Does Comodo monitor all ports?

Hi all, this is a comment from a post at avast forum.Please notice his signature.

Here is a quote from his post:

My friend - a big guru in IPS - says he won't recommend COMODO anymore. :) The reason is as follows (from his words): COMODO doesn't process connections at high-number ports from 65000 to 65535. :)

and here is his signature:

Nick Golovko Anti-Virus & General Security Advisor Kaspersky Labs Forum

Hi Guys,

In Comodo Firewall’s context, there is no high or low numbered ports. All of them are equal. The poster of that message, recommends Kerio to be fully secure. If someoone says this, all I can think is that he is hardly an expert but a casual long time firewall user. Because this would not be a feedback from somebody who is aware of modern malware techniques. The guys at are good hackers and are reviewing many AV and personal firewall software. I recommend everybody to check their site and vote so that they can review CFW too.

To see if CFW secures the ports or not, all you need to do is to go to or obtain a port scanner, and attack CFW. Thats it.

If he is a security expert, he could easily use nmap hacker tool at, and test. And because we are dealing with an expert, he could easily tell us how to reproduce such a behavior with detailed analysis like an expert would prepare. If there is something wrong, we will immediately fix unlike the most of the other vendors.

I have been seeing at least hundreds of people trying to stand against Comodo Firewall and trying to find something wrong. If it were really such a weak firewall, only one person would be enough to prove so.

We, AFAIK, are the only security software vendor, who has a dedicated section in our forums about how to find new techniques to bypass our firewall. This is to improve our free product as many ways as we could find so that desktop users have the maximum protection strength available.

In short, i hope he is not one of those hundreds of people but a really good reviewer who found a bug and will follow the ethical way of kindly reporting us the issue so that we can immediately fix and protect our users.

Egemen Tas

Thanks Egemen for your reply!
Of course i didn’t believe him/them, I just posted a quote, and certainly since he didn’t have any proof…
They must be security experts in a kindergarten sandbox… ;D
I have of course tested CPF with everything possible, including advanced port scans, without any problems with the latest version.

2 egeman:

The nmap hacker tool is not going to reveal the problem we are talking about here. If you want evidence, I will tell you how to reproduce the behavior:
The download link is down the page.

After clean install, or if you are still using the default rules, first set your Network Monitor rule TCP/UDP Out Any to LOG and you will see the problem: all you get is an alert for remote port 21, but not for the remote 64000-65535 range. I don’t think a detailed analysis is necessary here: the logs will speak for themselves. The high remote port range is silently allowed without any alert popping up. COMODO does not warn, even though I set it to Very High Security. For a detailed analysis of the implications remote port redirecting tricks might have I refer you to your friends at :slight_smile:

P.S. (1):Nothing on my computer is trusted, so the “Don’t check certified application-stuff” was DISABLED.

P.S. (2): I am very sorry that NickGolovko put a message that was meant to be personal on the AVAST forum. I know how to report a shortcoming and my intention was to keep this off any forum, especially this one, because the people here trust the firewall. More than one person in the COMODO staff had been informed about this and the reply I received was unsatisfactory, so I removed the product from my computer.

Kind regards,

Paul Wynant
Moscow, Russia

If you do a port scan on those high port’s. shouldn’t it show in that if the ports are open as you say??

2 AOwL:

Do you think DrWeb will like it if I scan them? :wink:

I’m not talking about MY ports. They are all closed even without firewall. No problem here. The allowed local port range is 1024-4999. It’s THEIR ports 64000-65535 I’m connecting to WITHOUT WARNING FROM COMODO. Now with firewalls like Jetico and Sygate you get a warning whenever your computer tries to connect to a remote (destination) port THAT HAS NOT YET BEEN DEFINED BY THE USER.

Firefox (my default browser) has the following rules:

  1. Firefox.exe
    Destination: 127.0.01
    Port: 1024-4999
    Protocol: TCP In/Out

  2. Firefox.exe
    Destination: RANGE: – (my 2 DNS servers)
    Port: 53
    Protocol: UPD Out
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

  3. Firefox.exe
    Destination: [Any]
    Port: 80,90,443
    Protocol: TCP Out
    (Local Ports were restricted by the Netmonitor rules to 1024-4999)

When you go to that site and you start the download, you get a warning from COMODO about Firefox connecting to remote port 21 (which you allow) and the download starts, although it SHOULDN’T start before you allowed one of the random remote ports between 64000-65535.

Paul Wynant
Moscow, Russia

Sorry if i misunderstood you. ;D
I will try that later on, to see what happens.


Now what you mean is clear. What I get from the public message was about inbound defense.

What you refer is stateful FTP inspection. When you FTP to a site, if in passive mode, your host will initiate another connection with such high numbered ports. Since CPF does stateful FTP inspection, this will be allowed statefully(Whether we should do so or not can be discussed).
Try to use a simple utility to see if it monitors or not. You are trying to test with FTP protocol for which CPF applies many state keepings for the best user experience.

Hope this helps,

Hi guys, I guess a short disclaimer from my side is of a need also. At least I hope that I will be heard though you associate me with Kaspersky Labs :smiley: Especially in the situation with such interesting way to understand basic English that you present. Please be sure that I didn’t suppose to ‘report the bug’. It was already reported. I simply used the fact in my persuasion, nothing more…

More detailed description to this thread can be found at,3687.msg27994.html#msg27994