ICMPv6 from NDP are assigned to random running processes causing asking pop-ups

A. THE BUG/ISSUE:
ICMPv6 connections, which are part of Neighbor Discovery protocol in my case (Neighbor Solicitation, Router Advertisement, etc.), come (causing asking pop-up) to completely random running processes, most of them are standalone and never use any IP protocol. This is a longstanding bug from the very first time IPv6 support was introduced in COMODO. Moreover, I see another firewall which does exactly the same - assign ICMPv6 to random running process - it was PC Tools Firewall, so it may be a Windows 7 bug or some sort of identical misinterpretation how IP stack works. And no, I can’t turn off IPv6 firewall to disable those annoying pop-ups because I need it. Yes, I have fe80::/10 in my trusted zone. Hope it will be fixed sometimes.

  1. What you did: Installed IPv6 local net with IPv6 router, set as trusted in CIS, let machine on network run as normal
  2. What actually happened or you actually saw: pop-ups telling that connections are made by random running processes, including ones which never use any IP.
  3. What you expected to happen or see: No popups from unrelated processes.
  4. How you tried to fix it & what happened: As suggested workaround at this forum I add ‘All Applications’ rule placed at the very top, allowing ICMPv6 from fe80::/10 to fe80::/10, but I need to move it again to the top each time new pop-up auto-rule is created, since such rules are placed to the top automatically. Very rarely I notice the same random process problem, but with IGMP on 224.0.0.2 (obviously workaround will be the same).
  5. If a software compatibility problem have you tried the compatibility fixes (link in format)?: No
  6. Details & exact version of any software (except CIS) involved (with download link unless malware): No other soft in my testing case installed. The packets can be attributed to many different files even notepad.exe. One example file to which the packets are attributed by CIS is Itsecmng.exe from the Toshiba bluetooth stack for windows downloadable from here.
  7. Whether you can make the problem happen again, and if so precise steps to make it happen: Just set up plain IPv6 local net with IPv6 capable router.
  8. Any other information (eg your guess regarding the cause, with reasons): The same thing happens on a machine with a clean Win 7 install and no third party software at all (in no security software) running.
    https://forums.comodo.com/firewall-help-cis/random-icmpv6-connections-how-to-judge-t77575.0.html

B. FILES APPENDED. (Please zip unless screenshots).:No.

  1. Screenshots of the Defense plus Active Processes List (Required for all issues):Defense is turned off completely. Task list instead: http://i.imgur.com/g35Dj.png
  2. Screenshots illustrating the bug:Just usual connection made by program pop-up, local fe80::/10 address space and ICMPv6 type. http://i.imgur.com/q5XTl.png
  3. Screenshots of related CIS event logs:No events
  4. A CIS config report or file:Nothing unusual there
  5. Crash or freeze dump file:None
  6. Screenshot of More~About page. Can be used instead of typed product and AV database version:This bug is from the very first COMODO version where IPv6 introduced and left untouched since those times. CIS version 5.9.219863/2196. No AV installed.

C. YOUR SETUP:

  1. CIS version, AV database version & configuration:5.9.219863/2196. No AV installed. Firewall Security
  2. a) Have you updated (without uninstall) from a previous version of CIS:
    I try this way but nothing is changed.
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
    I try this way but nothing is changed.
  3. a) Have you imported a config from a previous version of CIS:
    It happens with clean or not clean config - no difference.
    b) if so, have U tried a standard config (without losing settings - if not please do)?:
    Yes
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):No
  5. Defense+, Sandbox, Firewall & AV security levels:No Defense, Sandbox or AV, Firewall only
  6. OS version, service pack, number of bits, UAC setting, & account type:
    Win7 Ultimate SP1 32bit eng, UAC is turned off, admin acc
  7. Other security and utility software currently installed:
    No.
  8. Other security software previously installed at any time since Windows was last installed:No
  9. Virtual machine used (Please do NOT use Virtual box): No

Thank you very much for your bug report in standard format. We appreciate the trouble you have taken with this.

The following items of required information missing from your post

  • active process list (please turn D+ on to collect this, or give a task manager screenshot)
  • identity of some sample processes from which these alerts seem to be coming (with download links if possible)

This is to eliminate the possibility of complex software interactions.

I’ve edited A.1 - please check this for accuracy.

We would be grateful if you would add these items of information so we can forward this post to the format verified board. You can find assistance using red links in the format - if you need further help please ask a mod. If you do not add the information after a week we may forward this post to non-format.

In the current process we will normally leave it up to you whether you want to make a report which meets all the criteria or not. We may remind you if we think a bug of particular importance.

Best wishes

Mouse

Oh sorry and a screen shot of a sample alert please

Ta!

Mouse

I have the same issue.

Thanks Ronny. Could you supply alert screenshot, APL etc then, if so will forward straight away and add to known issues list

(Incidentally I’ve enabled the setting, and have an IPv6 board, but don’t have these alerts yet. Probably because rest of network is not IPv6 yet?)

Best wishes and many thanks in anticipation

Mike

I’m not 100% convinced this is an issue. Windows firewall behaves the same way and if one reads the RFC for ND, this behaviour is pretty normal.

Hmm I’ll leave Ronny to discuss, if he does not mind, beyond me…

I’m not 100% convinced either but from the top of my head Microsoft Network Monitor traces these to svchost and CIS seems to connect them to all kinds of apps.
I’ll see if I can make a capture with NM to see if that sheds some light.

I’m not sure ND/NS/NA/RS are process specific, there’s certainly no PID associated with any of these in NM. When you think about it, ND is just glorified ARP for IPv6. I think once we get ‘proper’ ICMPv6 filtering, things will be easier to manage, until then I’d suggest doing something like this.

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

Assigning ICMPv6 to a completely random process may not be an issue by itself, but popups from such processes are the issue, forcing the user to either constantly close them each time or allow all programs (such as Calculator or Notepad or something else) to connect to internet.

Agreed it would make sense to do what is done with ndp on v4 networks. Alert citing system as source until trusted network defined, thereafter silent. Logging may be a different issue…

I found that the full workaround is more complex than just allowing fe80::/10 because of broadcasts, initial address requests etc.
Currently I use the following zones:
http://i.imgur.com/TDZz9.png
With “All Applications” rules:
Allow IP In/Out From In [Local Area Network #1] To In [Local Area Network #1] Where Protocol Is Any
Allow IP In/Out From In [Loopback Zone] To In [Local Area Network #1] Where Protocol Is Any
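
Why a rule limited to fe80::/10 on both sides does not cover all Neighbor Discovery traffic, as an added example that is not part of the thread and is not Comodo's rule engine: it compares that rule with a hypothetical NDP-only rule over constructed sample packets. It assumes a link that uses only link-local addressing; NS/NA exchanged between global or ULA addresses are out of scope.

```python
import ipaddress

# ICMPv6 types that make up Neighbor Discovery (RFC 4861).
NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
LINK_MCAST = ipaddress.ip_network("ff02::/16")  # link-local scope multicast
UNSPECIFIED = ipaddress.ip_address("::")        # source used during DAD

def narrow_rule(src, dst):
    """The rule from the first post: ICMPv6 from fe80::/10 to fe80::/10."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in LINK_LOCAL and d in LINK_LOCAL

def ndp_rule(icmp_type, src, dst, hop_limit):
    """Hypothetical tighter rule: NDP types only, on-link only."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if icmp_type not in NDP_TYPES:
        return False
    # RFC 4861: receivers discard NDP messages whose hop limit is not 255,
    # which shows the packet did not pass through a router.
    if hop_limit != 255:
        return False
    src_ok = s in LINK_LOCAL or s == UNSPECIFIED
    dst_ok = d in LINK_LOCAL or d in LINK_MCAST
    return src_ok and dst_ok

# Constructed sample packets: (label, icmp_type, src, dst, hop_limit)
SAMPLES = [
    ("DAD neighbor solicitation", 135, "::", "ff02::1:ff00:1234", 255),
    ("router solicitation", 133, "fe80::1234", "ff02::2", 255),
    ("router advertisement", 134, "fe80::1", "ff02::1", 255),
    ("unicast neighbor advertisement", 136, "fe80::1", "fe80::1234", 255),
    ("router advertisement, hop limit 64", 134, "fe80::1", "ff02::1", 64),
    ("echo request", 128, "fe80::1", "fe80::1234", 64),
]

def compare(samples=SAMPLES):
    """Return {label: (narrow_rule result, ndp_rule result)}."""
    return {label: (narrow_rule(src, dst), ndp_rule(t, src, dst, hop))
            for label, t, src, dst, hop in samples}

if __name__ == "__main__":
    for label, (narrow, ndp) in compare().items():
        print(f"{label:38} narrow={narrow!s:5} ndp={ndp}")
```

The narrow rule misses the multicast and unspecified-source messages, which is why alerts continue after fe80::/10 is trusted.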

They’re not Internet connection requests, they’re link local. Personally, the only time I saw one of these alerts, was for a process with an existing firewall rule.

Interesting consideration. I don’t have a need for ULA addresses and the only multicast traffic I see is for all nodes.

Of course I know that, but 1) the average user doesn’t 2) allowing it allows all internet connections when Alert Setting is set to Very Low (which is common case to reduce popups in general), 3) blocking it at any Alert Settings level can do some harm if either process really needs internet connection later or to NDP and 4) just repeatedly closing such popups is very tiresome.
If some process already has an Allow All or Block All rule, of course no popup happens.

It’s all a bit moot really, as we still don’t have the complete implementation of IPv6. I guess if there’s still an issue once it’s done, we can revisit the situation.

It will be better to prepare to World IPv6 Launch - June 6th 2012 :)

We can but hope. Unfortunately, the chap in charge of development of CIS, is on record saying that completing support for IPv6 wasn’t a priority, mind you that was a couple of versions ago. Seems to me version 6 of CIS, would be a good version to complete the support :)

Oops! Just found that absolutely ANY IPv6/mask pair (but not single IPv6 address) added to the trusted network zone at the same time allows ALL IPv6 addresses too! ???