Log & Rules?

Hi gang,

I installed Comodo for the first time yesterday (R)

I just have two questions for you:

I’m behind a router and I noticed my IP address being blocked in the Comodo log, so I went to “Define a new trusted network” and it automatically detected the router and put a rule in for it.

Since I did this, I see it’s still being blocked according to the log. Can someone guide me in the right direction to fix this? The IP range I was using in ZA Pro is 192.168.11.0-192.168.11.1 and 192.168.11.4.

I’m going to post two screenshots so you can see. I added a rule I saw in the FAQs on your forum, but I don’t know if I put it in the right place or not. Please tell me if something is out of order.

It takes a lot to impress me, and by god Comodo has done this (:CLP) You all have done an outstanding job. I wish you all the BEST (V)

Thank you, Rilla927

[attachment deleted by admin]

Oh Geez,

The log file wasn’t attached. For some reason the second file didn’t attach, sorry.

Rilla927

[attachment deleted by admin]

Can someone take a look at this please (:WIN)

Thanks,

Rilla927

Delete the first rule, as that is blocking all inbound connections. The Network Rules work from the top down, that is, the first rule is checked, then the second rule, etc.

Go to the bottom Block IN/OUT rule and change it to IN only.

Right-click on the connection icon and choose Repair.

If you still can’t connect, check your Activity log to see what ports are being blocked. Then you can make rules for the blocked ports by using the lower window on that same page as your guide.

If you need help writing the rules then click on one of the Blocked rules and take a screenshot of the lower window only, post it here, and we will do one rule at a time until you get connected.

Add any new rules above the bottom Block All IN rule.

Hope this helps you.

jasper ;D

Also remember that you don’t need a specific “In” rule to browse and download from the internet (unless it’s application-specific). If you have an “Out” rule, your surfing and downloads will come as a response to your Outbound request, thus it’s not an “In” action.

There’s a great explanation of Network Control Rules Here. It was written for an earlier version of CPF, so some of the wording is different, but it should help you get the picture.

Like Jasper said, any questions, just ask; someone will be glad to help you…

LM
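Little Mac’s point above (an “Out” rule is enough, because the reply to your own request is not an unsolicited “In”) is what a stateful filter does. The block below is an added example written for this thread, not Comodo code and not from any poster: a minimal connection-tracking filter whose only static rules are outbound, with inbound packets allowed only when they match a request the host already sent. The addresses (192.168.11.6 for the LAN PC, 203.0.113.10 as a web server, 198.51.100.7 as an outside probe) and the allowed port list are constructed for the demo.

```python
"""Added example (not from the forum thread): a minimal stateful packet
filter.  An outbound request creates a state entry; the inbound reply is
matched against that entry and allowed without any "In" rule, while an
unsolicited inbound packet hits no state and is blocked.  Addresses and
the allowed-port list are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (leaving this host) or "in" (arriving)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    """Out-rules are static; every In-decision comes from the state table."""

    def __init__(self, allowed_out_ports):
        self.allowed_out_ports = set(allowed_out_ports)
        # Each entry is (proto, local_ip, local_port, remote_ip, remote_port)
        # and records a request this host initiated.  A real filter also
        # expires entries; that is omitted here to keep the demo short.
        self.state = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port in self.allowed_out_ports:
                self.state.add((pkt.proto, pkt.src_ip, pkt.src_port,
                                pkt.dst_ip, pkt.dst_port))
                return "allow (Out rule)"
            return "block (no Out rule)"
        # Inbound: flip the tuple so the remote side is the sender and look
        # for a request we made that this packet answers.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            return "allow (reply to our request)"
        return "block (unsolicited In)"


def run_demo():
    """Returns the decision for each constructed packet, in order."""
    fw = StatefulFilter(allowed_out_ports={80, 443, 53})
    lan, web, probe = "192.168.11.6", "203.0.113.10", "198.51.100.7"
    packets = [
        # 1. Browser opens a page: matches the Out rule and creates state.
        Packet("out", "tcp", lan, 49152, web, 80),
        # 2. The server's reply comes back to the same 5-tuple: allowed
        #    without any "In" rule.
        Packet("in", "tcp", web, 80, lan, 49152),
        # 3. Someone on the internet probes a port we never asked about.
        Packet("in", "tcp", probe, 4444, lan, 135),
        # 4. Same local port as our request, but from a host we never
        #    talked to: no matching state, blocked.
        Packet("in", "tcp", probe, 80, lan, 49152),
        # 5. Outbound to a port with no Out rule: blocked, no state made.
        Packet("out", "tcp", lan, 49153, web, 6667),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Packet 4 is the one worth noticing: having an open outbound connection to port 80 somewhere does not open your local port to everyone, because the state entry is keyed on the full 5-tuple, not just the local port.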

Hi Jasper, Little Mac,

I did delete the first rule not long after I made it because I could see that it was causing problems.

I’m connected with no problems.

I did get a prompt about SvcHost wanting to act as a server. Just as I was allowing it, I noticed the “Act as Server” part (I didn’t have my glasses on, so I didn’t notice at first), but it was too late. When something like this happens, how do you undo it? It really bothered me because I knew I shouldn’t have done it. Even though I allowed it, Comodo blocked it; boy, did I feel a lot better after I saw that in the log. It was a High Severity.

Do all block rules that are made go at the bottom underneath the default block rule Comodo came with? I have a list of IP Ranges I keep for blocking that I would like to add to Comodo. All these IP Ranges are linked to that Nasty Grozomon Rootkit.

I saw the test results from Matousec yesterday about Comodo and the other FWs. First thing I thought was, yahya, Comodo is kicking all their ■■■■■ :BNC I really, really like this FW (R). It’s user friendly for novices. Comodo has done an “EXCELLENT JOB”.

Now Matousec mentioned he used Comodo at its “Highest Security Settings”; what is considered the highest security settings?

I did read all the info for Network Control rules. I understood some of it, but not all. I will learn as I go along. It’s great when us folks have folks like you all at this forum to go to so we can learn.

One more question before I let you fellers go.

How do you go about testing a FW when you’re behind a router? I thought of just unplugging it, but I don’t know if I would be able to get on the internet because it connects by wireless. I’ve never done it before, so I hope that’s not a dumb question (:SHY)

Thank you, Jasper & Little Mac (:WIN)

Rilla927

Glad you got it working, Rilla927.

[quote]I did get a prompt about SvcHost wanting to act as a server. Just as I was allowing it, I noticed the “Act as Server” part (I didn’t have my glasses on, so I didn’t notice at first), but it was too late. When something like this happens, how do you undo it? It really bothered me because I knew I shouldn’t have done it. Even though I allowed it, Comodo blocked it; boy, did I feel a lot better after I saw that in the log. It was a High Severity.[/quote]

If you allow a program that starts doing weird stuff and you want to stop it right now, you can right-click on the firewall icon down on the lower right and under “Adjust Security Level” choose “Block All”. If that doesn’t stop it then go to the wireless router and unplug the cable from the wireless router to your cable/dsl modem and that will stop it for sure.

[quote]One more question before I let you fellers go.

How do you go about testing a FW when you’re behind a router? I thought of just unplugging it, but I don’t know if I would be able to get on the internet because it connects by wireless. I’ve never done it before, so I hope that’s not a dumb question (:SHY)[/quote]

I just usually plug my Ethernet NIC card straight into my cable/dsl modem with a cable to test mine. That is the easiest for me because I can just disable the modem firewall with one click. There is also a program called SuperScan that you can run from your PC and use an address of 127.0.0.1 that will test for open ports. I’m sure Little Mac or some others can walk you thru some other testing methods that work for them.

As far as wanting to block ranges of addresses, I have seen some people put their rules at the top of the list then they get blocked right away. I probably would put my rules at the bottom just above the Block All IN rule and after all of the Allow rules.

You are now a safer surfer with Comodo! (R)

Hey that would be a good slogan for Comodo, “The Home of the Safer Surfer!”

Ok, enough blabbing from me tonight. Have a good one.

jasper :■■■■

[quote author=jasper2408 link=topic=4140.msg31605#msg31605 date=1164856869]
Glad you got it working, Rilla927.

If you allow a program that starts doing weird stuff and you want to stop it right now, you can right-click on the firewall icon down on the lower right and under “Adjust Security Level” choose “Block All”. If that doesn’t stop it then go to the wireless router and unplug the cable from the wireless router to your cable/dsl modem and that will stop it for sure.[/quote]
Ohh! Okay.

[quote]I just usually plug my Ethernet NIC card straight into my cable/dsl modem with a cable to test mine. That is the easiest for me because I can just disable the modem firewall with one click. There is also a program called SuperScan that you can run from your PC and use an address of 127.0.0.1 that will test for open ports. I’m sure Little Mac or some others can walk you thru some other testing methods that work for them.[/quote]
Once I find a way around the router I will try the SuperScan. I wouldn’t be able to remove the NIC card because it’s a laptop, but I’m sure I will find a way.

[quote]As far as wanting to block ranges of addresses, I have seen some people put their rules at the top of the list then they get blocked right away. I probably would put my rules at the bottom just above the Block All IN rule and after all of the Allow rules.[/quote]
That’s what I figured, but wasn’t sure.

[quote]You are now a safer surfer with Comodo! (R)[/quote]
Yes, you are absolutely right (R)

[quote]Hey that would be a good slogan for Comodo, “The Home of the Safer Surfer!”[/quote]
Yes, it is! They should use it.

[quote]Ok, enough blabbing from me tonight. Have a good one.

jasper :■■■■[/quote]


A man after my own vice :■■■■ :■■■■ :■■■■

You are too cool Jasper (:KWL)

Thanks,

Rilla927

You don’t have to do anything but run SuperScan from your computer. You don’t have to mess with your router.

Also, you don’t have to remove your NIC card. I have two NIC cards in my laptop: wireless and Ethernet (uses a cable to connect). I just use the Ethernet NIC when I’m testing the firewall. Both NIC cards send and receive the same information, basically. You don’t have to remove the NIC; just plug it in using a cable and it should automatically pick up an address from the router. The one thing you will have to do is make a new Trusted Zone on the firewall, as your IP address will change. That’s why I use my machine name instead of a hard-coded IP address when I make rules on a laptop. When I get a different IP address, all I have to do is add a new Trusted Zone and I’m back in business.

Hope this helps you.

jasper ;D

Rilla,

svchost.exe often “acts as a server” internally - on your machine (this is the 127.x.x.x loopback), and between your machine and your router. This isn’t a problem. When you haven’t already allowed it, you should see it typically at startup. When you do something like that and think you need to change your mind, here’s something to do:

  1. Go into the Application rules, find svchost, and delete that rule.
  2. Go into the Component Monitor, find svchost, and delete that rule. (You should be in “Learn” mode here by default, at the start).
  3. Stop and restart CPF.
    a. From the systray icon, right-click, choose “Exit.” CPF will warn you that you won’t be protected. That’s okay.
    b. Start/Programs/Comodo/Firewall/Comodo Firewall. This re-engages CPF, and should reset the svchost (or whatever application you’ve decided you don’t want).

Alternately, you can go find the rule(s) for that application and change from “Allow” to “Block” or “Ask”.

Make sure you have Log Alerts enabled for your Network “Block” rules, so that when a rule is fired, a log entry will be created that you can check for details (you probably do, if you saw the “High Severity” alert).

Yes, the bottom “block” rule should be the absolute stop-all rule. The rules filter from the top, going thru every rule that allows, until it meets one with matching criteria that blocks. So your IP-blocking rules should come before the very bottom. You can also set your browser to block the IP, too. Some other programs like Spyware Blaster, Spybot Search & Destroy will allow you to set blocks for nasty IPs as well.

As Jasper said, to test your firewall go straight thru your modem, being sure to turn off any NAT or hardware firewall with your modem (most modems don’t have NAT, I think). Basically, you’ve got to make sure that your software firewall is what is exposed to the outside…

I was wondering about what Matousec meant by “highest security settings” myself. I think I’ll ask that question…

You can get Superscan 4.0 here: http://www.foundstone.com/resources/proddesc/superscan.htm

Be sure to read the instructions for how to use it, to make sure you’re testing the correct way. It’s pretty specific, and you want to make sure to get the right results.

LM
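Both Jasper’s first reply (delete the top “Block IN/OUT” rule, rules are checked top down, add new rules above the bottom “Block All IN”) and Little Mac’s note above about where IP-blocking rules belong come down to the same mechanism: a rule list that is walked from the top and stops at the first match. The block below is an added example written for this thread, not Comodo’s code: a small first-match rule evaluator with a trusted-zone rule, a block for a nasty IP range, and a logging “Block All IN” at the bottom. The rule names, the 192.168.11.0/24 zone and the 203.0.113.x “nasty” range are assumptions for the demo, not Comodo’s real defaults or Rilla’s actual list.

```python
"""Added example (not Comodo's code): a first-match network rule list
evaluated top down.  It shows why a catch-all block at the top blocks
everything, and why a custom block for a nasty IP range has to sit
above the bottom "Block All IN" rule to be the rule that fires (and
logs).  Rule set, LAN zone and the nasty range are assumed for the demo."""
import ipaddress
from dataclasses import dataclass


def _in_range(ip, spec):
    """spec is 'any', a CIDR such as '192.168.11.0/24', or 'start-end'."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "block"
    direction: str     # "in", "out" or "any"
    src: str = "any"
    dst: str = "any"
    log: bool = False

    def matches(self, direction, src_ip, dst_ip):
        return (self.direction in ("any", direction)
                and _in_range(src_ip, self.src)
                and _in_range(dst_ip, self.dst))


def evaluate(rules, direction, src_ip, dst_ip):
    """Walk the list from the top; the first matching rule decides.
    Returns (action, rule name, whether that rule logs)."""
    for rule in rules:
        if rule.matches(direction, src_ip, dst_ip):
            return rule.action, rule.name, rule.log
    return "block", "<no rule matched>", False   # conservative default


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule with
    src=any and dst=any already covers their direction.  (Only full
    catch-alls are detected; partial overlaps are ignored.)"""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src == "any" and earlier.dst == "any"
                    and earlier.direction in ("any", later.direction)):
                names.append(later.name)
                break
    return names


LAN = "192.168.11.0/24"                     # assumed trusted zone
NASTY = "203.0.113.0-203.0.113.255"         # placeholder for a bad range

# The order Jasper recommends: allows first, the specific block next,
# "Block All IN" last.
GOOD_ORDER = [
    Rule("Allow Trusted Zone IN", "allow", "in", src=LAN),
    Rule("Allow Trusted Zone OUT", "allow", "out", dst=LAN),
    Rule("Allow IP OUT", "allow", "out"),
    Rule("Block nasty range IN", "block", "in", src=NASTY, log=True),
    Rule("Block All IN", "block", "in", log=True),
]
# Rilla's original mistake: a catch-all block on top of everything.
BLOCK_ON_TOP = [Rule("Block IN/OUT any", "block", "any")] + GOOD_ORDER
# The nasty-range block placed *under* "Block All IN": never reached.
WRONG_BOTTOM = GOOD_ORDER[:3] + [GOOD_ORDER[4], GOOD_ORDER[3]]

if __name__ == "__main__":
    pc, router, bad, web = "192.168.11.6", "192.168.11.1", "203.0.113.5", "198.51.100.20"
    print("good  :", evaluate(GOOD_ORDER, "in", router, pc))
    print("good  :", evaluate(GOOD_ORDER, "in", bad, pc))
    print("on top:", evaluate(BLOCK_ON_TOP, "out", pc, web))
    print("bottom:", evaluate(WRONG_BOTTOM, "in", bad, pc))
    print("shadowed in WRONG_BOTTOM:", shadowed(WRONG_BOTTOM))
```

In WRONG_BOTTOM the packet from the nasty range is still blocked, but by the generic “Block All IN” rule, so the log never names the range you wanted to watch; that is the practical reason the specific block goes above the catch-all rather than below it.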

Here’s what Egemen has to say about the “Highest security” on the Matousec test.

https://forums.comodo.com/index.php/topic,4175.msg31651.html#msg31651 (R)

I also want to clarify what I said about Superscan. The key there is that you want to make sure you know what you’re scanning - computer, router, modem, etc. If you open CPF on the main page (lower right) it shows your network adapter, IP, Subnet Mask, etc. That IP is your computer. You can also check all this info by Start/Run/cmd and typing “ipconfig /all”. 127.0.0.1 is your local host (internal to your machine).

Here’s a good article about Superscan: http://articles.techrepublic.com.com/5100-6345_11-5215709.html?tag=crm

Ultimately, you want to see that it finds no open ports… :wink:

LM
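Jasper and Little Mac suggest SuperScan against 127.0.0.1, and Little Mac adds the key caveat: 127.0.0.1 is the machine itself, so it only tells you what is listening locally, not what someone outside the firewall can reach. The block below is an added example written for this thread, not SuperScan and not from any poster: a plain TCP connect() scanner that reports open, closed and filtered (no answer) ports, with a throw-away listener so it can be run offline. Treating a timeout as “filtered” is an assumption the scanner makes; the port numbers are whatever the OS hands out at run time. To test what the outside sees, point scan_ports at the adapter IP from ipconfig /all, from a machine on the far side of the firewall.

```python
"""Added example (not SuperScan, not from the thread): a TCP connect()
port scanner plus a demo listener.  Scanning 127.0.0.1 only shows what
listens on this machine; run the same scan against the adapter's IP from
another host to see what the firewall actually exposes.  Classifying a
timeout as "filtered" is this example's assumption."""
import errno
import socket


def scan_ports(host, ports, timeout=0.5):
    """Return {port: 'open' | 'closed' | 'filtered'}.

    open     -> connect() succeeded: something is listening
    closed   -> host answered with RST (ECONNREFUSED): reachable, nothing there
    filtered -> no answer within the timeout: a firewall dropped the SYN;
                a "stealthed" port looks like this from the outside
    """
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            rc = sock.connect_ex((host, port))   # errno instead of raising
        except OSError:
            rc = errno.EAGAIN                    # treat as "no response"
        finally:
            sock.close()
        if rc == 0:
            results[port] = "open"
        elif rc == errno.ECONNREFUSED:
            results[port] = "closed"
        else:
            results[port] = "filtered"
    return results


def demo_listener(host="127.0.0.1"):
    """Bind a listening socket on an ephemeral port so the scanner has
    something to find.  Returns (socket, port); the caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a port nothing listens on: bind to 0, read the number, close."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_demo():
    """Scan one listening and one closed loopback port.
    Returns (results, open_port, closed_port)."""
    srv, open_port = demo_listener()
    closed_port = free_port()
    try:
        results = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, o, c = run_demo()
    print(f"127.0.0.1:{o} -> {results[o]}   (demo listener)")
    print(f"127.0.0.1:{c} -> {results[c]}")
```

Against loopback you will only ever see open or closed, because nothing filters traffic the machine sends to itself; the “filtered” result is what a correctly stealthed port produces when scanned from outside, which is the check this thread is really after.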

@Jasper & Little Mac,

I bypassed the router and every port is 100% stealthed :BNC

Comodo seems to ask over and over the same thing even though I put it in the trusted zone with Apply to All. Sometimes a prompt will come up and I will click allow and it just sits there and does nothing, it won’t go away. My system just locked up on me a few minutes ago when this happened. I don’t know if Kav’s process started at this time or not.

I love this FW (V)

I will have to keep an eye on things.

Just want to clarify. When I make a new rule it will go above the “Block All Rule” right?

Should there be a rule for SvcHost?

Thanks (:WIN)

Rilla927

Good report on the stealthing; just what is expected! :wink:

Try this - run the Scan for Known Applications wizard. Then reboot your computer.

If Comodo is still giving you alerts for your router after that, please capture & post a screen shot of the next popup you’re getting for that.

LM

PS: No, you shouldn’t need a special rule for svchost.
PS2: Yes, when you make a new rule, it will go above your “Block All” rule.
PS3: What AV are you running?

I should have asked this question before. I needed to make a rule so Comodo wouldn’t block some stuff from my Router. It’s an IP Range. I put it above my Marvell. Is this correct?
http://i143.photobucket.com/albums/r157/Rilla927/ComodoNetworkRules.png
Thanks,

Little Mac

As far as I see, that should work. The proof is whether or not it’s working for you! If it’s working, then you’ve got it. As far as the rule placement, it should be fine. Primary thing is that it comes before a rule that would block it. With some applications that require specific network rules, I have the impression (although I’m not sure) that the order of rules becomes important, but for router communication it really shouldn’t.

If you have any problems with it, I would remove the rule, run the Network Wizard for your router, name it, and reboot. If it works as it is, I’d leave it alone…

LM

Well, the only thing I was concerned about is that I see my address in these Outbound Policy Violations when I don’t have that rule at the top for the IP Range. (See screen shot) When the rule for the IP Range is there nothing is blocked.

The 192.168.11.6 is what the router issued to identify this PC, but this PC still needs to communicate with the router through 192.168.11.0-192.168.11.1, otherwise the router would be blocked.

Comodo automatically uses 192.168.11.6 (will post screenshot) when I ran the Network Wizard only. So the other two addresses are not being seen by Comodo, and that’s what I was wondering about with all the Outbound Policy Violations.

I guess it comes down to the order of the rule. When I had ZA I put the IP Range 192.168.11.0-192.168.11.1 rule before the actual IP for the PC itself, otherwise it would be blocking the router. I’m going to try this and I will let you know what happens.

The Antivirus I’m using is Kaspersky 6.0. Sorry I missed it before.

http://i143.photobucket.com/albums/r157/Rilla927/OutboundPolicyViolationDetails.png

Rilla927

That outbound warning is IGMP; that’s a multicasting protocol. Your router might be involved with that, but I doubt it. Typically it’s related to software on your machine; Messenger does it, as do others. If you are not intentionally multicasting, you probably don’t need IGMP, and you can create a block for it. Better yet, look at what application is causing the IGMP traffic, and stop that as well…

LM

I have Windows Messenger blocked. Could it be Google Talk? I wonder how I find out.

Little Mac send me to my room, I’m a bad girl (:SHY)

I guess this is what happens when you don’t wear your glasses.

I just noticed for the first time when I highlight the Marvell Yukon (under details) that it is covering everything for the Router so I have been worrying for nothing, it is all covered :BNC

See here:

I’m sorry (CLY)

Little Mac thank you for being so helpful (:HUG)

Rilla927

Google Talk, hmm? Could be the culprit. ;D Glasses can be a necessity… :wink:

Glad to help. Once you see that it works the way you need it to, if this issue is good to go, would you please do the following for others’ benefit:

Go to your original post in this topic, click to Edit (the little finger icon toward the lower right) and add [Resolved] to the Subject line, either before or after your existing text.

If you continue to experience difficulties with this, by all means post back.

LM

Ya, I know but I hate glasses (:AGY)

The only problem I’m having is with Online Armor constantly crashing. It never did that before. I did a search on OA where some others had issues, but I couldn’t find anything on a fix.

I uninstalled the version that was crashing and Mike gave me a logging version to install so we could find out what the problem was but since I installed the logging version OA hasn’t crashed at all. But the logging version is a newer version though.

I’m going to uninstall this logging version probably later tonight and reinstall my regular version. I just hope it doesn’t keep doing what it was doing. Either way we will get it sorted. I will keep you posted.

Thanks as always,

Little Mac