ports

First off I’d like to say hi to everyone, this being my first post. I just installed Comodo firewall and I was amazed by its potential. I am a novice to computing and since this is the first configuration I’d like to leave no holes in my firewall… I have the feeling that my system files are being hacked. Denied a few system attempts for incoming connections, specifically svchost. Is it normal for svchost to receive incoming connections? Also I did a port survey in the command line which I am posting (dunno how helpful that is). I have a single laptop and a dial up\pen connection. I use torrent apps. Any help is appreciated.

PS: should I enable shared internet connections and IPv6 filter?

[attachment deleted by admin]

Hi Helionster,

As you have no private network :

  1. go to Firewall > Stealth Ports Wizard > click on “Block all incoming connections and make my ports stealth for everyone”. If you go to Firewall > Network Security Policy > Global Rules, you’ll see that now you have a rule that blocks all incoming connections.

  2. disable NetBIOS on TCP/IP ==> open Control Panel and select Network Connections, right click on the Internet connection, select Properties, select Internet Protocol (TCP/IP) and click Properties, click Advanced, select the WINS tab, select “Disable NetBIOS over TCP/IP”, then OK, OK, finish.
    The NetBIOS ports (137-139) won’t be listening anymore.

  3. if you use XP (I’m not sure the procedure is exactly the same for Vista/7), you’ll have to modify a registry key to prevent svchost.exe from listening on port 445 (SMB protocol). Go to Start, Execute, type regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Transport Bind, right click Transport Bind, select Modify and delete \Device. For the change to be operative, you must reboot.

  4. you could also disable unnecessary services. You’ll find explanations on blackviper.com

Hope this helps a bit.

Boris

From the image you’ve posted, you appear to be using either Vista or Windows 7, which means IPv6 is enabled by default. If you’re not using Windows 7 Homegroups and you have no need for supporting the IPv6 protocol stack, it can be disabled. Selecting the filter option simply means you won’t see IPv6 related events, at least as far as I can tell.

The

For the most part svchost will only need to make outbound connections; however, there are a few occasions where inbound connections are required, for example Teredo tunnelling (IPv6).

If you have a LAN, you want to ensure you allow NetBIOS communication (UDP and TCP ports 137-139) between the devices on the network, but you can block NetBIOS communication to the Internet. See the post above or create specific rules for the System process.

The connection for svchost in your image (91.199.212.171) is to Comodo; most likely this is a CRL (Certificate Revocation List) check. svchost will need to make these checks from time to time and not only for Comodo. It will also check Verisign and Godaddy.

The listening ports are all fairly standard, but as noted above, by either disabling certain services or performing other tasks, some of these ports may be either disabled or blocked.

If you need additional help, post images of your Application rules and ask questions about the things you don’t understand.
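The steps above (disabling NetBIOS over TCP/IP, unbinding SMB from port 445, working out why svchost.exe is listening) can all be checked from one place. The following PowerShell script is an added example written for this thread; it is not code from the thread or from Comodo. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-NetUDPEndpoint exist, and an elevated prompt so that process names and paths are readable. The registry value the thread calls “Transport Bind” is TransportBindName under NetBT\Parameters.

```powershell
# Added example, not from the thread: list every listening TCP/UDP port with the owning
# process and, where that process is svchost.exe, the Windows services it hosts; then
# report the NetBIOS-over-TCP/IP and SMB (port 445) binding settings the thread discusses.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated prompt.

# Ports the thread is about, so they stand out in the report.
$notable = @{ 137 = 'NetBIOS name service'; 138 = 'NetBIOS datagram'
              139 = 'NetBIOS session';      445 = 'SMB direct hosting' }

# PID -> names of the services running inside that process. A single svchost.exe
# instance hosts several services, and this is what tells you which ones.
$servicesByPid = @{}
foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }) {
    $id = [int]$s.ProcessId
    if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
    $servicesByPid[$id] += $s.Name
}

# All TCP listeners plus all bound UDP endpoints, normalised to one shape.
$listeners = @(Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess) +
    @(Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess)

$report = foreach ($l in $listeners) {
    $owner = [int]$l.OwningProcess           # ($PID is reserved, hence $owner)
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto    = $l.Proto
        Address  = $l.LocalAddress
        Port     = [int]$l.LocalPort
        PID      = $owner
        Process  = if ($proc) { $proc.ProcessName } else { '?' }
        Services = if ($servicesByPid.ContainsKey($owner)) { $servicesByPid[$owner] -join ', ' } else { '' }
        Note     = if ($notable.ContainsKey([int]$l.LocalPort)) { $notable[[int]$l.LocalPort] } else { '' }
    }
}
$report | Sort-Object Proto, Port | Format-Table -AutoSize

# NetBIOS over TCP/IP per interface (the setting the WINS tab changes):
# NetbiosOptions 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath).NetbiosOptions
        }
    } | Format-Table -AutoSize

# TransportBindName defaults to "\Device\", which binds SMB direct hosting to TCP 445;
# the registry edit described in the thread clears it (a reboot is needed afterwards).
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
"TransportBindName = '$($params.TransportBindName)'"
```

Read the first table with the firewall in mind: a port is only reachable if something listens on it and the firewall lets the packet through, so an svchost.exe line on 137-139 or 445 whose Services column shows the NetBIOS/SMB services is exactly what the stealth-ports rule and the NetBIOS setting are there to cover. Anything listening from a process you do not recognise, or from a path outside the Windows folder, is what deserves a closer look.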

Thanks for the fast and helpful replies. Couldn’t find the control panel of Comodo… neither does Control Panel > Network of Windows 7 show any “deny NetBIOS requests” option.

I blocked all incoming connections and made ports stealth to everyone and my general rules seemed to change from all red to all green (image below).

[attachment deleted by admin]

Here are the blocked system connections, I’d like to know if there’s any way to know if they are legitimate requests or not. Already sent dcservice to Comodo online analysis and it came back trustworthy, so I allowed it, but these ones over here I just can’t tell.

[attachment deleted by admin]

Here’s a prt scrn of the application rules “post-port wizard change”… Finally take a look at the behavior settings to check if they’re all right. And I might be wrong, but Defense+ reported explorer.exe is trying to disable Comodo… and it isn’t me (added screen shot).

[attachment deleted by admin]

See attached image for NetBios instructions.

Here are the blocked system connections, I'd like to know if there's any way to know if they are legitimate requests or not. Already sent dcservice to Comodo online analysis and it came back trustworthy, so I allowed it, but these ones over here I just can't tell.

There’s nothing bad in your screen shot, but you could create stronger rules.

I see you use Halite. I’d suggest creating rules for that. Here are instructions for uTorrent, but they apply equally well to most torrent clients.

Here's a prt scrn of the application rules "post-port wizard change"... Finally take a look at the behavior settings to check if they're all right. And I might be wrong, but Defense+ reported explorer.exe is trying to disable Comodo... and it isn't me (added screen shot).

See attached image for changes to firewall rules.

You don’t need to check every box under behaviour settings; in fact, doing so may degrade performance. Unless you are troubleshooting a specific problem, leave just the block fragmented datagrams checked.

I don’t use D+ but I see nothing bad in your screen shot

[attachment deleted by admin]

Thanks, that was very helpful. (:CLP)
I’ll apply the changes and do a bit of research on how to make stronger rules and also look into uTorrent rules.

BTW: Dunno if you understood the image from Defense+ because it’s in Portuguese, but it reported 4 attempts from winexplorer.exe to shut down Comodo. And I don’t seem to recall trying to shut it down myself. ???

!ot! it’s really amazing what you know Radaghast :slight_smile:

I had overlooked those events, they are curious, too. I can think of no logical reason why explorer would want to try and terminate cfp.exe, other than perhaps during a normal/abnormal shutdown of Windows.

The executable appears to be in the correct folder, although the parent folder is called WINDOWS and not as I would have expected, Windows, but that may be simply a naming thing on your system. It’s probably worth checking the properties of explorer.exe, make sure there’s nothing suspicious. Other than that, you could post a specific question about this in the Defense+ / Sandbox Help - CIS forum.

it's really amazing what you know Radaghast

Thank you for your kind words :embarassed: :slight_smile:

I came across two different types of system apps in the security policies. I underlined in blue those which seemed legit, and in red those that seemed… let’s say not so legit. But then again I might just be paranoid.

[attachment deleted by admin]

Both of those are legitimate and in the right location. The Service Control Manager (services.exe) is responsible for stopping, starting and generally interacting with Windows services. Explorer.exe is essentially the Windows shell.

With regard to the odd termination messages we discussed earlier, I checked a test system I’ve had running for a day or so, with CIS installed and D+ active. The D+ event logs also had these events, so I assume it’s ‘normal’ behaviour. I wasn’t, however, able to force an event to be generated. As I said, your best option is to ask specifically about the cause of these, if they concern you, in the forum I linked earlier.
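The two checks suggested in this thread for explorer.exe and services.exe (is the file in the expected folder, and does the file itself look like a stock Windows binary) can be scripted. The following is an added PowerShell example written for this thread, not code from the thread or from Comodo. It assumes Windows PowerShell 5.1 or later, because that version verifies catalog-signed OS files with Get-AuthenticodeSignature (PowerShell 2.0 on Windows 7 reports such files as NotSigned), and an elevated prompt so the image path of services.exe is readable.

```powershell
# Added example, not from the thread: confirm that explorer.exe and services.exe run from
# their expected locations and that the file on disk carries a valid Microsoft signature.
# Assumes Windows PowerShell 5.1+ (catalog signatures are checked) and an elevated prompt.

# Expected on-disk location of each process's image (derived from %SystemRoot%).
$expected = @{
    'explorer' = Join-Path $env:SystemRoot 'explorer.exe'
    'services' = Join-Path $env:SystemRoot 'System32\services.exe'
}

$results = foreach ($name in $expected.Keys) {
    $expectedPath = $expected[$name]

    # Signature of the file that should be running. For a stock OS binary the Status is
    # 'Valid' and the signer subject names Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $expectedPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Every live instance of the process and the image path it was started from.
    $instances = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $instances) {
        [pscustomobject]@{ Process = $name; PID = ''; RunningFrom = '(not running)'
                           PathOK = ''; Signature = $sig.Status; Signer = $signer }
        continue
    }
    foreach ($p in $instances) {
        $actual = $p.Path   # $null when the caller lacks rights to read it (run elevated)
        # NTFS paths are case-insensitive, so C:\WINDOWS and C:\Windows are the same folder,
        # which is why the WINDOWS vs Windows spelling noted above is not by itself a concern.
        $pathOk = if ($actual) { $actual -ieq $expectedPath } else { 'unknown' }
        [pscustomobject]@{
            Process     = $name
            PID         = $p.Id
            RunningFrom = if ($actual) { $actual } else { '(access denied)' }
            PathOK      = $pathOk
            Signature   = $sig.Status
            Signer      = $signer
        }
    }
}

$results | Format-Table -AutoSize

# Rows worth a second look: PathOK is not True, or Signature is not Valid, or the Signer
# is not Microsoft. A copy of explorer.exe running from a user-writable folder would show
# up here even though its file name is the same.
```

The script deliberately checks the file at the expected path and the path the process was actually started from as two separate facts: a process can carry a legitimate name while running from somewhere else entirely, and a file in the right place can still have been replaced, which is what the signature check is for.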

If they are legit, guess it’s all right…
But now that I’ve been doing a lot of reading in these parts I noticed that I made a lot of mistakes in my first config of Comodo. Is there any way to roll back all my rules and tweaks without having to uninstall\reinstall Comodo?

The path suggested does not exist; when I get to NetBT\Parameters\ instead of “transport bind” there’s Parameters\Interfaces\Tcpip (3 entries) and\or Parameters\Security (end).

If you just want to get back to default settings for a given configuration, assuming the original configuration has been changed, you could ask a moderator to post whichever configuration file you need. See images for explanation. The path to the configuration files on disk is:

C:\Program Files\COMODO\COMODO Internet Security

You can also manage your configurations from the context menu of the system tray icon. If you want, you could always choose a different configuration and modify it to suit your needs.

The path suggested does not exist; when I get to NetBT\Parameters\ instead of "transport bind" there's Parameters\Interfaces\Tcpip (3 entries) and\or Parameters\Security (end).

If you are using Windows 7, it should look like the image below.

[attachment deleted by admin]

Since I am thinking about formatting my PC I guess it’s just easier to configure the whole thing from the beginning again. The thing is that I need to learn how to make stronger specific rules for each different program and (as much as I searched) I came out empty handed. Found a lot of global rules and so on but nothing specific. For instance: Internet Explorer, programs with frequent updates, download apps, online games, etc… If there’s something like this throughout the forum please point me to it.

There’s not a great deal by way of guides for creating secure firewall rules. Take a look through the Guides as a starting point but when you want to create rules for applications not covered, it’s probably best to ask.

You’ll find a lot of people are happy to simply make an application ‘trusted’, or to use one of the predefined policies. If that’s not for you, then a little work will be necessary but it’s worthwhile. The most important thing when creating tighter firewall rules is to remember to change the default settings. You really need to be using Custom Policy Mode and the Alerts need to be on at least High.

Ok… Thanks for the tips. Guess I should get down to work then.