Listening ports?

Please, why don't I have absolutely any prompts from CFP on listening ports?

To test my diagnosis about listening ports, please download the Inbound connection testing program from Matousec.

Anyone?
Please respond or confirm…

I’m not clear on what you are looking for. I ran your test by opening a “cmd” window, got a notification from Spyware Terminator (slick freeware program at http://www.spywareterminator.com/) that “test” was trying to run, I allowed it, then ran a second “cmd” window and did the telnet and got the data below. During that time, I had CFP>Firewall>Common Tasks>View Active Connections open and could see “test”.

C:\Documents and Settings\Owner\Desktop\TST04ICC>test 222
Inbound connection testing programs (TST04ICC)
Windows Personal Firewall analysis project
Copyright 2006 by Matousec - Transparent security
http://www.matousec.com/

Creating TCP socket.
Binding socket to any interface on port 222.
Listening on port 222.
Waiting for incoming connection.
Use “telnet localhost 222” to establish the connection.
Connection established and closed successfully.

TEST SUCCESSFUL!

Since CFP is in learning mode, it ballooned that it was learning that test was running.

What exactly are you expecting that isn’t happening?

– TheSchaft

The test tool is listening on local port 222 (in your case) without any prompts from the CFP FIREWALL department…
Only on the telnet client's actual connection does CFP give a prompt for 127.0.0.1 on port 222 for localhost; if you do not specify localhost, the FW will not give you any prompts but the test will pass (intercept the telnet connection). But that is not a serious problem; the problem is listening without prompts. I have at least 2-3 listening ports without any notification from CPF and that listening could be malicious…

I believe the reason for no CFP prompts is that localhost is in the network zone and because “test” is considered a safe application.

I don’t see it as a problem if an accepted program, “test” in this case, is listening.

As noted previously, Spyware Terminator intercepted the run command for “test”. Once I allowed it to run, CFP learned about it.

– The Schaft

Salmonela edited the post to add:
“…problem is listening without prompts, I have at least 2-3 listening ports without any notification from CPF and that listening could be malicious…”

I also have several listening ports open at any time. As long as they are from known programs, it should not be a problem. (Mine are “alg” and “svchost”. Both are Microsoft programs and are running because I have a small LAN)

I would recommend running a spyware checking program like Spyware Terminator (free, see earlier post for link) to ensure that the listening programs are not malicious.

– The Schaft

Listening is not malicious. Listening is a program waiting for another program to make an inbound connection, and is usually via localhost. You should only get an alert if something actually tries to make a connection and it is not allowed by your firewall rules.

Have you tried the above test?
OK, it can be some kind of virus sitting and listening to the music of my bank account…
I will never know if it is there if CFP doesn't give me a prompt for listening ports.

The only programs that can be listening are those that you have allowed to run.

A good spyware/anti-virus program will tell you what is trying to run and will assist you in managing what is running. In a similar manner, COMODO rules will keep programs from listening or accepting/originating connections.

Don’t depend on a single program to protect your system - run anti-virus, anti-spyware, HIPS (Host Intrusion Prevention System) AND a firewall (defense in depth).

My system goes through a router that stealths all the ports, a constantly running spyware detection program that does a daily scan and includes an anti-virus program (ClamAV) and HIPS, and COMODO. In addition, I run AVG on my e-mail, and CCleaner, AD-Aware, and Spybot on a weekly basis, if not more frequently.

BTW… if you have CPF you will not need something as rudimentary as Spyware Terminator. Believe me, the HIPS integrated in CFP (Defense+) is miles ahead of ST (I assume you are running it with HIPS functionality, like you said above).

I was not saying here that I have any malware; it is simply a what-if. I also want to be protected on all sides…

I also assumed that there is no prompt from the CFP FIREWALL (not the HIPS part) for transit packets, so there will be no control over, for instance, VMware virtual machine connections if the network connection is bridged (connected directly to the physical network) - but I am not sure about this last statement; someone should correct me if I am wrong…

If something is allowed to run, that does not presume that it is allowed to listen on ports without my permission; I have CPF installed for such events… (in theory)

COMODO is an exemplary product, but I never put all my eggs in one basket.

Note from above posts that COMODO was willing to let “test” run, but ST alerted when it tried to execute.

Perhaps a change/tightening in the COMODO rules would have caught it, but with my configuration, I don’t have to depend on making just one application or approach bulletproof.

As any good computer security person will advise, “Defense In Depth”

I too have a couple of programs “listening”, but so what? If I understand the design structure of Comodo correctly, my default global rules will protect me. Only the home network could actually hit the listening port (Allow all incoming requests if the sender is in home network). Anything from outside my home network would be blocked by the final global rule in the list (Block and Log IP in from IP any to IP any where protocol is any). While one could make the argument that an “infected” computer on the home network could take shots at the listening port, I probably have bigger issues if that is the case. You could always block out other computers on the home network you don’t trust, but presumably it would be smarter to just “fix” them, and make them secure. I particularly worry about this when my daughter comes home from college with her laptop and jumps on the home network. God knows what she may have picked up on a university network!
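
An added example, not part of any post in this thread: the question of which programs are listening without a firewall prompt can be answered independently of CFP by inventorying sockets in the LISTENING state from `netstat -ano` output and checking each against the two global rules quoted in the last post. The netstat sample is constructed, and `HOME_ZONE`, `EXPECTED_PIDS` and the simplified rule model are assumptions for illustration.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:222            0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1444
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     2200
"""
# Hypothetical values: the home network zone and the PIDs expected to listen.
HOME_ZONE = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_PIDS = {984, 1444}

def listeners(netstat_text):
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, _, port = parts[1].rpartition(":")
            found.append((addr.strip("[]"), int(port), int(parts[4])))
    return found

def inbound_allowed(bind_addr, source):
    """Simplified model of the two global rules: allow home zone, then block all."""
    src = ipaddress.ip_address(source)
    if ipaddress.ip_address(bind_addr).is_loopback:
        return src.is_loopback      # loopback-bound socket is not reachable remotely
    if src.is_loopback or src in HOME_ZONE:
        return True                 # assumption: localhost is trusted like the zone
    return False                    # final "Block and Log IP in" rule

def report(netstat_text):
    """Return (port, pid, exposure, unexpected) for each listener."""
    rows = []
    for addr, port, pid in listeners(netstat_text):
        local = ipaddress.ip_address(addr).is_loopback
        exposure = "local only" if local else "home zone"
        rows.append((port, pid, exposure, pid not in EXPECTED_PIDS))
    return rows

if __name__ == "__main__":
    for port, pid, exposure, unexpected in report(SAMPLE):
        print(port, pid, exposure, "UNEXPECTED" if unexpected else "ok")
```

On a live system the same parser can be fed the real `netstat -ano` output, with PIDs resolved to image names through `tasklist`.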