ICMP Logs

Let me start off by confessing that I am very much a beginner here. However, I have managed to reproduce the unrequested logged blocks that Iomayok describes. I have managed this by having an application rule for svchost.exe which has a final rule of “Block but do NOT log”. At the same time in global rules I have an “Allow and log ICMP out from IP any to IP any where ICMP message is echo request” rule. This has resulted in a log:

svchost / Blocked / 192.168.0.13 / Type(eight) / 82.144.228.22 / Code(0)

Now, my theory is that svchost tries to send a ping to 82.144.228.22 (no idea why!!), this is then blocked by the application rule (but not logged) and it is then allowed by the global rule. Comodo then logs this as a blocked attempt (which it is) but by a quirk of the programming logs the episode as a result of the allow and log in the global rules.

All sounds a little far-fetched I know, but my experimentation so far appears to support this theory. I guess it is only going to surface if you have some allow and log rules set up … which I guess people only do when they are meddling like I am. My purpose in doing so was only exploratory as I tried to identify why each rule is in place (I have essentially adopted the rules as suggested by Gibran in other threads). Hope this spreads more light on the situation as opposed to muddying more waters!!
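To make the theory above concrete, here is a small added model (not Comodo's code and not from any poster) of the two-tier outbound evaluation described: application rules first, then global rules, each rule carrying its own log flag. The `quirk` switch assumes the verdict is taken from the blocking application rule while the log flag is taken from the global rule that would have matched; with the constructed rule sets below that reproduces the "Blocked" line from the post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "allow" or "block"
    log: bool                        # whether a hit on this rule writes a log entry
    icmp_type: Optional[int] = None  # None matches any ICMP type

@dataclass
class Packet:
    app: str
    src: str
    dst: str
    icmp_type: int
    icmp_code: int = 0

def first_match(rules, pkt):
    """Rules are ordered top-down; the first one matching the ICMP type wins."""
    for rule in rules:
        if rule.icmp_type is None or rule.icmp_type == pkt.icmp_type:
            return rule
    return None

def evaluate_outbound(app_rules, global_rules, pkt, quirk=False):
    """Return (verdict, logged). Application rules are consulted before global rules.
    quirk=False: a blocking application rule decides both verdict and log flag.
    quirk=True : verdict from the application rule, log flag from the global rule
                 (assumed behaviour modelling the poster's theory)."""
    app_rule = first_match(app_rules, pkt)
    if app_rule is not None and app_rule.action == "block":
        if not quirk:
            return "Blocked", app_rule.log
        glob = first_match(global_rules, pkt)
        return "Blocked", (glob.log if glob is not None else app_rule.log)
    glob = first_match(global_rules, pkt)
    if glob is None:                 # nothing matched: default block, not logged
        return "Blocked", False
    return ("Allowed" if glob.action == "allow" else "Blocked"), glob.log

def log_line(pkt, verdict):
    """Format an entry in the style of the log quoted in the thread."""
    return f"{pkt.app} / {verdict} / {pkt.src} / Type({pkt.icmp_type}) / {pkt.dst} / Code({pkt.icmp_code})"

# Constructed sample: svchost's rule set ends in "block but do NOT log";
# the global rules allow and log outbound echo requests (ICMP type 8).
SVCHOST_RULES = [Rule("block", log=False)]
GLOBAL_RULES = [Rule("allow", log=True, icmp_type=8)]
PING = Packet("svchost", "192.168.0.13", "82.144.228.22", icmp_type=8)

def demo(quirk):
    """The log entry produced for PING, or None when the hit is not logged."""
    verdict, logged = evaluate_outbound(SVCHOST_RULES, GLOBAL_RULES, PING, quirk=quirk)
    return log_line(PING, verdict) if logged else None
```

`demo(False)` returns None (a silent block), while `demo(True)` returns the same "svchost / Blocked / ..." entry the post shows, which is exactly the symptom the theory explains.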

What should be at the top and at the bottom of this list? Is it okay in any order?

http://i2.tinypic.com/86pb5sx.png

To my knowledge, there is no order in the Predefined Firewall Policies. These seem to be used simply as a convenience for writing rules as a group, and then giving that group a name. Individual applications can then be tagged with that name for the rules to apply to that application. Then when you have to make a change, you need only make the change in one place, and it gets used by all the applications that use that rule group.

The thought occurred to me that maybe one of the predefined firewall policies is getting tripped.
You could be right on this one grue155. After turning off and on the logging in predefined policies, nothing is being logged anymore. All the logging is on but not a single log after an overnight of downloading. Will try to reboot now and observe if everything stays the same.

Why should this be necessary if there is a global rule that blocks the ICMP traffic? If it is globally blocked IN it shouldn’t matter what applications are set to.

From what I see from the screenshots, it’s the svchost.exe application that’s getting logged, not the system. Try putting that rule you made for the System application for svchost.exe and that will further stop your logging.