So today I get an outgoing connection request from Windows Operating System, and Comodo says it could not be recognized. After checking the target IP address, it seems it belonged to the website I was visiting at that moment, but I don’t know why such a connection would be requested and I’ve never seen connection requests coming from Windows Operating System.
But even more curious is why CIS wouldn’t recognize Windows Operating System? Is that normal? How do I check the validity of that?
My OS is Windows 8.1 and I’ve had CIS installed for months.
I use the latest version of Firefox (with NoScript & AdBlock) under Sandboxie. The website I was checking out at least seems to have a trustworthy rating on MyWOT (https://www.mywot.com/en/scorecard/omegle.com), but beyond that I don’t know.
I checked the logs and yes it was outgoing, with destination port being 80. Does this info help determine anything?
And for the record, I denied the connection request.
It is VERY unexpected to have the placeholder for an outgoing attempt. As it is on your computer, it should be known.
I wonder what caused it. Could it be something like a bug in CIS or would this imply malware/hacking of some kind? Any suggestions for what I should/could do? AV scan doesn’t pick anything up. The logs show that this is the first and only time there’s been an outgoing connection attempt of that kind since I’ve had CIS installed.
When CIS reports that Windows Operating System is being blocked for outgoing traffic, it means that it cannot see what process is making the connection. That means that something running at driver level is blocking the view, metaphorically speaking.
Can you see if the same thing happens when you run FF when it is not in Sandboxie? I am trying to establish if this is caused by using Sandboxie.
Can you see if the same thing happens when you run FF when it is not in Sandboxie?
I tried and nothing happened. But I am not able to reproduce this event when FF is run in Sandboxie either. It occurred only one time. And to clarify, it was not automatically denied, I had to manually deny the connection request.
Wouldn’t it be in a firewall’s best interest to find out what those programs are? Or is it simply impossible? Is the “Windows Operating System” often used for legit traffic, or could one block all access for it without any issues?
Hard to tell. It is too technical for me. I don’t recall comments by egemen making definitive statements. The catch is that once a program has a driver running in the kernel, everything is possible, including deliberately cloaking its presence (rootkit). I guess sometimes programming techniques get in each other’s way.
Is the "Windows Operating System" often used for legit traffic or could one block all access for it without any issues?
It all depends on how badly a program needs internet access. :-\
I didn’t run into this issue for a month but today I finally got it again. This time Windows Operating System (again not recognized by Comodo) tried connecting to my router (192.168.100.1) through port 41294.
Keep in mind that some communication happens between your router and your computer, like NetBIOS name resolution, DHCP and UPnP. The port you are providing doesn’t match these services, but it might be a secondary attempt by some application to make further tests on your router; a computer game, for example, might be set up to use UPnP.
People often get worried when something like that happens, but if there really were malicious intent behind it, it would also want to connect to the internet, not just your router. If the target address is harmless and there are no other addresses involved, it usually isn’t anything to worry about.
You can use a packet sniffer to check what it is actually sending to your router.
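Alongside a packet capture, the OS itself can be asked which process owns a connection while the firewall prompt is still open. This is an added example, not code from the thread or from Comodo: it assumes Windows 8.1 or later (Get-NetTCPConnection) and uses the router address and port quoted earlier in the thread as sample input.

```powershell
# Added example (not from this thread): list live TCP connections to a given
# remote address/port and resolve the owning process, its image path and
# whether that image carries a valid Authenticode signature.
# Run from an elevated PowerShell on Windows 8.1 or later.
function Get-ConnectionOwner {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,  # e.g. the router address from the thread
        [int]$RemotePort = 0                            # 0 = match any remote port
    )
    Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
        Where-Object { $RemotePort -eq 0 -or $_.RemotePort -eq $RemotePort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            # Signature status of the image on disk; 'n/a' when there is no path
            # (exited process, or a kernel-owned connection with no user-mode image).
            $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [pscustomobject]@{
                LocalPort  = $_.LocalPort
                RemotePort = $_.RemotePort
                State      = $_.State
                PID        = $_.OwningProcess
                Process    = if ($proc) { $proc.ProcessName } else { '<unknown/exited>' }
                Path       = $path
                Signature  = $sig
            }
        }
}

# Connections owned by PID 4 (System) belong to kernel-mode components such as
# drivers and the SMB/NetBIOS stack: there is no user-mode process to name, which
# is the situation a host firewall can only report under a generic label.
# Sample call using the router address and port mentioned in the thread.
Get-ConnectionOwner -RemoteAddress '192.168.100.1' -RemotePort 41294 | Format-Table -AutoSize
```

Run it while the prompt is still pending; once the request is denied or times out the connection disappears and nothing is listed.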
There are a number of other posts on this forum about this subject, but no real explanations other than that CIS cannot identify the process requesting the connection. I have seen it a few times to different IP addresses and have always blocked it without apparent ill effects. The IP addresses did not appear to be related to what I was doing at the time or to anything that might be looking for updates to existing s/w on my system. I don’t use Sandboxie, so that isn’t causing the problem. Frequent on-demand scans using different anti-malware programs have never found anything.
My rule is: ALWAYS block if you don’t know why a connection is being requested. If this stops something working, you can allow it next time.