explorer.exe wants to connect to Internet

I have used Comodo Firewall for many years, but now CF suddenly flags that explorer.exe wants to connect to the Internet???
What is going on?

It’s not unusual for explorer to request Internet access; in fact, any time you run a digitally signed installation file, explorer will try to verify the signature with the certificate authority responsible - see image, the IP address is VeriSign.

What you need to do is provide some detail regarding the connection, so we can determine what may be happening in this case.

You can also take a look through - Why is explorer.exe trying to connect to an external ip?

[attachment deleted by admin]

Ideal moment to make a block rule.
And look if the logs get filled, or if it just happened.

As always: Block everything that does not need a connection.

And look if the logs get filled, or if it just happened.
what does this mean?

@Radaghast

I will make a screenshot when I'm home.
But I ask myself why I haven't had such flags about explorer.exe till now? In fact, before getting these alerts from CF I was “playing” with right click on the CIS installers -> Properties -> Details Tab, but not with the Digital Signatures Tab.

If you can find the remote IP address of the connection, it may provide a clue. As for why now, really can’t answer that until we have more information. Out of interest, what are your firewall settings?

Out of interest, what are your firewall settings?
custom mode, or do you mean something else?

When explorer.exe tries to connect to the internet, does it list the IP address of what it is trying to connect to?
Or when you block the connection, does it show what address was blocked in the logs?
If you look above, an example Comodo popup was given so you can look for yourself. It should be in the logs.
Once you have the IP address, google "whois this ip" or look for a whois server in Google to determine where the IP address is. I have Comodo 6/Win 8 x64/proactive with sandbox on restricted. I have not once had explorer.exe try to connect to the internet.

That’s what I was after. What do you have Alert Frequency set to?

Low alert frequency with ICS Server, TCP, UDP, ICMP and loopback requests enabled.

Here is the screenshot of the CF log for explorer.exe. Destination IP is 239.255.255.250

[attachment deleted by admin]

NetRange 224.0.0.0 - 239.255.255.255
CIDR 224.0.0.0/4
Name MCAST-NET
Handle NET-224-0-0-0-1
Parent
Net Type IANA Special Use
Origin AS
Organization Internet Assigned Numbers Authority (IANA)
Registration Date 1991-05-22
Last Updated 2002-09-16
Comments This block is reserved for special purposes.
Please see RFC 3171 for additional information.
RESTful Link http://whois.arin.net/rest/net/NET-224-0-0-0-1
See Also Related POC records.
See Also Related organization’s POC records.
See Also Related delegations.

hard to say what in the world explorer.exe is trying to talk to.

hm :-
It is interesting that other apps such as Firefox and FlashPluginPlayer are trying to connect to the same IP???

https://forums.comodo.com/other-security-products/sam-spade-v114-great-for-looking-up-ip-addresses-t90998.0.html

This is the tool I have used since 2002 to look up info like this.

What you’re seeing are IGMP multicast connection requests, most of which are local in scope. A number of people have said they’re seeing an increased number of these connections, which seem to have started in 5.12 and continued into version 6. Take a look at:

IGMP alerts after upgrading to 5.12
IGMP protocol pop up through RtWLan.exe
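As an added illustration (not part of any forum post, and not Comodo code), the following Python script sorts logged destination addresses by scope, so that multicast groups such as 239.255.255.250 are separated from external unicast addresses that merit a whois lookup. The log line format and the sample entries are constructed for the example; the group names are the standard IANA multicast assignments.

```python
import ipaddress

LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # Local Network Control Block
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")       # RFC 2365, administratively scoped
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GROUPS = {  # well-known multicast groups a Windows desktop commonly joins
    "224.0.0.1": "all hosts on this subnet",
    "224.0.0.22": "IGMPv3 membership reports",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
    "239.255.255.250": "SSDP / UPnP discovery",
}
# Constructed sample in an assumed "application,protocol,destination" format;
# this is not Comodo's real log format. 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
explorer.exe,IGMP,239.255.255.250
firefox.exe,IGMP,239.255.255.250
svchost.exe,UDP,224.0.0.252
explorer.exe,TCP,203.0.113.10
"""

def classify(dst):
    """Return (scope, note) for a destination address string."""
    ip = ipaddress.ip_address(dst)
    note = KNOWN_GROUPS.get(dst, "")
    if ip.is_multicast:
        if ip in LINK_LOCAL_MCAST:
            return ("multicast, link-local", note)
        if ip in ADMIN_SCOPED:
            return ("multicast, administratively scoped", note)
        return ("multicast, possibly routed", note)
    if ip.is_loopback or any(ip in net for net in RFC1918):
        return ("unicast, local", note)
    return ("unicast, external", "look up the owner with whois")

def triage(lines):
    """Classify each log line; external unicast destinations are listed first."""
    rows = []
    for line in filter(None, (l.strip() for l in lines)):
        app, proto, dst = [field.strip() for field in line.split(",")]
        try:
            scope, note = classify(dst)
        except ValueError:  # destination field is not an IP address
            scope, note = "unparseable", "check the log entry by hand"
        rows.append({"app": app, "proto": proto, "dst": dst, "scope": scope, "note": note})
    rows.sort(key=lambda r: r["scope"] != "unicast, external")  # stable sort
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        print(f'{row["app"]:14}{row["proto"]:6}{row["dst"]:17}{row["scope"]}  {row["note"]}')
```
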

Exactly the same strange apps I saw in the URLs you gave me, and thanks for this, because it clarifies that this behavior is a Comodo issue.
What is the rule to block these IGMP notifications?

Personally, I’d work on an application by application basis, as some of them, for example those for media player, may, depending on your environment, be useful. However, if you simply don’t want to be bothered, you could create a rule that either allows or blocks, depending on your preference.

For an Application rule:

Application Name - File Group\All Applications
Action - Allow or Block
Protocol - IP
Direction - Out
Source Address - ANY
Destination Address - ANY
IP Details - IGMP

It would probably also work as a Global rule, just without the Application Name.

Once you’ve created the rules, place them at the top of either Application or Global rules.

Sorry, I don't have experience using/changing Global/Group rules.

For an Application rule:

Application Name - File Group\All Applications
Action - Allow or Block
Protocol - IP
Direction - Out
Source Address - ANY
Destination Address - ANY
IP Details - IGMP

where is this rule to be set up? I mean can you give me the “path” where to click in Comodo. Also, I think it is possible to choose if the flags will get logged, right or not?

It would probably also work as a Global rule, just without the Application Name.
would you here also explain by giving me the "path".

This is standard Application rule. See image below.

would you here also explain by giving me the "path".

Global rules don’t define a specific application, so you don’t need to specify ‘All Applications’ as it’s already implied.

[attachment deleted by admin]

Creating this rule causes a lot of other Windows processes (System, svchost) and even private applications such as avastsvc.exe and Comodo’s cfw.exe to get blocked.
Is it possible to somehow adapt this rule, or maybe the rules of the affected system and security applications?

Did you select IGMP for the protocol?

Yes, and the flags in the log were all IGMP, but for system and security applications.