Firewall not doing what I ask

As I suggested, it’s a conflict with AVG and the temporary files created. Which components of CIS are you using?

<object UID="{D1F5BDE5-1305-47EE-AEF5-25AF5B3E8307}" Flags="0" Filename="C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe" DeviceName="C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe" TreatAs="">
<Rules>
<Rule Flags="2" DefaultAction="4">
<Allowed>
<File UID="{808C1DEB-1CAE-4CC9-A685-6CCA1402DFF1}" Flags="0" Filename="C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe" DeviceName="C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe"/>
</Allowed>
<Blocked/>
</Rule>
<Rule Flags="16" DefaultAction="4">
<Allowed>
<File UID="{5D77A8CB-3D3F-4366-974F-E5A332197844}" Flags="0" Filename="C:\Windows\Temp\avg-0610c107-7335-4b78-a449-142e5d263f4e.tmp" DeviceName="C:\Windows\Temp\avg-0610c107-7335-4b78-a449-142e5d263f4e.tmp"/>
<File UID="{59175A4C-0E56-4ABC-BA9D-D4D26B5F492F}" Flags="0" Filename="C:\Windows\Temp\avg-42ce335f-4eb3-4302-8ac4-88093fe9b035.tmp" DeviceName="C:\Windows\Temp\avg-42ce335f-4eb3-4302-8ac4-88093fe9b035.tmp"/>
<File UID="{7CE5A2F5-D649-43BF-A08F-99FDBD69478D}" Flags="0" Filename="C:\Windows\Temp\avg-69dc5227-cd9e-421a-b6bc-066ef8029c01.tmp" DeviceName="C:\Windows\Temp\avg-69dc5227-cd9e-421a-b6bc-066ef8029c01.tmp"/>
<File UID="{E1C5573B-D8D6-4A26-9EA1-D136DD398806}" Flags="0" Filename="C:\Windows\Temp\avg-6eb1883b-c1b0-401f-888c-b803becd2b75.tmp" DeviceName="C:\Windows\Temp\avg-6eb1883b-c1b0-401f-888c-b803becd2b75.tmp"/>
<File UID="{E75D69A1-5143-450B-A14C-1C4318AD59B9}" Flags="0" Filename="C:\Windows\Temp\avg-50e89f5c-f377-4106-b216-1f5b19eca21a.tmp" DeviceName="C:\Windows\Temp\avg-50e89f5c-f377-4106-b216-1f5b19eca21a.tmp"/>
<File UID="{8952DEC7-15CE-4CE7-952E-28D9EFE37D08}" Flags="0" Filename="C:\Windows\Temp\avg-b228222c-4376-4348-8aba-e229aa1cad1a.tmp" DeviceName="C:\Windows\Temp\avg-b228222c-4376-4348-8aba-e229aa1cad1a.tmp"/>
<File UID="{72623B40-1A30-454E-AEC4-23098412EAD9}" Flags="0" Filename="C:\Windows\Temp\avg-f9a9616c-18c4-445b-b29a-214b01911b4b.tmp" DeviceName="C:\Windows\Temp\avg-f9a9616c-18c4-445b-b29a-214b01911b4b.tmp"/>
<File UID="{03C42433-BD59-4BC1-AAF8-A8C78B3B313F}" Flags="0" Filename="C:\Windows\Temp\avg-8c27432f-6d42-4463-95b9-881ab4d49331.tmp" DeviceName="C:\Windows\Temp\avg-8c27432f-6d42-4463-95b9-881ab4d49331.tmp"/>
<File UID="{927F233B-EB06-4BFE-9EBA-6C08A08069B7}" Flags="0" Filename="C:\Windows\Temp\avg-45308972-ea63-4c0c-bb2f-7e7303239739.tmp" DeviceName="C:\Windows\Temp\avg-45308972-ea63-4c0c-bb2f-7e7303239739.tmp"/>

It is.

You may also need to install the appropriate printer software on your PC to handle the UPnP connections.
It was. Although in fairness this printer has been giving me some problems even prior to Comodo.
Not really. All unsolicited inbound traffic will generate alerts and if an alert is not answered the packet is discarded.

This was not really what I wanted though. Two examples spring to mind. First, say a hacker tries to attack my PC, but someone else other than me is sitting at the PC, like wife or child or something. I’d rather not risk them saying Allow to the alert. Secondly, what happens if the remote emule clients try to still keep connecting to me (as happens with emule) long after the emule application has been closed? I don’t want to have to constantly keep clicking the deny button. I.e. what is the mechanism if a global rule allows something inbound but the app concerned isn’t running but another rule lower down the appl. list accepts the connection? Isn’t this a recipe for abuse?

It would appear you're also behind a router?
Yep, but to confound my problems it sometimes plays up too though a reboot always fixes it.
As I suggested, it's a conflict with AVG and the temporary files created. Which components of CIS are you using?
OK, using the Firewall and Defense+. How did you view the log in that format?

First, they’d have to get through your router/NAT device/hardware firewall, which, if correctly configured, will prevent all but the most determined ‘hacker’. That’s assuming they know your PC is even on the network, which won’t be that easy if your router ports are stealthed. Second, unless there’s a Global rule that allows them ingress, they won’t get very far.

Ideally, you should be able to configure your firewall with rules that allow any inbound connections for ‘server’ applications you have running. Once done, you can place a Global block IP In rule, with logging, so that you will still have the necessary information regarding inbound connection attempts, but for those occasions when someone else is using the PC, you’re covered.

Yep, but to confound my problems it sometimes plays up too though a reboot always fixes it.

It might just need a firmware upgrade…

OK, using the Firewall and Defense+. How did you view the log in that format?

SQLite Database Browser, which was linked to in the thread about log file problems.

Agreed. Did I tell you I am paranoid?

Second, unless there's a Global rule that allows them ingress, they won't get very far.

Yes but there would be. If I have to have Global Inbound rules to open ports for the server programs and the likes of Emule or whatever then all a hacker may have to do is a port scan or something to find the open ports.

Ideally, you should be able to configure your firewall with rules that allow any inbound connections for 'server' applications you have running. Once done, you can place a Global block IP In rule, with logging, so that you will still have the necessary information regarding inbound connection attempts, but for those occasions when someone else is using the PC, you're covered.
Exactly. Hence the need for the global block rule at the bottom. I knew you'd see it my way eventually :-)
It might just need a firmware upgrade...
Yes but it already has the latest firmware available from the manufacturer, though that was released ages ago. I think it is just old and needs replacing.
[url=http://sqlitebrowser.sourceforge.net/]SQLite Database Browser[/url], which was linked to in the thread about log file problems.
Ah, I'll have to look into that, thanks. Begs the question though, how come a 3rd party app can view Comodo's logs with no problems, but Comodo can't view Comodo's logs?

It’s not a bad thing.

Yes but there would be. If I have to have Global Inbound rules to open ports for the server programs and the likes of Emule or whatever then all a hacker may have to do is a port scan or something to find the open ports.

Even if there is an open port, there still has to be an exploit for it, simply being open does not make it an immediate security threat.

I forgot to answer a question from earlier:

Secondly what happens if the remote emule clients try to still keep connecting to me (as happens with emule) long after the emule application has been closed.

Strangely enough, this is one of those occasions where you might want to create a rule for WOS. Virtually all p2p applications behave the same way once the application has been closed, that is, connection attempts keep arriving simply because they’re not informed immediately that the connection has been closed. To prevent your logs filling up with discarded connection attempts, create an Application rule(s) for WOS that blocks TCP or UDP In on the emule ports.

Exactly. Hence the need for the global block rule at the bottom. I knew you'd see it my way eventually :-)

It’s what I do.

Yes but it already has the latest firmware available from the manufacturer, though that was released ages ago. I think it is just old and needs replacing.

Depending on the make and model you may be able to replace the firmware with something like Tomato or dd wrt. There are others.

Ah, I'll have to look into that, thanks. Begs the question though, how come a 3rd party app can view Comodo's logs with no problems, but Comodo can't view Comodo's logs?

Good question, unfortunately I don’t have a good answer, maybe someone else knows…

Oh ok right. I understand a little better now and I suppose feel a bit less vulnerable knowing that.

Strangely enough, this is one of those occasions where you might want to create a rule for WOS. Virtually all p2p applications behave the same way once the application has been closed, that is, connection attempts keep arriving simply because they're not informed immediately that the connection has been closed. To prevent your logs filling up with discarded connection attempts, create an Application rule(s) for WOS that blocks TCP or UDP In on the emule ports.
OK done that now. Yes I did see the emule ports appearing a lot in the logs though I didn't mind because I could see it was doing what it should (ie block them because emule wasn't running). However now I know it's doing what it should then you are right, there is no need to fill up my logs with those entries.
...make and model you may be able to replace the firmware with something like [url=http://tomatousb.org/]Tomato[/url] or [url=http://www.dd-wrt.com/]dd wrt[/url]. There are others.
Don't think they do for my router but I'll check again.
Good question, unfortunately I don't have a good answer, maybe someone else knows...
Yes well, thanks to you good people there I think I'm happier now with Comodo. It seems to be working how I want it now and doing what it should...with the exception of this serious logging problem. Not sure if I want to have to remember to delete the log files every few days to free up a few Gb. The alternative is to have them deleted which will mean I can't view them. So having added the Comodo folder to my AVG exceptions list is there nothing else I can do to cure this?

You could try adding exclusions to the AVG engine, maybe if you stop it scanning certain areas CIS will stop generating the logs…

Could you expand on that please? As I said I already have the Comodo folder excluded.

You need to have a look at the information in the link HeffeD posted earlier - Making other security programs work with CIS (v5)

Hi, yes as I said before I have read that topic (about 3 times now) and done my best to comply with its instructions.

I think the key to this is ensuring that your AV and D+ don’t both scan the temp folder simultaneously. As I don’t use ‘real-time’ AV or D+, it’s probably better if someone else can help. However, If I get time I’ll take a look.

I’ve been playing around with excluding certain folders and it seems to be behaving itself much better now. I’ll keep an eye on it. Thanks for your help.
EDIT - No, spoke too soon, it’s still not behaving right. But everything else seems OK, it’s just the logging problems now.

EDIT 2 - No, not even that…it’s still not doing what I ask as per the original topic title. See the screenshots: shot1 shows that it is blocking Port 5000 from within my network zone, but shot2 shows the application rule allowing svchost to accept it. (UPnP is a set of ports including 5000. I also have a Global rule allowing inbound traffic to those ports). Why is this not working?

[attachment deleted by admin]

Oh forgot to add, my logs still aren’t showing any events for the times when I am logged off the PC (with the PC still running) even in the saved logs from the …More dialog. As well as my points in the post above (in EDIT2) could someone also assure me that my PC is still protected during these logged off times, and how I can be sure of this? I would expect to see some events.
Thanks.

The firewall is doing exactly what it should be doing, blocking unsolicited inbound connections. As I said earlier, these appear to be connections from your printer, if so, no amount of rule making for svchost will stop them being rejected by WOS. The first thing I suggest you do is install the HP Printer software and, with the appropriate rules, see if it makes a difference. Failing that, disable the function on the printer.

Oh forgot to add, my logs still aren't showing any events for the times when I am logged off the PC (with the PC still running) even in the saved logs from the ...More dialog. As well as my points in the post above (in EDIT2) could someone also assure me that my PC is still protected during these logged off times, and how I can be sure of this? I would expect to see some events. Thanks.

The security suite doesn’t ‘turn itself off’ just because you happen to be elsewhere. What state is your PC in, awake, sleeping, hibernating? Have you actually confirmed there’s activity when you’re away?

Not exactly, the address given in the logs is that of the router. I read on some topic a while ago that the source ip address in the log is where the traffic originated ie the router. And the ip address is part of my Home 1 zone so why do you say “no amount of rule making for svchost will stop them being rejected”? Surely this is the whole point of having rules. So now you are telling me that I am correct…the firewall is not doing what I ask, but purposely??? Sorry but that is not the kind of firewall I want. I came to Comodo so I could gain control, not lose it.
Incidentally I do already have the HP software installed for my printer.

The security suite doesn't 'turn itself off' just because you happen to be elsewhere. What state is your PC in, awake, sleeping, hibernating? Have you actually confirmed there's activity when you're away?
Awake, but with no user logged in, ie at the login screen. Regards the activity, well all the blocked events you see in the screenshot where access to Port 5000 is blocked happen 2 or 3 times per minute throughout the time I am logged in the PC and they show in the logs, but there is nothing at all, not a single event, for the time period when I am logged off. I know it shouldn't 'turn itself off' when I'm elsewhere but does it????
Not exactly, the address given in the logs is that of the router. I read on some topic a while ago that the source ip address in the log is where the traffic originated ie the router.

You said earlier:

Now you’re saying they’re not coming from the printer, but from the router? Can you please confirm which it is.

And the ip address is part of my Home 1 zone so why do you say "no amount of rule making for svchost will stop them being

You need to try and understand how stateful firewalls work. Basically, when a connection is received it’s checked against the state table and if it’s found to be a response to a previously generated request, it’s passed to the application that generated the request. Alternatively, if, for example, you’re running a web server and a request comes in on port 80, you’ll have created a rule for the web server software to deal with this. However, if the connection is unsolicited, i.e. it just arrives and there are no rules able to process the request and it’s not in the state table, it will be blocked. These connections, wherever they’re originating, seem to be of this type. What you need to do is find out where they’re coming from and what’s causing them.

rejected"? Surely this is the whole point of having rules. So now you are telling me that I am correct...the firewall is not doing what I ask, but purposely??? Sorry but that is not the kind of firewall I want. I came to Comodo so I could gain control, not lose it.

No, I’m telling you you need to find out what’s generating these requests and then deal with them appropriately. Creating rules for a process that may or may not be involved is not the right course of action. Generally svchost deals with OS generated UPnP/SSDP request/response connections; if these connections are related to that, then svchost is the right process, if not, then you need to look elsewhere, such as your router or printer etc.

Incidentally I do already have the HP software installed for my printer

But now you’re not sure it’s the printer? However, if it is, what rules have you created for the printer software?

Awake, but with no user logged in, ie at the login screen. Regards the activity, well all the blocked events you see in the screenshot where access to Port 5000 is blocked happen 2 or 3 times per minute throughout the time I am logged in the PC and they show in the logs, but there is nothing at all, not a single event, for the time period when I am logged off. I know it shouldn't 'turn itself off' when I'm elsewhere but does it

I’m guessing it doesn’t log when you’re not logged in; that may be because logging is a user mode process, but I’d need to confirm that.
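The stateful-firewall description above, together with the earlier advice about Global rules (allow rules for server applications, then a logged "block IP In" rule at the bottom) and the "Windows Operating System" block rule for leftover p2p connections, can be put into a small working model. This is an added illustration, not Comodo's engine or any code from the thread: the rule order, the state table and the WOS fallback are my simplification of the behaviour the posts describe, and the port numbers and addresses are constructed.

```python
"""Toy model of the inbound decisions discussed in this thread (constructed
illustration, not the CIS engine). Order of evaluation, as described in
the posts: state table, Global rules, the listening application's rules,
the 'Windows Operating System' (WOS) rules, and finally an alert."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_port: int


@dataclass
class Rule:
    action: str                            # "allow" or "block"
    proto: Optional[str] = None            # None matches either protocol
    dst_ports: Optional[frozenset] = None  # None matches any destination port
    log: bool = False                      # write a log entry when the rule fires

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dst_ports is None or pkt.dst_port in self.dst_ports


@dataclass
class Decision:
    action: str   # "allow", "block" or "ask"
    reason: str


class StatefulFirewall:
    def __init__(self, global_rules, app_rules, wos_rules):
        self.global_rules = list(global_rules)   # ordered, top to bottom
        self.app_rules = dict(app_rules)         # app name -> ordered rules
        self.wos_rules = list(wos_rules)         # rules for the WOS pseudo-application
        self.state = set()                       # (proto, remote_ip, remote_port, local_port)
        self.listeners = {}                      # (proto, local_port) -> running app
        self.log = []                            # (who, action, packet) entries

    def outbound(self, proto, remote_ip, remote_port, local_port):
        # An outbound request creates a state entry so its reply is recognised.
        self.state.add((proto, remote_ip, remote_port, local_port))

    def listen(self, app, proto, port):
        self.listeners[(proto, port)] = app

    def close(self, app):
        # Closing the application leaves the remote peers unaware; their
        # later connection attempts still arrive but nobody owns the port.
        self.listeners = {k: v for k, v in self.listeners.items() if v != app}

    def _apply(self, rules, pkt, who):
        for rule in rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append((who, rule.action, pkt))
                return rule.action
        return None

    def inbound(self, pkt: Packet) -> Decision:
        # 1. A reply to something we sent: the state table decides, no rule needed.
        if (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port) in self.state:
            return Decision("allow", "state table")
        # 2. Global rules first. A block ends processing; an allow only hands
        #    the packet on to the application rules.
        if self._apply(self.global_rules, pkt, "global") == "block":
            return Decision("block", "global rule")
        # 3. A running application listening on the port gets to accept it.
        app = self.listeners.get((pkt.proto, pkt.dst_port))
        if app is not None:
            verdict = self._apply(self.app_rules.get(app, []), pkt, app)
            if verdict is not None:
                return Decision(verdict, f"{app} rule")
        # 4. Nothing owns the port: the WOS rules apply. A block rule without
        #    logging is what keeps closed-p2p leftovers out of the log.
        verdict = self._apply(self.wos_rules, pkt, "WOS")
        if verdict is not None:
            return Decision(verdict, "WOS rule")
        # 5. Unsolicited and unmatched: an alert is raised; if nobody answers
        #    it the packet is discarded.
        self.log.append(("alert", "ask", pkt))
        return Decision("ask", "unsolicited, no rule")


def demo():
    """Walk the scenarios from the thread and return the decisions."""
    EMULE_TCP, EMULE_UDP = 4662, 4672   # constructed eMule listening ports
    emule_rules = [Rule("allow", "TCP", frozenset({EMULE_TCP})),
                   Rule("allow", "UDP", frozenset({EMULE_UDP}))]
    wos_rules = [Rule("block", "TCP", frozenset({EMULE_TCP})),   # silent: log=False
                 Rule("block", "UDP", frozenset({EMULE_UDP}))]
    server_allows = [Rule("allow", "TCP", frozenset({EMULE_TCP})),
                     Rule("allow", "UDP", frozenset({EMULE_UDP}))]
    fw = StatefulFirewall(server_allows + [Rule("block", log=True)],   # logged block at the bottom
                          {"emule.exe": emule_rules}, wos_rules)
    results = {}
    fw.outbound("TCP", "203.0.113.5", 443, 50000)                  # browser request
    results["reply"] = fw.inbound(Packet("TCP", "203.0.113.5", 443, 50000)).action
    fw.listen("emule.exe", "TCP", EMULE_TCP)
    results["emule_running"] = fw.inbound(Packet("TCP", "198.51.100.7", 33333, EMULE_TCP)).action
    fw.close("emule.exe")
    results["emule_closed"] = fw.inbound(Packet("TCP", "198.51.100.7", 33334, EMULE_TCP)).action
    before = len(fw.log)
    results["probe"] = fw.inbound(Packet("TCP", "198.51.100.9", 40000, 23)).action
    results["probe_logged"] = len(fw.log) - before
    # Same rules but without the bottom block: the probe becomes an alert.
    open_fw = StatefulFirewall(server_allows, {"emule.exe": emule_rules}, wos_rules)
    results["probe_without_bottom_block"] = open_fw.inbound(Packet("TCP", "198.51.100.9", 40000, 23)).action
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two things the model makes visible are the ones the thread argues about: with the logged block rule at the bottom of the Global list an unmatched probe is blocked and recorded without anyone at the keyboard being asked, and the silent WOS block for the eMule ports drops the stragglers after the application closes without adding a log line.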

Hi Radaghast, thanks again for your response. I’m sorry to be such a pain in the ****. I’m still trying to figure out all the intricacies of this, and get everything just right.

Yes well I’m confused myself really. The IP address shown as the source is DEFINITELY the router. But the only reason I could think for any UPnp activity on my network is the printer. Hope that makes sense. TBH I don’t really know much about how UPnp works. The printer is of course connected to the router.

You need to try and understand how stateful firewalls work. Basically, when a connection is received it's checked against the state table and if it's found to be a response to a previously generated request, it's passed to the application that generated the request. Alternatively, if, for example, you're running a web server and a request comes in on port 80, you'll have created a rule for the web server software to deal with this. However, if the connection is unsolicited, i.e. it just arrives and there are no rules able to process the request and it's not in the state table, it will be blocked. These connections, wherever they're originating, seem to be of this type. What you need to do is find out where they're coming from and what's causing them........No, I'm telling you you need to find out what's generating these requests and then deal with them appropriately. Creating rules for a process that may or may not be involved is not the right course of action. Generally svchost deals with OS generated UPnP/SSDP request/response connections, if these connections are related to that, then svchost is the right process, if not, then you need to look elsewhere,
So you're saying that UPnP is not always handled by svchost then? And maybe these requests need to be handled by another application instead, for which there isn't a rule set up? I think I understand that but I have no idea what application that would be.
However, if it is, what rules have you created for the printer software?
The only thing I can see is as per the screenshot. Nothing has "Ask"ed else it would have been allowed.
I'm guessing it doesn't log when you're not logged in; that may be because logging is a user mode process, but I'd need to confirm that.
Oh that's not what I was expecting. Surely the logging function should be non-user-dependent. It's even more necessary to see activity logs for the period when you weren't sat in front of the monitor. Please can you confirm this? At least I know it's not because the firewall turns itself off when I log off, phew. You are certain that's not happening aren't you?

[attachment deleted by admin]
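Since the thread establishes that the CIS log is an SQLite database (viewable with SQLite Database Browser), the two checks the posts keep circling, which source and port dominate the blocked events and whether there are stretches with nothing recorded at all, can be run as queries. The following is an added example, not code from the thread or from Comodo: the table layout, the addresses and the timestamps are constructed for illustration, because the real log schema is not shown anywhere in the thread.

```python
"""Query a firewall log held in SQLite for noisy sources and logging gaps.
Constructed schema and data; the real CIS log layout is not shown in the thread."""
import sqlite3
from datetime import datetime, timedelta

# Constructed table layout standing in for the real log.
SCHEMA = """
CREATE TABLE fw_log (
    ts       TEXT    NOT NULL,   -- ISO-8601 timestamp
    action   TEXT    NOT NULL,   -- 'Blocked' or 'Allowed'
    app      TEXT    NOT NULL,
    proto    TEXT    NOT NULL,
    src_ip   TEXT    NOT NULL,
    src_port INTEGER NOT NULL,
    dst_ip   TEXT    NOT NULL,
    dst_port INTEGER NOT NULL
)
"""


def build_sample_db():
    """In-memory database with constructed events: the router (192.168.1.1)
    hitting port 5000 every 25 s for ten minutes, a two-hour silence standing
    in for the logged-off period, the same pattern again, then one unrelated
    block handled by the WOS pseudo-application."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = []
    t = datetime(2012, 3, 10, 20, 0, 0)
    for burst in range(2):
        for _ in range(24):
            rows.append((t.isoformat(), "Blocked", "svchost.exe", "TCP",
                         "192.168.1.1", 1900, "192.168.1.10", 5000))
            t += timedelta(seconds=25)
        if burst == 0:
            t += timedelta(hours=2)      # nothing recorded while logged off
    rows.append((t.isoformat(), "Blocked", "Windows Operating System", "TCP",
                 "198.51.100.7", 33333, "192.168.1.10", 4662))
    conn.executemany("INSERT INTO fw_log VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def noisy_sources(conn, min_count=10):
    """Source/port/app triples responsible for at least min_count blocks,
    busiest first. This is the query that points at the router and port 5000."""
    return conn.execute("""
        SELECT src_ip, dst_port, app, COUNT(*) AS n
        FROM fw_log
        WHERE action = 'Blocked'
        GROUP BY src_ip, dst_port, app
        HAVING n >= ?
        ORDER BY n DESC""", (min_count,)).fetchall()


def logging_gaps(conn, threshold=timedelta(minutes=30)):
    """Windows longer than threshold with no events of any kind. For a source
    that otherwise fires several times a minute, a long gap means events were
    not recorded, not that the traffic stopped. Returns (start, end, minutes)."""
    stamps = [datetime.fromisoformat(r[0])
              for r in conn.execute("SELECT ts FROM fw_log ORDER BY ts")]
    gaps = []
    for earlier, later in zip(stamps, stamps[1:]):
        if later - earlier > threshold:
            minutes = int((later - earlier).total_seconds() // 60)
            gaps.append((earlier.isoformat(), later.isoformat(), minutes))
    return gaps


if __name__ == "__main__":
    db = build_sample_db()
    for src, port, app, n in noisy_sources(db):
        print(f"{n:5d} blocked  {src} -> :{port}  ({app})")
    for start, end, minutes in logging_gaps(db):
        print(f"no events for {minutes} min between {start} and {end}")
```

Pointed at a real log the same two queries only need the column names changed; the gap check is the more telling one here, because a source that is being blocked two or three times a minute should never go quiet for two hours unless the logger itself was not running.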

If it’s a network printer it should have its own IP address. That said, routers also make use of UPnP, so I’d check the settings there, too.

So you're saying that UPnP is not always handled by svchost then? And maybe these requests need to be handled by another application instead, for which there isn't a rule set up? I think I understand that but I have no idea what application that would be.

If whatever is generating these connection requests has some specific control software, then yes.

The only thing I can see is as per the screenshot. Nothing has "Ask"ed else it would have been allowed.

The best thing to do is isolate where they’re coming from. Disable UPnP on the printer, check. Disable UPnP on the router, check.

Oh that's not what I was expecting. Surely the logging function should be non-user-dependent. It's even more necessary to see activity logs for the period when you weren't sat in front of the monitor. Please can you confirm this? At least I know it's not because the firewall turns itself off when I log off, phew. You are certain that's not happening aren't you?

I’ve not had time to make further queries on this, I’ll do so later today and let you know here.

The printer does have its own network address but that isn’t showing in the logs. The router does have UPnP so I’m pretty sure it’s coming from the router. How should that be handled in terms of rules?

I've not had time to make further queries on this, I'll do so later today and let you know here.
OK thanks.

As these connections are coming from your router, there’s no specific control software for intercepting them. So, unless you’re using Windows XP SP1 or earlier, I’d try and find some way to turn them off. Basically, in XP SP2 and later port 5000 has been deprecated and port 2869 is used instead.

With regard to the logging, it’s as I explained. Logging is currently handled by cfp.exe, which is a user mode process. This may change in the future.