I have a little LAN at home, about 4 computers. Since yesterday the firewall has been notifying me about application SYSTEM on port 137, protocol UDP, from a computer in my local network that wants to connect with me. What is it? For now I have blocked it.
If the requesting computer is trusted then I would allow it for your local network.
“UDP 137 is used for browsing, logon sequence, pass-thru validations, printing support, trust support, WinNT Secure Channel, and WINS registration. Security Concerns: Key target in auth & DOS attacks.” UDP 137 - Port Protocol Information and Warning!
Hey. I got the same action. System UDP with Destination port 137. Source is my router.
I disabled NetBios at WINS tab and also put registry keys RestrictAnonymous and RestrictAnonymousSAM on 1. What do you think it could be?
One more Q: My friend has blocked Windows Operating System ICMP, where Source port and Destination port are Type(3), and Windows Operating System UDP, where both ports are 1900 and Source IP is the second computer plugged into the router and destination is 239.255.255.250.
UPDATE: There were 6 different malware files like this: UnclassifiedMalware@61255541 C:\System Volume Information_restore{D3C40D3E-D804-4D36-80E7-E403C4D27F57}\RP161\A0053998.exe. Five files were *.exe and one was *.dll. I deleted them, turned off system restore and restarted the system.
Brief description of bug which appears here.
When Firewall alerts about an incoming connection on TCP port 139 or UDP port 137 or 138 AND the action followed is “allow and remember”, then the rule added for System is allow tcp (or udp, depends) in, ip any, source port any, dest port any (!) INSTEAD of 137/138/139.
This was already reported previously for v3.xx (3.14 iirc).
XP home sp3 x86, Comodo Firewall/Defence+ in proactive config and Safe modes.
Make sure the firewall alert level is set to high to create rules on a per-port basis, then see if the bug still happens.
Already checked that before I wrote here.
Btw afaik it doesn’t matter whether “high” or “low” because… for incoming connections rules are created with protocol and port defined even if alert frequency level is “low”.
For application defined as “System”, of course. For other applications all works fine.
Still happens here with v5.0…1135 :-\ Staff/QA/? , please check this.
SS26 is right with this permanent bug.
To come back on topic, netbios should of course be allowed on the lan (and only on the lan).
Broadcasting requests on port 1900 are due to network discovery by upnp/ssdp services.
They are perfectly useless in common use, and you can disable these services, thus not being alerted anymore; if you don’t want to, block this broadcasting request on port 1900.
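An added example, not part of the thread and not Comodo's code: a check for the over-broad System rule described in the bug report above, combined with the advice that NetBIOS be allowed only on the LAN. The rule dictionary layout, the function names and the sample rules are constructed for illustration and are not Comodo's configuration format.

```python
import ipaddress

# NetBIOS-over-TCP/IP ports named in the thread, as (protocol, port)
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(source):
    """True if source is an IPv4 address or network inside a private LAN range."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:  # "any" or an unparsable value
        return False
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)

def audit_rule(rule):
    """Return findings for one rule; only inbound allow rules are examined."""
    findings = []
    if rule["action"] != "allow" or rule["direction"] != "in":
        return findings
    if rule["dst_port"] == "any":
        findings.append("destination port is 'any'")
    elif (rule["proto"], rule["dst_port"]) not in NETBIOS:
        findings.append("port is not a NetBIOS port")
    if not is_lan(rule["src"]):
        findings.append("source is not limited to the LAN")
    return findings

def audit(rules, app="System"):
    """Map rule index -> findings for every flagged rule of the given application."""
    flagged = {}
    for i, rule in enumerate(rules):
        if rule["app"] == app:
            findings = audit_rule(rule)
            if findings:
                flagged[i] = findings
    return flagged

# Constructed sample rules (hypothetical layout). Rule 0 has the shape the bug
# report describes: "allow and remember" stored with any source and any port.
RULES = [
    {"app": "System", "action": "allow", "direction": "in", "proto": "udp", "src": "any", "dst_port": "any"},
    {"app": "System", "action": "allow", "direction": "in", "proto": "udp", "src": "192.168.1.0/24", "dst_port": 137},
    {"app": "System", "action": "allow", "direction": "in", "proto": "tcp", "src": "192.168.1.0/24", "dst_port": 139},
    {"app": "System", "action": "block", "direction": "in", "proto": "udp", "src": "any", "dst_port": 1900},
]

if __name__ == "__main__":
    for index, findings in audit(RULES).items():
        print(f"rule {index}: " + "; ".join(findings))
```

Only rule 0 is flagged; the two LAN-scoped NetBIOS rules and the block rule for port 1900 pass.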