the firewall NOT let anything in…

Sorry this is so long and I am anxiously awaiting for someone to help me with this.

edit: topic unlocked by mod at user’s request

Hi yjsk2100, welcome to the forums.

Firstly, picking CFP over MS’s Firewall is a very good choice… however, to be fair (or not) Windows Firewall is fairly useless & comparing it to CFP would just not be fair (or not). ;D

  1. The alerts… frequent high severity alerts are common when you first install CFP as it learns your system & what you run. CFPs Log (Activity tab) is useful & informative, but might take a bit of getting used to. If you need help with the Log entries (Alerts) or you’d just like to ask questions about them, then it is useful to post examples of the actual Log entries (they contain the most information). CFPs Log can be Exported to an HTML file (right-click on the Log). Open the HTML file with your default browser and use a simple click-drag-select Copy ‘n’ Paste to post example Log entries here.

  2. That is fine and is the recommended course of action when first installing CFP. It doesn’t really matter if the OS was freshly installed or not, since CFP has its own internal list of white-listed (trusted) applications/components.

  3. Yes, creating a Trusted Zone is the correct thing to do… assuming that you have a local network (multiple PCs) and/or a router (that has its own LAN IP address).

Sufficient applications? You can never have enough of those. :slight_smile: I addressed the high level of alerts earlier, assuming that you are responding to the alerts (remembered) then it is just CFP learning what you use & how. CFP pays very careful attention to not only the programs themselves, but also their relationships (what calls what & how). This is important to watch for leaks (unauthorised access). You’re right in the sense that CFP does not allow any unauthorised access (either in or out), but it still needs to learn what is allowed… for instance, AdAware/AVG signature updates & so on.

I hope that helps.

Thanks for getting back to me so quickly. I just tried to post a log here about the alerts but it said it wouldn’t allow me because I had exceeded 40000 something. I think what I am doing is making a mountain out of a molehill. It just scares me because when I installed Comodo I thought it would just run and I wouldn’t have to do a thing. Having to accept or deny makes me wonder if I will deny something I actually need even after reading what it is. I do allow all the ones that say SAFE but there have been others that say Unknown or Invisible and most of them have to do with svchost.exe and I have no idea what these are.

Quote
3. Yes, creating a Trusted Zone is the correct thing to do.. assuming that you have a local network (multiple PCs) and/or a router (that has its own LAN IP address).

I am using high speed through my cable company. It has a modem attached to my computer so is that okay for creating a Trusted Zone??? And if not, how do I uncreate the trusted zone???

Quote
assuming that you are responding to the alerts (remembered) then it is just CFP learning what you use & how. CFP pays very careful attention to not only the programs themselves, but also their relationships (what calls what & how).

Yes, I do click remember when an alert comes up letting me know it is SAFE.

Quote
This is important to watch for leaks (unauthorised access). You're right in the sense that CFP does not allow any unauthorised access (either in or out), but it still needs to learn what is allowed.. for instance, AdAware/AVG signature updates & so on.

I would think Comodo would know if something is bad and is trying to enter my computer without me having to accept or deny. And if there was a leak to watch for I am not sure if I would spot it or not. I do know when I update a program an alert comes up and because it has to do with the update I allow.

Maybe I ought to just let Comodo do its thing.

40000? Hmm… that is probably saying that it would not accept a 40,000 character post… which is just as well since it would have been a massive post. The operative phrase in my previous post was “example Log entries”, meaning that you should post, say, a dozen “examples”. There is no point posting 1,000s of Log entries that are all the same or 100s of duplicates… I’d get the point on the first one. :smiley: So, try posting some examples.

Trusted Zone: Do you have a LAN network or have 2 PCs (or more) networked together? If you don’t know what this means, then that probably means… no. That being the case you do not need a Trusted Zone. When you created the Trusted Zone that would have created 2 rules in CFPs Network Monitor that mention “zones”. These can be deleted. But, post a screen shot of your Network Monitor (with the screen maximized) if you’re uncertain or just want to be cautious.

Alerts/Safe: OK, I understand. CFP always blocks unauthorised inbound communications & will block anything that you (your system) did not ask for (also called “unsolicited” requests). However, for outbound communications, CFP does need your direction unless the application is white-listed by CFP. A lot of it is common sense stuff in the sense that if an application has no business using the Internet… then be suspicious if CFP alerts you that it is attempting to get Internet access.

There is also a simple guideline for denying something you’re uncertain about… when in doubt always deny, not remembered. This way if you block something vital by mistake, then a simple reboot will clear any unremembered denies. In addition, you can also always post here & ask for advice (posting some Log examples will help), there are plenty of people here that will happily help.

Quote
40000? Hmm.. that is probably saying that it would not accept a 40,000 character post.. which is just as well since it would have been a massive post. The operative phrase in my previous post was "example Log entries", meaning that you should post, say, a dozen "examples". There is no point posting 1,000s of Log entries that are all the same or 100s of duplicates.. I'd get the point on the first one. So, try posting some examples.

I saved only 4 logs and then got that message. I guess I will only do one log and see how that goes first. Don't know why 4 logs exceeded the limit. Here is the one that always comes up as HIGH and I have about 10 of them.
Date/Time :2007-07-28 22:04:33
Severity :High
Reporter :Application Monitor
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\Program Files\Internet Explorer\iexplore.exe
Protocol: UDP Out
Destination: 68.87.72.130::dns(53)
Details: C:\Program Files\Internet Explorer\iexplore.exe is an invisible application

As for the trusted zone, I only have the one computer and it is not shared with any other computer. I use it at home and I am the only one who uses it as administrator. Never did a screen shot before so hope this comes out. I got it to open in Paint using Print Screen, took and screened off just what I wanted to put here, clicked copy and saved the picture and renamed it network.bmp. Then I came here to paste it but the paste is greyed out. Am I missing a step somewhere???

Quote
There is also a simple guideline for denying something you're uncertain about.. when in doubt always deny, not remembered. This way if you block something vital by mistake, then a simple reboot will clear any unremembered denies. In addition, you can also always post here & ask for advice (posting some Log examples will help), there are plenty of people here that will happily help.

Thanks for this advice. If I am unsure of a program I will deny and not click remember. Then if a problem does arise for other programs not working then I can just reboot and the deny will be gone. And if it pops up again I will come here for help.

Sorry if I sound so stupid but I really want to know this program and how to use it correctly. I am sure I have more questions but for now I just need to know how to do the printscreen to make the network monitor picture be posted here.

Logs: OK, that is strange… it is probably down to a misunderstanding between us. When you say “4 logs” do you mean 4 log entries, or something else?

The log entry posted: That is fine, it’s MSIE (MS Internet Explorer) trying to resolve a URL name into an IP address that it can display. You can Allow that one remembered.

Posting images: OK, you cannot use the paste trick to post images onto the forums. When on the forums post/reply screen you should notice below the box you type into an Additional Options…. Click that & it will expand with… well… additional options. One of these options is Attach:. On that you can browse your PC and attach certain file types, including images. But, you will not see the image type of BMP. This is because BMP images are not compressed & are often very large, they are not really used on the web because of their large size (slow loading times, etc). Save your image(s) as a JPG image (compressed). Note the size restriction. This, I hope, should enable you to post the Network Monitor image.

Don’t worry, you do not sound stupid. You sound like that you do not know & are asking questions. That is how it should be. :slight_smile:

Thanks again for the quick reply. As for the log entries when I said 4: what I did was go into Comodo, looked in the log section and clicked only 1 high log entry, clicked HTML and then saved as log. I went back and clicked another High log entry and saved it as log1, and so on up to log3. Then I highlighted all 4: log, log1, log2 and log3 and posted them and got that 40000 message. I went back and read the logs I had saved, found one that read high and then just saved it on the previous post. I am slowly learning something about saving the log anyhow.

I am going to try and see if I got the Network Monitor picture to come out. Followed your instructions and let’s see if I did it correctly.

[attachment deleted by admin]

Ah I see, yep a misunderstanding. OK, when you Export to HTML it doesn’t export the single entry, it exports the whole log. You also need to follow my original instructions to post the log entries (which I’ve expanded a bit)… Open the single exported HTML file with your default browser (the one you’re using now), it should open a new tab in MSIE (unless you’re using an older version of MSIE). Once you have the exported log open in your browser you should see that it is nicely formatted. Now use a simple click-drag-select Copy ‘n’ Paste to post example Log entries here. So, it should look like this (this is from an old log of mine)…

Date/Time :2006-08-17 21:28:48
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (IEXPLORE.EXE)
Application: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 195.92.195.94:dns(53)
Details: D:\Free Download Manager\fdm.exe has tried to use C:\Program Files\Internet Explorer\IEXPLORE.EXE through OLE Automation, which can be used to hijack other applications.

… so, give that a try.

Yep, the image you posted was excellent (when you click on it, the forums expands the image). Just what we need.

Now, the Network Monitor. You can Remove the first 2 entries (the trusted zones), rules 0 and 1.

Here it is 3 days after you answered my post kail. Sorry it took so long. Let’s see…For the past 4 days I have not had an alert appear.

Quote
Ah I see, yep a misunderstanding. OK, when you Export to HTML it doesn't export the single entry, it exports the whole log. You also need to follow my original instructions to post the log entries (which I've expanded a bit).. Open the single exported HTML file with your default browser (the one you're using now), it should open a new tab in MSIE (unless you're using an older version of MSIE). Once you have the exported log open in your browser you should see that it is nicely formatted. Now use a simple click-drag-select Copy 'n' Paste to post example Log entries here. So, it should look like this (this is from an old log of mine)..

Quote
Date/Time :2006-08-17 21:28:48
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (IEXPLORE.EXE)
Application: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 195.92.195.94:dns(53)
Details: D:\Free Download Manager\fdm.exe has tried to use C:\Program Files\Internet Explorer\IEXPLORE.EXE through OLE Automation, which can be used to hijack other applications.

… so, give that a try.

Just looked at my logs and I have NO High Severity Listed so I can’t get a reading of one until I get one.

Quote
Now, the Network Monitor. You can Remove the first 2 entries (the trusted zones), rules 0 and 1.

I removed the first 2 entries (trusted zone) rules 0 and 1 like you said. Thanks.

All in all I like Comodo. It just runs silently until I get an alert. And most of the alerts when I get them are when I am updating a program I haven’t used since the Comodo install. Now if I got an alert when I wasn’t doing anything but typing here, for example, then I would have to really check it out.

Thanks for all your help. Still getting use to Comodo and as I run across something I don’t understand at least I know where I can come to get some help. Once again…Thanks…

Came back using Modify because I noticed a few High Severity listed in the logs. I think I followed your directions and here are 2 of the High Logs. The first one is the only one like that but the 2nd one has 3 just like it.

Date/Time :2007-08-02 18:45:52
Severity :High
Reporter :Network Monitor
Description: TCP Port Scan
Attacker: 209.73.188.78
Ports: 48649, 42505, 42761, 43017, 43273, 43529, 43785, 44041, 44297, 44553, 44809, 45065, 45321, 45577, 45833, 46089, 46345, 46601, 46857, 47113, 47369, 47625, 47881, 48137, 48393, 640, 520, 1, 2, 32, 16384, 0, 256, 0, 2080, 0, 32776, 0, 0, 32770, 18, 0, 260, 0, 145, 0, 2080, 64, 8384, 0
The attacker has been temporarily blocked

Date/Time :2007-08-02 20:31:20
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 204.127.205.8::http(80)
Details: C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe has modified the the User interface of C:\Program Files\Internet Explorer\iexplore.exe by sending special Window messages.

Can you tell me what these are? Seems to me something is trying to get in and I need to know how to stop it dead in its tracks… Using Modify so I hope you get this message…

I also have another question. When one opens Comodo under Summary on the right side of the page it says TRAFFIC and NETWORK. When I open NETWORK listed there are TCP, UDP, ICMP and Other. What do these mean? Most of the time I have an orange bar that goes up under the TCP. Today I have only a Blue Bar going up under UDP. Is this okay???

TCP Port Scan: If this is OK, or not, usually depends on who the Attacker is (209.73.188.78)… which seems to be your DNS in this case. Some people have reported port scans from their DNS, but in my case, it has always been provoked by an application running on my system… such as Process Explorer, which can easily issue over 100 DNS requests within a few seconds. In my case, it is the return rate that upsets CFP. The scan amount just needs increasing a little to avoid this.

Suspicious Behavior (iexplore.exe): Yep, that is OK… AdAware does this by update checks & signature definition downloads. So, you can allow that remembered. edit OR if you click on a browser calling link from within AdAware (eg. to visit their web site).

TCP, UDP, ICMP and Other: These are the different types of network protocols being used on your system. You would expect higher TCP if you are browsing or downloading. You get high levels of UDP if you’re running P2P applications or something like this. You should only be concerned if you get persistent high levels of ICMP/Other. Otherwise it is informational only & it is OK.

Thanks. Think for now I have some of my questions answered. This morning when I turned on my computer I had an alert from Comodo but it was about my McAfee Site Advisor which apparently is on my start-up and I just allowed it. Other than that, it has just been running silently in the background

You have been most helpful to a newbie using your firewall and I want to give you a HI-FIVE. :BNC

No problem & its returned… :BNC

I’ll close this topic, if you need it opening again just PM any Mod (it’s faster to PM the ones currently logged on).

Thank you kail and sorry for the 2 PM’s. I have been getting bombarded with HIGH alerts and I am going to post a few here if I can remember how I did it before… Just got another one while I was typing this.

Date/Time :2007-08-14 19:32:16
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

(I have about 6 of these) Another one:

Date/Time :2007-08-14 18:31:27
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:239.255.255.250: :upnp-mcast(1900))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)

(These look to be somewhat similar but not sure what they are and have about 7 of these)

And the last one:

Date/Time :2007-08-14 18:31:36
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:67.177.121.61: :1033)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: 67.177.121.61::1033

I do have a High Severity for WinPatrol but I know that program and I also have a High Security for McAfee Site Advisor and again that program has worked fine for me. Just don’t understand why all the alerts when I am not doing anything but typing. I haven’t updated or installed anything new. In fact I am done installing programs for now.

Any input from anyone out there would be greatly appreciated. Still learning Comodo firewall…

OK, the first 2 are UPnP multicasts & they’re being caused by the Windows Service upnphost (Universal Plug and Play Device Host). Firstly, don’t worry… CFP didn’t like it & blocked the outgoing attempt. You see SVCHOST.EXE & SERVICES.EXE, since SVCHOST.EXE performs any Net access that a Service needs. The question is, do you need it… some routers use (need) UPnP to function… and there are probably other hardware devices that use UPnP as well. So, are you aware of any UPnP control devices that you have?

Now the 3rd alert… could be as a result of either CFP or you (depending on how you answered CFPs above alerts) blocking subsequent actions by SVCHOST… it could have been a return to Windows Update (that uses SVCHOST). Are there any blocks listed in the Application/Component Monitors?

All this stuff is happening because of automated background stuff… that’s why it has just jumped up on you. Have you run any Tweaking utilities recently or installed anything new (hardware or software)?

edit: Did the last alert originally specify a Source IP? That would be useful in determining what it is.
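The entries traded back and forth in this thread are the exported CFP log pasted from the browser, and when pasted they often arrive with the field labels run together on one line (as in the first entry posted above). The following script is an added example, not code from this thread or from Comodo: it splits such entries back into fields and then applies, as plain heuristics, the triage explanations given in the replies above (DNS lookups on UDP/53, SSDP/UPnP discovery from svchost.exe to the 239.255.255.250:1900 multicast address, OLE Automation and "invisible application" details, a parent executable living in a Temp directory, unsolicited inbound packets, and a "port scan" whose source is actually the machine's DNS server). The sample log text is constructed from entries quoted in the thread, with the scan's port list abbreviated. The `dns_servers` argument is an assumption of this example: the caller supplies the resolver addresses shown by `ipconfig /all`, since the log itself does not say whether 209.73.188.78 is a DNS server.

```python
"""Parse Comodo Firewall 2.x log entries as pasted from the exported HTML log
(labels often run together) and triage them by the rules given in this thread."""
import ipaddress
import re

LABELS = ("Date/Time", "Severity", "Reporter", "Description", "Application",
          "Parent", "Protocol", "Destination", "Remote", "Details", "Attacker", "Ports")
# Split a flattened entry wherever a known label followed by a colon begins.
_SPLIT = re.compile(r"(?=(?:%s)\s*:)" % "|".join(re.escape(l) for l in LABELS))
# "68.87.72.130::dns(53)", "67.177.121.61::1033" or the older "ip:dns(53)" form.
_ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):{1,2}\s*(?:[\w-]+\()?(\d+)\)?")
_BLOCKED = re.compile(r"\s*The attacker has been (\w+) blocked\.?")

# Constructed sample assembled from entries quoted in the thread. The first one
# is in the run-together form; the scan entry's port list is abbreviated.
SAMPLE = r"""
Date/Time :2007-07-28 22:04:33Severity :HighReporter :Application MonitorDescription: Suspicious Behaviour (iexplore.exe)Application: C:\Program Files\Internet Explorer\iexplore.exeParent: C:\Program Files\Internet Explorer\iexplore.exeProtocol: UDP OutDestination: 68.87.72.130::dns(53)Details: C:\Program Files\Internet Explorer\iexplore.exe is an invisible application

Date/Time :2007-08-02 18:45:52
Severity :High
Reporter :Network Monitor
Description: TCP Port Scan
Attacker: 209.73.188.78
Ports: 48649, 42505, 42761, 43017, 640, 520, 1, 2, 32, 0
The attacker has been temporarily blocked

Date/Time :2007-08-14 19:32:16
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-14 18:31:36
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:67.177.121.61: :1033)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP InDestination: 67.177.121.61::1033

Date/Time :2007-08-16 12:02:39
Severity :High
Reporter :Application Monitor
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\Documents and Settings\Administrator\Local Settings\Temp\SiteAdv.exe
Protocol: TCP Out
Destination: 204.127.225.14::http(80)
Details: C:\Program Files\Internet Explorer\iexplore.exe is an invisible application
"""

def parse_log(text):
    """One dict per entry; entries are separated by blank lines, and an entry
    may be on one line (pasted HTML) or spread over several (hand-split)."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(ln.strip() for ln in chunk.splitlines() if ln.strip())
        rec = {}
        for frag in _SPLIT.split(flat):
            label, _, value = frag.partition(":")
            label, value = label.strip(), value.strip()
            if label not in LABELS:
                continue
            if label == "Ports":  # trailing "The attacker has been ... blocked" sentence
                m = _BLOCKED.search(value)
                if m:
                    rec["Action"], value = m.group(1) + " blocked", value[:m.start()]
                value = [int(p) for p in re.findall(r"\d+", value)]
            rec[label] = value
        if rec:
            records.append(rec)
    return records

def endpoint(rec):
    """(ip, port) from the Destination/Remote field, or (None, None)."""
    m = _ENDPOINT.search(rec.get("Destination") or rec.get("Remote") or "")
    return (m.group(1), int(m.group(2))) if m else (None, None)

def triage(rec, dns_servers=()):
    """Short findings for one entry. dns_servers is an assumed caller-supplied
    set: the resolver addresses shown by `ipconfig /all` on the machine."""
    out = []
    desc, proto = rec.get("Description", ""), rec.get("Protocol", "")
    details, parent = rec.get("Details", ""), rec.get("Parent", "")
    if "Port Scan" in desc:
        src = rec.get("Attacker", "")
        if src in dns_servers:
            return ["scan source %s is a configured DNS server: a burst of DNS replies, raise the scan threshold" % src]
        return ["unsolicited probe from %s; %s" % (src, rec.get("Action", "blocked"))]
    ip, port = endpoint(rec)
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast and port == 1900:
            out.append("SSDP/UPnP discovery (upnphost service via svchost.exe); needed only if a UPnP router or device is in use")
        elif port == 53 and proto.startswith("UDP"):
            out.append("DNS lookup; normally allowed")
        elif proto.endswith("In") and not addr.is_private:
            out.append("inbound packet from a public address that nothing asked for; blocking it is correct")
    if "OLE Automation" in details:
        out.append("another process drove this application through OLE/COM; check the process named in Details")
    if "invisible application" in details:
        out.append("connection made with no visible window; check Parent")
    if re.search(r"\\Local Settings\\Temp\\", parent, re.I):
        out.append("parent runs from a Temp directory; expected only while an installer is running")
    if "Access Denied" in desc:
        out.append("blocked by an existing Deny rule or a Deny answer to an alert")
    return out or ["no rule matched; post the entry for review"]

def summarize(text, dns_servers=()):
    return [(r.get("Date/Time"), r.get("Description"), triage(r, dns_servers)) for r in parse_log(text)]

if __name__ == "__main__":
    for when, what, why in summarize(SAMPLE, {"209.73.188.78"}):
        print(when, "|", what)
        for f in why:
            print("   -", f)
```

Paste the exported log text into `SAMPLE` (or read it from the HTML file after stripping the tags) and run the script; each entry prints its timestamp, description and the findings the rules produce. The rules are deliberately conservative: an entry no rule recognises is reported as such rather than guessed at, which is the same "when in doubt, post it" advice given earlier in the thread.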

Okay, these alerts are getting on my last nerve. I have been informed the program McAfee Site Advisor is a good program and I had it installed. For some reason yesterday it wasn’t working right. Not sure if you know of this program or not. (the icon will be green if the site you are on is safe, it will turn yellow and you know to use caution and red is a NO NO). Since I had this program installed before Comodo and ran it for known applications it accepted Site Advisor. Well I had to uninstall and reinstall Site Advisor today and once done all these alerts just kept popping up left and right. Opened Comodo/Security/Logs and I counted about 100 High Security Alerts. And most of them had to do with Site Advisor. Each alert that came up I had it accept and remember but they just kept coming and coming and coming. Is this normal???

Sorry I have to do this again but here are a few more High Security Alerts.

Date/Time :2007-08-16 12:02:39
Severity :High
Reporter :Application Monitor
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\Documents and Settings\Administrator\Local Settings\Temp\SiteAdv.exe
Protocol: TCP Out
Destination: 204.127.225.14::http(80)
Details: C:\Program Files\Internet Explorer\iexplore.exe is an invisible application

Date/Time :2007-08-16 12:02:34
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\Documents and Settings\Administrator\Local Settings\Temp\SiteAdv.exe
Protocol: UDP Out
Destination: 68.87.72.130::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-16 12:02:34
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\Documents and Settings\Administrator\Local Settings\Temp\SiteAdv.exe
Protocol: UDP Out
Destination: 68.87.72.130::dns(53)
Details: C:\WINDOWS\explorer.exe has tried to use C:\Program Files\Internet Explorer\iexplore.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-16 12:02:34
Severity :High
Reporter :Application Monitor
Description: Suspicious Behaviour (iexplore.exe)
Application: C:\Program Files\Internet Explorer\iexplore.exe
Parent: C:\Documents and Settings\Administrator\Local Settings\Temp\SiteAdv.exe
Protocol: TCP Out
Destination: 63.240.76.72::http(80)
Details: C:\Program Files\Internet Explorer\iexplore.exe is an invisible application

There are more but I only did 4 of them for now. I think the alerts came once I installed a new program but why are they High Alerts if the program is supposed to be safe???

Ah… now that is happening because McAfee Site Advisor (SA) is dynamically creating the EXEs (note the Temp directory) & CFP thinks the EXEs have changed (which technically they have!). Stumped on this one… if SA is actually changing the size of these EXEs, then there is nothing I can suggest. You could try to define these EXEs as Trusted Applications in CFP (Tasks). You should do this for any security type app anyway (not only in CFP… but exclude in AVs, etc…)… there is no point in allowing your security apps to scan/track each other, it’s a waste of resources & can result in… fights (conflicts).

Thanks for the quick response. Haven’t had any alerts in a while but still have lots of High Securities when I look at the logs and most of them are for Site Advisor. And one of them is even for Comodo BoClean. Imagine that. I should have just left well enough alone and not uninstalled to begin with. But then I would have had a program that wasn’t working.

Quote
You could try to define these EXEs as Trusted Applications in CFP (Tasks). You should do this for any security type app anyway (not only in CFP.. but exclude in AVs, etc..).. there is no point in allowing your security apps to scan/track each other, it's a waste of resources & can result in.. fights (conflicts).

Could you please tell me how to do this and what steps I need to take? And remember I am a newbie to this okay? I believe Site Advisor is a trusted application but I am just not sure how to go about letting Comodo know it…

Open firewall and click on ‘Security’ and then on ‘Tasks’. Click on the ‘Define a new Trusted Application’ link (see screenshot).

Browse to Program Files and find the .exe file for the application you want to add. You can also specify a parent application. You can have SiteAdv.exe as parent and iexplore.exe as application.

:SMLR

[attachment deleted by admin]

Thanks. I just did this. Only the first time I did it I had them switched because I forgot which one went where. So I just went back and re-entered them again. Was this okay? I now have SiteAdv.exe as parent (originally was as application) and I now have iexplore.exe as application (originally was as parent). Will this mess it up or not??? And how can I tell if it is working or not?

when you said you re-entered them again, did you edit the rule you had created or do you now have two new rules?