Help me tame my Comodo Log!

First of all good morning, spent 3hs or so yesterday reading these boards and indeed some very useful stuff can be extracted. At this point I already configure most (if not all) of my applications accordingly (I still use “Trusted App” for my p2p needs since both uTorrent and Soulseek refuse to work properly no matter how much flexible set of rules I apply… something always goes terribly wrong >< but that is beyond the scope of this post) but no matter how many similar threads I found no one provided me an appropriate answer to my current enquiry thus justifying me bring up this subject again (also trying to avoid post hijacking).

My main issue right now is the Comodo Log and the “well known” occurrence of thousands and thousands (I got well over 3000 last night alone) log entry’s from "Windows Operating System”. From my research I nailed it down to svchost.exe (and perhaps system.exe), most likely UPNP feature (but not sure) and/or communication between him and my modem… but since I am still not that literate on the subject I might be wrong on both assumptions.

Before I continue let me give the brief about my setup: windows vista x64 sp1 (clean install fully updated and malware free) ||| uac, windows defender, windows firewall and security center all turned off for good measure ||| comodo firewall v3.5.57173.439 (w/ D+ but removed the AV during install)||| avira PE (and nothing else). Now on the hardware part: linksys wired modem (no network wired or not) and that’s it, just my computer and the modem. Also worth mentioning I disabled most of the unneeded processes for my system trough Vlite before installation so NETBIOS, remote registry and the likes are all unreachable (some of them where even removed). I did keep UPNP (that is why it’s my best guess right now) since I think it’s a fairly useful feature for my p2p’ing and as far as a security threat goes w/ the rest of my rules tight enough I don’t think it will give me much of a headache.

Now for the good stuff… log’s:

→ log01

http://img8.imageshack.us/img8/4093/untitled1el1.jpg

By nospells at 2009-02-18

→ log02

http://img15.imageshack.us/img15/9969/untitled2yd3.jpg

By nospells at 2009-02-18

→ log03

http://img7.imageshack.us/img7/3673/untitled3fb3.jpg

By nospells at 2009-02-18

->log04 (just so you guys can take the picture… this number was after less the 10hs seeding on my computer)

http://img23.imageshack.us/img23/596/untitled4lz8.jpg

By nospells at 2009-02-18

Anyway, my computer is rock solid and all my gaming, internet, chat, streaming and p2p’ing is working as intended, but this constant logging is making all my refined rules useless since I always have to browse trough countless redundant blocks to reach what I want, and thus the need to make them go away ><

The source IP’s are as random as they get, I can’t even specify a range. And the destination is always me ¬¬

Also, while you guys are at it if you can help me defining some rules for Digsby I would be grateful… this thing is giving me a run for my money and every time I fix something I break another ;p

Thanks a bunch for any insight in the situation.

EDIT: forgot to add some info: I haven’t set ANY global rules except for the default ICMP one / I had a block all outcoming IP traffic but removed it during my tests ||| I already did the proper stealth mode wizard for p2p on peer basis ||| i use cable to connect to the internet ||| i log on my PC as admin and since UAC is off no privilege is denied to applications (god dammit how much I hate UAC ¬¬)

There are a couple of ports that keep returning in the logs: 64366 adn 32122. Are they used by any of your p2p programs or game program? After closing down a p2p client it will take a couple of hours or more for the network to know you have logged off; the traffic will get less then. Basically the firewall is doing it’s job for those two ports.

My guess also the 64366 looks like it has been used by uTorrrent and if you close that and a lot of other computers had active connections with you these messages will appear in the logs, can you check you uTorrent settings and see if you can find it’s port number ?

For allowing incoming uTorrent it’s better to set it fixed to a manually selected port, that’s much easier to firewall.

Tkz for the input.

Firstly, uTorrent is not using that port / oddly enough right now (I set it to pick a new one every program start… as I said its set as Trusted on Comodo so this option don’t interfere) its 32182 (well… was, by the time I am writing this I had to reboot to finish up an install and the port swapped again). And also, even if it was uTorrent is there any particular reason why Comodo would tag it as “Windows Operating System” ?

Well… I did some more experiments that might help out identifying this thing…

1. Closed uTorrent / blocked internet / let it stay that way for a few minutes (around 5 I guess… can’t afford a few hours right now ^^ perhaps during the night). As soon as I allowed internet traffic again the constant process logging resumed (uTorrent still closed). And in a matter of 10 minutes I had again well over 100 alerts (all traffic on the same 32122 port).

2. I decided to take all the svchost processes for a spin. Right now its configured to allow all outgoing traffic so everything related to him from clock sync to windows update is working as intended. It also have a rule to block tcp outgoing but since its not marked for logging I think it shouldn’t cause the massive amount of warnings should it?! I also tried looking for a mention of svchost + the ports I am seeing and haven’t found an specific info regarding any operation that would use this specific port.

3. I can’t confirm that the logging stooped, but removing the rules to block incoming traffic seems to generate a TON of request pop-up’s. Is it UPNP working or what?! The IP addresses are SOOOOO random its hard for me (and my very limited knowledge) to guess.

Thanks again, still waiting for an answer. I hardly doubt this massive amount of logs is hindering my machine in any way but its definitely getting in the way of me analyzing my logs and creating tighter rules for my applications.

It’s showing “Windows Operating System” because it can’t find the application that is listening to that port, so it’s left over to the OS to decide where to “route” this traffic to, this is possible if you uTorrent is closed, or just switched port after reboot, all clients downloading from your pc are still looking for the “old” port because they did not get an update yet on your “changed” port, that’s why i suggested a fixed port for uTorrent.

1. you can allow 1 port on global rules and allow 1 port incoming on uTorrent.
2. you won’t have tons of alerts on closed ports or “previous” opened ports.

well… I toyed a bit with your suggestions and left uTorrent closed over night and got some interesting results.

Firstly, when I changed ports in uTorrent the destination for the incoming requests changed as well (aha!) and even if they are not ALWAYS the exact same port they are all close enough in the range so I guess that is it. Just not sure if its nat-map porting or UPNP working or something else, but regardless that seems to be the reason.

Second, after 12hs the requests calmed down to a less alarming rate (lets say… I used to get 100 requests / minute now its more like 70 or so… but they are still coming (specially from China, over 40% from the IP’s always come from a backbone there ><) so I guess the refresh rate for the network is pretty slow, any idea how long it will take for them to realize I am not “there” anymore?!

Thirdly, now is the tough part. Configuring uTorrent to a single port is not very easy. The tutorials I found proved to be worthless since I always get unconectable and an alarming quantity of requests get blocked by uTorrent so I guess disabling nat PMP and UPNP will be my last resort even thought I don’t see how this could help since I don’t need to forward a port in the first place (I don’t own a router). Some aid here might be necessary.

The closest I got to a working uTorrent w/ static port and tight rules was following this guide: https://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/tutorial_for_utorrent_with_comodo_firewall_3-t15677.0.html . Only changes I made was on rule 4 / allow instead of ASK and HTTP ports instead of just 80. I still get a LOT of UDP failed requests probably outside the port range specified on the tutorial and yet for some reason my conectability suffers, not on ONE of the 5 different trackers I am seeding to I get connectable status.

Anyway, happy to find out what was causing it. I still haven’t tried Soulseek configuration but I am sure it will be easier, just need some guidelines to get my uTorrent started again and I will figure out eventually how to calm down SS as well ¬¬

Thanks again for all your suggestions.

EDIT: forgot to add my new log. 12hs w/out uTorrent running and a system reboot to resttart the Comodo Intrusion counter resulted in 3500 blocks >< BUT it seems to be growing at a slower pace now…

http://img3.imageshack.us/img3/2175/75752460su0.jpg

By nospells at 2009-02-19

It just bumped into my head that uTorrent doesn’t always close its ports upon close down. I remember seeing that until a couple of weeks ago. I don’t know if the latest version behaves any better.

So with that port open you might eventually draw some probing of other sort.

Make sure that all unneeded ports are closed on your router. Port 64366 you can’t seem to account for iirc.

Look on the router web interfacef for forwarded ports and also access the router through the uPnP interface to see if stray ports are open.

Its weird, but seems like its truth, somehow whenever port I choose for uTorrent seems to stays open. What I am trying to do now is create a rule to allow ONLY uTorrent traffic trough that port while blocking the rest but not much luck so far.

I thought created a global rule to block all incoming traffic thinking the uTorrent rule grating it access would supersede it but to no avail, I can’t use uTorrent like that (or any other program that depends on incoming traffic ><) and so I am back to square one (but w/ no redundant log’s at all :D).

Anyway, I don’t have a router so this should be pretty straight forward, but its not. Can anyone gimme a quick way to block all traffic except the ones specified on my rules THAT won’t generate thousands and thousand of unnecessary log because of uTorrent noise?

Also, is it a normal policy of uTorrent to behave like that?! Seems like an enormous security threat on my eyes Oo If so, whatever random port uTorrent picks to allow traffic every time it starts remains opened for life?

Thanks.

You first have to allow the one specific port on the global rules to allow it to enter the system.
After that CIS can inspect the packet and find that it’s used by uTorrent so you also have to allow that traffic incoming to uTorrent.

Also check uTorrent, Options, Preferences, Connection, “port used for incoming connections” → some port number.

Untick uPNP, NAT PMP, Randomize, Add windows firewall exception, press [OK]

This should allow incoming traffic.

This is really getting annoying.

I don’t know a way to fix this… right now the only way around is leave my p2p applications.

I successfully configure both uTorrent and Slsk so they both work perfectly (both w/ upnp disabled since I have no need for it anymore) and since I choose to “block and don’t log unmatching requests” as long as they are up and running I get a “cluster-free” log. As soon as they are shut down I start to read “windows process blablabla” all over my screen again.

If that wasn’t bad enough, I still have requests for ports I don’t use for several days… someone somewhere still thinks I am seeding trough that door and keep sending requests over and over and over and over again… its aggravating (:AGY)

Anyhow, do you have any suggestions to circumvent this Ronny? Perhaps a “magical” global rule I am failing to see? Or some way to make the log understand I don’t need to be alerted of those entries? Or even better… make Comodo realize they belong to uTorrent and actually use uTorrent application rules after its closed?

I made an attempt to create global rules instead of app specific ones but since p2p works on such a broad port range its difficult to not break everything else when doing so.

Tkz.

UPDATE: Almost a year later. A better solution than what follows in this post.
https://forums.comodo.com/install-setup-configuration-help/how-to-stop-logging-blocked-torrent-port-when-client-is-closed-t51399.0.html

psssst here is a magical global rule.

The only draw back is it will act like a manual on/off
I’m a leech with no connectivity switch.

You will have to go into global rules and move it up above your utorrent rule to disable connectivity and logging.
And move it down below your utorrent rule to get connectivity.

So looking at your bottom three Global rules.

uTorrent in rule
uTorrent block and no log rule
Block and log all rule

In the above positions uTorrent works all is normal.
Now, say you end a Torrent session, go to Global rules and select the uTorrent block and no log rule and move up one. Click apply and exit, voila, the port gets blocked and no logging.

So if you have set up uTorrent as has been suggested the magic rule is a clone of your uTorrent Allow in rule, except it is Action Block.

Action = Block * leave logging box unchecked *
Protocol = TCP/UDP
Direction = In
Source IP = Any
Source Port = Any
Destination IP or MAC address = your PC
Destination Port = your one configured listening port for uTorrent.

I checked this out for ya and it works fine. Just be real sure the rules are identical other than block/allow.

Later