A. THE BUG/ISSUE:
ICMPv6 connections, which are part of Neighbor Discovery protocol in my case (Neighbor Solicitation, Router Advertisement, etc.), comes (causing asking pop-up) to completely random running processes, most of them are standalone and never use any IP protocol. This is longstanding bug from the very first time IPv6 support was introduced in COMODO. Moreover, I see another firewall which does exact the same - assing ICMPv6 to random running proces - it was PC Tools Firewal, so it may be Windows 7 bug or the some sort of identical misinterpretation how IP stack works. And no, I can’t turn off IPv6 firewall to disable those annoying pop-ups because I need it. Yes, I have fe80::/10 in my trusted zone. Hope it will be fixed sometimes.
What you did:Installed IPv6 local net with IPv6 router, st as trusted in CIS, let machine on network run as normal
What actually happened or you actually saw:pop-ups telling that connections is made by random running processes, including ones which never use any IP.
What you expected to happen or see:No popups from unrelated processes.
How you tried to fix it & what happened:As suggested workaround at this forum I add ‘All Applications’ rule placed at the very top, allowing ICMPv6 from fe80::/10 to fe80::/10, but I need to move it again to the top each time new pop-up auto-rule is created, since such rules are placed to the top automatically. Very rare I notice the same random process problem, but with IGMP on 22.214.171.124 (obviously workaround will be the same).
If a software compatibility problem have you tried the compatibility fixes (link in format)?:No
Details & exact version of any software (execpt CIS) involved (with download link unless malware):No other soft in my testing case installed. The packets can be attributed to many different files even notepad.exe. One example file to which the packets are attributed by CIS is Itsecmng.exe from the Toshiba bluetooth stack for windows dowloadable from here.
Whether you can make the problem happen again, and if so precise steps to make it happen:Just set up plain IPv6 local net with IPv6 capable router.
B. FILES APPENDED. (Please zip unless screenshots).:No.
Screenshots of the Defense plus Active Processes List (Required for all issues):Defense is turned off completely. Task list instead: http://i.imgur.com/g35Dj.png
Screenshots illustrating the bug:Just usual connection made by program pop-up, local fe80::/10 address space and ICMPv6 type. http://i.imgur.com/q5XTl.png
Screenshots of related CIS event logs:No events
A CIS config report or file:Nothing unusual there
Crash or freeze dump file:None
Screenshot of More~About page. Can be used instead of typed product and AV database version:This bug is from the very first COMODO version where IPv6 introduced and left untouched since those times. CIS version 5.9.219863/2196. No AV installed.
C. YOUR SETUP:
CIS version, AV database version & configuration:5.9.219863/2196. No AV installed. Firewall Security
a) Have you updated (without uninstall) from a previous version of CIS:
I try this way but nothing is changed.
b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
I try this way but nothing is changed.
a) Have you imported a config from a previous version of CIS:
It happens with clean or not clean config - no difference.
b) if so, have U tried a standard config (without losing settings - if not please do)?:
Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):No
Defense+, Sandbox, Firewall & AV security levels:No Defense, Sandbox or AV, Firewall only
OS version, service pack, number of bits, UAC setting, & account type:
Win7 Ultimate SP1 32bit eng, UAC is turned off, admin acc
Other security and utility software currently installed:
Other security software previously installed at any time since Windows was last installed:No
Virtual machine used (Please do NOT use Virtual box)[color=blue]:No
Thank you very much for your bug report in standard format. We appreciate the trouble you have taken with this.
The following items of required information missing from your post
active process list (please turn D+ on the collect this, or give a task manager screenshot)
identity of some sample processes from which these alerts seem to be coming (with download links if possible)
This is to eliminate the possibility of complex software interactions.
I’ve edited A.1 - please check this for accuracy.
We would be grateful if you would add these items of information so we can forward this post to the format verified board. You can find assistance using red links in the format - if you need further help please ask a mod. If you do not add the information after a week we may forward this post to non-format.
In the current process we will normally leave it up to you whether you want to make a report which meets all the criteria or not. We may remind you if we think a bug of particular importance.
I’m not 100% convinced either but from the top of my head Microsoft Network Monitor traces these to svchost and CIS seems to connect them to all kinds of apps.
I’ll see if I can make a capture with NM to see if that sheds some light.
I’m not sure ND/NS/NA/RS are process specific, there’s certainly no PID associated with any of these in NM. When you think about it, ND is just glorified ARP for IPv6. I think once we get ‘proper’ ICMPv6 filtering, things will be easier to manage, until then I’d suggest doing something like this.
Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.
Developers may or may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.
Assigning ICMPv6 to completely random process may be not issue by itself, but popups from such processes is the issue, forcing user to either constantly close them each time or allow all programs (such as Calculator or Notepad or something else) to connect to internet.
I found that full workaround is more complex than just allow fe80:/10 because of broadcasts, initial address requests etc.
Currently I use following zones: http://i.imgur.com/TDZz9.png
With “All Aplications” rules:
Allow IP In/Out From In [Local Area Network #1] To In [Local Area Network #1] Where Protocol Is Any
Allow IP In/Out From In [Loopback Zone] To In [Local Area Network #1] Where Protocol Is Any
Of course I know that, but 1) average user don’t 2) allowing it allows all internet connections when Alert Setting is set to Very Low (which is common case to reduce popups in general), 3) blocking it at any Alert Settings level can do some harm if either process really needs internet connection later or to NDP and 4) just repeatedly closing such popups is very tiresome.
If some process already have Allow All or Block All rule, of course no popup happens.
We can but hope. Unfortunately, the chap in charge of development of CIS, is on record saying that completing support for IPv6 wasn’t a priority, mind you that was a couple of versions ago. Seems to me version 6 of CIS, would be a good version to complete the support