In checking Activity Logs in Comodo, when everything is checked Network Monitor owns the Activity Log. When Network Monitor is unchecked I have yet to see anything posted.
One of the first things I noticed is that the Network Monitor log shows a Medium Severity blocking the “same” port occurring 3-5 times every 5 seconds. What really is unusual is that when checking the log for 1 day only that port is listed: Port 30394.
It is a UDP inbound violation, Rule 7 Block and Log.
Little Mac suggested a program called “Whats Running” but still no luck in identifying what software/program is attempting to logon to my PC using Port 30394?
There are many, Many different IP addresses, but wondered how I could identify what program. I might have used it or have it OFF? To have one port dominate the blocks and so many has me almost paranoid as to what and why!
I tried changing the rules for ports for Qnext to any and the above inbound violations disappeared and a new one appeared all outbound and “All” for the same port but a different one.
Can the incoming software/program trying to access Port 30394 be identified?
Also wondered why I saw no other ports identified in Network logging?
Thank you All for your suggestions and time!
I hope you mean something like this:
The first picture is the Comodo logview. If you make a right-click, you’ll get “export as html” (I don’t know it exactly, because I’m using a different language). Open the html file and search for the log entry (I prefer the time) you want to know more about. And that’s picture two: There is the name of the program and the port is also shown.
PS: if you take a bigger logfile, you’ll get more information about what happened because if the maximum is reached, it will overwrite itself.
[attachment deleted by admin]
That’s not going to help him, Xerye, unfortunately. What your log is showing is from Application Monitor. In Doug’s case the Network Monitor is what is blocking the access; Network Monitor does not show the application associated with the block (since it’s an Inbound access attempt).
Doug, my other question would be if you recognize any of the IP addresses that are given as the source address for these inbound connection attempts?
Also, is it possible that these are attempted QN connections from someone else? Perhaps they have QN configured differently?
The only other thing I would suggest is to run a packet sniffer on it; something like wireshark. Then you can examine the results in great detail (probably more than you want, but there you go…).
Your other option (which I might be inclined to take) is to simply create a specific block rule for Inbound UDP on Destination Port 30394; no logging enabled on that rule. It’s already being blocked, so as long as your connection isn’t having trouble, keep on blocking, but don’t log it…
Thank you for your assistance! Since I last posted here with the problem with medium severity attacks on port 30394 I did an IPconfig /release, and also a /Flushdns. A complete temp file cleaning, and then shut my system down for 18 hours. Had to take my daughter to college 5 1/2 hours north and then needed to rush to a Funeral.
When I rebooted, I left the modem unplugged from the power source and after everything loaded I rebooted again this time with the modem plugged in.
After everything loaded I checked the Comodo Activity Logs,
I did not find to this point ANY references to port 30394.
Also before that reference had Dominated the Comodo Activity Log as the only port listed with a problem.
This block with port 30394 occurred 3-5 times every 5 seconds. The IP addresses listed with each problem did reoccur but there were many different IP addresses.
Now problems might not show up for quite a while with varying ports listed, I did not know how, nor try to identify the IP addresses on the Port 30394 incident, doubt if any IP address would help with what was going on.
But if the software could have been identified (probably not because Comodo was doing its job of blocking) I would have contacted my IP provider to keep an eye out.
Somehow that software had my old IP address, and was still using it to send to other users!
Thank you again
No problem, Doug!
I’ll go ahead and close the topic; if it reoccurs just PM a Moderator (please include a link back here) and we’ll reopen it for you, and keep diggin’ at it.
Discovered What is causing medium errors for Port 30394 to be posted 3 to 5 times every 5 seconds.
One of the Joost software files is called TVprunner. I am guessing it creates Proxy Servers and when I Stop Joost it does not stop but keeps redirecting other Joost users to my IP even though Joost is OFF.
I sent a help ticket to their support.
Thanks UncleDoug, I hope their support can sort this out for you,
I’ve merged your new post with the existing topic, and unlocked it. I’ll leave it that way, so you can reply and let us know what Joost support says about it.
Little Mac, not sure when I will be getting a reply? Normally I probably will not, but a new update might be out in 6 to 8 weeks.
What I think caught his attention was when I said the logs were happening so quickly and were so persistent it almost looked like malware attacking my IP address at port 30394.
The Support rep said " As far as I know, Joost is not using your computer as a proxy. We don’t even support proxies after all. " The persistence sure looks like a Proxy Server Trying!
I can confirm that after changing my IP address the log files were for different problems for various incoming ports. After starting Joost and then stopping it, I only have the errors for port 30394 from different IP addresses. And the only file I saw associated with Port 30394 was one of Joost files TVprunner. This occurred 5 different times, (I got tired of resetting my IP address)
I know being in stealth mode is hard to obtain more information. But knowing what program is causing the attempt could help us IF it is persistent to contact that software support. Besides the IP address this would be something else to aid in analyzing what is happening.
Wonder if Melih might see if enough information might be gleaned from blocked attempts while stealthed with the Comodo Firewall Pro?
(Little Mac is there a quicker way to obtain a new IP address, than to let the PC sit OFF for several hours after running IPconfig /release and unplugging the modem?)
IF I receive a reply I will repost here.
Thank You again,
Just received a reply from Joost Support.
" It’s a known issue.
After you exit the program, and you turned off the icon on the taskbar.
Can you press ctrl+alt+del and see if the process tvprunner.exe is still
running or not?
It should not be in the process list but if it is, then it will continue
with requests. "
Well, there you go! Glad they followed up so promptly, and succinctly.
As far as obtaining a new IP address, sure you can. Go to Start/Run, type “cmd” (no quotes). When the DOS window opens, type “ipconfig /release” at the prompt (again, no quotes). This will clear out your IP lease. Then type “ipconfig /renew” to get the new one.
PS: I’ll close out the topic now, since you know the answer. If you need it reopened, just PM a Moderator (please include a link back here) and we’ll reopen it for you.
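The two checks this thread arrives at (is any local process bound to UDP port 30394, and is tvprunner.exe still running after the application was closed), as an added PowerShell example that is not part of the original posts. It assumes Windows 10 or later, where `Get-NetUDPEndpoint` reports the owning process; the port and process name are the ones given in the thread.

```powershell
# Added example; port and process name are taken from the thread.
$Port     = 30394
$ProcName = 'tvprunner'   # tvprunner.exe, without the extension

# 1. Which local process, if any, has a UDP socket bound to the port?
#    A firewall log of blocked inbound packets cannot name an application;
#    the local socket table can, as long as something is still listening.
$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if ($endpoints) {
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            PID          = $ep.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path         = if ($proc) { $proc.Path } else { $null }
        }
    }
} else {
    "No local process is bound to UDP port $Port."
}

# 2. Is the helper process still running after the application was closed?
$left = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
if ($left) {
    $left | Select-Object Id, ProcessName, StartTime, Path
} else {
    "$ProcName is not running."
}
```

Run it from an elevated prompt so the executable path of processes owned by other accounts is readable. If step 1 finds nothing while the firewall keeps logging blocks on the port, no local program is listening and the packets are unsolicited inbound traffic.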