outbound IP address log

There are outbound IP addresses that I am unsure about. Where is the log so that I can review the outbound IP addresses?

At the time of connection attempts, these can be viewed by clicking ‘outbound connections’ under Network Defense in CIS summary. AFAIK, successful outbound connections are not logged, but blocked attempts can be by clicking on ‘firewall has blocked ___ intrusion attempts’ in Network Defense.

The permitted outbound policies can be reviewed at

CIS>Firewall>Advanced>Network Security Policy

Welcome to the forum wawa,

This can be achieved but really it should only be done for a short period of time otherwise the logs could end up huge!
First off, have you used the “Stealth Ports Wizard” to create any Global rules? Specifically the bottom option “Block all incoming connections-stealth my ports to everyone”/Next. (You should get the message that your firewall has been configured accordingly.) If so, go to the bottom of this post 88)
The reason I ask this is because this creates a “Global Rule”–>Allow IP Out from IP any to IP any where Protocol is any
We need to activate logging on this rule.

If not, no problem, we can just create the rule and activate logging on it. To do this:

  1. From the main interface Firewall/Advanced/Network Security Policy

  2. Now choose “Global Rules” and click on “ADD”

  3. Action=Allow. Tick the box “Log as a Firewall Event if this rule is fired”
    Protocol=IP
    Direction=Out
    Source Address/Destination Address/Source Port and Destination Port should already be ANY

  4. Click APPLY; you should see the rule appear. Click APPLY again and the rule should be set

  5. Go back to “Global Rules” and make sure the rule “Allow and Log IP Out from IP Any to IP Any where protocol is Any” is there

All outgoing connections will now be logged and you can check out any which you're not sure about.

If you already have the Allow IP out rule in place, double-click on it and tick the logging box, APPLY x2

Matt

This is exactly what I wanted to do. Thank you Matty_R.

How do I save the logs to text or…?
If I can save it to a text file I can delete the garbage.

I have also a file I am unsure about.
I have program A installed where this file is located.
Google says the file belongs to program B which I don’t have installed.
It says the file is a keylogger for Program B.
This file is a lot larger than what program B states it is supposed to be. Double.
I don’t know if it does belong to Program A or is a true unknown file. Outbound IPs are going to program B's IP range.
Defense+ says that the file is being executed by program C (rundll32.exe)
I am going to have to find what IPs are coming from what processes or programs to find the culprits.

How do I track this particular file to see where the arrows go?
Can I use CIS to do any of this tracking?

You can save the logs to .htm format by going in Firewall/View Firewall Events/More
This will bring up the main log page and from here top left–> Filter/Firewall logs/Application name(or whichever)
Next “Export to HTML” give it a name and save to your desired location.

It may be an idea to upload the file to the Comodo instant Malware Analysis server here http://camas.comodo.com/cgi-bin/submit

Also maybe take a look at Xan's post https://forums.comodo.com/virusmalware_removal_assistance-b58.0/ and download MBAM and SAS to see if they pick up anything (they're both free and are excellent programs)

Matt

Also this may help: Process Explorer - Sysinternals | Microsoft Learn
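For the question of which process owns which outbound IP, and whether that process has idle.dll loaded (the thread reports rundll32.exe as the host), here is an added PowerShell snippet. It is not from this thread or from Comodo; it uses the built-in Windows network cmdlets rather than CIS, and assumes Windows 8 or later and an elevated prompt so that other processes' modules can be read.

```powershell
# Added example (not from the thread): map live outbound TCP connections to the
# owning process and flag any process that has a given DLL loaded.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated
# shell so that every process's module list can be read.
param(
    [string]$DllName = 'idle.dll'   # file name from the thread; change as needed
)

# Loopback and private ranges are local traffic, not the outbound IPs in question.
function Test-PrivateAddress([string]$ip) {
    return $ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
}

$rows = foreach ($conn in Get-NetTCPConnection -State Established, SynSent) {
    if (Test-PrivateAddress $conn.RemoteAddress) { continue }
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { continue }   # process exited between the two calls

    # Module enumeration throws for protected or other-user processes when not elevated
    $hasDll = $false
    try {
        $hasDll = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq $DllName })
    } catch { }

    [pscustomobject]@{
        Time     = Get-Date -Format 's'
        Process  = $proc.ProcessName
        PID      = $proc.Id
        Path     = $proc.Path
        Remote   = "$($conn.RemoteAddress):$($conn.RemotePort)"
        State    = $conn.State
        LoadsDll = $hasDll
    }
}

# Processes hosting the DLL sort to the top; keep a CSV beside the CIS HTML export
$rows | Sort-Object LoadsDll -Descending | Format-Table -AutoSize
$rows | Export-Csv -NoTypeInformation -Append -Path "$env:USERPROFILE\outbound-connections.csv"
```

Run it a few times while the suspect traffic is active; a connection whose owning process shows LoadsDll = True is the one to compare against the Comodo alert.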

Hi Matty_R,
Do you know how to log the time-out alert notifications?

Thanks,
Stefano. :-\

Submitted the file to Comodo; not rated as suspicious.
Virustotal 0/39.

The file is idle.dll, the size is 45376, located in Program Files\Ay Recovery.
No google research states idle.dll belongs to Ay Recovery but creation date matches other files in that folder.

File.net maximum size for the file says 24,000+.

Because of the IP activity to yahoo I think it is this file involved. I don’t surf Yahoo anything.

If this file is a keylogger not belonging to Ay Recovery then there must be an EXE somewhere that loads it.
On my system that EXE was Rundll32.EXE according to Comodo alert.
That doesn’t mean that Comodo is right. Just look at aigel's posting about the conficker being listed as Rundll32.exe when it was really jxmeqrs.vmx trying to write to svchost.exe.
It seems that Comodo alerts can lie about what is really happening.
If Comodo isn’t lying to me I can submit the involved files to a scan, but if Comodo is lying to me then my search for malware is misdirected by a security product that is supposed to help me. I lose time in which other malicious components can be loaded further rooting the system.