Concern Over Firewall Blocking Capability

Specs. XP SP3 Comodo ver. 3.12.111745.560.

A while back I opened a thread about Flash connecting to port 1935 from IE8. As I indicated in the post, I was and still am using Comodo’s default web browser rule, which I have attached. That issue was never resolved other than an admission by the moderators that they were able to duplicate it.

Yesterday I had another instance of a connection to port 8000 that I am very concerned about.

10/27/2009 7:02:14 PM C:\Program Files\Internet Explorer\iexplore.exe Allowed 192.168.1.100 2053 158.250.29.123 8000 TCP

This destination IP is a known porn server among other things in Amsterdam.

Now the default Comodo rule is only supposed to allow destination ports 80, 8080, and 443. So why is Comodo allowing this connection?

[attachment deleted by admin]

Well, this issue took on a whole new much more sinister dimension yesterday evening. Reviewing of the firewall log showed two TCP connections to 2000 series ports from rtvscan.exe. This was at a time when the PC was idle.

Rtvscan.exe is Symantec’s real time virus scanner. I have never seen it connect to the Internet in the 6 years I have been using Symantec’s Corp AV/Endpoint products. This indicated to me that something real bad was lurking in my PC regardless of the recent normal mode clean scan results I had received using Symantec’s AV, Anti-malwarebytes, and A2-Squared.

I rebooted in safe mode and after some finagling completed a full AV scan. Well, found was not one, or two, but three stinking rootkits! It appeared to be all the same rootkit - Hacktool.Rootkit. It infected two system restore Axxxxxxx.sys files and one IE temp file, which I assumed was a spawn of one of the infected system restore files.

Took me a while but got all the rootkits removed and in the process lost all my system restore files - such is life in hackerland.

I won’t get into it but these rootkits do explain a lot of strange behavior the PC has been experiencing lately.

I am getting concerned about Comodo however. Ever since I have been running Comodo’s firewall, I have been getting nailed by a lot of strange stuff. This might just be coincidence or it might be something else. I will be monitoring Comodo’s firewall behavior very very closely in the near future.

The Web Browser policy also contains rules to support FTP transfers.

To limit outbound connections to the HTTP port set, such FTP-related rules ought to be removed:

  • Allow Outgoing FTP Requests rule, which allows outbound connections to dest port 21 (start FTP transfer)
  • Allow Outgoing FTP-PASV Requests rule, which allows outbound connections to dest port range 1024-65535 (carry FTP transfer)

The Application Network Access Control dialog provides a Custom policy option and a Copy from dropdown button, which could be used to copy and thereafter customize an existing policy.

Don’t understand what the default FTP rules have to do with the problem.

The regular FTP rule is TCP outbound only to dest port 21. The FTP-PASV rule is TCP outbound only to dest privileged ports 0 - 1023.

Neither of these rules is logged, so anything that triggered them would not have shown in the firewall log.

My issue was an iexplore.exe TCP connection outbound to port 8000 that showed in the firewall log. The only thing that would have generated that is the HTTP default rule. This rule and the DNS rule are the only ones I log.

FTP-PASV rule will allow outbound connections whose dest port is not a privileged one [0-1023].

This means that the FTP-PASV rule contained in the default Comodo Web browser policy will allow outbound connections to dest port range 1024-65535, which would also include outbound connections to port 8000, whereas AFAIK logging could have been triggered also by some custom global rule active at the time.

Oops! You are indeed correct. I did not see that the exclude box was checked on the FTP-PASV rule. It is very easy to miss that exclude option. I will just remove the FTP-PASV rule. Is that rule not an extremely dangerous one to include in a predefined rule?

If you don’t mind disabling FTP support in your web browser, removing FTP-PASV would greatly narrow down the outbound connection port range.

Since it is not uncommon for webpages to have ftp:// links, the default Web browser policy is seemingly meant to support that web-browser feature as well.

Have any ideas for a rule for Flash now that port 1935 is being blocked? I could just allow outbound TCP port 1935, that is, add port 1935 to the HTTP rule ports. Think that is secure enough?

Hi DonZ, I’ve just been looking at this today while watching the Grand Prix qualie in Abu Dhabi, and during it I noticed that the flash was going through port 1935.
MMMM, I thought, and then I read this and it all adds up 88)
I think the inclusion of the FTP-PASV rule is a somewhat moot point if it allows your browser to connect to any port not in the privileged port set, but that is a different thing.

Anyway I removed the FTP-PASV rule from the web browser policy and whatever you’re watching seems to then default to port 80 (at least it did for me). I have now added port 1935 to my http port set and when connecting to the same iPlayer it comes through port 1935.

Glad we got to the bottom of it, Nice 1 Endy :-TU

Matt

I love when I don’t understand what people are talking about.

Does this mean predefined browser policy has a flaw?

I did some more research on FTP yesterday and there are instances where someone might require FTP that the FTP-PASV rule would support. I also saw multiple comments that this type of firewall rule should only be allowed when needed. Therefore, my recommendation would be to keep the rule in the Comodo predefined web browser rule set but move it under the existing block rule. That way it’s available if someone needs it and all they have to do is move it above the block rule to activate it.

One feature I would like to see added to Comodo firewall is a checkbox capability like the Symantec Endpoint aka old Sygate firewall has. By removing the checkmark, the rule would not be active but would remain in place in the ruleset. It’s a great feature for testing and retains the rule’s positional relationship in the ruleset.

Pertaining to Flash and port 1935, Adobe states that Flash uses an embedded RTMP tunneling protocol within TCP to stream video. I have yet to find any firewall that knows how to handle it …
As Matty indicated, the preferred port for Flash is 1935 but it will default to port 80 then 443 if port 1935 is not available.
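To make the rule-ordering points in this thread concrete (the FTP-PASV rule with its exclude box matching any non-privileged destination port, DonZ’s suggestion of moving that rule under the existing block rule, and adding 1935 to the HTTP port set for Flash), here is an added example that models a Comodo-style first-match application ruleset. It is not code from the thread or from Comodo; the rule names and port sets follow the descriptions given above, and the rest is an assumed simplification.

```python
# Added example: a small first-match model of ordered per-application firewall
# rules, used to trace the thread's iexplore.exe -> 158.250.29.123:8000 connection.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "block"
    proto: str = "TCP"                       # "TCP", "UDP" or "ANY"
    ports: set = field(default_factory=set)  # destination ports named by the rule
    exclude: bool = False                    # the "Exclude" box: match ports NOT in `ports`

    def matches(self, proto, dport):
        if self.proto != "ANY" and proto != self.proto:
            return False
        if not self.ports:                   # no port filter: any port matches
            return True
        hit = dport in self.ports
        return (not hit) if self.exclude else hit

PRIVILEGED = frozenset(range(0, 1024))

def default_browser_policy():
    """Approximation (assumed) of the predefined Web Browser policy described in the thread."""
    return [
        Rule("Allow Outgoing HTTP Requests", "allow", ports={80, 8080, 443}),
        Rule("Allow Outgoing FTP Requests", "allow", ports={21}),
        Rule("Allow Outgoing FTP-PASV Requests", "allow", ports=set(PRIVILEGED), exclude=True),
        Rule("Allow Outgoing DNS Requests", "allow", proto="UDP", ports={53}),
        Rule("Block and Log All Unmatching Requests", "block", proto="ANY"),
    ]

def evaluate(policy, proto, dport):
    """First matching rule wins; returns (action, rule name)."""
    for rule in policy:
        if rule.matches(proto, dport):
            return rule.action, rule.name
    return "block", "implicit deny"

def move_rule_below_block(policy, name):
    """DonZ's idea: keep the rule in the set but place it after the block rule (so it never fires)."""
    rule = next(r for r in policy if r.name == name)
    return [r for r in policy if r is not rule] + [rule]

def add_http_port(policy, port):
    """Matt's Flash workaround: add a port (e.g. 1935 for RTMP) to the HTTP rule's port set."""
    http = next(r for r in policy if r.name == "Allow Outgoing HTTP Requests")
    http.ports = http.ports | {port}
    return policy

if __name__ == "__main__":
    print(evaluate(default_browser_policy(), "TCP", 8000))   # allowed by FTP-PASV (exclude)
    demoted = move_rule_below_block(default_browser_policy(), "Allow Outgoing FTP-PASV Requests")
    print(evaluate(demoted, "TCP", 8000))                     # now hits the block rule
    print(evaluate(add_http_port(demoted, 1935), "TCP", 1935))  # Flash allowed explicitly
```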