My computer has displayed a new log entry that hasn’t shown up since I installed the firewall. It said system was sending below 100 bytes in (can’t remember the exact number), but my log only shows IGMP being sent out as being blocked, yet the connection looked active. I can only find this entry in my log. Could someone help me put my mind at rest?
PS: Something was blocked from attacking my HOST file, help please? And another IP address trying an inbound attack - 126.96.36.199, this time using ICMP.
Why have these attacks started, as I never used to get ICMP and IGMP?
Dailyfree is correct; the 224.x.x.x is a multicast address. Multicast has a group of IP addresses assigned for network usage (intranet, not internet) for a “shout out” to the entire network to see who responds. These are used by routers, networked printers, instant messaging clients, game units, and so on. Some people get a lot of IGMP traffic, some get very little or none (a lot of it depends on individual configuration).
The ICMP Host Access Prohibited is just a subset of ICMP Unreachable. I’ll try to explain this in a way that makes sense (wish me luck!). You’ll note that the connection attempt was Inbound. Windows has something called the TCP/IP Stack; this is what the Windows Firewall uses to filter traffic, and is what coordinates the in and out flow, making sure that all applications know who’s talking to whom. CFP intercepts and blocks the traffic PRIOR to it being able to reach the TCP/IP Stack; thus, the system cannot interpret and coordinate with applications/processes. So CFP forwards a message to the TCP/IP Stack to pass along to the appropriate application or process that needs to know. This has nothing to do with your Hosts file.
And no, CFP does not have any integrated function to protect the Hosts file. I believe v3 can probably accomplish this, but most likely not in the way that you’re used to from ZA. If you want to protect the Hosts file, there are a number of low-profile applications that do just that.
As far as why you are only now seeing ICMP & IGMP being blocked in your logs, I can’t answer for you. Something has changed with your system, though. New hardware, software, drivers, etc., could account for IGMP Outbound (which will be blocked, as CFP does not allow it by default). Neither ICMP nor IGMP, as far as I know, are considered to be a security threat.
It’s possible the ICMP were attempts by a website to ping you; this does happen on occasion. It’s also very common if you use any p2p applications.
PS: Sorry a response to your question has taken so long…
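An added example, not part of the original posts and not Comodo's code: the triage described in the reply above (IGMP to 224.x.x.x multicast groups, ICMP "host prohibited" as a code of ICMP Unreachable), written in Python. The log line layout and the sample entries are assumptions constructed for illustration; they are not CFP's log format.

```python
import ipaddress

# ICMP type 3 (Destination Unreachable) codes that report an administrative block.
ADMIN_PROHIBITED = {
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # multicast that never leaves the LAN

# Constructed sample entries: direction, protocol, source, destination, optional ICMP fields.
SAMPLE_LOG = [
    "OUT IGMP 192.168.1.10 224.0.0.22",
    "IN ICMP 203.0.113.7 192.168.1.10 type=3 code=10",
    "IN ICMP 203.0.113.9 192.168.1.10 type=8 code=0",
    "OUT IGMP 192.168.1.10 198.51.100.4",
]

def classify(line):
    """Return a short triage label for one blocked-traffic log line."""
    fields = line.split()
    direction, proto, src, dst = fields[:4]
    extra = dict(f.split("=", 1) for f in fields[4:])
    dst_ip = ipaddress.ip_address(dst)
    if proto == "IGMP":
        if dst_ip.is_multicast:
            scope = "link-local" if dst_ip in LOCAL_CONTROL else "routed"
            return f"multicast group traffic ({scope})"
        # IGMP is only meaningful towards multicast groups, so this deserves a look.
        return "review: IGMP to a non-multicast destination"
    if proto == "ICMP":
        icmp_type = int(extra.get("type", -1))
        icmp_code = int(extra.get("code", -1))
        if icmp_type == 3:
            return "unreachable: " + ADMIN_PROHIBITED.get(icmp_code, f"code {icmp_code}")
        if icmp_type == 8:
            return "echo request (ping)"
        return f"review: ICMP type {icmp_type}"
    return "review: unhandled protocol"

def needs_review(lines):
    """Keep only the entries the rules above could not explain as routine."""
    return [l for l in lines if classify(l).startswith("review:")]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(f"{entry:50} -> {classify(entry)}")
```

Entries labelled `review:` are the ones worth reading by hand; the rest match the routine patterns the reply describes.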
Well, I had thought that v3 did not automatically protect the hosts file, but I knew it could be configured to do so. So I checked, and voila! It was already there.
So the answer is yes, v3 automatically protects the hosts file. See the attached screenshot. What it does is define that file (as highlighted) in the Protected Files section of the Defense + (HIPS) module. Thus, anything that tries to modify that file would prompt an alert.
Alternately, you could take it out of the Protected list and put it in the Locked list, thus preventing any changes, period.
If you use Spybot S&D, you can lock your HOSTS file using that. Switch to the Advanced menu, then click Tools in the menu on the left and checkmark the option: “IE Tweaks”. You’ll see that description appear in the left-hand menu. Click that link and then, at the top, checkmark the options you want to protect.