Defense+ Kills Internet Connection. V.3.0.22, 32 bit, Windows XP Home edition

I was on-line and having created a lengthy post to a forum, I was doing a “Preview” when Defense+ popped up to advise that Thunderbird was trying to do something, and asked if I trusted it. This happened 3 times in quick succession, and each time I allowed but refrained from “remember”. I did notice at least one explanation that Thunderbird wanted to do something to a registry key, but my memory fails me for anything longer than an 8.3 format file name !!!

Thunderbird has never done this sort of thing before, but I was not worried because :-
until two weeks ago I was still using 3.0.14, so new experiences are part of the upgrade experience;
earlier in the day a pop-up recommended that I upgrade Thunderbird to 2.0.0.14, which I declined, and I thought Thunderbird might be making a note to itself to ask again tomorrow.
I was quite happy that Defense+ was doing its job.

After this I was able to complete my “Preview”, and then I clicked on Submit, and Firefox could no longer find the server. After several desperate “Try Again” clicks I looked at the Modem diagnostics, and found the internet had been disconnected.
Server Lost, Internet Lost, MY FORUM POST LOST !!!
Not quite so happy about the way that Defense+ did its job.

Alan

Check D+/advanced/computer security policy and see if anything there shows up as blocked. Also check TB permissions there and for the firewall. Are you using the default web browser policy? Does anything show up in the firewall log or D+ log? What mode do you have FW and D+ in? Are you using an AV or AS that acts as a proxy?

Hi

Computer security policy shows too many applications to count - taking just over 3 screen displays. Under “Treat As” most are set as “Custom Policy”, quite a few are “Installer or Updater”, and only Windows System Applications is set as windows System Application. Nothing is shown as blocked. I hope that answers your first question - I really do not want to edit each and every custom policy to see if any application has a default action of Block against Access name.

Both Thunderbird and Firefox have “Allow” against 4 items - all the rest are “Ask”
Comodo Firewall has “Ask” against Run as Executable - all the others are “Allow”

Under “Predefined Security Policies” I see nothing that looks like a default web browser.

Under “Predefined Firewall Policies” I see “Web Browser” which allows Loopback, and outgoing HTTP, FTP, FTP-PASV, and DNS requests, with Block and Log all Unmatching requests.

Under Network Security I find no use of “Web Browser”.
I have Global Rules, as set by Stealth Wizard
I have Application Rules - “Treat As” :-
Comodo “Outgoing Only”
Everything else is Custom, Thunderbird and Firefox and most others are “Allow IP Out from IP any to IP any Protocol Any”
The only exception is svchost has “Allow IP IN from Any to Any protocol Any”, but I assume my Global Rules protect me from that.

The last 3 items in my Defense+ Log for this month show

10/05/2008 20:39:12 C:\Program Files\Internet Explorer\iexplore.exe Install Hook C:\WINDOWS\system32\mshtml.dll
12/05/2008 12:30:25 C:\Program Files\Brother Technology\AptDiff\aptdiff.exe DNS/RPC Client Access \RPC Control\DNSResolver
13/05/2008 17:06:04 C:\WINDOWS\system32\drwtsn32.exe Access Memory C:\Program Files\COMODO\Firewall\cmdagent.exe

The Firewall Log has many Blocked items, which are
svchost on Ports 135 and 139,
System on port 445
Windows Operating System Pings
These 3 applications were the only things listed for yesterday,
but a few other things were blocked, such as 75.71.74.46 which at about 1 hour intervals chose a different source port number to use for 6 off TCP at 3-second intervals, each time aiming at my port 23317.

Network Defense is set to Custom Policy Mode
Proactive Defense is set to Safe Mode.

Apart from Comodo 3.0.22.349, my only security is ESET NOD32 2.70.39 which waits inside the Firewall for Internet traffic to Firefox etc. I briefly tried the later series which went out and collected the traffic in such a way that the Firewall no longer identified the traffic with Firefox, but always identified it as ESET NOD32 regardless of what actually processed / required the data. I am not sure of the definition of “proxy”, but I guess the latest version was a sort of proxy, and what I have reverted to is NOT a proxy. I also use obsolete Adaware which eliminates “tracking cookies”, but this is only scan on demand - I tried their latest version with Adwatch or whatever, but this was far too intrusive with real-time “protection” I never wanted, and every time I stopped the process it came back to life again shortly after.

Regards
Alan

Hi

Supplementary questions that arose whilst I researched the above. I am posting separately in case you wish to move it to a different forum.

Several times a week when I log on with yet another random dynamic IP Address, the Firewall has cause to block things aiming at just one of my ports. Sometimes it is just one stranger such as the above 75.71.74.46 aiming at my port 23317, making perhaps a dozen attempts an hour, and sometimes it seems like all the IP addresses in the world are trying to talk to me at such a rate that logging is difficult - so bad that previously with Comodo 2.4 it would go into 95% + CPU usage. What does it mean? Am I under attack, or is it a consequence of being allocated a dynamic IP address that was previously being used by a P2P file-sharer with something everyone wants?

When the whole world is aiming at exactly one of my ports, the event log is flooded with blocked events, and when I review the log it is difficult to see anything else. Under Attack Detection Settings a “suspicious host” can be automatically blocked for a chosen time. Is it possible to also configure that large numbers of attempts, possibly by non-repeating different IP addresses, will be blocked BUT NOT LOGGED if they are all aiming at the same port number on my PC? If it is not possible, could this be added to a wish list please?

When I was busy at something else, my son upgraded me from 3.0.14 to 3.0.18. There was no warning that this was by default a downgrade, and that a new “Stealth Ports Wizard” was available and had to be used to restore my accustomed “stealth” protection.
After a few days I received a spam Messenger pop-up which rang alarm bells, so I went to “Shields Up!” which confirmed my worst fears, that my Shield was actually down !!!
I downloaded and ran RootKit and Virus detectors and found nothing untoward, but just in case I restored a partition image I created two weeks earlier - it put me back to 3.0.14 with full stealth, and ensured removal of anything that might have evaded the Rootkit and Virus Detectors.
Just in case it could happen ever again I went into Services and disabled the Messenger service.
I have recently upgraded from 3.0.14 to 3.0.22

I now see svchost has “Allow IP IN from Any to Any protocol Any”. I assume this was involved in the spam messenger pop-up.
The messenger service remains disabled, and my Global Rules prevent IP in so I assume svchost should be unable to cause harm. Would I improve the extent of my protection if I either removed the entire svchost rule, or changed it from Custom policy to “Blocked Application” ?

Regards
Alan

Will try to answer a few of your questions first.

  1. If you are not behind a NAT router, you seem to be getting the usual internet noise by zombies looking for vulnerable computers. And CFP3 is blocking as intended. But to cut down the log clutter, change the block all inbound global rule to not log. Or buy a NAT router.
  2. Pretty much the same as 1. You should block inbound unless you add an exception above the final global rule to allow selected inbound.
  3. svchost generally doesn’t need inbound, but does need outbound so don’t block it completely.

So: Suggestions on what to do besides changing your logging:
Under network security policy:
Change the rules for TB to the default email client rules
Delete the rules for NOD32
Under D+:
Delete the rules for both TB and NOD 32
Change the modes of both FW and D+ to training. You can change them back later after you have had CFP3 make rules for your most commonly used programs.

This should allow CFP3 to make the necessary rules for you when you use Thunderbird, and clear the log enough so we can see if anything directly attributable is happening.
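The log-clutter point in the reply above (a flood of blocked inbound hits on one port, some from a single address that keeps coming back, most from scattered addresses) can be checked with a short script rather than by scrolling through the GUI log. The following is an added example, not Comodo's code and not anything the poster ran: the log layout, the addresses, the destination host and the per-port limit are all constructed for the example (Comodo's real log export format is not shown in the thread, so the parser targets the made-up layout). It separates "distributed" ports (hit by many different sources, the usual zombie noise) from "persistent" sources (one address repeatedly probing one port, like the 75.71.74.46 / 23317 pattern), and shows the "block but do not log every hit" behaviour the poster asked for, applied at review time.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of blocked-inbound firewall events (IPv4 only).
# The layout is invented for this example; it is NOT Comodo's export format.
SAMPLE_LOG = """\
13/05/2008 09:00:01 Blocked TCP 75.71.74.46:51123 -> 192.168.1.10:23317
13/05/2008 09:00:04 Blocked TCP 75.71.74.46:51123 -> 192.168.1.10:23317
13/05/2008 09:00:07 Blocked TCP 75.71.74.46:51123 -> 192.168.1.10:23317
13/05/2008 09:00:10 Blocked TCP 75.71.74.46:51123 -> 192.168.1.10:23317
13/05/2008 09:00:13 Blocked TCP 75.71.74.46:51123 -> 192.168.1.10:23317
13/05/2008 09:00:16 Blocked TCP 75.71.74.46:51123 -> 192.168.1.10:23317
13/05/2008 10:01:02 Blocked TCP 75.71.74.46:52810 -> 192.168.1.10:23317
13/05/2008 10:01:05 Blocked TCP 75.71.74.46:52810 -> 192.168.1.10:23317
13/05/2008 10:01:08 Blocked TCP 75.71.74.46:52810 -> 192.168.1.10:23317
13/05/2008 11:15:00 Blocked TCP 203.0.113.7:3344 -> 192.168.1.10:135
13/05/2008 11:15:20 Blocked TCP 198.51.100.9:4455 -> 192.168.1.10:135
13/05/2008 11:15:41 Blocked TCP 203.0.113.88:1025 -> 192.168.1.10:135
13/05/2008 11:16:03 Blocked TCP 198.51.100.200:2222 -> 192.168.1.10:135
13/05/2008 11:16:30 Blocked ICMP 203.0.113.5 -> 192.168.1.10 ping
13/05/2008 11:17:00 Blocked TCP 192.0.2.44:6000 -> 192.168.1.10:445
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Blocked (?P<proto>\w+) "
    r"(?P<src>\S+) -> (?P<dst>\S+)"
)


def _split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); a bare '1.2.3.4' -> ('1.2.3.4', None)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_events(text):
    """Turn the constructed log text into a list of event dicts; skips lines that do not match."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        src_ip, src_port = _split_endpoint(m["src"])
        dst_ip, dst_port = _split_endpoint(m["dst"])
        events.append({
            "time": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
            "proto": m["proto"],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return events


def summarise_by_port(events):
    """Hit count and set of distinct source IPs per destination port (port-less events skipped)."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for ev in events:
        if ev["dst_port"] is None:
            continue
        entry = summary[ev["dst_port"]]
        entry["hits"] += 1
        entry["sources"].add(ev["src_ip"])
    return dict(summary)


def classify(events, distinct_sources_min=3, repeat_min=6):
    """Separate background scanning noise from a source that keeps coming back.

    A port hit by at least distinct_sources_min different addresses is 'distributed'
    (typical worm/zombie noise); a single address with repeat_min or more hits on
    one port is 'persistent' and worth a closer look. Thresholds are constructed.
    """
    per_port = summarise_by_port(events)
    distributed = sorted(p for p, s in per_port.items()
                         if len(s["sources"]) >= distinct_sources_min)
    pair_counts = defaultdict(int)
    for ev in events:
        if ev["dst_port"] is not None:
            pair_counts[(ev["src_ip"], ev["dst_port"])] += 1
    persistent = sorted((src, port, n) for (src, port), n in pair_counts.items()
                        if n >= repeat_min)
    return {"distributed_ports": distributed, "persistent_sources": persistent}


def suppress_floods(events, per_port_limit=2):
    """Keep only the first per_port_limit events per destination port and count the rest.

    This is the 'block but do not log every attempt on the same port' idea from the
    thread, applied when reviewing the log: the port is still recorded, but a flood
    on it cannot bury everything else. Events without a port (ICMP) are always kept.
    """
    kept, seen, dropped = [], defaultdict(int), defaultdict(int)
    for ev in events:
        port = ev["dst_port"]
        if port is None or seen[port] < per_port_limit:
            kept.append(ev)
            if port is not None:
                seen[port] += 1
        else:
            dropped[port] += 1
    return kept, dict(dropped)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for port, s in sorted(summarise_by_port(evs).items()):
        print(f"port {port}: {s['hits']} hits from {len(s['sources'])} source(s)")
    print(classify(evs))
    kept, dropped = suppress_floods(evs)
    print(f"kept {len(kept)} of {len(evs)} events; suppressed per port: {dropped}")
```

On the sample, port 135 comes out as distributed noise (four different sources, one hit each), while 75.71.74.46 is flagged as a persistent source with nine hits on 23317; suppressing at two events per port keeps 6 of the 15 lines and reports what was dropped, which is the view a reviewer wants when "the whole world is aiming at exactly one port". The thresholds and the two-per-port limit are starting points to tune, not recommended values.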

Hi

Thank you for that, I will try it.

n.b. Yesterday was a really bad day for me. After Defense+ queried whether Thunderbird should change the registry, and then the Internet and my extensive forum message was lost, I had Notepad lock up and not want to close, then Task Manager found dumpreg process was running, and from bitter past experience I knew that, like the fabled Hydra, chop one head off and two spring up in its place, so instead of just killing that process I killed its process tree and that worked, and notepad then disappeared. Later on I found Drwatson process was running, so I killed that as well. Then whilst replying to you and within preview I switched to Comodo to ensure accuracy, and when I switched back to you Firefox had gone, along with all my reply. Previously I lost the Internet but still had Firefox, this time the Internet was still connected, but Firefox had gone. After switching between a few other applications I suddenly discovered that xplorer2 had gone. I think a bit later something else went AWOL. I decided this must be Windows’ way of telling me it wanted a REBOOT, so I decided I would also go to bed and try a reply today.

After a good night’s sleep, I now recognise that when I was switching between active windows, their task bar icons were being highlighted, and when something got lost it was always one of the important ones that I launch at the start of the day. I think that when Windows killed something it could have always been the icon on the extreme left that “fell over the edge” !!!

I am pleased to say that today has been a much better day.

Alan