Just upgraded today to CIS 4. I'm running Win 7 Ultimate and receiving a large number of intrusion attempts,
mostly with the following info. What are they and how do I get rid of them?
Windows Operating System Blocked In ICMP 192.168.1.254 Type(3) 192.168.1.65 Code(1)
E:\Program Files\Skype\Phone\Skype.exe Blocked In UDP 192.168.1.64 51937 192.168.1.65 1689
E:\Windows\System32\svchost.exe Blocked In UDP 192.168.1.254 1900 192.168.1.65 57849
To be honest I am not sure how I can allow these. I've been running CIS for years, so I can't believe they are bad, otherwise they would have been picked up before. Guess it's something new in CIS4.
PS: This continues to bug me, with many more events this morning. Am I better off reinstalling the previous version of CIS?
New: 100s of events this morning
3/15/2010 8:54:55 AM Windows Operating System Blocked In UDP 192.168.1.254 1900 192.168.1.65 53753
3/15/2010 8:57:05 AM E:\Windows\System32\svchost.exe Blocked In UDP 192.168.1.254 1900 192.168.1.65 63278
The default rules for the firewall changed with v4 to block all incoming traffic by default, without notification.
Traffic from 192.168.1.254 is probably coming from your router. To get rid of that traffic you can make the router IP address or your local network a trusted zone. Following is a tutorial on how to make your local network trusted; you can adapt it to making only the router IP address trusted.
You will need to define your local network as a trusted network by using the Stealth Ports Wizard.
First we need to do some groundwork by defining your local network. That is done under Firewall → Advanced → Network Security Policy → My Network Zones.
Usually you will find it defined by the automatic detection of new private networks. You will see a network defined with an IP address/mask like 192.168.1.x/255.255.255.0. Select and Edit it and give it a proper name like My Home Network.
In case it is not there we will define it. Choose Add → A New Network Zone → enter the name: My Home Network → Apply.
Now select My Home Network → Add → A New Address → choose An IP Address Mask → fill in your local IP address in the first part (192.168.1.x; with x being a number) and 255.255.255.0 in the second part.
Now open the Stealth Ports Wizard → select “Define a new trusted network - stealth my ports for everyone else” → Next → select “I would like to trust from a network zone previously defined” → from the drop down menu below choose My Home Network → Finish.
Now we are done. You can see the newly added rules under Firewall → Advanced → Network Security Policy → Global Rules.
The ICMP message Type (3) Code (1) means “Destination host unreachable”.
The traffic on port 1900 is part of the Universal Plug and Play framework (UPnP). UPnP makes it possible for devices to find each other on the local network to share files, and makes it possible for programs to open and close ports on the router (port forwarding).
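As an added example (not from the thread or from Comodo), here is a small triage script that parses event lines in the format the poster quoted and labels them the way the reply above explains them: ICMP Type 3 from the router, UDP 1900 (UPnP/SSDP) from the router, other LAN chatter, and anything from outside the LAN. The sample lines are constructed from the thread; the last one is an invented external event for contrast, and the log layout, LAN range and router address are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the CIS 4 "Firewall Events" lines quoted
# in this thread; the last line is an invented external event for contrast.
SAMPLE_LOG = r"""
3/15/2010 8:54:55 AM Windows Operating System Blocked In UDP 192.168.1.254 1900 192.168.1.65 53753
3/16/2010 5:40:52 PM Windows Operating System Blocked In ICMP 192.168.1.254 Type(3) 192.168.1.65 Code(1)
3/16/2010 5:40:56 PM Windows Operating System Blocked In ICMP 192.168.1.254 Type(3) 192.168.1.65 Code(1)
3/16/2010 10:23:32 AM E:\Program Files\Skype\Phone\Skype.exe Blocked In UDP 192.168.1.64 51937 192.168.1.65 1689
3/16/2010 10:25:00 AM Windows Operating System Blocked In TCP 203.0.113.7 4444 192.168.1.65 445
"""

# Assumed layout: date, time, app, action, direction, protocol, src, src port
# (or ICMP Type), dst, dst port (or ICMP Code).
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<app>.+?) "
    r"(?P<action>Blocked|Allowed) (?P<dir>In|Out) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<sinfo>\S+) (?P<dst>\S+) (?P<dinfo>\S+)$"
)

LAN = ipaddress.ip_network("192.168.1.0/24")   # the poster's home network (assumed)
ROUTER = "192.168.1.254"                         # the poster's router (from the thread)

def parse_line(line):
    """Return one event as a dict, or None if the line is not a firewall event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["proto"] == "ICMP":   # ICMP lines carry Type(n) / Code(n) instead of ports
        ev["icmp_type"] = int(re.search(r"\d+", ev["sinfo"]).group())
        ev["icmp_code"] = int(re.search(r"\d+", ev["dinfo"]).group())
    else:
        ev["sport"], ev["dport"] = int(ev["sinfo"]), int(ev["dinfo"])
    return ev

def classify(ev):
    # Origin first: the router, another LAN host, or something outside the LAN.
    src = ipaddress.ip_address(ev["src"])
    origin = "router" if ev["src"] == ROUTER else "lan" if src in LAN else "internet"
    if ev["proto"] == "ICMP" and ev["icmp_type"] == 3:
        return f"icmp-unreachable/{origin}"        # Type 3 = destination unreachable
    if ev["proto"] == "UDP" and 1900 in (ev["sport"], ev["dport"]):
        return f"upnp-ssdp/{origin}"               # SSDP discovery on UDP 1900
    return f"{ev['proto'].lower()}-unsolicited/{origin}"

def summarize(text):
    # Count events per label so LAN chatter can be separated from external hits.
    return Counter(classify(ev) for ev in map(parse_line, text.splitlines()) if ev)
```

Running `summarize(SAMPLE_LOG)` shows that all but one of the sample events are router or LAN noise of the kinds the reply describes; only the `*/internet` bucket is worth a closer look.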
OK, thanks for responding. I carried out your instructions; the network was already there and the Stealth Ports Wizard told me that the network zone had already been added to the trusted zone list.
Today I am up to 697 intrusion attempts!!
Most are like this
3/16/2010 5:40:52 PM Windows Operating System Blocked In ICMP 192.168.1.254 Type(3) 192.168.1.65 Code(1)
3/16/2010 5:40:56 PM Windows Operating System Blocked In ICMP 192.168.1.254 Type(3) 192.168.1.65 Code(1)
3/16/2010 5:41:04 PM Windows Operating System Blocked In ICMP 192.168.1.254 Type(3) 192.168.1.65 Code(1)
3/16/2010 5:41:20 PM Windows Operating System Blocked In ICMP 192.168.1.254 Type(3) 192.168.1.65 Code(1)
and some like this
3/16/2010 10:23:32 AM E:\Program Files\Skype\Phone\Skype.exe Blocked In UDP 192.168.1.64 51937 192.168.1.65 1689
3/16/2010 10:23:36 AM E:\Program Files\Skype\Phone\Skype.exe Blocked In UDP 192.168.1.64 51937 192.168.1.65 1689
Also I have been unable to find how to clear the logs; it seems to be different in CIS4?
Can you show me screenshots of My Network Zones and Global Rules?
Screenshots attached. Started up this morning and within 15 minutes I'm up to 45 intrusion attempts.
How can I clear the logs?
CIS4 going mad: today I have had 1700-odd intrusion attempts. Why is my PC being attacked since I upgraded to CIS4? It wasn't reported in CIS3.
The Global Rules changed for v4 to a default stealth: block all unsolicited incoming traffic. I think there are easily 4 ICMP alerts per minute coming from your router. So over hours that can add up considerably. (On a side note, it's a bit odd for a router to be telling you it is not reachable.)
The easiest thing to do is to create an allow rule in Global Rules for incoming ICMP Type (3) Code (1).
Here is how to add that rule. When in Global Rules → Add → fill in the following:
Description: Allow ICMP Destination Host Unreachable message from router
Source Address: 192.168.1.254
Destination Address: 192.168.1.65 *
ICMP details: ICMP Host Unreachable
When done push Apply → make sure the new rule is somewhere above the basic block rule (with the red icon) → Ok.
* Only use an IP address as a way of identification here when using a fixed IP address; otherwise use your computer's name or MAC address.
Tried that using the IP address and the MAC address; no change, the event logs keep filling up.
This is becoming an increasingly annoying problem. I have made the changes using the rules suggested and I would say the logging has become even more frenetic. The intrusion attempts are at 450 within 15 minutes of the PC being on. I did try this with a single IP address and with a MAC address and it really has only increased the logging. I am using Win 7 Ultimate and the only application running at startup is Skype, if that helps to diagnose the problem in any way. CIS4 is set up with complete default rules and I have allowed the network and the common applications I use: browsers, the ATI video driver application, Xmarks, Live Mail etc.
Would you suggest returning to CIS3 as I do not have this problem with that version?
Can you try the following? In the Global Rule you made, change ICMP details to Custom and fill in Type 3, Code 1.
Just to be certain here. Make sure the ICMP rule is above the basic block rule.
Altered the rule; no difference. The log is running at about 250 intrusions an hour. The rule is on line 3 of Global Rules, immediately after the network in and out rules. It is still logging the same issue. Thanks
That’s interestingly wicked. I will ask the other mods to share their wisdom here.
Another “All Applications” Block and Log All IN issue.
Please edit the Firewall, Applications, “All Applications” rule and add the following line above the Block rule:
Your global rules will only allow specific cases and the rest will be blocked.
You can also add a rule to prevent logging and keep blocking it, like:
Type 3 Code 1
and locate this above the Block and Log rule. BUT it's better to allow ICMP type 3 messages; they could speed up your torrent and other P2P traffic, because the system then directly knows this host is unreachable (Type 3 / Code 1).
Could you please give me the exact menu options to edit this rule. I tried to edit the All Applications rule and it wouldn't allow me. I ended up with three All Applications rules and then couldn't delete them. I reinstalled CIS4. Thanks
Right, figured it out. Got the new rule in place and yes, the intrusion attempts are now stable. I only included the first rule as I do use some P2P apps. One final question: how can I clear the logs? My reinstall did not get rid of the old log files, I have some 30,000 records in there and would more or less like to start from scratch to see what is going on.
Appreciate your help
At the moment you need to delete it manually:
C:\Documents and Settings\All Users\Comodo\Firewall Pro*.sdb
(depending on Vista/Win7 or WinXP).
Maybe you have to close the GUI via the tray icon (Exit) before you can delete them…