IGMP Out and Host Attacks?

My computer has displayed a new log entry that hasn’t shown up since I installed the firewall. It said system was sending below 100 bytes in (can’t remember the exact number), but my log only shows IGMP being sent out as being blocked, yet the connection looked active. I can only find this entry in my log. Could someone help me put my mind at rest?

224.0.0.22 (destination)

PS: something was blocked from attacking my HOST file, help please? And another IP address trying an inbound attack - 219.90.132.11, this time using ICMP.

Why have these attacks started, as I never used to get ICMP and IGMP?

224.0.0.0-235.255.255.255

Above are, in my humble opinion, multicast addresses. Totally harmless, but you can block it. No harm at all, it’s the built-in behaviour of all routers.

Regards,
Dailyfree

So what’s happening? Is it something trying to change my HOST file or something?

(see below)

Date/Time :2007-09-14 22:44:18
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = HOST ACCESS PROHIBITED)
Protocol:ICMP Incoming
Source: 63.99.109.104 Destination: 79.74.112.231
Message: HOST ACCESS PROHIBITED
Reason: Network Control Rule ID = 5

Date/Time :2007-09-14 22:28:14
Severity :Medium
Reporter :Network Monitor
Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Incoming
Source: 200.180.59.103 Destination: 79.74.112.231
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 5

Does Comodo protect a user’s HOST file like ZoneAlarm does (i.e. a special inbuilt function to stop changes being made against a user’s will)?

Dailyfree is correct; the 224.x.x.x is a multicast address. Multicast has a group of IP addresses assigned for network usage (intranet, not internet) for a “shout out” to the entire network to see who responds. These are used by routers, networked printers, instant messaging clients, game units, and so on. Some people get a lot of IGMP traffic, some get very little or none (a lot of it depends on individual configuration).

The ICMP Host Access Prohibited is just a subset of ICMP Unreachable. I’ll try to explain this in a way that makes sense (wish me luck!). You’ll note that the connection attempt was Inbound. Windows has something called the TCP/IP Stack; this is what the Windows Firewall uses to filter traffic, and is what coordinates the in and out flow, making sure that all applications know who’s talking to whom. CFP intercepts and blocks the traffic PRIOR to it being able to reach the TCP/IP Stack; thus, the system cannot interpret and coordinate with applications/processes. So CFP forwards a message to the TCP/IP Stack to pass along to the appropriate application or process that needs to know. This has nothing to do with your Hosts file.

And no, CFP does not have any integrated function to protect the Hosts file. I believe v3 can probably accomplish this, but most likely not in the way that you’re used to from ZA. If you want to protect the Hosts file, there are a number of low-profile applications that do just that.

As far as why you are only now seeing ICMP & IGMP being blocked in your logs, I can’t answer for you. Something has changed with your system, though. New hardware, software, drivers, etc., could account for IGMP Outbound (which will be blocked, as CFP does not allow it by default). Neither ICMP nor IGMP, as far as I know, is considered to be a security threat.

It’s possible the ICMP were attempts by a website to ping you; this does happen on occasion. It’s also very common if you use any p2p applications.

LM

PS: Sorry a response to your question has taken so long…
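The two ICMP entries quoted in the thread, run through a small triage script that pulls out the fields and separates multicast traffic from ICMP Destination Unreachable errors. This is an added example, not part of any post and not Comodo's code; the IGMP entry, its "Outgoing" wording, the 192.168.1.10 source and the mapping of "HOST ACCESS PROHIBITED" to ICMP code 10 are assumptions.

```python
import ipaddress
import re

# The two ICMP entries quoted in the thread, each joined onto one line.
THREAD_ENTRIES = [
    "Date/Time :2007-09-14 22:44:18Severity :MediumReporter :Network Monitor"
    "Description:Inbound Policy Violation (Access Denied, ICMP = HOST ACCESS PROHIBITED)"
    "Protocol:ICMP IncomingSource: 63.99.109.104 Destination: 79.74.112.231 "
    "Message: HOST ACCESS PROHIBITED Reason: Network Control Rule ID = 5",
    "Date/Time :2007-09-14 22:28:14Severity :MediumReporter :Network Monitor"
    "Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)"
    "Protocol:ICMP IncomingSource: 200.180.59.103 Destination: 79.74.112.231 "
    "Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5",
]
# Constructed entry for the blocked IGMP report; wording and source are assumed.
CONSTRUCTED_IGMP = ("Protocol:IGMP OutgoingSource: 192.168.1.10 "
                    "Destination: 224.0.0.22 Reason: Network Control Rule ID = 5")

FIELDS = re.compile(
    r"Protocol:\s*(?P<proto>[A-Z]+)\s+(?P<dir>Incoming|Outgoing)\s*"
    r"Source:\s*(?P<src>[\d.]+)\s+Destination:\s*(?P<dst>[\d.]+)"
    r"(?:\s+Message:\s*(?P<msg>.+?))?\s+Reason:", re.S)

# ICMP type 3 (Destination Unreachable) codes. Mapping the firewall's label
# "HOST ACCESS PROHIBITED" to code 10 is an assumption.
UNREACHABLE = {"PORT UNREACHABLE": 3, "HOST ACCESS PROHIBITED": 10}

def triage(entry):
    """Extract protocol, direction and addresses, then attach a verdict."""
    m = FIELDS.search(entry)
    if m is None:
        return None
    rec = m.groupdict()
    if ipaddress.ip_address(rec["dst"]).is_multicast:  # IPv4: 224.0.0.0/4
        rec["verdict"] = "multicast group traffic on the local network"
    elif rec["proto"] == "ICMP" and rec["msg"] in UNREACHABLE:
        rec["verdict"] = ("ICMP type 3 code %d: error reply, not a connection attempt"
                          % UNREACHABLE[rec["msg"]])
    else:
        rec["verdict"] = "needs manual review"
    return rec

if __name__ == "__main__":
    for e in THREAD_ENTRIES + [CONSTRUCTED_IGMP]:
        r = triage(e)
        print(r["src"], "->", r["dst"], r["proto"], r["dir"], "|", r["verdict"])
```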

Thanks for the reply mate. If anyone has anything to add that they found helpful, that would be great.

PS: is it very important to protect the HOST file, or will anti-spyware detect any unlawful entries? If not, what programs are available that can protect it that don’t conflict with Comodo or Avast?

Does anyone know if this function will be added to the next firewall version?

Here’s a handy link with some info about Hosts file. Toward the bottom are some links to apps that will help you secure it (spywareblaster, winpatrol, hostsman).

Here’s another good one with lots of info and helpful links:

LM

Thanks Little Mac, you have helped me out a lot since I joined these forums. I can’t thank you enough.

Does anyone know if the next version of Comodo will have HOST protection built in?

No problem at all; glad to help!

Well, I had thought that v3 did not automatically protect the hosts file, but I knew it could be configured to do so. So I checked, and voila! It was already there.

So the answer is yes, v3 automatically protects the hosts file. See the attached screenshot. What it does is, defines that file (as highlighted) in the Protected Files section of the Defense + (HIPS) module. Thus, anything that tries to modify that file would prompt an alert.

Alternately, you could take it out of the Protected list and put it in the Locked list, thus preventing any changes, period.

LM

[attachment deleted by admin]
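A check that can run alongside the HIPS protection described above: compare the hosts file against a saved baseline and report every mapping that was added or changed. This is an added example, not Comodo's mechanism and not from any post; the file contents, hostnames and addresses are constructed.

```python
import hashlib
import ipaddress

# Constructed sample contents; hostnames and addresses are illustrative only.
BASELINE = """# sample hosts file
127.0.0.1       localhost
"""
CURRENT = """# sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net      # blocklist-style entry
203.0.113.7     update.example.com   # points a name at a remote address
"""

def parse_hosts(text):
    """Return {hostname: ip} for every valid mapping line, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a usable mapping
        for name in fields[1:]:
            mapping[name.lower()] = ip
    return mapping

def digest(text):
    """SHA-256 of the file contents, used as a cheap 'anything changed?' test."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit(baseline_text, current_text):
    """List mappings added or changed since the baseline, with a severity."""
    if digest(baseline_text) == digest(current_text):
        return []
    old, new = parse_hosts(baseline_text), parse_hosts(current_text)
    findings = []
    for name, ip in sorted(new.items()):
        if old.get(name) == ip:
            continue
        # Loopback and 0.0.0.0 targets only sinkhole a name; others redirect it.
        severity = "info" if (ip.is_loopback or ip.is_unspecified) else "alert"
        findings.append((severity, name, str(ip)))
    return findings
```

The baseline would be captured from a known-good copy of the hosts file and stored where ordinary processes cannot write to it.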

What’s the difference between protected and locked in the BETA version?

Protected means you’ll get a popup that “such and such wants to modify the protected file…”

Blocked (sorry, I said Locked before) means that access will just be denied. AFAIK, there will be no popup.

LM

If you use Spybot S&D, you can lock your HOSTS file using that. Switch to the Advanced menu, then click Tools in the menu on the left and checkmark the option: “IE Tweaks”. You’ll see that description appear in the left hand menu. Click that link and then at the top, checkmark the options you want to protect.

If you haven’t got Spybot, you can download it from: http://spybot.info/