(Fixed) DCOM Exploit bypassing COMODO. Blocked by !avast

If you have the rule BLOCK IP IN Any, then it should be closed, without asking you, for ANY unrequested incoming traffic.
To be more sure, erase all rules in the firewall ruleset (for programs) that have something to do with “allow INgoing”. Usually you don’t need a program to receive unrequested ingoing traffic.

Then retry the leak test sites. I think it should have a better result… if not, there must be a reason.

I’m not sure if I should start a new post for the following problem, but I think it’s related ???

As you can see in the included pix, the changes in settings have now caused some, I think, wanted items to be blocked.

If my cheesy method has worked you can’t see my IP address

I also got my ISP to reset my IP address ;D

[attachment deleted by admin]

update

Since 22:47:06 my firewall has blocked over 180 items :o holy ■■■■ :o that’s a lot ??? Isn’t it ??? And I think, by what I’m seeing in the logs, it’s my computer talking to itself but my firewall is blocking it ??? This is bad, isn’t it ???

Hi Nosnibor,
No, this is not bad, it’s only made visible now. Normally you wouldn’t notice if packets were sent to a port your PC listens or does not listen on.

Say someone on the internet is scanning the “internet” for SSH servers; this would cause packets to be received on your PC on port 22. As Windows doesn’t run an SSH server, the OS would normally send out a “TCP RST” packet. So far you would not notice this, but if you put the firewall in block-incoming mode, like you did with the Stealth Ports Wizard, then it’s going to show up in the logging as being blocked, sent to the “Windows Operating System (WOS)”.

And if the packet were sent to your system on a port that it is listening on, like TCP 135, the port would have answered and, depending on whether you have installed all security patches M$ released, you could be infected or not. Now this traffic to “listening” ports is also blocked.

How to resolve this “counter” issue? Well, you could create a new block rule that specifically blocks some traffic you don’t wish to have logged, and place that before the last “Block IP IN Any Any”.

For example:
“Block TCP IN Source=Any, Source Port =Any, Destination=Any, Destination port = 139”
“Block TCP IN Source=Any, Source Port =Any, Destination=Any, Destination port = 445”

This will remove the logging of those ports hitting your counter… Just make sure you have the Block IP IN Any Any rule below these (this one should be the last rule in the global policy).

OK, if I understand “Ronny” correctly – even though Comodo is blocking my PC talking to itself, the communication is actually generated from an outside incoming source (possible hacker).

Is that correct?

All rules logged that have “destination” your IP address are from the Internet TO you.
All that have the “source” your IP are sent FROM your PC to the internet.

And then there are a few exceptions like 255.255.255.255 that’s a broadcast on the local network.

Normally this is called “Internet Noise”; there are so many systems on the net, infected and/or hacked and/or active hackers and/or investigators, whatever, that are sending loads of packets over the web…

If you have setup your firewall correctly like you did now to block “incoming” traffic then there is nothing to worry about… on that part of your security setup.

Depending on your connection type, I would prefer a hardware firewall in between though, but that’s just my opinion…

OK, I think things are becoming more clear now, so I’ve turned off logging so I don’t see the huge number of blocked events that were causing me concern.

Logging shows you two things:
the firewall does its job
and you can know when the firewall is “guilty” of letting something not work

I would not disable logging of blockings. It’s a useful feature.

My Comodo is jobless now. Routers are a fine thing. I let Comodo run for outgoing control only. Sometimes I think, when the event list is empty now, my firewall doesn’t work… :smiley:

I agree. Logging back on.

I would try to filter out some rules you are sure you don’t need block logging from; that will make the logging less cluttered… (like is suggested above)…

In that case I assume you don’t want to share your files and printers with anyone, and just block traffic to TCP 139 and TCP 445, as those are the ports used for Windows File and Printer Sharing…

Also have to take another look at the blocked DHCP traffic; are you on a cable network?

I’ve just reinstalled “uTorrent” and it seems to be working but… as you can see in the pix, Comodo is blocking lots of traffic (but not all) into uTorrent. ??? Why ???

[attachment deleted by admin]

This is because the global rules now block all unsolicited traffic.
Best thing to do is to set uTorrent to always use the same port, and then allow that specific port in on the global rules…

Allow, TCP or UDP, In, Src=Any, Src Port=Any, Dst=Any, Dst Port = single port xxxxxx, and put this one at least before the last Block IP IN ANY ANY.

After that uTorrent should work as expected.

OK, uTorrent seems to be working fine now.
In the pix below it shows (top line) the uTorrent fix; the second line shows the fix from 2 days ago, but…
isn’t the third line basically a repeat of the second?
The fourth line is self-explanatory.
The last two lines I am unsure about ???

P.S. In about 3 hours my firewall has blocked over 4170 Intrusion Attempts :-TU ;D

[attachment deleted by admin]

Yes, in this case you can remove the TCP 135 rule, and I would suggest putting the Block In Any Any rule all the way to the bottom; all incoming allows below it will never match…

Sorry, more info pls, I don’t understand. What is the difference between “IP in” - “TCP in” - “ICMP in” - and “UDP in”?

But… the last two lines I am unsure about. What are they meant to do ???

IP consists of a lot of protocols (see here for a complete list); in short, the protocol numbers commonly used on a PC are:

Nr: 1 = ICMP
Nr: 6 = TCP
Nr: 17 = UDP

This means that if you use a rule that has IP in it, it will cover “ALL” IP protocols known, from 0-255.
A rule with TCP only filters TCP connections, and UDP only filters communications based on UDP traffic.

Now to break down your global rules:

1) Allow and Log, TCP or UDP, IN, any, any, any, dport=50443
This allows only incoming traffic (which means traffic that is started FROM the internet TO you; this has nothing to do with traffic YOU initiated to the internet and that comes back to you because of that) on TCP and UDP port 50443 to your system.

2) Block and Log, TCP, IN, any, any, any, dport=135
This only blocks connection requests FROM the internet TO you on IP protocol TCP and port 135.

3) Block and Log, IP, IN, any, any, any
This blocks ALL IP protocol requests FROM the internet TO you.

4) Allow, IP, Out, any, any, any
This allows all connection requests FROM you TO the Internet.

5) Allow, ICMP, In, any, any Fragmentation needed.
ICMP is typically used to help the other protocols, so in this case it’s a diagnostic message telling the PC to send packets that can handle fragmentation…
BUT as a result of previous rule #3 this will never match, because incoming traffic rules are matched top to bottom, so rule #3 will block before rule #5 could ever match.

6) Allow, ICMP, In, any, any Time Exceeded.
Also ICMP control traffic, telling your system that no router on the path could serve the destination within 30 hops (a hop is a “router that takes the packet from one interface and puts it on another interface” to be forwarded on).

Hope this explains a bit.
See also the attached image for rule order handling, taken from the HELP file.

To optimize your global rules, remove the current rule #2 and move #3 to the bottom.

[attachment deleted by admin]
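The top-to-bottom matching described in the post above, as an added example that is not part of the original thread and is not Comodo's own code or rule format. The rule model, the three-protocol stand-in for "IP", and the function names are assumptions made for illustration; it evaluates only unsolicited traffic and reports which rules are shadowed by an earlier, broader rule.

```python
# Added example: first-match evaluation of the global rules listed above.
# The rule model is a constructed simplification, not Comodo's format.
ANY = None
IP = frozenset({"ICMP", "TCP", "UDP"})  # stand-in for "all IP protocols"

def rule(action, protos, direction, detail=ANY):
    # detail = destination port (TCP/UDP) or ICMP message name; ANY = wildcard
    return {"action": action, "protos": frozenset(protos),
            "dir": direction, "detail": detail}

ORIGINAL = [
    rule("allow", {"TCP", "UDP"}, "in", 50443),              # 1 uTorrent port
    rule("block", {"TCP"}, "in", 135),                       # 2
    rule("block", IP, "in"),                                 # 3 Block IP IN Any
    rule("allow", IP, "out"),                                # 4
    rule("allow", {"ICMP"}, "in", "fragmentation needed"),   # 5
    rule("allow", {"ICMP"}, "in", "time exceeded"),          # 6
]
# Suggested fix from the thread: remove rule 2, move rule 3 to the bottom.
OPTIMIZED = [ORIGINAL[0], ORIGINAL[3], ORIGINAL[4], ORIGINAL[5], ORIGINAL[2]]

def matches(r, proto, direction, detail):
    return (proto in r["protos"] and r["dir"] == direction
            and r["detail"] in (ANY, detail))

def decide(rules, proto, direction, detail=ANY):
    """Return (action, rule number) of the first matching rule, top to bottom."""
    for number, r in enumerate(rules, start=1):
        if matches(r, proto, direction, detail):
            return r["action"], number
    return None, None  # no rule matched

def covers(earlier, later):
    """True if every packet matched by `later` is already matched by `earlier`."""
    return (later["protos"] <= earlier["protos"]
            and earlier["dir"] == later["dir"]
            and earlier["detail"] in (ANY, later["detail"]))

def shadowed(rules):
    """Numbers of rules that can never match because an earlier rule covers them."""
    return [n for n, r in enumerate(rules, start=1)
            if any(covers(e, r) for e in rules[:n - 1])]

if __name__ == "__main__":
    print("shadowed in original order: ", shadowed(ORIGINAL))
    print("shadowed in optimized order:", shadowed(OPTIMIZED))
    print("TCP 135 in, optimized:", decide(OPTIMIZED, "TCP", "in", 135))
```

In the optimized order, inbound TCP 135 is still blocked by the final Block IP IN rule, which is why the separate port 135 rule can be removed.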

Getting clearer ;D Changes in pic below.
Is this now correct ???

[attachment deleted by admin]

Yes this is a “stealth” setup with Torrent on fixed incoming port setup… :-TU

Thank you very much for all your help ;D For a while I was thinking of dumping Comodo firewall but I’m glad I didn’t. I think this brings an end to this thread.
If I need help with another matter I will start a new thread.

Again Thank you

You’re welcome.