Firewall showing 0 Connections

Two days ago I installed Modern Warfare 3. I had problems with it showing up as a Moderate NAT type in the game and not connecting to “Online Services”. In the end the issue was that I was missing 1 port in my port forwarding on my router. However, due to previous issues with the Windows Firewall blocking traffic (despite being turned off) I unchecked my Internet facing interface from the Windows Firewall >> Advanced settings >> Windows Firewall Properties >> (Active) Public Profile >> Protected network connections [Customize]. This was the same fix I applied months ago when I was not able to communicate with my Virtual (GNS3) network without any problems.

After my game started working, I wanted to ensure this change did not affect Comodo in any way so I set it to Block All Traffic and that is when I found out it was not working. I undid the changes I made and even reset Windows Firewall to the default settings. I turned it off again and still Comodo will not recognize that traffic is passing (let alone block it).

Comodo “View Connections” is showing 0 inbound/outbound connections despite any amount of traffic. The only connections it seems to see are ones for a virtual interface I made for GNS3 months ago for a CISCO lab and VirtualBox (all this traffic however is very minute). Further, selecting “Block All” will only block this traffic and nothing Internet bound is stopped. It’s as if the Comodo driver is not installed on the Internet facing adapter (which is not the case). I have tried uninstalling, restarting, and reinstalling Comodo. Diagnostics does not detect any problems. I even disabled and uninstalled the Comodo driver from my Internet facing adapter. Upon restart, Comodo recognized that it was missing and prompted me to fix it. I clicked fix and restarted. Comodo showed everything was normal but the same thing is happening. I have tried working with GeekBuddy but they were unable to fix it either.

Defense+ is set to Paranoid, Firewall Stealth Port wizard has been set to Alert, and there are no custom rules set up in Comodo (this is a fresh install). The only thing I have changed on this install is I untrusted all software but Comodo and all the Comodo derivatives. But once again, I do not believe this is an issue with Firewall rules; rather the issue is that Comodo is not seeing the traffic.

Additional info… when I uninstalled Comodo, I ensured that Windows Firewall could and did block traffic before reinstalling Comodo. Once again I have turned off Windows Firewall. Spybot S&D and MS Security Essentials are the only other security software that run in the background and I have disabled them to ensure there was no conflict (did not fix the problem).

Just to summarise and make sure I understand:

  1. View Active Connections shows no activity for any process at any time?
  2. Selecting ‘Block All’ has no effect on preventing connections to/from the Internet?
  3. You’re not running Comodo firewall and Windows firewall simultaneously?
  4. Do you have Firewall/Firewall Behaviour Settings/Do not show popup alerts checked?

  1. View Active Connections shows no activity for any process at any time? There are some connections that will show up… For example GNS3 virtual network connections (but these are all taking place over a loopback adapter). “View Connections” can see this traffic and Comodo will block it if set to. As for any Internet bound connection you are correct. Steam, Ventrilo, Firefox, or anything else… Active Connections shows nothing. Just to be clear, this is not an issue of the connections showing up as local connections due to a third-party proxy such as Avast Web-Shield. This is a case of Comodo absolutely not seeing any Internet bound traffic.
  2. Selecting ‘Block All’ has no effect on preventing connections to/from the Internet? Correct
  3. You’re not running Comodo firewall and Windows firewall simultaneously? Correct
  4. Do you have Firewall/Firewall Behaviour Settings/Do not show popup alerts checked? No, it should be alerting (and I believe would if it could see the traffic).

Have you bridged your adapters?

I have 3 adapters total: LAN (Internet intf), MS Loopback (Used for GNS3), and VirtualBox (Interface for VirtualBox).

None of them are bridged.

Curious! CIS is not going to discriminate between adapters unless the driver is not being loaded for a specific interface. So the fact it’s showing ‘some’ traffic, seems to suggest it is working, hence the bridging question. I guess you haven’t connected your GNS3 topology to your physical network, or if you have, by what method?

I assume you’ve tried disabling the MLA and VBox adapters and you’ve checked the CIS driver is being loaded on the ‘real’ NIC? Have you also checked the Windows System logs for any clues?

Just to reiterate, this is a standard install of CIS, you’ve made no changes to any component and you’ve installed and have active all components?

That’s what I believe - that the problem is somewhere between the CIS driver and binding to the adapter. I’ll verify that none of the adapters got accidentally bridged (not at home atm). The GNS3 is all virtual, no physical connections.

I have not tried disabling MLA or VBox adapters yet but will give that a shot also. I did uninstall the CIS driver from the Real NIC and Comodo reinstalled when it prompted me to Fix it. I also tried uninstalling and reinstalling the Real NIC drivers. Will also check the system logs (I thought to do it but didn’t have time because I was already running late for work).

I’ve tried standard install (no change) and tried again using the highest settings possible to include protocol analysis and monitoring NDIS protocols, opting out of all the “Do not show pop up alerts” as well as unchecking the boxes to create rules for me.

:o

Solved… So lock away mr. mod. Since someone in the future may have something like this happen I will give all the steps I did to fix it (as I am not sure which was the exact fix and I also believe there were several problems). As promised I will also post relevant System Events at the end of this post.

  1. So for starters, I completely uninstalled MS Security Essentials, Spybot S&D, Comodo, and VirtualBox.
  2. I set Windows Firewall back to defaults. Went back into advanced settings and told it not to protect any of my interfaces again (what I was doing when I noticed the problem).
  3. Disabled Interactive Services Detection service (a fix someone provided for errors relating to last event I put below).
  4. Restarted in safe mode and uninstalled MS Loopback Adapter, NDIS driver (have to select show all and go to the Unplug and Play area), and my Lan adapter drivers with option checked to delete all software it came with.
  5. Restarted Windows and Windows auto reinstalled my Lan adapter.
  6. Reinstalled my MS Loopback Adapter.
  7. Went back into Windows firewall and again told it not to protect my adapters.
  8. Ran CCleaner to clean up my registry.
  9. Reinstalled Comodo
  10. Had a celebratory ■■■■ as Comodo was now recognizing all traffic once again.
  11. Got 2 hours of sleep before returning to work.
  12. Planning on reinstalling the rest of my software and it has not been a problem until 2 days ago (so hopefully I will not have any more issues).

Also, all the events below seem to have stopped.

SYSTEM EVENTS

[APPLICATION]

I get this multiple times.

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2170379085-3502468393-2493012268-1000:
Process 2664 (\Device\HarddiskVolume2\Program Files\COMODO\COMODO Internet Security\cmdagent.exe) has opened key \REGISTRY\USER\S-1-5-21-2170379085-3502468393-2493012268-1000

==============================================================

I am also getting multiple for various files and pids (believe this is some issue with DCOM):

Application ‘**********.exe’ (pid ####) cannot be restarted - Application SID does not match Conductor SID…

==============================================================

At one point, I got this (however, most were successful and gave no error code):

Windows Installer reconfigured the product. Product Name: COMODO Internet Security Premium. Product Version: 5.8.16726.2131. Product Language: 1033. Manufacturer: COMODO Security Solutions Inc… Reconfiguration success or error status: 1602.

==============================================================

I believe this is the point where everything went to hell…

Faulting application name: cmdagent.exe, version: 5.5.64714.1382, time stamp: 0x4e0c32b7
Faulting module name: cmdagent.exe, version: 5.5.64714.1382, time stamp: 0x4e0c32b7
Exception code: 0x40000015
Fault offset: 0x000000000004fa22
Faulting process id: 0x390
Faulting application start time: 0x01cc9cb7b6970402
Faulting application path: C:\Program Files\COMODO\Internet Security 2010\COMODO\COMODO Internet Security\cmdagent.exe
Faulting module path: C:\Program Files\COMODO\Internet Security 2010\COMODO\COMODO Internet Security\cmdagent.exe
Report Id: 35c3c128-0976-11e1-b806-080027000cb8

==============================================================

Fault bucket , type 0
Event Name: NetworkDiagnosticsFrameworkV3
Response: Not available
Cab Id: 0

Problem signature:
P1: Microsoft
P2: NdisHC [2.0]
P3: 2
P4: 0
P5: {00000000-0000-0000-0000-000000000000}
P6: NdisHC [2.0]
P7: {46EC1E49-CA70-4561-9AB7-009F6B1B3709}
P8: rt64win7.sys
P9: 7.2.1127.2008 13/07/2009
P10:

Attached files:
C:\Windows\System32\NDF{D4A8B8B1-9DB2-4516-B906-DACC22B44793}-WER-11042011-2049.etl

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_Microsoft_85e8da744ddc50bd873e78bfe07c66cdb5f4313_cab_05193a4b

Analysis symbol:
Rechecking for solution: 0
Report Id: 73cf2b43-0750-11e1-ad1b-cd19b18fbb40
Report Status: 2

===================================================================
[SECURITY]

Nothing significant.

===================================================================
[SYSTEM]

The following boot-start or system-start driver(s) failed to load:
inspect

===================================================================

The COMODO Internet Security Helper Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

I would imagine that inspect.sys failing to load would be the main issue. If I remember correctly, it’s one of the essential kernel mode drivers.

Just did a little Googling on it and it appears to be a Comodo driver which could have had something to do with it but that only showed up a few times. I honestly do not believe that the issue was all Comodo though. IMO there were probably some Windows instability issues combined that Comodo just could not deal with. Or in other words, multiple issues.
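
The two checks this thread ends on (was a driver load failure logged, and is the driver running now), as an added PowerShell example that is not part of the original posts. It assumes the driver's service name is inspect, as in the System log entry quoted above, and Windows PowerShell with Get-WinEvent and Get-WmiObject available.

```powershell
# Added example (not from the thread).
# Assumption: the driver's service name is 'inspect', as in the quoted System log entry.
$driverName = 'inspect'

function Get-DriverLoadFailure {
    param([string]$Name, [int]$MaxEvents = 200)
    # Service Control Manager logs event 7026 when boot-start or
    # system-start drivers fail to load; the message lists the driver names.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7026 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $pattern = '\b' + [regex]::Escape($Name) + '\b'
    $events | Where-Object { $_.Message -match $pattern }
}

function Get-DriverState {
    param([string]$Name)
    # Win32_SystemDriver reports the start mode and current state of a kernel driver.
    Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$Name'" |
        Select-Object Name, DisplayName, StartMode, State, PathName
}

# @() keeps the result an array even when zero or one event matches.
$failures = @(Get-DriverLoadFailure -Name $driverName)
$state    = Get-DriverState -Name $driverName

if (-not $state) {
    Write-Output "Driver '$driverName' is not registered on this system."
} elseif ($state.State -ne 'Running') {
    Write-Output "Driver '$driverName' is registered (StartMode=$($state.StartMode)) but State=$($state.State)."
} else {
    Write-Output "Driver '$driverName' is running."
}

if ($failures.Count -gt 0) {
    $last = $failures | Sort-Object TimeCreated | Select-Object -Last 1
    Write-Output "$($failures.Count) load failure(s) logged; most recent at $($last.TimeCreated)."
} else {
    Write-Output "No event 7026 entries mention '$driverName'."
}
```

A driver that is registered but not running, together with a matching 7026 entry, corresponds to the "failed to load" condition quoted from the System log in this thread.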