(Fixed) DCOM Exploit bypassing COMODO. Blocked by !avast

This would be Webshield, the alert is caused by Network Shield…

Problem is this, you have a firewall active (CIS FW) and a NIPS (Network Intrusion Prevention System) Avast Network shield.

So what do those two do and where’s the difference?

  • A firewall only checks IP/TCP/UDP numbers and ports.
  • NIPS inspects the data packets to see what’s “in” them, and if there is malicious code in them, like in this case a DCOM exploit attack, it alerts.

This is the reason you are seeing alerts. Depending on your Global rules (whether you block incoming requests to, in this case, TCP 135) and on which program filters first (Avast or FW), the alerts can vary.

If Avast network shield inspects before CIS FW you would get the DCOM alert even if you blocked incoming TCP 135.

If CIS FW comes first, and you have blocked TCP 135 globally, you should not be seeing these alerts from Avast.

Screen fixed. Cable connecting TV and laptop was still connected when I rebooted. PC got confused. My bad lol.

@ “Ronny” I think I understand in that COMODO is my firewall but avast is also acting like a firewall using “Web Shield”

Is this correct ???

Well technically they are different.

You have CIS firewall
You have Avast Network Shield
You have Avast Webshield

A firewall controls “what is allowed where”: the packet header containing Source and Destination.
It does not inspect what’s in the data portion of the packet; it can be HTTP traffic of you browsing the web but it can also be SMTP traffic from you sending out an email.

In both cases you can control from/to which IPs and ports (in these cases 80 for HTTP and 25 for SMTP), but that still doesn’t give you control over what’s “inside” the packet.

[Source IP+Port][Destination IP+Port][Some Data HTTP/SMTP etc]

So the firewall only inspects the portion that is used to transport the data over the internet.

The Avast Network shield inspects the [Some Data] part of the packet to see if the data that is in there is “real” data or malicious code. It could contain ‘HTTP 200 OK’ from some web server but in your case it will contain a certain amount of data that will cause a DCOM security issue on TCP 135, it’s not the “port” that is attacked but the “process” behind it (svchost.exe) in this case.

Next to that you also have the Avast Webshield active, that’s not inspecting “All” data packets like the Network shield does, but it will only inspect HTTP traffic, and it works differently.

The Network shield “listens” to traffic on the same level as the CIS firewall does.
The Web shield acts like a transparent proxy on your PC, so it will intercept all traffic that it’s configured to intercept, for instance TCP 80 (HTTP) traffic.

This means your traffic flow is changing from:

[Browser]-->[Firewall Inspection]-->[Network card]-->Internet

to:

[Browser]-->[Avast Web Shield]-->[Firewall Inspection]-->Internet

So the process sits between your browser and your firewall to scan all HTTP traffic for malicious code.
In this case it will scan much more than the Network Shield because that will only intercept known “worm” attacks, that is malware that only spreads over the network without user intervention (like a browser) and if your port is open and the process that’s listening to it is vulnerable you can be exploited, that’s where the Network Shield protects you, so it only inspects “incoming” traffic.

[Hacker/Infected PC]-->[Internet]-->[Firewall Inspection]-->[Network Shield]-->Real Process behind port X

So Network Shield can “kill” a network connection based on the data inside the packet, and a firewall can only block a connection based on where it came from and/or where it goes to.

Hope this helps :wink:
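The difference between the header-only firewall rule and payload inspection, and why the order of the two filters decides which product reports the event, as an added Python sketch (not part of the original posts). The packet fields, the `<<CONSTRUCTED-DCOM-MARKER>>` payload marker and all function names are hypothetical stand-ins, not how CIS or avast! are implemented:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    direction: str   # "in" or "out"
    src_ip: str
    dst_port: int
    payload: bytes

# Global rules, first match wins. Rule 1 mirrors the thread's
# "Block, TCP, In, Any -> Any, Destination Port = 135".
GLOBAL_RULES = [
    {"action": "block", "proto": "TCP", "direction": "in", "dst_port": 135},
    {"action": "allow"},
]

# Constructed placeholder marker, not a real detection signature.
SIGNATURES = {b"<<CONSTRUCTED-DCOM-MARKER>>": "DCOM exploit"}

def firewall(pkt):
    """Header-only decision: never reads pkt.payload."""
    for rule in GLOBAL_RULES:
        if all(getattr(pkt, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "block"

def nips(pkt):
    """Payload-only decision on incoming traffic; returns an alert name or None."""
    if pkt.direction != "in":
        return None
    for marker, name in SIGNATURES.items():
        if marker in pkt.payload:
            return name
    return None

def process(pkt, order):
    """Run the filters in the given order; the first one to drop the packet reports it."""
    for stage in order:
        if stage == "firewall" and firewall(pkt) == "block":
            return False, f"firewall: blocked {pkt.proto} {pkt.direction} port {pkt.dst_port}"
        if stage == "nips" and nips(pkt):
            return False, f"nips: alert {nips(pkt)}"
    return True, "delivered"

# Constructed sample packets (documentation-range addresses).
PROBE = Packet("TCP", "in", "203.0.113.7", 135, b"....<<CONSTRUCTED-DCOM-MARKER>>....")
REPLY = Packet("TCP", "in", "198.51.100.9", 49152, b"HTTP/1.1 200 OK\r\n\r\n")

if __name__ == "__main__":
    for order in (["firewall", "nips"], ["nips", "firewall"]):
        print(order, process(PROBE, order), process(REPLY, order))
```

With the firewall first, the probe only produces a firewall log entry; with the NIPS first, the same packet raises the alert even though the port 135 block rule is in place.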

Now let’s see if we can get rid of those Avast Alerts.

Please open CIS firewall, Advanced, Network Policy and switch to “Global Rules”.

Add, Block, TCP, In, Source = Any, Source Port = Any, Destination = Any, Destination Port = 135

Now apply this rule and use “Move Up” to position it as the first rule on the Global rules tab, this way we make sure it’s the first rule that it gets inspected and blocked on.

Now reboot and see if this takes away your Avast Network DCOM alert. If not it is very likely that the Avast Network shield is inspecting the traffic before CIS firewall is able to “interfere”.

In what order did you install? First Avast and then CIS, or vice versa?

@ Ronny – Now let’s see if we can get rid of those Avast Alerts.

I’ve included a before and after pix.
Order of install – COMODO first, Avast second.
Now rebooting bbl


So far things look good but maybe too early to tell lol

Maybe it would be a good option to turn on “logging” for this specific rule for a day or 2 to see how things are going…

k logging on
Also look at the pix I included. Is it set right? All I use is comodo for firewall.
Should it be changed to “COMODO - Firewall Security” ???


i read on your topic on avast site. one of them told, we would say BS about two firewalls.
the intention here was to help someone with a firewall problem, and it CAN be a problem when a proxy webshield or network shield is interfering with (another) firewall.
it's a coincidence that it was about avast in this case.
it would be BS, if we would not think in many directions.
who would be helped with saying BS? this was no topic about “companies”, it is a topic about a problem.
when i see a problem with comodo i would say it the same way.

After examining my firewall log it shows that it is blocking the threat and no more avast alerts have occurred. I did an IP Trace on the IP address and I think the attack was coming right from my internet service provider. I would put a pic of it here but I think it shows too much info to put on a forum

Also from the avast forum I went to GRC | ShieldsUP! — Internet Vulnerability Profiling and the results were not good. According to the site my PC failed hardcore :o Is this test site accurate?

your results should be good. on every test site i have been, my results were always “closed, or stealthed”.

Don't make rules for INgoing traffic, Just make rules for OUTgoing traffic!
use the stealth port wizard “hide me from everyone”.
that should do the work!

i am using proactive policy, and the firewall is closed though. look in your firewall rule set, NO INgoing rule should be there for any program. in global rules there should be a “block ip in any” rule. (as it was told, use the stealthport wizard ONE time).

your configuration picture is not readable…

Did you get lots of firewall alerts during this test, and if so did you allow them?

one thing about the leak test sites:
it is possible to get good results even if you use “a firewall from 2001” with no updates. it is only related to your settings! (i used one of those for a long time)
if you get bad results with a modern firewall, then your setting is bad! (apart from the interference problematic)

@ clockwork – My config is set to “COMODO - Proactive Security”

@ Ronny – testing not finished. Doing LOTS of reading lol

proactive means, that the defense+ is looking for more things.

i saw in a screenshot that you have set the firewall to safe mode. in custom mode you have to define the ruleset.
that's what i meant with settings. if you have only outgoing rules, and a block for ip in any, then the firewall is closed! only requested packets (whatever they contain) can pass the firewall then.
have you used the stealth port wizard? hide me to everyone?

“have you used the stealth port wizard? hide me to everyone?” Yes I have. As to the rest of your last post ??? it looks like Greek to me lol There is so much about this firewall I don't understand

After doing the recommended changes (stealth port wizard hide me to everyone) and (CIS firewall, Advanced, Network Policy and switch to “Global Rules”.
Add, Block, TCP, In, Source = Any, Source Port = Any, Destination = Any, Destination Port = 135)
comodo has blocked about 15-20 attacks per HOUR

After doing a little digging this is what I found - IP in Russia, Novokuznetsk - Comments and Complaints This was just one of many IP addresses that has tried getting into my pc over the last 2 weeks. I hope none got in. After doing a lot of reading and snooping inside my own pc and my memory 88) what I realised was this all started after I answered 3 Windows Live Instant Messages from unknown people. I traced the 3 messenger addresses back to Russia

Things that make you go ??? hmmmm ??? I could express my thoughts about these people a little stronger here >:-D %!$% !*$ !%& >:-D but that wouldn't be allowed here