Intrusion Attempts? [Merged Threads]

Hello all,

Is everyone else getting blocked intrusion attempts from the firewall or is mines not configured properly?

Firewall = Train with Safe Mode
Defense+ = Clean PC Mode (it’s giving me a hard time with installations, etc; might disable)

When I used 2.4 I remember seeing tons of blocked intrusion attempts but now on 3.0 I see none. Makes me wonder if it’s working like it should…

Yeah, my firewall is blocking intrusion attempts and logs them all in ‘View Firewall Events.’
Perfectly normal.

With respect to the installation ‘problem’ there is the option in the pop up from Defense + to treat the process as ‘an installation’ which means you stop getting all the pop ups while you install, update or uninstall something.

Shortly after Defense + asks you if you want to return to it’s normal mode. (as a reminder)

Hm. Yea. I’m not getting any blocked attempts. It just says:
The Firewall has blocked 0 intrusion attempt(s) so far.

And I’ve had it since it’s been released. Something wrong with the configurations?

And I do switch to installation mode but it still gives me a ton of Allow or Deny popups. =(

I just started using the newest version of Comodo and I’ve noticed one thing: it’s logging an unusualy amount of intrusions in my Network Security (right now it says 860). I looked at hte log and the majority of them say “System Idle Process” is the application causing this. Is this normal for Comodo to be tracking this many intrusions?

I am using Windows XP SP2 Home Edition

Is there a way that I can stop Comodo from reporting this application’s actions as “intrusions”?

Thanks in advance for a reply…

I think I inadvertently discovered a solution. I wanted to turn the stuff in the log off, so created a rule to do it. Looking at the intrusion counts, which stopped at 58, it appears that Comodo only counts as intrusion attempts incoming things that generate an alert, and thus a log entry. So try this: Under Firewall/advanced/Network Security Policy for System, add a rule “Block Incoming from HTTP Ports” (don’t alert) prior to the block and log entry
Block/TCP/In/Any/Any/HTTP Ports/Any .
At the rate these things were coming in, I would have counted a godzillion intrusions without this rule. :wink: . Good luck and hope it helps; Ed.

Thanks for your timely response: It seemed to reduce the problem, not stop it. :SMLR

I tried it and it worked to reduce the amount of intrusions detected. Before I did that, I also noticed a tab called “Global Rules” and I decided to mess with. I used your suggestion where you take off the “log as a firewall event if this rule if fired” suggestion, and the intrusion seems to stop at 104 and it significantly reduced the amount of intrusions that were coming in (I reinstalled the firewall since I posted it). Thank you for your great advice.

The problem was not solved just yet (despite my previous claim). I did some more tests (i.e. watched the counter) and it still continues to provide me with the same intrusion application: System Idle Process. IT just gives me different ip addresses now instead of the same ones several times in a row.

I have installed comodo firewall since a few hours.
In the past 4 hours i received 4474intrusion blocked attempt
And well it grows at about one intrusion each few second.

Is this a normal behavior ?

I have no special application listening rigth now (p2p)
All those intrusion are directed to System idle process or svchost.

What can cause such a behavior ?

a) I’m really under attack by some zombie computer
b) Wrong setting or definition of intrusion by firewall
c) Ip address still registered with a p2p network xyz ? and client still try to connect to me, even if i havent been connected for last 24h ? This ip adress could have belonged to another person ?

Is there any way to filter out that noise logging ?
So we can focus on real events if there’s any …

Many of us have been seeing lots of blocked incoming connection attempts in the log, from a variety of sources. It looks like these are all counted as intrusion attempts because they generate alerts and are logged. Haven’t seen a complete explanation for all this stuff-some of mine came from visited sites, lots came from unknown sites (probably associated with the visited sites), some GOK. Maybe just to show that Comodo is blocking lots of intrusions? :wink: . In any case, if you make a rule in Firewall/Advanced/Network Security Policy/System to “Block TCP from HTTP Ports”

Block (do not alert/log or the intrusion counter will keep rolling)
Source IP Any
Destination IP Any
Source Port HTTP Ports
Destination Port Any

your intrusion counter should stop rolling (reset it by turning CFP off and on) and you will be able to read your log without sorting through the clutter. AFAIK, no one has discovered a problem with leaving all this stuff blocked. And there are reasonable explanations for some of it as various trafic from the visited servers, other is ?

[at] sded


is this what the network rules for system should look like afterwards?

I did not want to edit the predefined rule so I changed the TreatAs ‘outgoing only’ to Custom and added what you mentioned to see if this helps thin out my log file.


[attachment deleted by admin]

Yes, that’t what I have. If other programs have similar problems, you can try a similar rule in their section-I also have one for Avast! ashwebsv.exe that blocks the same thing there, since it is the browser interface to the internet.

I have tried that can’t get it work? What am I doing wrong? It says this rule already exists. Can i add this rule under Global rules?

Guys, these “intrusion attempts” are like what sded first states: it’s due to the logging of blocked incoming connection. This is coming from someone who disables logging, so I know. Also, the count is reset to zero everytime CFP is closed. If you reopen CFP, what do you see?

There are 3 places where logging (excluding Defense+ for now) can be disabled:
Application Rules, Global Rules, and Miscellaneous > Settings > Logging


Apologies if this question has been dealt with elsewhere on these forums, but my Comodo Firewall has apparently registered and blocked over 8000 intrusion attempts, a number which is increasing at the rate of about one a second. Obviously I think it’s pretty unlikely that these are all real attacks, and I wondered if it was something to do with me connecting through a university network, or alternatively whether I was accidentally blocking something I shouldn’t be.

Thanks for your help.

I am trying to filter the logging that is taking place for the system idle process. I have had some success by creating the rule ‘Block TCP from HTTP Ports’ previously mentioned by sded in this thread. I am still getting unsolicited packets which I would not exactly call intrusions since this seems to originate from my ISP. Anyway, I would like to filter the following from being logged:

                                          Source                             Destination

SIP Blocked ICMP Type(3) MyIPAdrr Code(13)

Code (3) = Destination unreachable
Code(13) = Communication Administratively Prohibited

I tried to create a rule for this without logging, but it is still showing up in the network logs.

Rule= Block, ICMP, In, “Block ICMP Desitination Unreachable”, Single IP (,
Single IP (MyIPAddr), Any (also tried custom entering code/type)

Any ideas how to filter this out without turning off logging completely?

Thanks, Al

Do you have the System process in Application Rules there and is it logged? I suspect it has something to do with that since I didn’t have a problem in not logging type 3 code 13.

Yes, take a look at the Policy image I posted a few posts back. I don’t want to turn logging completely off since I’m interested in what else might show up there. I thought if I created a block rule for that item and not log it, it would disappear from the log. Similar to the Block TCP from HTTP ports rule.


[attachment deleted by admin]

If you want to block & log everything without specifically logging ICMP Type 3 Code 13, there is no efficient method. You’ll have to block & log every single ICMP type and code combination and for the Type 3 Code 3 rule not log it.

I could be wrong, but this is due to CFP never had any implementation on the NOT or EXCLUDE feature in rule creation (not at least for ICMP or by protocol). On the other hand, if you were able to make it work for the Block TCP from HTTP Ports rule, I wonder why the other doesn’t work…

How about a screenie of your Global Rules?

I managed to get rid of the logging of ICMP ‘Destination Unreachable’ by moving the block rule to the global set. I am still seeing a lot of SIP blocks being logged coming from the outside ( port 80 ), so I’m no longer sure if my ‘Block and do not log TCP from HTTP Ports’ for SIP is working or if I need another rule elswhere.

Application  	        Action  	         Src IP   	     Src Port   Dest IP      Dest Port

System Idle Process Blocked 80 MyIPAddr 1602
(belongs to Tiscali Int. Net.)
System Idle Process Blocked 80 " 1596
System Idle Process Blocked 80 " 1600

All these don’t seem to be intrusions and I would like to see these filtered too so there is less clutter in the log. I have not had enough dealings with networking to understand a lot of what’s going on and don’t want to make any mistakes by hiding so called unimportant log entries. What amazes me is the amount of stuff that gets blocked. Seems like a lot of unnecessary network traffic going on.


[attachment deleted by admin]

The SIP blocked “intrusions” are the default named entries that, as per Egemen:

Hi Guys,

“System Idle Process” is NOT a real process and it never sends/receives any packets. For this reason, CFP uses it to for something when it does not detect any process for a packet. So blocked “System Idle Process” simply means blocked “unsolicited packet”.


But I think you already know that as you were in that thread.

How is it again we are getting “unsolicited packets” (TCP) through NAT routers. Unless there has been some previous connection to the source (redirect or ?), how does this happen? And has Comodo Abandoned SPI or just done an unusual implementation? Inquiring minds want to know! :wink: