Good Evening all. So I’ve spent the entire weekend searching through numerous FAQs, forum posts, and general info on the web. I’ve managed to solve some problems but not all. I thank you in advance for your help.
My problem is this - I originally noticed that my internet seemed a little slower than usual (perhaps unrelated) and I was getting anywhere from 20 to 40 medium severity log entries per minute - most were OUTBOUND POLICY VIOLATION (Access Denied, ICMP = PORT UNREACHABLE).
After some research, I found out that these entries were coming as a result of my torrent program “advertising my PC to the world”.
From the original post asked by a different forum member:
https://forums.comodo.com/help/outbound_policy_violations_gone_haywire_please_help-t14030.0.html
[i]When you shut off the Torrent program your PC knows that the program is shut off but the rest of the world doesn't, so those PCs keep trying to connect to you. You might try allowing the ICMP Port Unreachable packets out so that it will maybe tell the other PCs that you aren't available and they will stop trying to connect to you. When I have used those types of programs it can take from a couple of days to months for the traffic to stop.[/i]
As per the advice to the original poster, I added a rule that allows ICMP out where ICMP message is Port Unreachable. This eliminated a great deal of the block logs. Following this fix, I am now getting a number of other recurring logs and am wondering whether anyone can help explain these log reports to me and whether I should be concerned?
Here are my log files:
Date/Time: 2007-11-04 21:17:06 (this one repeats again and again, from the same IP address but different ports)
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 99.250.218.199, Port = 5900)
Protocol: TCP
Incoming Source: 99.250.218.199:27364
Destination: 99.250.XX.XX:5900
TCP Flags: SYN
Reason: Network Control Rule ID = 7
In the attackers’ world, this port is usually used by Trojan.Backdoor.Evivinc(5900)
[i](This is recurring from the same IP address but different ports - not in a specific pattern, sometimes once every minute, sometimes once every 5 minutes - and is my biggest concern. I run an updated AVG antivirus + online PANDA virus scans, as well as Spyware Terminator and Spybot Search & Destroy. No viruses have been found and my computer is not acting weirdly.
It is coming from the same domain as my own IP address - ROGERS???)[/i]
Date/Time: 2007-11-04 21:08:21
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST)
Protocol: ICMP
Incoming Source: 99.250.219.240
Destination: 99.250.XX.XX
Message: ECHO REQUEST
Reason: Network Control Rule ID = 7
(As above, same IP address as my own IP provider ROGERS)
These ones run as soon as I start the computer:
Date/Time: 2007-11-04 21:06:26
Severity: Medium
Reporter: Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol: IGMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.22
Reason: Network Control Rule ID = 7
(my own research shows that it seems to have something to do with ALL-ROUTERS.MCAST.NET, but I’m not sure what is happening here…)
Date/Time: 2007-11-04 21:06:26
Severity: Medium
Reporter: Network Monitor
Description: Outbound Policy Violation (Access Denied, ICMP = ROUTER SOLICITATION)
Protocol: ICMP Outgoing
Source: 99.250.XX.XX
Destination: 224.0.0.2
Message: ROUTER SOLICITATION
Reason: Network Control Rule ID = 7
Date/Time: 2007-11-04 21:06:26
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.249.64.1, Port = dhcp(68))
Protocol: UDP Incoming
Source: 10.249.64.1:bootp(67)
Destination: 255.255.255.255:dhcp(68)
Reason: Network Control Rule ID = 7
If someone could please kindly explain these violations, it would be very much appreciated.
These are my current network control rules:
- Allow TCP/UDP OUT from IP [ANY] to IP [ANY] where source port is [ANY] and destination port is [ANY]
- Allow ICMP OUT from IP [ANY] to IP [ANY] where ICMP message is ECHO REQUEST
- Allow ICMP OUT from IP [ANY] to IP [ANY] where ICMP message is PORT UNREACHABLE
- Allow ICMP IN from IP [ANY] to IP [ANY] where ICMP message is FRAGMENTATION NEEDED
- Allow ICMP IN from IP [ANY] to IP [ANY] where ICMP message is TIME EXCEEDED
- Allow IP OUT from IP [ANY] to IP [ANY] where IPPROTO is GRE
- Allow TCP/UDP IN from IP [ANY] to IP [ANY] where source port is [ANY] and destination port is 58483 (this is for uTorrent)
- Block and Log IP IN/OUT from IP [ANY] to IP [ANY] where IPPROTO is ANY
The only other activity that I am unsure of is that svchost.exe continually shows up in the CONNECTIONS window: Protocol - UDP In/Out, Source - 0.0.0.0:68, Destination - 255.255.255.255:67
If I can offer any additional information, please let me know.
Regards,
Dale Russell
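The following is an added worked example, not part of the original post and not Comodo's own code. It replays the eight network control rules listed in the post, in order, against the five blocked packets from the log using a plain first-match evaluator, to show why every one of them ends at "Rule ID = 7". It assumes Comodo numbers rules from 0, which is consistent with the log: ID 7 is the eighth rule, the final Block and Log entry. The masked victim address 99.250.XX.XX is stood in by the constructed placeholder 99.250.0.0, and the three "proposed" allow rules (DHCP offer/ack broadcast from UDP 67 to 68, outbound IGMP to the 224.0.0.0/4 multicast range, outbound ICMP Router Solicitation to 224.0.0.2) are the example's own suggestion for silencing the local housekeeping noise while leaving the inbound TCP SYN to port 5900 blocked and logged.

```python
"""First-match evaluation of the posted firewall rules against the logged packets.
Constructed example: packets and rules are transcribed from the forum post; the
PROPOSED_RULES additions are an assumption, not advice from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                  # "IN" or "OUT" relative to this host
    proto: str                      # "TCP", "UDP", "ICMP", "IGMP", "GRE"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_msg: Optional[str] = None  # e.g. "ECHO REQUEST"


@dataclass(frozen=True)
class Rule:
    action: str                     # "ALLOW" or "BLOCK"
    direction: str                  # "IN", "OUT" or "IN/OUT"
    protos: tuple                   # protocols covered; () means any
    dport: Optional[int] = None     # destination port constraint, None = any
    sport: Optional[int] = None     # source port constraint, None = any
    dst_net: Optional[str] = None   # destination network constraint, None = any
    icmp_msg: Optional[str] = None  # ICMP message constraint, None = any

    def matches(self, p: Packet) -> bool:
        if self.direction != "IN/OUT" and self.direction != p.direction:
            return False
        if self.protos and p.proto not in self.protos:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dst_net is not None and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.icmp_msg is not None and p.icmp_msg != self.icmp_msg:
            return False
        return True


# Rules 0..7 exactly as listed in the post. Assumption: IDs are zero-based,
# so the logged "Network Control Rule ID = 7" is the final Block-and-Log rule.
POSTED_RULES = [
    Rule("ALLOW", "OUT", ("TCP", "UDP")),
    Rule("ALLOW", "OUT", ("ICMP",), icmp_msg="ECHO REQUEST"),
    Rule("ALLOW", "OUT", ("ICMP",), icmp_msg="PORT UNREACHABLE"),
    Rule("ALLOW", "IN", ("ICMP",), icmp_msg="FRAGMENTATION NEEDED"),
    Rule("ALLOW", "IN", ("ICMP",), icmp_msg="TIME EXCEEDED"),
    Rule("ALLOW", "OUT", ("GRE",)),
    Rule("ALLOW", "IN", ("TCP", "UDP"), dport=58483),   # uTorrent listen port
    Rule("BLOCK", "IN/OUT", ()),                        # block and log everything else
]

# The five blocked packets from the log. 99.250.0.0 is a constructed stand-in
# for the masked 99.250.XX.XX address.
LOGGED = {
    "vnc_syn":   Packet("IN", "TCP", "99.250.218.199", "99.250.0.0", 27364, 5900),
    "ping":      Packet("IN", "ICMP", "99.250.219.240", "99.250.0.0", icmp_msg="ECHO REQUEST"),
    "igmp":      Packet("OUT", "IGMP", "99.250.0.0", "224.0.0.22"),
    "rtr_solic": Packet("OUT", "ICMP", "99.250.0.0", "224.0.0.2", icmp_msg="ROUTER SOLICITATION"),
    "dhcp":      Packet("IN", "UDP", "10.249.64.1", "255.255.255.255", 67, 68),
}


def first_match(rules, p):
    """Return (rule_id, action) of the first rule that matches, as a first-match firewall does."""
    for rule_id, rule in enumerate(rules):
        if rule.matches(p):
            return rule_id, rule.action
    return None, "BLOCK"  # implicit deny if nothing matched


# Assumed additions (not from the post): allow the LAN-local housekeeping traffic
# ahead of the catch-all so it stops filling the log. Inbound pings and the
# port-5900 SYN still fall through to Block and Log.
PROPOSED_RULES = POSTED_RULES[:-1] + [
    Rule("ALLOW", "IN", ("UDP",), sport=67, dport=68, dst_net="255.255.255.255/32"),  # DHCP offer/ack
    Rule("ALLOW", "OUT", ("IGMP",), dst_net="224.0.0.0/4"),                            # IGMP reports
    Rule("ALLOW", "OUT", ("ICMP",), icmp_msg="ROUTER SOLICITATION", dst_net="224.0.0.2/32"),
] + POSTED_RULES[-1:]


def verdicts(rules):
    """Map each logged packet name to the (rule_id, action) it receives under `rules`."""
    return {name: first_match(rules, p) for name, p in LOGGED.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("proposed", PROPOSED_RULES)):
        for name, (rule_id, action) in verdicts(rules).items():
            print(f"{label:8s} {name:10s} -> rule {rule_id} {action}")
```

Under the posted rules every packet reaches rule 7, which is why all five entries carry the same Rule ID. Under the proposed set the DHCP, IGMP and Router Solicitation packets are matched by the new allow rules, while the inbound echo request and the SYN to 5900 still fall through to the Block and Log rule (now ID 10), so the one entry actually worth watching keeps being recorded.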