how do i block emule? Please help

I Guess I Will Start With The Gushing....

i LIKE this firewall! on my system it feels like the rock of Gibraltar! so solid and stable!! the interface, while involved, is, after navigating for a couple of hours, actually very simple. there is a whole breadth and depth to its functionality. for example, a firewall i have used for awhile now, i could never get svchost.exe under control. hell i couldn’t figure out even what it was doing. with CFP3 i simply went to Network Policy interface, clicked on the svchost.exe policy. clicked on its one rule, and enabled logging. i came back to the log 4-5 days later after running my computer as i normally do, performing nearly all, if not all of the tasks i regularly perform, and tracked what svchost.exe connected out to. it was consistent over that entire time. one ip, one port. i modified the rule to reflect what svchost.exe needed…done. created a block and log all rule, the file has what it needs to work, and i no longer think about it! amazing!

that is just one example of how this firewall, while granular is made simple by that very same granularity!! again…simply amazing!

i informally followed this firewall since Comodo first began releasing info about it. i considered installing the first alpha, but passed. and i resisted my curiosity about it until late December, when i came to the website specifically to download it. i first wanted to get a sense of what end-users were experiencing with it, and discovered the uninstall issues thread, and again decided to pass. btw, that issue is simply inexcusable. no excuse for it, zip, none, nada. if i did not have snapshot and imaging software, this FW would not be on my system today. but i did decide to install CFP3 5-6 days ago on a test snapshot…immediately impressed. it now is on my day to day snap, and included in my twice a day image update (i have a separate pre-CFP3 image----just in case)

the one question i have at this time is: how do i block emule from occasionally connecting out via IRC? i run Prevx2 (the buggy, wobbly wonder) with its network protection enabled (it is not a firewall, but monitors outbound, and compares suspicious behaviors to the community database to mark malicious connections) and its Event Notification window indicates when emule is utilizing IRC. i have set up specific rules for both inbound and outbound emule connections, and then a deny all that do not match rule to complete the policy. i, however, see no rule i can design that restricts IRC protocol. is IRC even considered a protocol?

thanks in advance and again nice job on this firewall, i sincerely could not be more pleased. well yes i can. Comodo get your do-do together and design a competent uninstall routine or at least a developer implemented removal tool! even the wobbly wonder Prevx2 has one of those (and it needs it too).

Mike

nobody know? well at least the firewall is worth a st.

Hi Mike,

Most likely we have specific ports for IRC with TCP and/or UDP protocol in this case. There is no IRC protocol as far as i know.

Try to find out which ports are used by eMule for IRC connections with protocol TCP and/or UDP.
Unfortunately i don’t have an idea how to track those port numbers, maybe try to google for “eMule IRC ports” or something.

I guess it is better to have only one thing to monitor net activities (e.g. Comodo Firewall) to avoid possible conflicts.

194/TCP IRC (Internet Relay Chat)
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

There are other related ports, look for “irc” in the full list in the link.

You could use TCPMon or even Comodo itself to view open ports and they should show what program has them open. That should tell you what ports to block, or at least let you narrow it down via trial and error.
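One way to do the narrowing-down suggested above, as an added example that is not part of the original thread: parse `netstat -ano` output and list the remote endpoints one process connects out to, flagging those on IRC ports. The sample output, PID 4312 (a stand-in for emule.exe) and the port set beyond 194 are assumptions.

```python
# Added example, not from the thread. SAMPLE is constructed `netstat -ano`
# output in the Windows layout; PID 4312 is a stand-in for emule.exe.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:4662           0.0.0.0:0              LISTENING       4312
  TCP    192.168.1.10:49201     198.51.100.23:4661     ESTABLISHED     4312
  TCP    192.168.1.10:49207     203.0.113.5:6667       ESTABLISHED     4312
  TCP    192.168.1.10:49215     203.0.113.9:80         ESTABLISHED     2208
  TCP    192.168.1.10:49230     203.0.113.5:6667       TIME_WAIT       0
  UDP    0.0.0.0:4672           *:*                                    4312
"""

# 194 is the port named in the thread; 6665-6669 and 6697 are other ports
# commonly used by IRC servers (assumption: the server uses one of these).
IRC_PORTS = {194, 6697} | set(range(6665, 6670))


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, _local, remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":      # UDP rows have no State column
            (proto, _local, remote, pid), state = f, ""
        else:
            continue
        host, _, port = remote.rpartition(":")   # rpartition copes with [v6]:port
        rows.append({"proto": proto, "state": state, "pid": int(pid),
                     "remote_host": host,
                     "remote_port": int(port) if port.isdigit() else None})
    return rows


def outbound_endpoints(rows, pid):
    """Distinct remote (host, port) pairs of a process's non-listening TCP rows."""
    return sorted({(r["remote_host"], r["remote_port"]) for r in rows
                   if r["pid"] == pid and r["proto"] == "TCP"
                   and r["state"] != "LISTENING"})


def irc_endpoints(rows, pid):
    """Subset of outbound_endpoints whose remote port is an IRC port."""
    return [e for e in outbound_endpoints(rows, pid) if e[1] in IRC_PORTS]


if __name__ == "__main__":
    for host, port in irc_endpoints(parse_netstat(SAMPLE), 4312):
        print(f"block candidate: TCP out to {host}:{port}")
```

The remote port in the Foreign Address column is what an outbound block rule has to match; the local port of such a connection is ephemeral and does not appear in a list of listening ports.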

hey jp,

i have used several tools including Cports and CFP3 to monitor for open ports, none are indicated as open, although there is a lot of traffic with emule running. it all is labeled as TCP/UDP, as one would expect with P2P software. thank you for the suggestion.

hey goodbrazer,

yeah i did google emule/irc, and basically received topics from those folks that desire to use emule to communicate to other hamsters. not a lot of info for those of us desiring hamster avoidance. emule is complicit in this hamster comms promotion. i attempted to remove the server address to Hamster Central (IRC Server) and every time i clicked ‘Apply’ the server address would return. so i will be engaging them in their forum shortly.

the wobbly wonder Prevx2 needs to have Network Protection enabled to realise the full potential of Prevx protections. they (Prevx) realise it is not a firewall and have designed it to work alongside dedicated packet filters (that is my understanding anyway). while i refer to it as the wobbly wonder, i rely on Prevx2’s behavioral monitoring to cover me for the many “oooppps” i make in allow/deny decisions from HIPS programs. when it’s not trashing itself, Prevx works amazingly well in the role it plays on my system. in fact i just ran DFK Threat Simulator to see CFP3 in action. Prevx2 immediately jailed the main executable, which i then told Prevx2 to allow it to run (the premise is someone receives this file from a co-worker who believes it is a funny video…i played along with this social engineering theme). so even as CFP3 was giving me pop-ups, which i was allowing (again i ‘believe’ it is a flash video) Prevx2 was monitoring the files it was dropping, comparing them to the ‘Community’ and jailing them. for me CFP3 and Prevx2 are indeed very compatible and are a great 1-2 punch.

again thanks for your assistance. this seems more of an emule problem than a CFP3 problem. i’ll take the fight to them.

Mike