Invisible dialogue and a mystery process

One thing comes to mind - DHCP (automatic IP address allocation).

In a nutshell, 0.0.0.0 means “any address”.

The IP address 0.0.0.0 is used during the initialization of any network interface that is set to acquire its address from a DHCP server. When a NIC is initializing, it sends a DHCPDISCOVER message using the address 0.0.0.0 with a port of UDP 67. It uses this address as the NIC has no idea what subnet it should be on, so it sends the request to all addresses.

If a DHCP server is contacted, it replies with a DHCPOFFER message. If more than one DHCP server is contacted, they will all respond with their own DHCPOFFER message. When the DHCPOFFER message is received, the client responds with a DHCPREQUEST message. If the client receives more than one DHCPOFFER message, it will choose one of these. The client's DHCPREQUEST is also sent as a broadcast message using the address 0.0.0.0, but it sets the “Server Identifier” option field with the DHCP server's IP address (which serves to let the other DHCP servers that may have responded know that the client has chosen a specific server, and to drop current DHCP operations for this client).

To test if this is the cause, try setting your network adaptor to a static address (rather than DHCP), reboot and then check if the 0.0.0.0 traffic ends or changes.

As I said, this is the first thing that popped into my head.

Hope this helps,
Ewen :)
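An added example, not part of Ewen's post, that builds the two client-side messages described above as RFC 2131 packets and reads their options back. The MAC address, transaction id and IP addresses are made up; the code only builds bytes and does not send anything.

```python
# Added example: RFC 2131 DHCPDISCOVER / DHCPREQUEST as sent by a client that
# has no address yet (ciaddr = 0.0.0.0). On the wire these go from UDP port 68
# to port 67, to the broadcast address 255.255.255.255.
import struct
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
DHCPDISCOVER, DHCPREQUEST = 1, 3


def _header(xid: int, mac: bytes) -> bytes:
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, secs=0,
    # flags=0x8000 (ask the server to broadcast its reply).
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    addrs = b"\x00" * 16  # ciaddr, yiaddr, siaddr, giaddr: all 0.0.0.0
    chaddr = mac.ljust(16, b"\x00")
    return fixed + addrs + chaddr + b"\x00" * 64 + b"\x00" * 128  # sname, file


def build_discover(xid: int, mac: bytes) -> bytes:
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return _header(xid, mac) + MAGIC_COOKIE + opts


def build_request(xid: int, mac: bytes, offered_ip: str, server_ip: str) -> bytes:
    # Option 54 (Server Identifier) names the chosen server; the other servers
    # that sent a DHCPOFFER see it and withdraw their offers.
    opts = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    opts += bytes([OPT_REQUESTED_IP, 4]) + socket.inet_aton(offered_ip)
    opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
    return _header(xid, mac) + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_options(pkt: bytes) -> dict:
    """Return {option_code: raw_value} plus the client address under 'ciaddr'."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    out = {"ciaddr": socket.inet_ntoa(pkt[12:16])}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:  # pad byte, no length field
            i += 1
            continue
        length = pkt[i + 1]
        out[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return out
```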

Hello,
I’m in France. So far I’m very happy with Comodo. For a few days now, there is an application that I can’t remove from the blocked applications menu. It’s written in Chinese. At the same time I have many network intrusion alerts, also in Chinese. Thank you for giving me advice (2 screenshots attached)
Have a nice day

Hello,
can you locate the application?
Rclick on the blocked app, details, go to folder

If I Rclick on the blocked application, the detail is not accessible (in grey). (see screenshot 3)
If I just move the mouse over the line, a text appears (see screenshot 4)

Try to find Chinese characters in the files > Comodo Help. Remember you have to choose all types (files), not only executables (top left of the file list window) > right-click > go to folder or jump. You can take a screenshot, and we need the SHA hash.
You can easily do it with right-click > file details.

Thank you. I followed your procedure carefully but there are no files with Chinese characters (screenshot 5). I Rclicked on the files that might look suspicious in the last weeks but I didn’t see anything unusual.

You might use Comodo Killswitch and Comodo Autoruns Analyzer (from CCE, Comodo Cleaning Essentials), accessible directly from the Activities tab → advanced activities in the fw, in order to try to spot the app which is likely trying to connect outbound.

Moved and merged topics of the same bug, it is an issue with corrupted log entries that might be fixed in the new 12.1.0.6914 release if you want to check.

Comodo Firewall 12.0.0.6818
I am getting a lot of firewall blocks from a process that refuses to identify itself.
I recently updated from Windows 1803 to 1903, maybe this is connected.
log attached.

It is an issue with corrupted log entries that might be fixed in the new 12.1.0.6914 release if you want to check.

Thanks.
So basically, if I want to just ignore the logs, that’s okay?
I heard some reports that the newest version causes slow system startup on some computers, so I would rather wait it out, if possible.

Yes you can ignore the logs. As for the other issue, it is most likely an issue with Windows 10 that MS released an additional cumulative update to fix, in combination with the anti-virus process crashing, so if you don’t install the AV you shouldn’t have the slowdown.

Hi, I am getting the same mix of blank and Chinese characters in network intrusions. One note: when scrolling back to when they initially began within log viewer, the program crashes at the same point trying to get back to the initial first log. Is there a fix for this?

Hi dnbdruid,

Our developers are working on it; once resolved we will notify you.

Regards,
PD

Hello,
I made the recommended update 1 week ago (very difficult to find on the Comodo website…) and since then I no longer have any Chinese intrusions.

But I still can’t remove the blocked application in Chinese.
Until the problem can be solved, I try not to approve it by mistake !! :-[

Dear experts,

2 questions

(1) What do the firewall logs mean?

I have what I think is a pretty secure Windows 10 system. I run nothing on it except for Microsoft software, Comodo firewall (Safe mode) / HIPS (safe mode) / Secure Shopping, Avira AntiVir antivirus, Libre Office (and a Symantec VIP Access software installed after the problem I will describe started). I only visit known / good websites on this system and do nothing else. This is my “clean” system. I am running Windows 10 with some SRP policies and other security tweaks.

As part of my Comodo setup a year or two ago, I had removed from Trusted Vendors all vendors I am not familiar with, including all Asian character ones that I could not read. I only left Microsoft, Comodo, Intel, Adobe, and a bunch of such “regular” vendors that I am familiar with. This has not been a problem.

I just discovered some strange behavior however in Firewall logs. Prior to September, I had a lot of strange empty lines there going from 0.0.0.0 to 0.0.0.0 address with Protocols 0, 66, 74, and others. Starting September I also started having some Asian characters on similar lines. I don’t know why I would have any software installed with non-English characters.

Further, Firewall screen shows that there are “0 Inbound” and “0 Outbound” things going on and “No Connections” even though I am clearly connected to Internet, and Comodo Icon itself is showing traffic with little red and green arrows.

Please see attached screenshots for everything I am describing.

What should I check? Do you have any idea what this might be about?

(2) What’s my true firewall status?

Can I be sure that my Firewall is REALLY on and working “in full”? Is there some way to confirm it? Sometimes it says the Agent is not running and I am at Risk because Firewall is not working but then eventually it switches back to Green state. I just find this behavior strange along with no other Firewall messages in the log and “No Connections” displayed by the firewall (see the last attachment).

I ran tests on ShieldsUp site. All ports show as in stealth mode succeeded but 1 test failed: ping reply (ICMP Echo) was received.

Thank you!

Justin

P.S. Comodo Firewall version 12.0.0.6818. Avira AntiVir full system scan did not find any viruses.
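As an added example (not from the thread and not Comodo's code), a small triage script over constructed rows in the shape of the log described above: it separates the DHCP bootstrap traffic that legitimately uses 0.0.0.0 from entries that show the corruption symptoms (0.0.0.0 on both ends, protocol numbers a desktop host never speaks, blank or non-ASCII application names). The column layout and the sample rows are assumptions, not Comodo's export format.

```python
# Added example: classify firewall log rows. The CSV layout and every row in
# SAMPLE_LOG are constructed for this demonstration.
import csv
import io

# Protocols a Windows desktop normally emits; 0, 66, 74 are not among them.
NORMAL_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

SAMPLE_LOG = """application,action,protocol,src_ip,src_port,dst_ip,dst_port
,Blocked,0,0.0.0.0,0,0.0.0.0,0
示例,Blocked,66,0.0.0.0,0,0.0.0.0,0
System,Allowed,17,0.0.0.0,68,255.255.255.255,67
C:\\Windows\\explorer.exe,Blocked,6,192.0.2.20,51000,198.51.100.7,443
"""


def classify(row: dict) -> str:
    proto = int(row["protocol"])
    src, dst, app = row["src_ip"], row["dst_ip"], row["application"]
    # A client with no address yet sends DHCPDISCOVER / DHCPREQUEST from
    # 0.0.0.0:68 to 255.255.255.255:67 over UDP: expected, not an intrusion.
    if (proto == 17 and src == "0.0.0.0" and dst == "255.255.255.255"
            and row["src_port"] == "68" and row["dst_port"] == "67"):
        return "dhcp-bootstrap"
    # Corruption signature: 0.0.0.0 on both ends plus either an implausible
    # protocol number or a blank / non-ASCII application name.
    name_bad = app == "" or not app.isascii()
    if src == "0.0.0.0" and dst == "0.0.0.0" and (
            proto not in NORMAL_PROTOCOLS or name_bad):
        return "corrupt-entry"
    return "review"  # real traffic between real addresses: look at it


def triage(text: str) -> dict:
    """Count rows per class so the real entries are not buried in noise."""
    counts = {"dhcp-bootstrap": 0, "corrupt-entry": 0, "review": 0}
    for row in csv.DictReader(io.StringIO(text)):
        counts[classify(row)] += 1
    return counts


if __name__ == "__main__":
    for label, n in triage(SAMPLE_LOG).items():
        print(f"{label:15s} {n}")
```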

Hi justin_smith,

Thank you for reporting and also enclosing the screenshots. We will check this issue.
Could you please check your inbox for PM and provide us the log for further investigations.

Regards,
PD

justin_smith, I merged your topic of the same issue with corrupted log entries.

Sometimes it says the Agent is not running and I am at Risk because Firewall is not working but then eventually it switches back to Green state.
The cmdagent service most likely crashed hence the error, you can check C:\ProgramData\COMODO\CisDumps for memory dumps.

Thank you futuretech,

You are always very helpful on these forums. I appreciate it! (Do you work for Comodo? It appears not but your support has been exceptional here)

I provided requested logs via PM to Dharshu. I hope it’s possible to confirm this is not a real intrusion but just a Comodo bug.

Some follow up questions:

(1) My C:\ProgramData\COMODO\CisDumps is empty.

(2) There are 2 kinds of Firewall log entries - ones with EMPTY application name and those with Asian / Chinese characters. All going from 0.0.0.0 to 0.0.0.0. Are both incorrect and buggy? Are both fixed in 12.1.0.6914?

(3) When I ask Comodo to update itself it’s not updating to 12.1.xxx. Am I missing something? Should it eventually auto-update to correct version on its own?

(4) In my post I also asked for a way to check if my Firewall is “really” ON. One of my screenshots shows Comodo Firewall part of the screen (always) showing there is 0 In/Out traffic and “No Connections” while the main Comodo on-screen widget is showing that there is traffic (and I am clearly online). Also ShieldsUp showed that while I am mostly “stealthy”, Ping DOES reply for some reason. Is this a related item or should I create a separate post on this?

(2) There are 2 kinds of Firewall log entries - ones with EMPTY application name and those with Asian / Chinese characters. All going from 0.0.0.0 to 0.0.0.0. Are both incorrect and buggy? Are both fixed in 12.1.0.6914?
Yes, both are incorrect and part of the bug. I do not know if it is fixed in 12.1 and I do not know how to reliably reproduce the bug to check if it is fixed; I never had this happen with any of the v12 builds.
(3) When I ask Comodo to update itself it's not updating to 12.1.xxx. Am I missing something? Should it eventually auto-update to correct version on its own?
Comodo has not made the update available to older versions; they always seem to take forever to do so. Even 6882 is not being offered.
(4) In my post I also asked for a way to check if my Firewall is "really" ON. One of my screenshots shows Comodo Firewall part of the screen (always) showing there is 0 In/Out traffic and "No Connections" while the main Comodo on-screen widget is showing that there is traffic (and I am clearly online). Also ShieldsUp showed that while I am mostly "stealthy", Ping DOES reply for some reason. Is this a related item or should I create a separate post on this?
You can temporarily set up a block rule for an application to block all requests and see if you can still make outgoing connection requests. If you are behind a router, ShieldsUp is testing the router and not the system with Comodo firewall.