I have two computers on my home network. I see that on each, COMODO is blocking “intrusion attempts” from one to the other. There is nothing malicious going on here. How do I tell COMODO that if a computer is on my internal net, it’s ok (and is it safe to do so?). The range of addresses would be 192.168.0.111 to 192.168.0.115
I should add that I can access files from one computer to the other - it’s just that every time I do, COMODO pops up an alert.
Welcome to the Forum, alicia1234.
Firewall/Stealthports Wizard. Select the second option. Also, make System ‘Outgoing Only’ in your firewall rules.
This has worked for me.
Thanks. Actually, used the first option and defined a new trusted network with an IP address range. That’s really what I was looking for.
How do I make “System” outgoing only?
From Firewall/Advanced/Network Security Policy,
If there is a firewall rule for System already, select it and click ‘Edit’.
If there is not an existing rule, click Add/Select/Running Processes. Select System. Click ‘Select’,
Select ‘Use Predefined Policy’ and select ‘Outgoing Only’ from the dropdown. Click ‘Apply’ and then ‘OK’.
Note this will also create a log of any non-matching requests (i.e. incoming).
In Firewall > Stealth Wizard, I picked “Define a new trusted network…”, then “I would like to define and trust a new network zone”. I put in a starting IP of 192.168.0.100 and an ending IP of 192.168.0.120.
In Firewall > Advanced > Network Security Policy > Global Rules, there are two rules for this IP range, one to “Allow All Outgoing Requests If the Target is IP In […]” and a corresponding one for “Allow All Incoming Requests …”.
Yet, on the Summary page, it says the firewall has blocked xxxx number of intrusion attempts, and when I click on the number to see what the attempts were, I see multiple entries for:
Source IP: 192.168.0.114
Destination IP: 192.168.0.111
Destination Port: 137
Date/Time: (20 entries in the past 7 minutes!)
WHY? It appears that my network rule isn’t working at all.
What is the gateway address of your router? Usually it is something like 192.168.0.1. So you may have excluded the router.
There are two ways to go. One is to make the range 192.168.0.0-192.168.0.255 trusted local network zone.
For the other one we need to find out the IP address of the router. Assuming you are on Windows XP, go to Start → Run → cmd → push Enter → you now get a DOS box type of environment → type: ipconfig /all → push Enter. In the results look up the address for default gateway.
Now you can add that address to your local trusted zone.
Does this fix it for you?
Yes my router is 192.168.0.1
BUT - if I excluded the router, wouldn’t my internet connection not work at all? It’s working just fine.
I thought I figured out what I did wrong: when setting up the trusted network, I set Protocol to “IP”. So I created rules for TCP and UDP too, both incoming and outgoing.
But I’m still getting those blocked items. I don’t understand what they are - what’s causing these things every few seconds? They are all for UDP protocol. There are over 300 of them just for today!
My PC is the .111 one. My husband’s is the .114. So my PC is blocking these “system” things from his.
So my firewall rule is Allow, TCP or UDP, direction=in; source address range 192.168.0.100 to 192.168.0.120, destination address range = any.
Hi, your first rule was best; go back to IP, and just add the router to the zone to complete it.
Then go on his (hubby’s) PC and in Network Connections TCP/IP Properties disable NetBIOS over TCP
Since your PC isn’t playing, I assume it is disabled already. But you can check.
See if that stops the blocks.
Yes, with the router excluded you could still surf; outgoing traffic isn’t confined, and responses to requests don’t count as intrusion or inbound connection attempts.
Let us know how it goes with these changes.
I’ll have to get back to this tomorrow. Don’t I need NetBIOS in order to share files between the two computers?
Not necessarily. Windows 2000 and up can maintain file shares using IP protocol, rather than NetBIOS (or NetBEUI). You should only have the protocols you require installed.
I disabled NetBIOS on both PCs and that stopped all of the blocked intrusion events. I removed the rules I had created for my local area network so that I could basically start over. Each of us can access the internet just fine and all is working fine, EXCEPT THAT we cannot “see” each other’s PCs. Before, we each had folders on the other’s PC showing up in My Network Places. Now we only have our own shared folders showing up.
Disabling NetBIOS did not cause this as with or without it, there is still the same problem. I just noticed this problem so I don’t know exactly when it happened, but I have to guess that it has something to do with COMODO?
Since I disabled NetBIOS everything ran OK for about a day. Now my PC is getting intrusion attempts every several seconds from my husband’s PC again. This time they look like this:
Source IP: 192.168.0.114
Source Port: 57733
Destination IP: 192.168.0.111
Destination Port: 53
I went in to the Firewall > Advanced > Network Security Policy > Applications and found the rule for c:\WINDOWS\system32\svchoste.exe
It looks like this:
Block and Log IP In From IP Any to IP Any Where Protocol is Any
Allow UDP In From IP In [192.168.0.114 / 255.255.255.0] To IP Any Where Source Port is Any and Destination Port is Any
Allow TCP In From IP In [192.168.0.114 / 255.255.255.0] To IP Any Where Source Port is Any and Destination Port is Any
Allow IP Out from IP Any to IP Any Where Protocol is Any
I removed the first item: Block and Log IP In From IP Any to IP Any Where Protocol is Any
But it keeps coming back and the intrusions keep getting logged.
Why does it keep coming back?
Could you try to select the Block rule and then click Move Down until it is beneath the allow rules for svchost.exe?
I hope that when you wrote svchoste.exe that was a typo, or is your OS working in a language other than English?
Remember in any setting window to click Apply or OK to get out, as just closing the window won’t save changes.
Let us know how it goes.
Are these both XP systems?
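To show why moving the Block rule below the Allow rules changes the outcome, here is a small first-match rule evaluator (added here as an illustration, not COMODO’s code or anything posted in the thread) run over the svchost.exe rules and the logged UDP/53 event quoted above, plus a check of the earlier start..end trusted zone that left out the router. The `Rule`/`Packet` names are mine, and treating a packet that matches no rule as blocked is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP", "UDP", "ICMP", ...
    direction: str   # "in" or "out"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str      # "Allow" or "Block"
    proto: str       # "IP" means "Where Protocol is Any"
    direction: str   # "in" or "out"
    src: str         # "any", a host, or "host/mask" as CIS displays it
    dst: str

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto != "IP" and self.proto != pkt.proto:
            return False
        return _addr_in(self.src, pkt.src) and _addr_in(self.dst, pkt.dst)


def _addr_in(spec: str, ip: str) -> bool:
    if spec.lower() == "any":
        return True
    # strict=False turns "192.168.0.114/255.255.255.0" into the whole 192.168.0.0/24
    return ip_address(ip) in ip_network(spec.replace(" ", ""), strict=False)


def evaluate(rules, pkt: Packet):
    """Top-down, first matching rule decides (the reason 'Move Down' matters)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "Block", None  # assumption: an unmatched packet is not allowed


def zone_contains(start: str, end: str, ip: str) -> bool:
    """A trusted zone defined as a start..end range, like 192.168.0.100-120 above."""
    return ip_address(start) <= ip_address(ip) <= ip_address(end)


# The svchost.exe rules quoted in the thread, in the order they were shown
BLOCK_ALL_IN = Rule("Block", "IP", "in", "any", "any")
ALLOW_UDP_IN = Rule("Allow", "UDP", "in", "192.168.0.114/255.255.255.0", "any")
ALLOW_TCP_IN = Rule("Allow", "TCP", "in", "192.168.0.114/255.255.255.0", "any")
ALLOW_ALL_OUT = Rule("Allow", "IP", "out", "any", "any")
AS_POSTED = [BLOCK_ALL_IN, ALLOW_UDP_IN, ALLOW_TCP_IN, ALLOW_ALL_OUT]
MOVED_DOWN = [ALLOW_UDP_IN, ALLOW_TCP_IN, ALLOW_ALL_OUT, BLOCK_ALL_IN]

# The logged event from the thread: UDP from the .114 PC to .111, port 53
LOGGED = Packet("UDP", "in", "192.168.0.114", "192.168.0.111", 53)

if __name__ == "__main__":
    print(evaluate(AS_POSTED, LOGGED))    # ('Block', 0)
    print(evaluate(MOVED_DOWN, LOGGED))   # ('Allow', 0)
    print(zone_contains("192.168.0.100", "192.168.0.120", "192.168.0.1"))  # False
```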
Yes that was a typo. Yes both systems are Windows XP SP3.
I did move the rule down and that seems to have stopped the intrusion blockings.
Any idea what these things are? My husband is not deliberately accessing anything on my computer. Why is his computer sending these things?
I always use Stealth Port Wizard to block my port to everyone and I had a similar issue recently. I think there is an issue with CIS default configuration since if you choose ‘I would like to be fully accessible to other PCs in this network’ on the New Private Network Detected window then it will still block a few things. Here is how I sorted it out and what you can try.
You need to enable NetBIOS (preferably over TCP/IP).
When the New Private Network Detected window appears allow all access to this network.
Add a rule for svchost.exe like this:
Allow IP OUT From IP ANY to [MY_TRUSTED_NETWORK_ZONE] Where Protocol Is ANY
Allow IP IN From [MY_TRUSTED_NETWORK_ZONE] To IP ANY Where Protocol Is ANY
Allow IP OUT From IP ANY to IP ANY Where Protocol Is ANY
As a side note, I think that svchost.exe should be moved from the Windows Updater Application file group to the System file group (with a slight change of rules for the System file group) because of this file sharing issue over NetBIOS and also because svchost.exe by default always sends an ICMP or IGMP message to the gateway after the PC returns from sleep mode.