I’ve got this weird issue with Comodo firewall seemingly blocking “Windows Operating System”.
I’ve checked the logs and roughly every hour there is an entry in “Firewall Events” for “Windows Operating System” as follows:
Date Application Action Direction Protocol Source IP Destination IP
2016-02-22 16:15:41 Windows Operating System Blocked In ARP xxx.xxx.x.xx xxx.xxx.x.xx
2016-02-22 13:43:41 Windows Operating System Blocked In ARP xxx.xxx.x.xx xxx.xxx.x.xx
2016-02-22 13:19:29 Windows Operating System Blocked In ARP xxx.xxx.x.xx xxx.xxx.x.xx
the xxx.xxx.x.xx are all the same except for the last two digits that vary only slightly each time. They are the same for both in and out.
This is a new install of Windows 10 as the previous install was having issues and brining up errors when doing a System File Check. Comodo then started having “Access Denied” when trying to update.
Only basic additional software, such as browser, etc, has been installed.
Any suggestions on the course of action to take?
I’ve never had this before, even with the previous Windows 10 install.
I’ve done full scans that have come back clean and SFC reports that everything is fine.
This is the result of having enable anti-ARP spoofing set in the firewall advanced settings. When the source and destination IP address is the same and the protocol is ARP, the firewall is blocking gratuitous ARP frames. Back in CIS 5.x it was possible to disable blocking of gratuitous ARP packets while still protecting agains ARP cache poisoning attacks see this for version 5 Advanced Settings | Comodo Internet Security | Comodo Internet Security v5.9/5.10 but now its hardcoded enabled when setting anti-ARP spoofing. Unless you are using a laptop that you use to connect to public networks, you really don’t need to have this setting enabled because the chance of someone accessing your home network to perform a MiTM attack via ARP cache poisoning is highly unlikely to happen to you. Unless of course you have no control over who connects to your local network.
That is a fantastic and detailed reply, thank you. Exactly the kind of indepth info I was hoping for.
This is the first time I have encountered this and I could have sworn I was enabling Anti-ARP spoofing with each installation of CIS.
I have disabled this setting but will keep this in mind if I ever use my laptop on a public network. Many thanks!
My searches brought up others that had encountered this very issue, going back a couple of years. This is the first instance of an explanation and direct highlighting of the cause. I’m sure others who encounter this now will appreciate your reply.
I’m curios, though. Why was Windows making this kind of traffic?
Windows isn’t creating the traffic but is being blocked from receiving the packets as all network traffic is handle by the Windows networking stack which is located in the kernel. When you see blocked intrusions with the direction of incoming and the “application” says windows operating system, it just means the firewall is blocking the packets from reaching the Windows kernel/networking stack to process the packet.
Ahh, I understand.
That’s everything cleared up now.
Thanks again, futuretech!