Comodo & MSN Live Messenger

Hello! I have been using CPF for 2 weeks and I have configured it in the right way for some programs like Emule and Utorrent, but I can’t find the right solution for MSN Live Messenger. I have a big problem with file transfers: they go really slowly, and it takes many minutes to transfer a small file, both in upload and download. Is there anyone who knows the right rule to apply to make file transfers work properly? Thanks for the help!

Welcome to the forums, ingro!

I’m sorry you are having trouble; hopefully we can get it resolved.

First, do you have a Rule in the Application Monitor to Allow MSN Live Messenger to connect? If not, please Add a Rule. Put the executable for MSN Live Messenger in the Application line, set the Parent to “Learn.”

In the Activity Log, do you see any alerts from the Application Monitor regarding Messenger? Are there any Network Monitor alerts for blocked activity?

Live Messenger apparently has some new settings that aren’t very obvious, when working behind a firewall. These possibly include specific ports, etc. I read somewhere (I think) that it also requires UPNP as part of its connection. You may need to adjust your Rule for it a bit, to find a balance that works. For instance, you could (Miscellaneous tab) “Skip advanced security checks” or “Allow invisible connections”; you could also set the Rule to “Allow all activities…” rather than “Apply the following criteria.” If you do any of these, only do one at a time, to see what works.

One user notes that they worked around this issue by turning off items #3 and 4 in Application Behavior Analysis (which are to allow special Windows messages, and COM/OLE connection attempts); however, that would be better accomplished by changes to the App Rule rather than disabling security in general.

Hopefully this helps. Be sure to post your results.

LM

I have the same problem… when someone tries to give me a file it goes really sloooooooowww and a message appears saying I’m having low transfer speed

You should have UPnP on your router enabled.
Sometimes it helps to open port 1863.

I don’t have a router… cable modem direct to my PC…

Does your log show any blocks?

Yeah… lots! Most of them are Inbound Policy Violation, but there are some suspicious behaviour and Outbound Policy Violation, and some application access denied

Hello! I’m here again! I’ve not used COMODO for a while due to the problem with MSN Live! Now I’m trying again to make it work because I didn’t find any other firewall that I like as much as Comodo…

I’ve tried all your solutions but none of them work; when I try to send a file (or receive one) the transfer goes very, very badly… it goes as fast as it should for 2 seconds, then it stops for 5-6 seconds and starts again for 2 seconds, like it has the hiccups…

I’m using a cable modem so the router isn’t the problem for me… I’ve noticed that port 1863 is used for file transfer; I’ve made this rule but it doesn’t seem to help:

ALLOW TCP/UDP
Direction: In/Out
Source IP: Any
Destination IP: Any
Source Port: Any
Destination Port: 1863

Do you have any other ideas? Thanks for your help and sorry for my bad English, I hope it is at least understandable!

Welcome back, ingro! Good to see you again!

Will you do the following three things:

With MSN Live Msngr transferring a file (once it slows down on you), go to Activity/Logs (in CFP), right-click an entry, and select “Export to HTML.” Save the file and reopen it. Then copy/paste the text into your post; you can edit any IP addresses and personal info that you don’t want to post (just leave us enough of IP addresses to show a match where needed).

Also, in CFP, go to Application Monitor, open to full screen. Click on your rule for MSN Live Msngr (so that the “details” are shown at the bottom). Capture a screenshot, and save it as an image file (like a .jpeg). Attach that to your post under Additional Options.

Third, in CFP, go to Network Monitor, open to full screen. Capture a screenshot, save as .jpeg, and attach to your post.

That will give us a better idea of what is happening.

Tnx,

LM

Thanks for your fast reply. I’ll post the log; it isn’t the full version because otherwise it would be too long, these are only the last messages:

Date/Time :2007-02-07 16:04:22
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.61.72.128, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.61.72.128:4407
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:04:17
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.61.72.128, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.61.72.128:4407
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:04:07
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.57.26.243, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.57.26.243:4178
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:04:02
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.57.26.243, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.57.26.243:4178
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:03:57
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.57.75.252, Port = MS-ds(445))
Protocol: TCP Incoming
Source: 82.57.75.252:1375
Destination: 82.57.178.2:MS-ds(445)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:03:42
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.57.182.87, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.57.182.87:4897
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:03:42
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.57.136.159, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.57.136.159:2366
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:03:37
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.57.136.159, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.57.136.159:2366
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:03:37
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Incoming
Source: 192.168.100.1
Destination: 224.0.0.1
Reason: Network Control Rule ID = 9

Date/Time :2007-02-07 16:03:37
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 82.57.182.87, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 82.57.182.87:3495
Destination: 82.57.178.2:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 9

The images are here too, thanks in advance!

[attachment deleted by admin]

I also noticed a thing: for some users (dunno why) when transferring a file it will send it to the direct IP number of the receiver on port 1076, and when that happens it goes fine. But for almost all the users it will send the file to an IP that begins with 207.46 followed by random numbers on port 1853, and in this way it goes badly…

ingro

82.56.0.0 to 82.59.255.255 belong to Telecom Italia, as an ISP. Based on the IP addresses in your log, I’m guessing this is your ISP? However, your log indicates that these relate to the Remote Procedure Call service, and I haven’t been able to verify that being used by MSN Messenger Live. Thus, I wouldn’t allow them by default.

Also, are you using a router? If so, and the router uses NAT (network address translation) you may need to define that as a trusted zone in your network rules.

Three things to check (and I’ll do some more research)…

  1. In CFP, run the Application Wizard (Security/Tasks/Scan for Known Applications). Follow the prompts. Reboot when finished.

  2. In Messenger Live, (the application) can you specify a certain Port to be used? If so, pick a port and set it, add that to your Messenger Application Rule, and your Network Monitor.

  3. When you open Messenger Live (without transferring anything just yet), what IP does it connect to? Go to Activity/Connections (in CFP), and make a note of the IP address.

LM
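As an added illustration (not part of any post in this thread, and not Comodo code), the Python example below tallies blocked entries from an exported CFP log by protocol and destination port, to check whether any of them touch the port the application actually uses (1863 here). The sample entries are constructed, and the handling of an unnamed port written as `ip:port` is an assumption about the export format.

```python
import re
from collections import Counter

# Field patterns for the log layout posted in the thread. They match whether
# an entry is spread over several lines or run together onto one line.
ENTRY_START = re.compile(r"(?=Date/Time\s*:)")
PROTO = re.compile(r"Protocol:\s*(\S+)\s+(\w+)")
DEST = re.compile(r"Destination:\s*([\d.]+)(?::(?:[\w-]+\()?(\d+)\)?)?")
RULE = re.compile(r"Rule ID\s*=\s*(\d+)")

# Constructed sample (documentation-range addresses; Description field omitted).
_HEAD = "Date/Time :2007-02-07 16:04:%02d Severity :Medium Reporter :Network Monitor "
_TAIL = " Reason: Network Control Rule ID = 9"
SAMPLE_LOG = "\n".join([
    _HEAD % 22 + "Protocol: TCP Incoming Source: 198.51.100.7:4407 "
    "Destination: 192.0.2.10:ms-rpc(135) TCP Flags: SYN" + _TAIL,
    _HEAD % 17 + "Protocol: TCP Incoming Source: 198.51.100.9:4178 "
    "Destination: 192.0.2.10:ms-rpc(135) TCP Flags: SYN" + _TAIL,
    _HEAD % 12 + "Protocol: TCP Incoming Source: 198.51.100.23:1375 "
    "Destination: 192.0.2.10:MS-ds(445) TCP Flags: SYN" + _TAIL,
    _HEAD % 7 + "Protocol:IGMP Incoming Source: 192.0.2.1 Destination: 224.0.0.1" + _TAIL,
])

def parse_blocks(log_text):
    """Return one dict per log entry: protocol, direction, dest IP/port, rule ID."""
    entries = []
    for chunk in ENTRY_START.split(log_text):
        proto, dest = PROTO.search(chunk), DEST.search(chunk)
        if not (proto and dest):
            continue  # preamble, or an entry without network fields
        rule = RULE.search(chunk)
        entries.append({
            "proto": proto.group(1),
            "direction": proto.group(2),
            "dest_ip": dest.group(1),
            "dest_port": int(dest.group(2)) if dest.group(2) else None,
            "rule_id": int(rule.group(1)) if rule else None,
        })
    return entries

def triage(entries, app_port):
    """Count blocks per (protocol, direction, port) and list those on app_port."""
    counts = Counter((e["proto"], e["direction"], e["dest_port"]) for e in entries)
    on_app_port = [e for e in entries if e["dest_port"] == app_port]
    return counts, on_app_port

if __name__ == "__main__":
    counts, hits = triage(parse_blocks(SAMPLE_LOG), app_port=1863)
    print(counts.most_common(), "blocks on port 1863:", len(hits))
```

An empty list for the application's port means the logged blocks are unrelated traffic being dropped by the default inbound rule, so loosening that rule would not be expected to change the transfer behaviour.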

Hello LM.

Yes, Telecom Italia is my ISP. As I said above I don’t have a router, I just have a normal ADSL modem…

I’ve already done the scan for known applications, and, as far as I can see, there aren’t options in MSN Live to specify a certain port; there is only an advanced option to define a SOCKS or something like it, but honestly I don’t know what it is…

I’ve tried to open MSN but it starts multiple connections; now I have it idle and the only active connection is on 207.46.107.67:1863… hope it can help, thanks for your effort :)

Okay, thanks for reminding me you don’t have a router (sorry I forgot…).

The 207.x.x.x address is Microsoft. It probably has to do with the file storage. I’m gathering that Messenger Live stores your stuff on a server, so that the other users can access the shared files, even when you’re offline.

What version of MSN Messenger Live do you have?

What version of CFP?

Do you have any other security software installed (antivirus, HIPS, etc)?

LM

I have the latest versions of both programs I think, 8.1 (build 8.1.0178.00) for MSN Live and 2.4.17.183 for CPF.

Dunno how file transfer works; there is an option in MSN Live to use Shared Folders for file transfer but I have it disabled. Otherwise, as I told you before, for some users the file transfer goes directly to the IP of the other user without passing through Microsoft’s one. I’ve not tried with enough people at the moment, but it seems that the file transfer goes well for people with my same ISP and has problems with people that use a different ISP…

I don’t have any other security software installed; I had another firewall before but I’ve uninstalled it, and anyway CPF was the first firewall that I installed on this PC after the last format, and the problem was present from the first install on the clean system…

I’ve just installed Windows Live Messenger 8.1 so I could better see what’s going on with it. I’m not keeping it, tho! As a rule I don’t use these sorts of apps as they are (IMO) security problems just waiting to happen. ;)

A few things to note: You must have Universal Plug N Play service enabled on autostart in Windows in order for it to work properly. You have to have a UPNP-compliant router (if one is used). Windows states that if you use a firewall (of any sort) you may not be able to use Live Messenger. If your ISP uses NAT (network address translation) or firewalls on their hardware, you may not be able to use Live Messenger. (Basically, all this says you can’t have security, or you may not be able to use Live Messenger). They also said to clear all the items from the SOCKS fields if you’re having transfer problems; so if you’ve got Port 1080 showing, you might clear that out (the SOCKS is a proxy setting).

I also see that you have a single Application Monitor Rule for Messenger; after running it and allowing all the popups (there seemed to be a million of them), I ended up with three. See attached screenshot. It may be beneficial to separate the rules out like this, and even specify ports in the rules.

Here’s a couple things to try, based on activity that I’m seeing.

You may want to create two new zones for Microsoft Live (in CFP - Security/Tasks/Add a Zone):
65.52.0.0 - 65.55.255.255 (MS Zone 1)
207.46.0.0 - 207.46.255.255 (MS Zone 2)

Then use those Zones with the Network Wizard (Security/Tasks/Define a New Trusted Network) to and from your computer. Make sure the rules end up at the top of your Network Monitor (it should create 4 rules; two for each zone: one In, one Out). If you go back in to edit the Outbound rules, you can change the Protocol from “IP” to “TCP/UDP”, and define a Set of Ports (destination) of 53, 80, 1863, 7001. Obviously this will replace your existing rule for port 1863.

For the file transfer versus file sharing; it seems the file transfer goes straight to your contact. File sharing uploads through the Live servers.

I note that in the Connections of Messenger Live, you can run a troubleshooter on the connection (if there’s a problem). Under the Advanced Settings, you can test the TCP, and HTTP settings as well.

I realize that’s not much help; hopefully it will provide you with something, though. I’ve got to uninstall this thing quickly; I don’t trust it… ;D

LM

[attachment deleted by admin]

Ehehe thanks… I’ve tried to clear the SOCKS field, and I’ve run the Connection Troubleshooter, but nothing happens… so I’ve created the two trusted zones as you suggested (I’ve made a screenshot so you can check if I’ve done things all right) but nothing changed… I’ve tried to send files to other people and, if they have my same ISP, no problem; otherwise the connection will go so sloooow!

[attachment deleted by admin]

It looks like you’ve done exactly as I suggested, ingro. I wasn’t sure if that would work or not, but I saw that connections were generated and held there, so it was worth a try… Since that didn’t help, you can remove those if you want, and replace with the single Outbound rule TCP/UDP for port 1863. Or you can leave them; they’re not loose rules - if you allow (by any means) Outbound, you’re authorizing the connected IP address to return an Inbound response anyway. (that’s how you can surf the net…)

If you set CFP’s Security Level to Allow All, does the transfer work the way it should?

If not, you may want to watch the process with a packet sniffer, to see if that will help identify where your connection is slowing down (it might be through your ISP…)
EtherSnoop Light is a free program; you can get it from MajorGeeks.com. Port Explorer is a paid program from DiamondCS, but has a free trial period. I haven’t used EtherSnoop, but I have used Port Explorer a little; it does quite a bit.

Also of note: Windows also said that if you are transferring files directly, you should shut down all other running applications, or you may experience transfer problems. Seems like they’re just full of advice… ;D

LM

I am using windows live messenger for audio/video conferencing and file transfers as well.
I have UPNP disabled on my computer and only two rules for messenger.
One in app mon: tcp/udp in/out,any,any
One in net mon: tcp/udp out,any,any,any,any

and no problems

Since you have those rules, the problem must be somewhere else, not with the rules.

Hilmi

So for the NetMon, that’s one of the default rules… thus, you’ve only had to create one rule (AppMon) to be able to use Windows Live Messenger. And you’re doing the direct file transfer that ingro’s talking about, rather than the file sharing?

LM