Just Questions :)

Hey, I just installed the Firewall today, mainly because I had always NEVER used a firewall, but then again, I never had security problems either… as far as I know ;D I used 3 different emails, I used AIM, MSN, YAHOO, and XFIRE messenger. I had forum accounts, all sorts of stuff with passwords, and I've never lost access to an account or anything, although that doesn't mean someone couldn't have had the password.

Anyway, I decided to go ahead and do this, just in case. I just redid all my passwords, and got an antivirus too (which again, I've never used) :slight_smile:
So I just have a few questions, most relate to the Firewall.

1.) Are the default entries in Security/Network Monitor sufficient for secure use? Or should I be adding/changing something in here. I know that is where you allow/disallow connections, but that is about as far as I got in all of the many tutorials… I think I'm slow or something :-[ Also in the application monitor everything says [Any]… that's normal also?

2.) I REALLY don't understand the In/Out setting for the Rules, Network or Application. I set Xfire (an instant messenger for gamers) to Out, and I could send and receive messages. Then I set it to Out/In and I could still send and receive messages the same way? I don't understand which one it needs to be.

3.) Learn Mode. Should I leave this ON always… or maybe change it after a certain amount of time to 'On'?

4.) While I was playing my game, it seemed about normal… I mean the net, that is; it may have been a tiny bit slower just for the change in resource usage that I'm used to, but I'm willing to keep it. But it was normal, then I come out of the game, and I see in the Logs there are some Medium notifications of blocks that the Network Monitor issued, and these blocks were for the game server IP that I was playing in. Was I losing packets/performance or is this okay? I also had some ICMP Port Unreachable Medium messages in there?

5.) This pretty much goes along with Number 1 above, but is the firewall as a whole secure on its default settings? There are WAY too many advanced words in the settings for me to understand =( which is okay, I DO understand that some people DO understand it though. (I have no idea if that even made any sense).

6.) The Anti-Virus that I downloaded is the so called "Spawn" of Kaspersky, but it's the Free edition. It's called AOL Active Virus Shield. My question is, would it be fine to run the Comodo firewall and this anti-virus at the same time? I also have Windows Defender, but I do not plan on running this constantly, just for scans. Also - Am I wrong at what I picked? Are there better ones? As you can see though - I'm a cheapo, I like going with the free software. :wink:

7.) I do like this firewall, a lot. All I need to do is be able to understand it more. I'm the kind of person that sticks with something, and I will be sticking with this firewall, just gotta learn some stuff.
The main thing I really am hoping for is a good clarification of the Application/Network Rules.

8.) Another question. I get high security warnings for things like svchost, and then when I first started xfire I got some for some of its components. Also something like a wgatray.exe from Windows, but I literally just did a clean install, and I really doubt I have anything on here right now. But my question being, some things say this, but it's ok to allow them, right? If they are known. Even if it says high risk? Also from the component monitor, I was wondering about two entries, a Java entry and a Viewpoint entry. Do you guys have that Viewpoint player thing on your Windows computers by default too? (Windows XP Home here) It's also in the Add/Remove Programs.

EDIT - In the Network Monitor, there is an Allow IP Out entry enabled, and it has something about GRE there at the end. Is that there by default, or not? Sorry if that's a dumb question but for some reason it seems like I did not see that one there earlier, although I have not modified any of those… I don't think. And no, I do not drink/smoke/sniff/snort/inhale any substances.

EDIT 2 - I’m also on a home wireless connection. Linksys.

Ok, well, now that it's clear I am an extremely ignorant person when it comes to computer security, I hope I can be helped with these questions. Thanks to anyone who posts.

I’m new to firewalls too. But I might be able to answer some of your questions. I’ll leave the rest to the experts around here…

6.) I don't like anything from AOL, just my own opinion. I've been using AVG Free Anti-virus for about 3 years now and I love it. Don't know what the features list is like with the AOL Scanner but AVG Rocks! Link: Free Antivirus Download for PC | AVG Virus Protection Software. Also it's just fine to have any anti-virus proggy and CPF running. Just remember whatever you use, please allow it to auto update. You can even run Windows Defender all the time too. Those three proggies are all looking for different things and this would provide the best security on all fronts.

8.) Ok first off any warnings you get from svchost.exe, allow them. This is Windows XP’s services proggy. They use it to renew your ip, allow Remote Desktop, etc. It’s safe to always allow. The wgatray.exe is part of the Windows Genuine Advantage Tool. Used to check if you have a valid copy of Windows XP and also used on MS sites to validate your copy for downloads, it’s ok too. And in the component monitor I have Java but not Viewpoint. Java is ok I wouldn’t worry about it. On the other hand here’s some info about Viewpoint: http://www.viewpoint.com/installer/v4/html/vmp_faq.html

Like I said, I don't have enough experience to answer the other questions. Let's leave that to the pros.

Welcome to the forums, TheMeister88!

I’ll take on your ?? one by one…

  1. Yes. In the tutorials https://forums.comodo.com/index.php/topic,6167.0.html there’s now a “set and forget” one, that may be helpful. Don’t know if you’ve seen this topic or not; it’s locked, to make for easier reading.

  2. The “In” setting (in either one) means that essentially, unsolicited Inbound traffic will be received/accepted. Unless you have a specific application requirement (like a p2p scenario) you do not need or want Inbound network rules. Applications such as p2p apps will probably need an In aspect to their rules, as they need the ability to “listen” on the specified port while they’re running. Other than that, it may not be necessary.

  3. My recommendation is to leave Learn Mode (component monitor) on until you have run/connected the majority of your applications, to minimize alerts to allow components. Then switch it to “On.”

  4. You can post a specific question about these, in the FW Help Board, and it will be addressed. You may be blocking extraneous connections, or something that could speed up your connectivity. The logs hold the keys…

  5. See the “set and forget” tutorial…

  6. Some people have conflicts. Some don't. For some, it says they need to uninstall CFP; order of installation seems to play a role. It should be a good AV, but there are others as well, which are also free. If you search the forums here, you'll find plenty of posts dealing with KAV, Kaspersky, etc.

  7. Hope the info I’ve given will help in this clarification for you.

  8. If it’s a High Security alert, it relates to Application Behavior Analysis, most likely. In this scenario with svchost.exe, it’s probably utilizing/being utilized by internal communications between applications, which is monitored by CFP as it relates to internet connections. Basic rule of thumb on such things is that if you know both applications, it’s safe to Allow. Allow and Remember, and you shouldn’t get that specific popup again.

  9. Your “Edit” - it’s part of the default rules. It is required in some scenarios, but not in others. One user recently found that his ISP used GRE (a protocol) as part of maintaining his internet connection, and he actually needed to allow an Inbound GRE from his ISP’s server. Personally, I’ve never needed it. You can set the rule to “Log” and see if anything shows up; if it doesn’t, it’s probably safe to delete/remove that rule. Good to know you’re “clean.” :slight_smile:

  10. Your “Edit 2” - The tutorials link I posted above has a section on setting up your wireless network.

LM

Hey.
You guys have definitely cleared up a lot of stuff for me, I have a lot more understanding now. :slight_smile:

For Mac’s post:

Q#1.) Thanks. I actually hadn't read that yet, and that's what I needed.

Q#2.) Thanks. I'm pretty sure I get it now.

Q#3.) Thanks. I kind of figured it meant something like that, just was scared to test… :-[

Q#4.) Thanks. I’ll look into that right now.

Q#5.) Thanks.

Q#6.) Thanks. I was actually running AVS with Comodo when I posted, and it was doing fine as far as I could tell. I just wasn't sure if it could be doing other stuff. I'll read through the KAV/Comodo threads.

Q#7.) Thanks.(x2) Yes, it definitely has helped me.

Q#8.) Thanks. Yeah, I guess I knew it couldn't be good to disallow operating system components… sad… sad me lol.

Q#9.) Thanks. How exactly do I set it to Log? I right clicked it and stuff, but I didn't see an option. I haven't checked hard though, so I might find it in a minute.

Q#10.) Thanks. I need to take the time to set my router security settings too. I need to do all this security in one sweep, 'cause I'm not a big fan of trying to monitor my computer activity, but I am a big fan of computers. (and keeping my personal information… :P)

I’ll post in here if I have any other questions. I’ll try not to be too big of a pain if I do, I will experiment with stuff.

Great posts by the way, thanks for the support.

No problem. Glad that cleared stuff up for ya!

  1. Open the Network rule to Edit (double-click, or click then “Edit”, etc). Next to the entry for Action: Allow there’s a checkbox for “create an alert if this rule is fired.” That’s your log the rule feature. Check that, reboot (just to make sure the memory’s cleared out and set the changes), and it will log any traffic that is allowed by that rule.

You can use this for any rule that you want to check specific activity on. It’s good for diagnostic purposes, especially if you’re testing stuff out.

LM

Ahhh, I see. Thank you. I enabled that log, and will keep an eye on it.

Speaking of the Logs - I have 2 main ones I'm getting spammed with. Not sure if it's normal or what. I mean I can read what it says… and can tell what it is doing, but is it a good thing?
Anyway, these are the 2 that I get a lot:

Date/Time :2007-04-16 15:25:32
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.101, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.101:nbname(137)
Destination: 192.168.1.255:nbname(137)
Reason: Network Control Rule ID = 5

and

Date/Time :2007-04-16 15:25:27
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.101, Port = nbdgram(138))
Protocol: UDP Incoming
Source: 192.168.1.101:nbdgram(138)
Destination: 192.168.1.255:nbdgram(138)
Reason: Network Control Rule ID = 5

The ones above make up like… 95 percent of my logs as of right now.

I also have some of these:

Date/Time :2007-04-16 17:48:49
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.100
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5

AND

Date/Time :2007-04-16 15:50:26
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.101, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.101:1070
Destination: 239.255.255.250:upnp-mcast(1900)
Reason: Network Control Rule ID = 5

I know… sorry, I bet you feel like a McDonald's employee or something with me saying, one of these and one of these, and yes why not one of those.

Thanks in Advance.

While I’m here, I have other questions.

In Application Monitor, my iexplorer.exe is set as “Out” only. Does only being set to Out not allow or slow down the downloads?

Also aim.exe is not even picked up as connecting to the internet when i log into it, and it obviously is connecting/ed to the internet. Is this because its registered as SAFE?

And i have Ping.exe Allowed. I’m guessing this is normal?

Don't worry - I have to run out of questions sooner or later.

Ok first off any warnings you get from svchost.exe, allow them. This is Windows XP's services proggy. They use it to renew your ip, allow Remote Desktop, etc. It's safe to always allow.
I've been playing around with Comodo for a couple of months, and I really don't know about just blindly allowing svchost, unless perhaps you have a perfectly clean computer. If you do, I would check the activity monitor. I've also been using FX, and I was getting a ton of apps trying to connect through svchost. A couple of weeks ago, I deselected IE from "set program access and defaults" "custom", and then under "internet options" "connections" "lan settings" I checked "use a proxy server for your lan" ---I don't---and then put in "0.0.0.0 as my address with port 80." (I read about this on another board as a way to quiet down IE connections if you use Firefox as your browser, and I don't know if setting the lan/proxy server setting is really needed if you deselect IE from "set program access/defaults--custom".) I don't know the pros/cons of doing this but this has seemed to really quiet down all the svchost connection pop-ups from Comodo. I can always reverse these for Windows updates.

TheMeister88,

Those first two logs (ports 137, 138) are NetBIOS related. You will get those as long as you have NetBIOS enabled (Windows Services, and also may be set under your Network Connections Advanced Settings tab). Most cases for the average user, it’s not needed. You can do one of a couple things:

  1. Completely Disable all NetBIOS - Service, Network Connections, etc. It's another Windows security issue anyway. :frowning:

  2. Create a block (and not log) rule for those ports. You don’t need any IP addresses; just identify the ports. You’re already blocking it; that way, you won’t log it, either (another little NM trick that’s good to know…)

The second two logs relate to Universal Plug N Play (UPNP) and Multicast (IGMP); combined. Probably because of having the UPNP Service enabled. Big security hole there. I advise disabling that anyway. If you IM, that’s probably a factor in that as well; the IM apps seem to like to throw IGMP stuff around. Again, it’s already blocked… So a couple things that can be done there as well…

  1. Disable UPNP (for both services, go to start/run, type "services.msc"). Find those entries, change the startup type to Disabled. Reboot.

  2. Block IGMP in the NM. Your rule will be:
    Action: Block (no logging)
    Protocol: IP
    Direction: In/out
    Source IP: Any
    Destination IP: Any
    IP Details: IGMP

IE should be okay. My browser’s only set to Out. In’s really only needed if the app needs to be able to accept unsolicited Inbound connections (such as p2p/torrent application).

AIM’s probably in the SafeList. If it’s not showing, but has been allowed to connect, that’s probably it. Might run the Application Wizard (Security/Tasks/Scan for Known Applications); that may show the rules…

Regarding Ping.exe… are you familiar with it? It’s an App you know you have installed?

LM

Hey, Thanks i will do your suggestions.

Ping.exe, I'm not sure. I mean, when I highlight it, it says SAFE instead of unknown, and it says it's in the system32 folder, and that it's used for TCP/IP. I'm guessing it's ok? I remember when I first installed Comodo it was like the first thing that came up as an Allow or Disallow entry pop-up.

Thank you for all of the help you have given me so far.

I disabled UPnP just fine. Although I disabled NetBIOS, I still get the 137, 138 port errors. But that's all I am seeing now, just 137 and 138. I could still do as you suggested and block the ports, but it would be nice to know why exactly it's doing this.

I have been wondering about something all day now, so I'm going to at least ask it.
Why aren't ALL .dll files listed in the component list? I see you can add some, but I don't understand how you would know what to do with a .dll?
What exactly can a .dll do? A key-logger? Or what. And is there a way to see if it's running/being used?
I'm mainly asking this because everything on my computer is clean in my opinion, it's just there's 1 program I want to be sure of. It's a game I got from P2P (Azureus), and you obviously can't trust someone you don't know. Although the game runs fine and everything, I'm just concerned about there being maybe hidden things in it, like key loggers? How can I see if its files are being used by the system? Sorry if that isn't Firewall related, just wondering this though; it would be great to clear up that my game is clean.

If CFP says ping.exe is SAFE, then it’s the MS executable, and should be ok. Don’t know why it’s running; there may be a setting somewhere in your system like a startup entry. Mine doesn’t run automatically. Might go to start/run, type “msconfig” then go to the startup tab. See if there’s an entry for it. If you don’t want it to run on auto, uncheck the box, click Apply then Close. A reboot will reset it. You can also always create a Block rule in the AppMon, or an Ask rule to prompt for connection.

For NetBIOS, you may need to also turn it off in your Network Connections settings. If you open Windows' Network Connections, right-click your icon and select Properties. Then highlight the TCP/IP entry, and Properties. Go to the Advanced button. Then WINS. Uncheck "Enable LMHOSTS lookup" and check "Disable NetBIOS over TCP/IP." Apply, etc. Then see if your 137/138 entries are still there.

The Component Monitor should only have those which relate to applications which can/do/are known to connect to the internet. It monitors and verifies those relationships. It will ask for approval if any change (once you’re out of Learning Mode). Details of what they do and how they work? Beyond my proverbial paygrade! :wink:

Does the game connect to the internet (an online game)? If so, you have an entry in the AppMon. You can right-click that entry and select to submit to Comodo for analysis. In doing so, you can provide an email so they can respond to you. You can also "google" it and see what you find out, as far as trustworthiness. If it is bogus in some way, it will probably act in a suspicious way (as far as how it connects), and CFP's Application Behavior Analysis will kick warnings your way. Those warnings should always be paid attention to, as they may indicate a problem. It's easy for us to get in the habit of Allow and move on, but it's best not to…

LM

Hey, well I disabled that stuff and I still get constant 137 and 138 port errors. I don't know why.
If it isn't harming anything I can live with it for now, but it would be nice to not have them all in my logs, because I have to inspect them closely to find ones that aren't 137 and 138, 'cause there are so many of them.

One more question: In the Activity/Connections panel, I'm guessing this shows ALL internet activity going on? But my question: yes, it is usually totally empty when I close my stuff like IE and messenger programs, nothing else I ever really see in there, but every once in a while, I'll get one of the svchost.exe's in there for like a few seconds or a minute or so. Does this happen with you also?
Thanks

For the port 137, 138 issue. If you’re still getting it, you can always create a Network Monitor rule to Block and Not log, for those ports. That will get rid of them. Just do it like this:

Go to the bottom Block & Log rule. Right-click, select Add/Add Before.

Action: Block (don’t check the “create an alert” box)
Protocol: TCP/UDP
Direction: In/Out
Source IP: Any
Dest IP: Any
Source Port: Set of Ports: 137, 138
Dest Port: Set of Ports: 137, 138

As to Activity/Connections. That shows active/Established connections. It does not show Listening; it will in the future, though. With svchost, yes you’ll see it show up and disappear again from time to time. svchost is a system process that is used to update DNS and DHCP (to keep your internet connection going), the system clock updating, Windows updates, etc. A lot of people don’t like its level of autonomy, and crank down their security around it - disabling various Windows Services, creating application and network rules to only allow certain types of access for it (and to block others), etc.

LM
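Triage of the Network Monitor entries quoted above and of the 137/138 block-and-don't-log rule LM gives, as an added example (not code from the thread or from Comodo): a small parser for that log layout that labels each entry as NetBIOS subnet broadcast, IGMP multicast or UPnP/SSDP discovery, and reports which entries the port rule would keep out of the log. It assumes the 192.168.1.0/24 LAN seen in the thread; the sample entries are constructed from the thread's own values, trimmed to the fields the parser uses.

```python
import ipaddress
import re

# Constructed sample in the Network Monitor log layout quoted in the thread
# (addresses and ports copied from the thread's entries; not live traffic).
SAMPLE_LOG = """\
Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.101, Port = nbname(137))
Protocol: UDP Incoming
Source: 192.168.1.101:nbname(137)
Destination: 192.168.1.255:nbname(137)

Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: 192.168.1.100
Destination: 224.0.0.22

Description: Inbound Policy Violation (Access Denied, IP = 192.168.1.101, Port = upnp-mcast(1900))
Protocol: UDP Incoming
Source: 192.168.1.101:1070
Destination: 239.255.255.250:upnp-mcast(1900)
"""

FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
# Matches "192.168.1.255:nbname(137)", "192.168.1.101:1070" or a bare "224.0.0.22".
ENDPOINT_RE = re.compile(r"^([\d.]+)(?::(?:[\w-]+\()?(\d+)\)?)?$")

def parse_entries(text):
    """Split the log at blank lines; each entry becomes a dict of field -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                entry[m.group(1).strip()] = m.group(2).strip()
        entries.append(entry)
    return entries

def split_endpoint(field):
    """Return (ip_address, port or None) from a Source/Destination field."""
    m = ENDPOINT_RE.match(field)
    port = int(m.group(2)) if m.group(2) else None
    return ipaddress.ip_address(m.group(1)), port

def classify(entry, lan=ipaddress.ip_network("192.168.1.0/24")):
    """Label the LAN chatter LM describes; 'other' means it deserves a closer look."""
    dst_ip, dst_port = split_endpoint(entry["Destination"])
    if "IGMP" in entry.get("Protocol", "") and dst_ip.is_multicast:
        return "igmp-multicast"        # group membership reports, e.g. to 224.0.0.22
    if dst_ip == lan.broadcast_address and dst_port in (137, 138):
        return "netbios-broadcast"     # NetBIOS name/datagram service to the subnet broadcast
    if dst_ip.is_multicast and dst_port == 1900:
        return "upnp-ssdp"             # UPnP discovery (SSDP) to 239.255.255.250
    return "other"

def suppressed_by_port_rule(entry, ports=frozenset({137, 138})):
    """True if LM's Block (no log) rule, TCP/UDP in/out on ports 137/138, would catch it."""
    proto = entry.get("Protocol", "")
    if not ("TCP" in proto or "UDP" in proto):
        return False                   # the rule is TCP/UDP only, so IGMP is untouched
    _, sport = split_endpoint(entry["Source"])
    _, dport = split_endpoint(entry["Destination"])
    return sport in ports or dport in ports
```

The IGMP and SSDP entries are not covered by the 137/138 rule, which is why LM gives a separate IGMP block rule and suggests disabling the UPnP service.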

Alright, I blocked the ports. Thanks, and thanks for all of your help Little Mac.

I was looking at my MsConfig earlier, and was wondering something, here is mine:

http://img81.imageshack.us/img81/6627/untitleddi8.png

I was wondering what the "/background" meant exactly, especially since nothing else at startup has it. Does it need it?

Thanks

Yeah, that’s part of the commandline structure, showing how it’s running (ie, in the background). No problem there.

How’s the log now? Those entries no longer clogging it up?

LM

Oh ok, I was just testing with it, and trying to clean up my start-up items because there's no use in starting stuff I don't need, right 88)
I took off background just to experiment, and found that it pretty much just made it not minimize to the tray, which I'm sure you knew, but at least I feel a little smarter now. ;D

Yes, the 137/138 port logs are gone now, no more cluttering. I don't get many now, but the ones I do get relate to that ICMP thing. They all say ICMP=PORT UNREACHABLE.

Will you post those (or some of those) log entries for the ICMP Port Unreachable?

Do they happen all the time? Try it in different scenarios - clear the logs, then:

Do nothing; no active internet usage (keep applications closed) - see if it happens by default.

Do only email for a while (no browsing, etc) - see what you have.

Do only browsing for a while (nothing else) - see what you have.

And so on.

LM