This morning I got a connection attempt on lsass.exe from an IP located, I believe, in the US, on port 500. I denied access, of course. But ever since, I keep getting connection attempts which read as follows:
The process is Windows Operating System; most of the attempts are made by ISPs as it seems [I looked them up on whois IP] from Germany and Saudi Arabia, some by 0.0.0.0, made to 255.255.255.255. Also, ever since, the Defense module reads firefox.exe as attempting a DNS/RPC Client Access action on the \RPC Control\DNSresolver target. I googled this in vain and can’t find anything similar. Has anyone got an idea?
LSASS.exe is responsible for enforcing the security policy on your system.
Do a complete virus scan to ensure you are not infected by any worms.
That was the first order of business and nothing was found, I did both spyware and virus scans, lsass.exe is clean [I thought of that trojan isass.exe infection] and just in one copy [\system32].
Anyway, these connection attempts just keep pouring in, 2-3 every minute.
How can I make sure in Comodo settings that just my HTTP ports are open and the rest blocked? I can’t find anything about port forwarding or anything like that.
If your PC has been rootkit(ed), any antivirus/antimalware scan will return a negative result. I can say this because I was hit with what I still don’t know; the only thing I know for sure is my boot disk’s MBR has been hijacked. If I boot normally into Windows nothing happens, but if I boot into the Windows Recovery Console, the MBR is gone and the disk is unreadable.
The first sign is a Comodo popup similar to yours; mine said:
Windows Operating System wants to connect to the internet: IP 224.0.0.x (which is a reserved broadcast channel) and further, Comodo said it cannot locate the process that made the request.
I would suggest that you try some rootkit detection at rootkit.com; however I have not tried this (I only learned of it in the last few days, and my PC had been infected for more than a month and is currently powered down).
I’m currently trying to make a Windows boot disk from this.
Hope this helps.
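As an added triage example (not part of any post in this thread), the helper below labels the addresses that appear in the alerts described above: the 0.0.0.0 to 255.255.255.255 attempts in the opening post and the 224.0.0.x popup in the rootkit reply. Broadcast and multicast destinations, and an unspecified source, are not forwarded by routers, so such alerts are local-segment chatter rather than a remote host reaching a service; a public source address aimed at a listening port is the case worth a closer look. The alert records and their addresses are constructed for the example; only the port numbers 500 and 1723 come from the thread, and the service names are the IANA assignments.

```python
# Added example (not from the forum thread): a small triage helper that labels the
# endpoints named in Comodo alerts, so local broadcast/multicast chatter can be
# told apart from a remote host knocking on a listening service.
import ipaddress

# IANA service names for the ports used below (500 and 1723 are the two named in
# the thread; 67 and 5355 only appear in the constructed samples).
KNOWN_PORTS = {
    500: "isakmp (IKE, IPsec key exchange)",
    1723: "pptp (PPTP VPN control channel)",
    67: "bootps (DHCP server)",
    5355: "llmnr (link-local name resolution)",
}

# RFC 1918 ranges checked explicitly; ipaddress.is_private also flags the
# documentation ranges, which would mislabel the constructed sample below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_address(addr: str) -> str:
    """Label an IP address by the role it plays on a network."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                 # 0.0.0.0: sender has no address yet (typical DHCP discover)
        return "unspecified"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"        # reaches every host on the local segment only
    if ip.is_multicast:                   # 224.0.0.0/4, e.g. 224.0.0.251 mDNS, 224.0.0.252 LLMNR
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:                  # 169.254.0.0/16
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def triage(alert: dict) -> dict:
    """Decide whether one alert is LAN chatter or a remote connection attempt."""
    src = classify_address(alert["src"])
    dst = classify_address(alert["dst"])
    # Broadcast and multicast destinations, or an unspecified source, cannot
    # arrive from across the Internet: routers do not forward them.
    lan_noise = dst in ("limited-broadcast", "multicast") or src == "unspecified"
    if lan_noise:
        verdict = "local network chatter"
    elif src == "public":
        verdict = "remote host -> listening service"
    else:
        verdict = "same-LAN host"
    return {
        "process": alert["process"],
        "src_kind": src,
        "dst_kind": dst,
        "service": KNOWN_PORTS.get(alert["port"], f"port {alert['port']}"),
        "verdict": verdict,
    }


# Constructed alerts modelled on the thread (addresses are made up; the public
# source in the first one is taken from the TEST-NET-2 documentation range).
SAMPLE_ALERTS = [
    {"process": "lsass.exe", "src": "198.51.100.23", "dst": "192.168.1.10", "port": 500},
    {"process": "System", "src": "0.0.0.0", "dst": "255.255.255.255", "port": 67},
    {"process": "System", "src": "192.168.1.10", "dst": "224.0.0.252", "port": 5355},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage(alert))
```

Run as a script, it prints one verdict per constructed alert; in practice you would feed it the source, destination and port fields copied from the firewall log. Only the first sample is a genuine inbound attempt from outside the LAN, which is the one to keep blocked and, if it persists, to confirm the service is not reachable from the Internet at all.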
You can set CIS to stealth by using the Stealth Ports Wizard under Firewall → Common Tasks. Run the wizard and select the bottom choice → Finish.
To open a port follow this:
To open the port TCP 1723:
Firewall → Advanced → Network Security Policy → Global Rules → Add → fill in the following:
Description: Incoming Port VPM
Source Address: Any
Destination Address: Choose MAC or Single IP address (only when it is fixed) or Host Name
Source Port: Any
Destination Port: 1723
Then push Apply → OK.

Are you using an updated version of Windows? To know where an IP is from: http://ws.arin.net/whois/ .