Intrusions

I have Comodo Firewall installed on my desktop and my daughter's laptop. However, both machines have recently started getting intrusions. The intrusions are communications between both computers. One has destination …199 from source …198 and the other is …198 from source …199. This just started recently and hasn't occurred previously. Can someone help me change the settings so this will stop?

Can you show us a screenshot of the firewall logs?

Here is the log from my daughter's computer. Mine looks the same, but the source and destination are reversed.

[attachment deleted by admin]

On machine 199, run the following commands, as in the example below. While I'm showing UDP 1194 in the example, you want to look for UDP 8612 to find out what the process is.

Open up a command prompt. Running "netstat -ano" will give you a process identifier. Feed the PID number into tasklist to get the app name. And then a dir command will find the location of the app.


C:\Documents and Settings\User>netstat -ano

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:1194           *:*                                    1980

C:\Documents and Settings\User>tasklist /FI "PID eq 1980"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
openvpn.exe                 1980 Console                 0      5,064 K

C:\Documents and Settings\User>dir c:\openvpn.exe /s /b
c:\Program Files\OpenVPN\bin\openvpn.exe


Once you find out what the process is, then it’s easier to decide what to do. Either stop the application, change the firewall rules, or dig into a possible problem.
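The three-step chain above (port to PID, PID to image name), as a parser over the two command outputs. This is an added example, not code from the thread; the netstat and tasklist samples are constructed to match the formats shown in the post, and the PIDs and the process name "CanonScanUtility.exe" are placeholders.

```python
# Added example: parse `netstat -ano` output to find the PID bound to a
# given protocol/port, then read that PID's image name out of
# `tasklist /FI "PID eq N" /FO CSV`. Sample outputs are constructed;
# PIDs and the process name are placeholders, not real values.
import csv
import io
import re

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  UDP    0.0.0.0:1194           *:*                                    1980
  UDP    0.0.0.0:8612           *:*                                    2212
  UDP    192.168.10.199:137     *:*                                    4
"""

SAMPLE_TASKLIST_CSV = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"CanonScanUtility.exe","2212","Console","0","4,812 K"\n'
)

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

def pids_for_port(netstat_text, proto, port):
    """PIDs whose local endpoint is bound to proto/port (any local address)."""
    found = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m and m["proto"] == proto.upper():
            # The port is whatever follows the last colon in "addr:port".
            if int(m["local"].rsplit(":", 1)[1]) == port:
                found.add(int(m["pid"]))
    return found

def image_name(tasklist_csv, pid):
    """Image name for pid from tasklist CSV output, or None if absent."""
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["PID"] == str(pid):
            return row["Image Name"]
    return None

def owner_of_port(netstat_text, tasklist_csv, proto, port):
    """The full chain from the post: port -> PID(s) -> image name."""
    return {pid: image_name(tasklist_csv, pid)
            for pid in pids_for_port(netstat_text, proto, port)}
```

On a live machine, feed the real `netstat -ano` and `tasklist /FO CSV` output into the same functions; the `dir /s /b` step then locates the image on disk.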

Ok, the program is a Canon Scan Utility that is set as a trusted program that allows all incoming and outgoing requests. However, it is logging an intrusion. I'm lost as to why this is happening.

Interesting. Your earlier CIS log is showing blocked traffic at 15 to 30 second intervals, which isn’t too terribly fast. CIS will sometimes log a burst of traffic as a port scan, but that likely isn’t the case here. What I find more unusual is that CIS has logged this as “Windows Operating System”, which is what is used when there isn’t a listening app at the destination port.

So, if the Scan Utility is running, and listening at UDP 8612, does CIS on that same machine have the same log as before, showing blocked traffic to that machine?

If the Scan Utility is running, then CIS should be letting the packets thru. If CIS isn’t letting the packets thru, then there is a mismatch somewhere.

Does the netstat report show the same listening ports as CIS active connections?

My usual tactic at this point is to see what’s actually on the wire, using a network monitor. That may be a bit much to do if this can be run down more simply. Download Process Explorer from Microsoft SysInternals.

Process Explorer will show each running process on a machine. You can right click on the process, and select Properties to get details about that process. One of the property tabs is TCP/IP, and will show the ports in use. This will confirm, or not, the netstat report or the CIS active connections list. If the Scan Utility is in fact using the port, and CIS isn’t recognizing that fact, then there is a problem in CIS. If the Scan Utility isn’t running, but something says it is, then there’s a system problem, and CIS is correct in flagging a problem.

I’ve done a little research on UDP port 8612. Seems it is a printer port for Canon’s BJNP network printing protocol. 8611 is port 1, 8612 is port 2, 8613 is port 3, and 8614 is port 4. Does this make sense for your setup?

If it does, then it could be a wedged print job, and something is trying to query status constantly.

Ok regarding your point about a listening app. If I turn my scanner/printer on these intrusions stop on both computers.

When I turn off the scanner/printer and one of the computers, the intrusions stop.

When I run netstat I don’t see a UDP 8612.

Running Process Explorer seems to show the activity in the TCP/IP tab alternating from RED to Green. I have never used these programs before, so I am not quite sure what I am looking at.

I have never had this issue before, so I don't know why the 2 computers think that the other is the scanner now.

Thanks for your help.

Thank you. That helps to clarify what seems to be going on.

What I'm thinking right now is that when the printer/scanner is turned off, each machine starts trying to find it somewhere on your LAN. That search would be done by checking port 8611/8612/8613 on each IP address on your LAN. That's why each machine is seeing the other show up in the CIS log.

Since CIS is blocking that search for a printer, the search will continue until the printer gets turned on. Normally, this kind of search wouldn't be seen, as Windows Firewall doesn't typically keep that kind of log.

So, two ways of proceeding then.

One is to allow the packets in, so that Windows can send back an error message (an ICMP packet) saying “nothing here”, and hope the search is intelligent enough to stop asking. To do that, you’ll need to open up the 8612 port for the “Windows Operating System” with this rule:

Action: Allow
Protocol: UDP (select from the pull down list)
Direction: In
Source Address: your LAN address space 192.168.10.0 mask 255.255.255.0
Destination Address: any
Source Port: any
Destination Port: a range of ports: 8611 thru 8614

This may have a side effect of CIS now logging blocked ICMP packets. If that happens, then a couple of extra rules will be needed.

Second alternative, since this seems to be for a networked printer/scanner, as opposed to direct device-to-device traffic from one machine to the other, is to simply block and ignore the packets, and let the Canon drivers search for their missing printer until you decide to turn it on. It doesn't change the search, but just gets it out of your CIS logs.

Again, for the “Windows Operating System” application, this rule:

Action: Block (do not log)
Protocol: UDP (select from the pull down list)
Direction: In
Source Address: your LAN, as above
Destination Address: any
Source port: any
Destination port: range of ports: 8611 thru 8614

That should take care of it, now that there is some idea of what’s happening.
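The two rule sets above, as a small first-match evaluator so their effect on traffic can be checked before committing them. This is an added example, not CIS's own rule engine and not code from the thread; the LAN 192.168.10.0/24 and the port range come from the post, the packets are constructed, and whether an Allow rule logs is modelled as a per-rule flag (an assumption).

```python
# Added example: models the two "Windows Operating System" rules from the
# post as a first-match packet filter. Not CIS's engine; the log flag per
# rule and the sample packets are assumptions / constructed values.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.10.0/24")   # from the post
BJNP_PORTS = range(8611, 8615)                   # 8611 thru 8614 inclusive

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "block"
    log: bool                      # False models "Block (do not log)"
    protocol: str                  # "UDP", "TCP", "ICMP"
    direction: str                 # "in" or "out"
    source: ipaddress.IPv4Network  # source address scope
    dports: range                  # destination port range

    def matches(self, pkt):
        return (pkt["proto"] == self.protocol
                and pkt["dir"] == self.direction
                and ipaddress.ip_address(pkt["src"]) in self.source
                and pkt["dport"] in self.dports)

# Option 1 from the post: let the probe in so Windows can answer it.
ALLOW_BJNP = Rule("allow", True, "UDP", "in", LAN, BJNP_PORTS)
# Option 2: drop it quietly so it stops filling the CIS log.
BLOCK_BJNP_QUIET = Rule("block", False, "UDP", "in", LAN, BJNP_PORTS)

def evaluate(rules, pkt, default=("block", True)):
    """First matching rule decides. Unmatched inbound traffic falls to the
    default (block and log), which is what produced the 'intrusion' lines."""
    for r in rules:
        if r.matches(pkt):
            return (r.action, r.log)
    return default

# Constructed traffic: the discovery probe from the other PC, the same probe
# from an address outside the LAN, and an unrelated inbound UDP port.
PROBE_FROM_PEER = {"proto": "UDP", "dir": "in", "src": "192.168.10.198", "dport": 8612}
PROBE_FROM_WAN = {"proto": "UDP", "dir": "in", "src": "203.0.113.5", "dport": 8612}
OTHER_UDP = {"proto": "UDP", "dir": "in", "src": "192.168.10.198", "dport": 1194}
```

Note that scoping the source to the LAN keeps the rule narrow: the same probe from an off-LAN address still hits the default and is still logged.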

Thank you for the 2 solutions!