(Fixed) DCOM Exploit bypassing COMODO. Blocked by !avast

Hello. I have COMODO firewall W D+ and avast anti virus. I have been getting a lot of “DCOM Exploit” attacks for the last week which are bypassing COMODO, but thankfully avast is blocking the attack.

What and who may be attacking my computer and why isn’t COMODO blocking it?

P.S. If it helps us all figure this out i also posted on !avast forum about this problem linking the 2 together. Here is the link (Solution Found) DCOM Exploit getting through COMODO Firewall. Blocked by !avast

Please tell us more details.

1. What is your D+ mode and setting?
(screen shots would be nice)

2. Did you update all of latest Windows Updates?
(You have the DCOM vulnerability, including the other vulnerabilities, if you didn’t)

3. Can you show us any logs, screen shots from Avast, CIS?

why is it always avast, who is involved in detecting DCOM EXPLOITS ? (look in other forums)
when i look at the results of avast's internet suite (3%), i think it cries so loud for catching an “exploit” to show the customer how good it works.
in the comodo event list it's not saying “wow exploit was blocked”, it just says “tcp in was blocked”. that's the only difference.

----if you use an antivirus with “webguard” or something, maybe your traffic will be led through its proxy. then you would bypass your regular firewall YOURSELF.--------

all people who don't use avast are in danger? i think not :wink:

use avast as an antivirus and switch off its “firewall” part. one firewall at a time is better than 2.
sometimes 2 firewalls at a time can be worse than to have no firewall at all. see above.
and look if you have set comodo to block IP IN ANY, which means that comodo would block all unrequested ingoing connection attempts. under global rules.
use the stealth port wizard to easily reach this goal. “hide me from everyone”, setting 3.

As per your request here are 6 screen shots. If they are not what you need, just ask, being more specific as to what you need to see. As for any avast log recording the DCOM Exploit, none exist ???

Last night i reinstalled the OS on my laptop doing ALL Microsoft, comodo & avast updates. These DCOM attacks started before i did the reinstall.

Reason for reinstall-------system incompatibility caused by New User Syndrome 88)

[attachment deleted by admin]

look in the event list of comodo if comodo has blocked this ip in that moment too (unspectacular: blocked protocol TCP in, source address … , destination address “your ip”.) the avast notification is too much spectacle for such a normal blocking event. i would be sceptical.

i give an example: if spybot search&destroy finds a trojan, it could happen that your antivirus says: I FOUND A VIRUS, location spybot quarantine folder :smiley: . i think that's the same situation in a way.

and look if avast uses proxy technology to “be a webshield” antivirus program.

As this screen shot shows, nothing is listed in COMODO firewall events

[attachment deleted by admin]

Does your CIS detect network traffic?

Go to
Firewall>View Active connections.

Is there any active connection?

well, then there is something wrong.
i would really suggest to use only ONE firewall, and NOT a webshield antivirus.

in the comodo settings make sure that you have a “block ip in any” rule in global rules. then any unrequested connection will be blocked.
use the stealth port wizard under firewall----common. choose setting 3, the last one there. this will generate a similar ruleset in global rules…

avast is your antivirus, let “a firewall” be your firewall :slight_smile:

avast's results as firewall are very bad! if it uses the proxy version to “protect” you, you made a bad choice, because comodo can't work for you like it could. (3% versus 100% test results)

I assume you are not “behind” a router.

If you run the Stealth Port Wizard and choose to Stealth my ports to everyone.

That should create a Block Rule at the bottom of your Global Rules like in pic.

Try if that stops this internet noise, that is making the Avast Shield think you are under attack.

post back if it works or not please.

Bad

[attachment deleted by admin]

yes there are active connections

Another strong point the others have hit on.
Are you using the thirty day trial of Avast, with Firewall?
The 2 Firewall thing is not good.

Did you remember to Disable Windows Firewall during all of this?

BAd

??? now my COMODO firewall has crashed >:-D see pix below

[attachment deleted by admin]

Not using trial version. Using full free version of avast. Windows firewall has been turned off, yes.

“It is able to monitor and filter all HTTP traffic coming from the Web sites on the Internet. It’s implemented as a HTTP proxy running on your PC.
Connections from your Web browser are redirected to the Web Shield module.”

don't use it together with a firewall.

It’s the Network Shield making the alerts, not the Web Shield.

The Web Shield just proxies the browser traffic, I believe.

PS: Did you check your Global Rules situation? re. my earlier post.
Have you rebooted, or sorted out the “crash”?

ok, then it is even more a “2 firewalls at one time problem”
while one of the two firewalls is a really bad one… like matousec tests said

(sorry for double posts, bug)

Here is a tool, to learn about, check if your OS is vulnerable, and if it is then make it not so to the DCOM vulnerability.

If your system isn’t vulnerable, these attacks are just noise.

No, I don’t see a need for it.

It was just to give the OP some peace of mind.

I believe the Network Shield is alerting to connection attempts that the firewall on its own would otherwise just block/drop.

IMO Solution - Set up Firewall properly, Run Stealth ports Wizard.
Disable File sharing in your Internet Connection properties.
Check that the firewall is blocking strangers from unsolicited connections/working.

Bad

PS: I’m trying to make this happen on a 32bit XP Pro box and the CIS Firewall seems to work fine with the Avast Network Shield enabled. So no obvious problem between them.
Double Triple check your Firewall rules.
Check for open ports at GRC (Gibson Research Corporation Home Page): select Services > Shields Up.
I’ll stay on this box for a while and see if I can get any sort of Avast alert.

clockwork: why is it always avast, who is involved in detecting DCOM EXPLOITS ?
Well, some Windows viruses (Blaster/Sasser) use DCOM/LSASS exploits to get into your system, that's why avast! antivirus (not firewall) detects these exploits. Not all our users use a firewall.
Nosnibor: I have been getting a lot of "DCOM Exploit" attacks for the last week which are by passing COMODO but thankfully avast is blocking the attack.
It depends on which product is installed sooner. Each packet is processed by all network drivers - one after another. If the first driver blocks the packet (avast or comodo) then the 2nd driver (avast or comodo) won't receive it. That's why this DCOM exploit will be blocked by either the avast or the comodo driver, but not both.
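
A simplified model of the driver ordering described in the post above, added here as an example and not code from avast, COMODO or any poster. The filter names, log labels, constructed probe packets and the use of TCP port 135 (the RPC endpoint mapper that DCOM exploits target) as the shield's match rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"
    solicited: bool = False  # True if it answers a connection this host opened

@dataclass
class Filter:
    name: str
    label: str                   # text this product logs when it drops a packet
    ports: Optional[frozenset]   # None = match any destination port
    log: list = field(default_factory=list)

    def inspect(self, pkt):
        """Return True to pass the packet down the chain, False to drop it."""
        if pkt.solicited:
            return True
        if self.ports is None or pkt.dst_port in self.ports:
            self.log.append(f"{self.label}: {pkt.proto} in {pkt.src} -> :{pkt.dst_port}")
            return False
        return True

def deliver(pkt, chain):
    """Walk the filters in binding order; the first one that drops ends the walk."""
    for f in chain:
        if not f.inspect(pkt):
            return f.name      # later filters never see, or log, this packet
    return None                # packet reached the host

def run(order):
    # Hypothetical stand-ins: a signature-style shield that only reacts to
    # port 135, and a firewall with a global "block IP in any" rule.
    shield = Filter("network_shield", "DCOM Exploit blocked", frozenset({135}))
    firewall = Filter("firewall", "Blocked", None)
    by_name = {"network_shield": shield, "firewall": firewall}
    chain = [by_name[n] for n in order]
    # Constructed unsolicited inbound probes (documentation address range).
    probes = [Packet("203.0.113.7", 135), Packet("203.0.113.9", 445)]
    droppers = [deliver(p, chain) for p in probes]
    return droppers, len(shield.log), len(firewall.log)

if __name__ == "__main__":
    print(run(["network_shield", "firewall"]))   # shield sits first in the chain
    print(run(["firewall", "network_shield"]))   # firewall sits first in the chain
```

With the shield first, the port 135 probe appears only in the shield's log and the firewall's event list stays empty for it, even though the firewall rule would have dropped the same packet.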

??? sigh – I’m so confused. I’ve received A LOT of info here and because of my lack of PC experience i’m NOT sure how to proceed.

After COMODO crashed i rebooted and now my screen has changed (shrink) 1.5 inch smaller both sides