OS Listening?

Just noticed this, can someone please advise? (see pictures below)

I’m linked to a router via Ethernet and have Comodo set up to max protection + stealth all, no sharing.

[attachment deleted by admin]

The first image (Windows Operating System) is a bit strange, as the PID for that pseudo process is usually 0 (zero), but I’ve seen this do weird things before. If this is still showing in Active Connections, please open a command prompt, type netstat -ano and post the results as a text file.

The other images (System and svchost) are standard and nothing to be concerned about. Although it would be worthwhile making sure your router firewall is blocking inbound connections to TCP ports 135 and 445. You might also make sure inbound NetBIOS connections are being blocked as well, TCP and UDP ports 137 to 139.

When a port is in a listening state, it simply means that it’s waiting for something to happen.

Here are the screenshots, mate; I couldn’t notepad them.

I think I may have found a cause for this. When I boot the system and log on it doesn’t appear, but if I log off and log on to another user or mine again, it appears in the firewall. So does that mean that network connections are not being closed when logging off? Plus, it doesn’t say it’s closing network connections when logging off a user or powering down - just “logging off - saving settings”.

I have NetBIOS disabled (disable NetBIOS over TCP/IP) on all network adapters - I also have Client for MS Networks - File and Printer Sharing for MS Networks - QoS Packet Scheduler - all disabled.

I’ve made some global rules after reading your reply, but I’ve probably set them up incorrectly.

edit: OS TCP listening - port changed to 1025 - added in global rules.

By the way, I did a fresh OS install yesterday - I’m pretty sure the system hasn’t got a virus.

[attachment deleted by admin]

That localhost connection that is listening on TCP port 30606 looks suspicious to me.

Two things right off the bat:

http://www.petri.co.il/whats_port_445_in_w2k_xp_2003.htm

Close it.

JQS (Java Quick Start) - close it - unless the speed of Java apps in the browser is of utmost importance to you. Go into control panel, java, advanced, miscellaneous. Uncheck JQS.

Certain system process connections will persist across all users; however, individual user processes, such as a browser connection, will be closed.

There is something very odd about the Active Connections viewer in Comodo, particularly with the way it handles the Windows Operating System (WOS) pseudo process. The problem is, WOS is a Comodo construct; its nearest equivalent in Windows is the System Idle Process, and for the most part they do behave in a similar way. They also usually share the same PID, which is 0 (zero).

If you look at the image below you can see WOS is reporting a PID of 284 and is apparently listening on TCP port 1025. However, netstat and Process Explorer do not see either the PID or the listening port. This is really strange behaviour and at this time I don’t have a comprehensive answer.

I have NetBIOS disabled (disable NetBIOS over TCP/IP) on all network adapters - I also have Client for MS Networks - File and Printer Sharing for MS Networks - QoS Packet Scheduler - all disabled.

I’ve made some global rules after reading your reply, but I’ve probably set them up incorrectly.

edit: OS TCP listening - port changed to 1025 - added in global rules.

There are better ways of dealing with these ports and for a basic tutorial you might like to read this thread.

By the way, I did a fresh OS install yesterday - I'm pretty sure the system hasn't got a virus.

I don’t have any doubts your system is clean; it’s just normal behaviour, aside from the information reported by the Active Connections viewer.

[attachment deleted by admin]

[Edit] I forgot to mention the basis for the following. It is not normal to see persistent foreign localhost connections.

Below is the result of netstat -ano on my WIN XP SP3 installation.

Looking at my localhost 127.0.0.1 connections, I can easily resolve them all. I will also add these are the normal localhost connections one would see on an XP box.

TCP 1029 is alg.exe - XP’s Application Layer Gateway service
TCP 1028 is Norton’s ccsvchst.exe; I have NIS 2011 installed on this box.
UDP 123 is NTP; XP’s time updating service
UDP 1900 is UPnP; XP’s device plug and play service

Normally localhost TCP connections are in the range of 1028 - 1040. There are exceptions.

The first thing you have to do is resolve your localhost connections to a valid XP service or known safe application. If there are unknown connections, access your router’s GUI by entering its gateway address as an http address in your browser. You can determine your router’s gateway address by entering ipconfig /all at the command prompt (C:>). My router’s gateway address is 192.168.1.254, so I would enter the following URL into my browser: http://192.168.1.254. You will have to enter your router’s user id, usually “admin”, and a password if you set one for the router’s GUI.

Once in the router’s GUI, open up the router log file. It is located in various places depending on your router. Mine is in the “troubleshooting” section. Scroll down to the area that shows your current WAN and LAN connections. Inbound is into the WAN side of your router and is usually on the left side of the log display. Look for localhost entries in the 127.0.0.1 - 127.0.0.255 range that are being output to your IP address. If you see that activity, your router is probably hacked.

One suggestion I have is to create an inbound general rule to block and log any TCP or UDP DNS port 53 activity to localhost. Move the rule to the top of the existing general rules. If that rule is triggered, it indicates that DNS hijacks are possibly occurring.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Don>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1464
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       784
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       3260
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    1148
  UDP    0.0.0.0:4500           *:*                                    1148
  UDP    127.0.0.1:123          *:*                                    1588
  UDP    127.0.0.1:1900         *:*                                    712
  UDP    192.168.1.1:123        *:*                                    1588
  UDP    192.168.1.1:1900       *:*                                    712
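The triage the post above describes (resolve every listening socket to its owning process, then judge its exposure) can be scripted. This is an added example, not code from the thread or from Comodo: it parses `netstat -ano` text like the listing above, resolves PIDs through a constructed `tasklist /FO CSV /NH` sample (the image names are assumed), and flags listeners bound on all interfaces that sit on the ports the earlier reply asked the router to block (TCP 135/445, NetBIOS 137-139).

```python
import csv, io, re
from collections import namedtuple

# Ports the thread says to block inbound at the router: RPC endpoint mapper (135),
# SMB over TCP (445) and the NetBIOS name/datagram/session services (137-139).
ROUTER_BLOCK = {("TCP", 135), ("TCP", 445), ("UDP", 445)} | {
    (proto, p) for proto in ("TCP", "UDP") for p in range(137, 140)}

# Constructed sample input: rows taken from the `netstat -ano` listing in the thread.
NETSTAT = """  Proto  Local Address     Foreign Address  State      PID
  TCP    0.0.0.0:135       0.0.0.0:0        LISTENING  1464
  TCP    0.0.0.0:445       0.0.0.0:0        LISTENING  4
  TCP    127.0.0.1:1028    0.0.0.0:0        LISTENING  784
  TCP    127.0.0.1:1029    0.0.0.0:0        LISTENING  3260
  UDP    0.0.0.0:445       *:*                         4
  UDP    127.0.0.1:123     *:*                         1588
"""
# Constructed sample of `tasklist /FO CSV /NH`, the command that maps PIDs to image
# names. Names are assumed from the poster's description; PID 1588 is deliberately
# missing so the unresolved case is exercised.
TASKLIST = '''"System","4","Console","0","236 K"
"svchost.exe","1464","Console","0","4,920 K"
"ccSvcHst.exe","784","Console","0","12,004 K"
"alg.exe","3260","Console","0","3,572 K"
'''
# proto, local ip, local port, foreign address (ignored), optional state, PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
Socket = namedtuple("Socket", "proto local_ip port state pid")  # state is "" for UDP

def parse_netstat(text):
    """One Socket per TCP/UDP row; the header and anything unparseable is skipped."""
    matches = (ROW.match(line) for line in text.splitlines())
    return [Socket(m[1], m[2], int(m[3]), m[4] or "", int(m[5])) for m in matches if m]

def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(tasklist_csv)) if row}

def triage(netstat_text, tasklist_csv):
    """Per listener: (proto, port, owner, reachable_from_network, on_router_block_list)."""
    names = pid_names(tasklist_csv)
    result = []
    for s in parse_netstat(netstat_text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # established or closing TCP sockets are not listeners
        exposed = s.local_ip != "127.0.0.1"  # loopback cannot be reached by other hosts
        result.append((s.proto, s.port, names.get(s.pid, "UNKNOWN PID %d" % s.pid),
                       exposed, exposed and (s.proto, s.port) in ROUTER_BLOCK))
    return result
```

Any row whose owner comes back as UNKNOWN is the one to resolve by hand before deciding whether the router or the host firewall needs a rule for it.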

Just to add to your explanation. When CIS sees traffic but does not see a matching process it will log that WOS is active.

For unsolicited incoming traffic that no application listens to it will say that WOS blocks that traffic.

When CIS does not see a process that generates outgoing traffic or listens, it will also say WOS is generating it. This may happen when another driver is “blocking the view”, metaphorically speaking. I don’t know if CIS will assign a PID other than 0 in this situation.

Localhost connections are not foreign. A connection made using loopback (127.0.0.1) is an internal connection routed by the local network adapter to the internal TCP/IP stack, hence the name.

Normally localhost TCP connections are in the range of 1028 - 1040. There are exceptions.

Loopback can use any valid TCP or UDP port.

Thank you for the additional information. It is indeed true that WOS behaves most strangely in certain circumstances, and really goes against the grain by assigning fictitious PIDs that no other process viewer can see. It’s for this reason I choose not to use the Active Connections viewer.

I would recommend Sysinternals’ TCPView for the average user. It can run from the desktop without installation and can be set to “run on top” so you can easily monitor your connections while surfing. Process Explorer can be downloaded from the same site if you really want to examine what each process is doing.

For more experienced users, the open source nmap is very powerful. It does have limited capability when examining local ports when installed on a Windows OS.