Not stealthed

Sorry to post this a second time but I haven’t had any reply yet.

Original post read
“I have been using COMODO firewall for a month …no problems…
However, I checked with SHIELDS UP (Gibson) today and it showed that
Port 1 tcpmux - TCP Port Service Multiplier - was closed but not stealthed
Before, I got 100% stealth rating and I have changed nothing.
Any comments about this?
How can I stealth this port?”

Is there any reason why this port does not show up as stealthed?
I never had this result in the past.
Can anyone tell me how to steath this port?
Does anyone else have this result ?
I cannot understand why this firewall does not stealth this particular port
I would appreciate any advice

Sorry no one has answered your first thread, TheBFG. (BTW, I removed that older one to avoid duplication).

I would’ve answered earlier, without a doubt, had I known the answer :-[. The fact that it’s closed rather than stealth means that CFP is at least protecting you because you’re still safe. The basic difference is that stealth means the internet won’t “know” your ports are there or not. Another thing to note is that there is some application/process/service running that is using this port if I’m not mistaken.

I found some related info:

TheBFG, are you behind a router? Because if you are, this test scans your router, not your computer.

I don’t know about that, Bubu74. Why would it also be just port # 1?

I’m not sure I know why its just port 1, but there is a thread over at Wilders : (granted its not about CFP) that has some details about port 1 and routers…


I’m not sure, I think it depends on the firewall that is integrated into the router.

When I run the GRC test connected through a router, I also get many closed ports, depending on the router’s firewall settings. On the other hand, when connecting with dial-up, all ports are stealth :slight_smile:

Thank yous. I don’t have a router so I didn’t know. Two members with the same answer must be right. :smiley:

Some say that GRC doesn’t report correctly on some issues, so it may be worth trying some other tests, such as


With the exact same setup, I get different responses on each test site. And yes, I’m behind a router, so that’s being tested. I can go from one to the other, with the same applications running, and have different results. Go figure.

Whether they’re inaccurate or not, they are different. This would lead me to question the accuracy, at any rate.

Generally it seems to be considered a better/more reliable test to use a resident scanner (such as SuperScan) and scan the localhost for open ports.

There is also debate over whether it is “better” to have “stealthed” ports or “closed” ports; all agree you do not want “open” ports! Basically, if a hacker gets either no reply (stealth) or a port unreachable reply (closed), they know the same thing: a computer is there, and it has a firewall.


And what about a listening port that’s opened up for a program like uTorrent to accept incoming connections? When testing at those scanning sites it shows Opened, but is it just for uTorrent or can the internet hack from there? (Common question, but our friends need to know (:WIN))

If a port is open and you don’t have CFP (or some form of firewall), you’re vulnerable.

However, with CFP an inbound connection will only be allowed if there is an allowed application actively running to receive it. So to take the p2p example, with utorrent. Let’s say you have rules in the NetMonitor to allow TCP, and UDP In, on port 46847 (just to pick a number). There are a couple things you need to know:

  1. The port is not OPEN. Not unless utorrent is running; then it’s a listening port (which is still not actually the same as being open). This is why it’s important to set the port in the p2p application, application & network rules, so that access is controlled, and you don’t have some other application authorized to use the same port…
  2. In order for a connection to be successful, utorrent must be running and accessing the torrent (now the port will be seen as open). However, there can only be a connection if the NM rule matches an AM rule, and the app in question is actively running.

Just to give an idea of testing your security, here’s some scan results:

The IP list contains 1 entries Service TCP ports: 179 Service UDP ports: 88 Packet delay: 10 Discovery passes: 1 ICMP pinging for host discovery: Yes Host discovery ICMP timeout: 2000 TCP banner grabbing timeout: 8000 UDP banner grabbing timeout: 8000 Service scan passes: 1 Hostname resolving passes: 1 Full connect TCP scanning for service scanning: No Service scanning TCP timeout: 4000 Service scanning UDP timeout: 2000 TCP source port: 0 UDP source port: 0 Enable hostname lookup: Yes Enable banner grabbing: Yes

Scan started: 03/13/07 11:25:33

-------- Scan of 1 hosts started --------
Scanning 1 machines with 1 remaining.
-------- Host discovery pass 1 of 1 --------
Host discovery ICMP (Echo) scan (1 hosts)…
1 new machines discovered with ICMP (Echo)
TCP service scan (SYN) pass 1 of 1 (1 hosts x 179 ports)…
UDP service scan pass 1 of 1 (1 hosts x 88 ports)…
Performing hostname resolution…
Performing banner grabs…
TCP banner grabbing (0 ports)
UDP banner grabbing (0 ports)
Reporting scan results…
-------- Scan done --------

Discovery scan finished: 03/13/07 11:25:46

This was done just now, while connected to the internet, with Firefox running. Note the attached screenshot from currports; firefox has established connections on localhost, but the scan still shows nothing is open…


[attachment deleted by admin]

So in short, there’s nothing to worry if it’s set up in the application, the Application Monitor, and the Network Monitor to all match the same port #.

Thanks for the explanation.

In short, you are correct. :smiley:

Little Mac, sorry for being off topic, but may I ask you what options did you use for this scan? Whatever I do, all I get is this:

What am I doing wrong? ???


I’ve attached two 'shots of SuperScan settings. If yours is the same, I’m not sure. The only thing I would think at that point is if you blocked it with CFP; I normally get two popups asking permission to connect, which I allowed (without remember).


[attachment deleted by admin]

Thanx for the answer.
Unfortunately it didn’t help :(, it still cannot find localhost…
I don’t think that CFP blocks it, since I’ve tired scanning with CFP off (allow all)

I finaly solved the problem with superscan not scanning the localhost: for some reason it doesn’t work with the wireless connection, but it works perfectly with the wired one.

But there is another problem: superscan found 5 opened ports:

TCP Ports (5)
113 Authentication Service
135 DCE endpoint resolution
445 Microsoft-DS
1025 network blackjack
5000 UPnP / / Socket de Troie (Windows Trojan)

Total hosts discovered 1
Total open TCP ports 5
Total open UDP ports 0

Is this something I should be worried about?

Thanks for the replies
My set up …I have cable connection in my home. Three computers are on the network.
One of them (mine) has COMODO firewall…the other two use XP2 firewall.
The cable modem output is split by a switching HUB.
Two weeks ago this setup was exactly the same and ALL computers recorded 100% stealth on the Shields Up test.
Now ALL computers show port 1 as closed rather than open.
So I realize now that maybe it’s not a COMODO issue.
But I still don’t see why the change occurred.
But at least I can see COMODO is doing it’s job in the light of the replies.
If anyone has any other suggestions I appreciate it ( It’s always good to increase knowledge!)

First question, did you have any applications (such as your browser) open when you ran Superscan?

Port 113 is normally used for IDENT on IRC channels.
Port 135 is for RPC (Remote procedure Call) used by some applications in an MS world.
Port 445 is used for various things on a MS Active Directory network.
Port 1025 is a bit strange! Do you play on-line card games?
Port 5000 is for SSDP and UPNP unless you have a router that needs this you can kill the services.

I guess we need a little more information to make a decision…



A couple questions:

  1. What Make/Model of cable modem do you have?
  2. If you open CFP, on the Summary page on lower right, it shows your IP address. Is this address the same/different than the one showing in your posts on the lower right corner?