IE8 outbound dest port TCP 4000

Running XP SP3 fully patched, Comodo v4 latest release.

Comodo installed as Firewall - Proactive. Both Firewall and Defense+ set to Safe. Firewall set stealth.

I was doing some firewall integrity testing last night. Was surprised to see in the Comodo firewall an entry for IE8 for TCP out dest port 4000. Now I use the “canned” web browser rule Comodo provides and have never seen anything TCP outbound except to port 80 or 443 since I converted to Comodo ver. 4.

Appears one of the test exploits was able to “dial out” to port 4000 using TCP. This appears to have overridden the “TCP Ports” associated with the outbound HTTP traffic rule in the Comodo web browser rule.

[attachment deleted by admin]

When I look at your firewall logs I see allowed outgoing traffic being logged. Did you change the Browser policy for that purpose; if so can you show us your adapted browser policy? Or did you change the Global Rules for this purpose?

Here are the first part of my rules including the IE rule which is just the std. Comodo web browser rule with logging enabled for all detail rules.

[attachment deleted by admin]

That looks like a bug to me.

To exclude a configuration error, are you willing to do a clean install for testing purposes? When doing the clean install, export your configuration first so you can import it later (that will save you the process of having to set up your rules again).

Hi Eric,

This is a clean install of ver. 4 with one update to release .482. Prior to installation, I pulled my ethernet cable and used Revo Uninstaller to uninstall all traces of Comodo 3. I then manually purged all traces of Comodo from my HDD and XP registry. I also rebooted multiple times to verify all traces were gone. I then installed ver. 4 using a stand-alone installer download.

I want to keep things as they are with my current Comodo setup. I have things running well and I know from past experience with ver. 3 that a reinstall does not always work well. I have not seen any other abnormal activity other than what I will mention below.

The web sites I was using for exploit testing when the port 4000 activity occurred were HackerWacker, HackWatch, and PCFlack. My above pic of my firewall log IP addresses should point you to the likely offender.

I will also mention that I really don’t care for the Comodo default stealth ports rules. They leave the NetBIOS ports 137 and 138 wide open. TCPView will use port 137 for web IP address resolution. I also caught java.exe trying to use port 137 to external web IP addresses. As you will notice, I have added LAN rules to System, svchost, and OS to control those ports. I have never bought the argument given in the forums about disabling NetBIOS in TCP/IP. I tried that and my flaky m/b NIC choked on DHCP.
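As an added illustration (not code from this thread or from Comodo), here is a small Python check that re-reads "allowed" outbound log entries against the port policy the browser rule is meant to enforce, so an entry like IE8 to TCP 4000 stands out even though the firewall logged it as allowed; it also flags NetBIOS ports reaching non-LAN addresses, as in the java.exe case above. The log line format, the LAN range 192.168.1.0/24, the destination addresses and the sample lines are constructed assumptions, not Comodo's real log format.

```python
# Added example: audit "allowed" outbound log entries against the
# intended per-application port policy. Log format is hypothetical.
import ipaddress
import re
from dataclasses import dataclass

# Intended policy from the thread: the browser rule should only let
# iexplore.exe go TCP outbound to 80 and 443.
POLICY = {"iexplore.exe": {"tcp": {80, 443}}}
NETBIOS_PORTS = {137, 138, 139}
# Assumed LAN range; NetBIOS to anything outside it is suspicious.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log (hypothetical format):
# app action proto src_ip:src_port dst_ip:dst_port
SAMPLE_LOG = """\
iexplore.exe Allowed TCP 192.168.1.10:1234 203.0.113.5:80
iexplore.exe Allowed TCP 192.168.1.10:1235 203.0.113.5:443
iexplore.exe Allowed TCP 192.168.1.10:1236 203.0.113.9:4000
java.exe Allowed UDP 192.168.1.10:137 198.51.100.7:137
svchost.exe Blocked TCP 192.168.1.10:1300 198.51.100.8:445
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)$")


@dataclass(frozen=True)
class Finding:
    app: str
    proto: str
    dst_ip: str
    dst_port: int
    reason: str


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def audit(log_text, policy=POLICY, netbios_ports=NETBIOS_PORTS):
    """Return findings for allowed entries that contradict the policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        app, action, proto, _src, _sport, dst_ip, dport = m.groups()
        proto, dport = proto.lower(), int(dport)
        if action.lower() != "allowed":
            continue  # blocked traffic was already stopped by the firewall
        allowed = policy.get(app, {}).get(proto)
        if allowed is not None and dport not in allowed:
            findings.append(Finding(app, proto, dst_ip, dport, "port outside application policy"))
        if dport in netbios_ports and not is_lan(dst_ip):
            findings.append(Finding(app, proto, dst_ip, dport, "NetBIOS port to non-LAN address"))
    return findings
```

Run `audit(SAMPLE_LOG)` to get two findings: the iexplore.exe connection to port 4000 and the java.exe NetBIOS traffic to an external address.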