Comodo groups everything under the Windows Operating System header!

I’m using Comodo (x64) on Windows Vista Ultimate x64 and Comodo is grouping all my traffic (as far as I can tell) under the “Windows Operating System” header and does not seem to recognize individual applications. I’ve done multiple re-installs (yes, I tried the sticky uninstallation guide too) but the problem persists.

I first thought this was a problem specific to uTorrent because that’s where I first noticed it, but I’ve come to the conclusion that it’s way bigger than that. The original thread can be found here but I’ll sum it up quickly:

I couldn’t get the uTorrent checkmark to turn green no matter what I tried, until I realized connections to uTorrent were still being blocked by Comodo, but under the “Windows Operating System” header and not the “uTorrent” header. Applying the uTorrent rules to the WOS process allowed me to get the green mark.

Then I tried sending a file through mIRC and ran into the same problem. Trusting mIRC didn’t help, and adding an allow entry for the mIRC port to the WOS rules solved the problem.

Today I tried playing Age of Mythology on LAN. Same problem, same solution.

Comodo grouping everything into one pseudo-category is of course a big problem as it makes it virtually useless or at least dramatically unhandy. I have no idea why it’s acting this way. I’m also not sure if this is a problem that came along recently or if it’s been there from the start (this PC is only two months old). I’ve used Comodo 3 on XP in the past and never had any problems.

What I’ve tried so far:

  • resetting all settings
  • uninstalling and reinstalling.
  • uninstalling using the sticky uninstall guide to make sure no trace was left and reinstalling
  • turning off UAC
  • using the sticky guide to make Comodo behave with UAC

So far nothing has worked. Even on a clean slate, traffic coming from uTorrent, mIRC and even Firefox is getting detected as Windows Operating System traffic.

Any help would be greatly appreciated as Comodo is virtually useless to me as it is. I’m even better off using Vista’s built-in firewall…

What do your global rules look like at this point? I don’t use global rules because of the confusion they can cause. Just erase them for now to help understand what is happening. Do you actually have any WOS rules, or “all applications” rules near the front of the application rules? I attached a copy of the rules I use before getting into individual applications for comparison. Take the rules for Firefox, if it is one of the applications still showing up as blocked in WOS, and move them to the top of the Policy rulesets. Use the default rules for Web Browser for Firefox. See if the problem persists, and if anything shows up in the log when you use Firefox. I am not using mIRC or P2P, but without global rules or preceding system rules your Firefox application rules should be the first thing processed, since Policies are all just read top to bottom for each succeeding application. Or if it is easier for you, you can use one of your other applications like mIRC the same way. Do include a block and log all as the last rule of whatever policy(s) you choose so we can see what is not being satisfied, though. Also, putting Firewall and D+ in training mode and looking for popups may further illuminate things. Please post your logs.

[attachment deleted by admin]

Go to miscellaneous → diagnostics and tell us the results.

Which security products are you using?

Already been down this road with him. His global rules don’t make sense. See his reply #16.

They do make sense, Vettetech. As I told YOU countless times, I tried clearing out the rules and it made no difference whatsoever. Using the P2P or the block all version in the stealth wizard does not help; all the traffic gets recognized as WOS in any case. Screenshots of two different configurations attached. Neither works.
In any case, these exact same settings work on my old PC with XP. Actually, I don’t even need a uTorrent global rule there. But like I said, this is no longer a uTorrent-only issue…

The Diagnostics tool came up with nothing.

As for other software I’m running:
Avast! Antivirus Free
Windows Defender (because it’s installed by default in Vista)
I disabled Defense+ because I don’t like it much.
And that’s pretty much it except for on-demand scanners like AVG Anti-Spyware (resident protection is switched off, so is auto-start) and Spybot S&D.

[attachment deleted by admin]

How did you set your WOS to which includes svchost, system and explorer? Look at sded’s screenshot.

Coren, can you post your logs like you did your rules? Obviously there is something going on we don’t understand.

You shouldn’t have to disable D+. When did this all happen? After you port forwarded your modem?

Could it be something as simple as the user accidentally selecting the predefined policy “Windows System Application” when the Defense+ alert came up the very first time he ran uTorrent?

Just a thought,
Ewen :)

Do you have some app/service which acts like a proxy, i.e. this app/service processes traffic from every app through itself (e.g. resident antivirus with ‘scan http traffic’ option turned on)?

Hi, first … sorry for my English if I write some crappy sentence.

OK, I have uninstalled Archlinux from my comp (ASUS A6M, but it doesn’t matter) with the plan to install Windows XP and Archlinux on this notebook, because I need to use one application which runs (runs well) under WinXP only (Solidworks is that application). So I formatted my disk and installed WinXP (1 day ago) and consequently COMODO Firewall PRO. Then I installed “utorrent” and made some rules for it in COMODO.

Then I started utorrent and did some “watching” for any suspicious behaviour. NOTHING - all was going very well - with some “fired” rules (correct ones). BUT when I closed utorrent → the application header in “View Firewall Events” immediately changed to “Windows Operating System” and it started to BLOCK all INCOMING traffic directed at my utorrent port! Even if that rule for utorrent wouldn’t be fired if utorrent is running, because that rule ALLOWs that traffic to utorrent. So in my opinion utorrent clients are “making persistent connection attempts to an IP address which was in connection with this client recently”, and because the utorrent process is not running any more, those packets are handled by COMODO under the header “Windows Operating System”; but because the correct rule for allowing these packets is made for the “utorrent application” (which is not running), the COMODO ACTION is BLOCKED.

In my opinion this must be a question of some time until the utorrent clients of other peers stop trying my address… I’ll see tomorrow :) ... I’ll keep in touch and tomorrow I’ll report the result.

OK, have a nice firewalling…

Oh, sorry… only one more piece of information…
If you start utorrent → immediately this problem is solved and none of the previous BLOCK actions appear in “Firewall Events” and everything is OK…

Of course, until you close utorrent again :)

Okay, sorry I took a while to respond but I had other things on my mind. In the meantime, I also replaced my router because it was crapping out (I went from a Speedtouch 706WL to a Linksys WAG200G) but this hasn’t changed anything in the Comodo department.

So I confirm again that traffic that is obviously related to uTorrent is being grouped under the “Windows Operating System” name. Check the screenshot.

Yuriy, your suggestion makes a lot of sense but sadly that doesn’t appear to be it. I’m using Avast! and while it does have a “web scanner” option, it only appears to be scanning stuff on port 80. Regardless, disabling my antivirus didn’t help. :( Thanks for taking me seriously, though.

As for Defense+, panic, I disabled it so that’s not it. Vettetech, I disabled it because I wanted to. It bugs the frack out of me with all its confirmation dialogs. I have other ways of keeping spyware at bay.

This is how I solved my problem so far: since WOS is usually “outgoing only”, I created a set of rules allowing all outgoing connections, but I also added a rule allowing TCP and UDP In to the uTorrent port.

Also, making a global rule for the incoming connections on the uTorrent port makes the alerts disappear from the log, but the connections are still getting blocked according to the uTorrent portchecker. When I use the above rules for WOS, though, everything’s fine.

[attachment deleted by admin]

I asked you this before but have you fully stealthed your router? What happens when you completely uninstall Comodo? Have you tried to make uTorrent connect on a higher port that they tell you to use?

Try out what happens if you stop manually all the active torrents and only after you are disconnected from all peers close the application. Is the WOS (unsolicited) traffic still there?

Eyeballing that most recent log, it’s showing TCP and UDP traffic inbound to your machine on port 34188. My first question is to ask what is running on port 34188? You can find out by running “netstat -anob” from a command prompt.

The reason for all the “Windows Operating System” entries is that the inbound traffic is being blocked before being handed off to whatever application is running. Not knowing what the application is, it is being reported as blocked by your machine (the “Windows Operating System”). Technically correct, but misleading information in this instance.
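
The port check suggested in the post above, as an added example that is not part of the original thread: a small parser that reads saved `netstat -anob` output and reports which process, if any, is listening on a given port. The sample output, PIDs and image names are constructed for illustration; only port 34188 comes from the thread.

```python
import re

# Constructed sample of `netstat -anob` output (elevated prompt); not the poster's data.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:34188          0.0.0.0:0              LISTENING       2468
 [uTorrent.exe]
  TCP    192.168.1.10:49210     203.0.113.7:80         ESTABLISHED     3120
 [firefox.exe]
  UDP    0.0.0.0:34188          *:*                                    2468
 [uTorrent.exe]
"""

def parse_rows(text):
    """One dict per TCP/UDP row; -b prints the owning image on a later line."""
    rows, current = [], None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] in ("TCP", "UDP"):
            current = {
                "proto": fields[0],
                "port": int(fields[1].rsplit(":", 1)[1]),
                "state": fields[3] if len(fields) == 5 else "",  # UDP has no state
                "pid": int(fields[-1]),
                "image": "unknown",  # kept if netstat cannot name the owner
            }
            rows.append(current)
        elif current is not None:
            owner = re.fullmatch(r"\s*\[(.+)\]\s*", line)
            if owner:  # component lines such as "RpcSs" are skipped
                current["image"] = owner.group(1)
                current = None
    return rows

def owners_of_port(text, port):
    """Processes able to receive inbound traffic on `port`."""
    return sorted({(r["proto"], r["image"], r["pid"]) for r in parse_rows(text)
                   if r["port"] == port
                   and (r["proto"] == "UDP" or r["state"] == "LISTENING")})

if __name__ == "__main__":
    # An empty list means nothing is bound to the port, so a blocked inbound
    # packet has no application to be attributed to.
    print(owners_of_port(SAMPLE, 34188))
```

Running the check once with the application open and once after closing it shows whether the blocked packets arrive while anything is still bound to the port.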