high severity events - can I ignore the logs? [Resolved]

Hi,

I’m currently running Comodo version 2.3.6.81. I went back to this version after trying 2.4 and experiencing a few issues and it works well for me. I run a single computer behind a router and use utorrent quite a lot for downloading and uploading.

My question is a general one and relates to the logs called “high severity events”. I need not go into details because most of these events are similar to those dealt with in detail in this thread
https://forums.comodo.com/index.php/topic,6058.0/topicseen.html

What I want to know is: given that I get these events every day but never download any viruses or spyware, is this really a problem? (I know I’m not downloading nasties because I scan everything after downloading with AVG antispyware and NOD32 anti virus, and often run general scans with these two excellent anti-malware products). Put another way, is the fact that comodo is logging these events a sign that it is blocking the things logged from entering my system? If this is the case, then the mere fact that I have lots of them isn’t a worry, is it?

Any responses welcome, especially if I’m doing something wrong and ignoring issues that are potentially serious.

Hey please somebody!! I would really like to know what to do because I keep getting these high severity logs but nothing bad is happening to my computer. Do I just note the logs and do nothing, or should I do something?

Surely, somebody who knows about the concept of “high severity logs” can answer my question. I wouldn’t have a clue what they are and the concept is not explained in the manual or on this forum…so please somebody, even a moderator, help!

G’day,

Logs, as a rule, are a record of what the firewall has done and do not necessarily require action or investigation. They are an indication that your firewall is working.

The details of the logs show specifics of what the firewall has logged, protocol, IP, ports etc., and these details can be used to tighten the firewalls defences. How you do this varies depending upon the nature of the details in the logs.

Hope this helps,
Ewen :slight_smile:

Thanks Ewen. That eases my concern somewhat.

But I guess I’d like to know what makes ‘an event’ a ‘high severity event’? It makes it sound as though my computer is under imminent threat, about to be invaded. I realise that running utorrent, even if the torrent community one is operating in is reputable (in my case a classical music board), opens up one’s computer in such a way that a good firewall is going to log activity. But comodo’s language of ‘high severity’ is pretty scary and I feel what makes an event ‘highly severe’ versus say ‘medium’ ought to be explained somewhere, either in the PDF manual or somewhere on this board.

If you check the help files they are listed with a brief explanation. According to the help file, severe alerts are caused by a serious incoming connection attempt or a port scan or similar. According to the help file it causes the firewall to go into emergency mode, but I’ve never noticed any degradation in performance when I’ve had severe alerts.

< From the help files >

Columns Description:
The First Column (Severity) represents the threat level of an attack: High, Medium and Low. High severity alerts are very serious security risks like DOS and Port Scan attacks and the firewall goes into emergency to temporarily block incoming traffic. Medium and Low severity alerts are not so serious and are caused by transgression of one or more Network Control rules.

Hope this helps,
Ewen :slight_smile:

Hey, chopinhauer,

I just added something to the thread you linked… it might be of help to you as well.

LM

Thanks for the help Ewen and LM. It is all becoming a bit clearer now.

LM, I will try and add the rule you mention, but I have two questions.

First, I basically know how to create rules since I’ve done this for utorrent and emule. But looking at the rule wizard in the network monitor, I don’t know how to create the rule you mention: “Allow Out ICMP Port Unreachable”. It just doesn’t seem to be one of the variables in the wizard.

Second, where would such a rule go? Above or below utorrent rules?

Placement of the rule shouldn’t matter; as long as it is before the bottom “block & Log all” rule (which is what is stopping it…).

So you could right-click that bottom rule, select Add/Add Before. The rule will look like this:

Action: Allow
Protocol: ICMP
Direction: Out
Source: Any
Destination: Any
ICMP Details: ICMP Port Unreachable.

Click OK. Reboot.

I attached a screenshot of the rule-creation window, so you can see what it looks like.

LM

[attachment deleted by admin]

Thanks LM. So quick and so helpful. I’m keen to see if this eases the number of high severity alerts I receive, because these alerts scare me, although nothing seems to come of them (according to my numerous spyware and virus scans).

Don’t let the alerts scare you; let them comfort you! You can look in the details of the alert (the part in parentheses)… it will say “Access Denied.” That’s the part that is a comfort; that means CFP stopped it dead in its tracks, just like it’s supposed to.

But yes, that should help reduce them, following closing the p2p app.

LM

LM’s right ((:WIN)). Think of each high severity alert as a hug from CFP protecting you from the bad guys.

OK, I’m scared no more. The firewall is doing what it so evidently seems to do well: keeping things out.

One thing though, I note from the screenshot that you didn’t tick the box “create an alert if this rule is fired”. If I do tick it, will this create a lot of logs?

I can take over from here. That depends on your net usage. The most you’ll ever see port unreachables is with p2p because of many blocked connections and replies/requests. How frequently? I’d average a few to several every odd minute. Now, although LM’s screenshot was just an example, I agree that there’s no need to log it other than maybe for troubleshooting purposes.
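To make the rule placement and the alert checkbox concrete, here is a small first-match simulation of the Network Monitor rule list as LM laid it out (Allow / ICMP / Out / Any / Any / Port Unreachable, inserted before the bottom “Block & Log All” rule). This is an added illustration, not Comodo’s code; the rule and packet fields, the sample traffic and the treatment of an unmatched packet are assumptions chosen to mirror the posts above.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Rule:
    action: str                          # "Allow" or "Block"
    protocol: str                        # "TCP", "UDP", "ICMP" or "Any"
    direction: str                       # "In", "Out" or "Any"
    icmp_details: Optional[str] = None   # e.g. "Port Unreachable"; None = any ICMP type
    log: bool = False                    # the "create an alert if this rule is fired" box

@dataclass
class Packet:
    protocol: str
    direction: str
    icmp_details: Optional[str] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "Any" and rule.protocol != pkt.protocol:
        return False
    if rule.direction != "Any" and rule.direction != pkt.direction:
        return False
    return rule.icmp_details is None or rule.icmp_details == pkt.icmp_details

def evaluate(rules: list, pkt: Packet) -> tuple:
    """First match wins, top to bottom. Returns (action, log entry written?)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.log
    return "Block", True  # assumption: no match behaves like the bottom Block & Log rule

BLOCK_AND_LOG_ALL = Rule("Block", "Any", "Any", log=True)
ALLOW_PORT_UNREACH = Rule("Allow", "ICMP", "Out", icmp_details="Port Unreachable")

# Constructed sample traffic: the Port Unreachable reply a p2p client sends when a former
# peer keeps retrying a closed port, and an unsolicited inbound TCP connection attempt.
PORT_UNREACH_OUT = Packet("ICMP", "Out", "Port Unreachable")
SYN_IN = Packet("TCP", "In")

def outcomes() -> dict:
    """The scenarios discussed in the thread, each as an (action, logged) pair."""
    allow_logged = replace(ALLOW_PORT_UNREACH, log=True)   # checkbox ticked
    return {
        "before_fix": evaluate([BLOCK_AND_LOG_ALL], PORT_UNREACH_OUT),
        "after_fix": evaluate([ALLOW_PORT_UNREACH, BLOCK_AND_LOG_ALL], PORT_UNREACH_OUT),
        "after_fix_alert_ticked": evaluate([allow_logged, BLOCK_AND_LOG_ALL], PORT_UNREACH_OUT),
        "wrong_order": evaluate([BLOCK_AND_LOG_ALL, ALLOW_PORT_UNREACH], PORT_UNREACH_OUT),
        "inbound_tcp_after_fix": evaluate([ALLOW_PORT_UNREACH, BLOCK_AND_LOG_ALL], SYN_IN),
    }
```

The "wrong_order" entry shows why the rule must sit above “Block & Log All”, and "after_fix_alert_ticked" shows that ticking the alert box turns every one of those p2p replies back into a log line.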

OK, I’ll log it for a while, and then I won’t log it and compare what happens.

Many thanks to you all. I won’t be bugging you about this issue for a while now.

Bug if you need to, it’s not a problem… :wink:

For now, I’ll mark this topic Resolved and close it. If you need to “bug” us some more about it, just PM one of the Mods with a link and request it be reopened. We’ll be glad to do so.

LM