Question About Intrusion Attempts

Hi, first of all I’d like to thank these wonderful people at the forums.
They’ve always provided excellent help, and I’m afraid I’ll be needing it again.

Once I had this problem:;msg313750#msg313750

Now it’s the complete opposite. I’ve recently installed CIS 3.10 and it detects no
intrusion attempts which I found hard to believe due to my past experience. I went to GRC
Shields Up! Test & PC Flanks Scanners. Normally my firewall would list those as intrusion
attempts, but now it doesn’t even respond. I’ve been online for more than hours
and I usually get 200-500 attempts. Now, 0. I know I’m being paranoid but why do I get 0 attempts now? Thanks a lot!

I’ve reinstalled it, usually fixes most problems. Still 0. My alert options are set to medium. I even used CIS Clean-Up tool and surprisingly, it had errors too. I’ve attached the screen shots. Thanks again.

What OS are you on? When did you run the clean up script? I think it is best to run that after rebooting after you uninstalled Comodo. When needed try the script in Windows Safe Mode. When doing the latter we can be very sure all stuff is removed.

My idea for now is to export your configuration then uninstall Comodo. Reboot when asked and run the clean up script after reboot. When things are locked try the script in Safe Mode. Then install CIS again.

I’m using Windows XP. Okay, I’ll give safe mode a shot.

So there is nothing wrong with 0 intrusion attempts? And I exported the config but idk what file extension it should be.

I agree it’s unusual not to see any intrusion attempts, but I have to ask. Do any of your firewall rules, either Application or Global, have logging enabled?

By logging, do you mean Misc → Settings → Logging whether I have checked the "disable firewall/defense + logging" option?

Turns out my problem was a missing registry key for guard32. After I fixed it, the intrusion number went up. :slight_smile:

Sadly, I’m having the same problem once more. :frowning: 0 attempts. But this time, CIS diagnostics says there is nothing wrong with the installation. This happened when I updated CIS yesterday, version 3.11. Or could it really be that I am not being intruded?

Can you use the firewall’s “view active connections” window to see if it lists anything ?

Those seem to be related, if it shows no applications and connections there is something wrong with your installation… and chances are the firewall is not functioning like it should.

I have done so, and yes it is functioning. I have also tried clicking on the “0” intrusion attempts, the last attempt was August 29. (start of 0 attempts was on August 30) Should I re-install a fresh copy?

Best thing to test first is to look up your browser in the Firewall policy and set those rules to logging enabled, now if you start browsing the web the log viewer should display that traffic…

If that does then there could be something blocking but not logging for instance…

I have set everything to logging enabled. Still 0. :frowning:

Yes but does it show in the Firewall, “View Firewall Events” ?

No, it does not. It is as if I have not installed the guard32 key.

Can you try this in an administrative command-box

net start inspect

And press ENTER after that, it should complain that it’s already started…

Seems there is something preventing CIS from successfully installing on your system, do you have other security software installed no matter if it’s real-time or on-demand ?

It’s funny, I’ve always found the opposite. I’ve been using Comodo for five months now and had never had a single intrusion attempt blocked until a week ago. I presumed it was normal not to get blocked intrusion attempts and that such things meant someone/something was actively trying to gain access so you can imagine what I thought when I suddenly started getting them every couple of seconds a week ago.

I still get one every couple of seconds now but haven’t been able to find out why it suddenly started or why it is continuing.

Hi Barns,

That can be caused by numerous things, can you tell us what traffic is blocked ?
Did you change anything on your network setup ? /router/switch/modem extra pc ?

Normally if you’re behind a router it will firewall most internet “noise” out.
If you are directly connected to the internet without a firewall you will notice an immediate increase of blocked traffic or alerts for incoming connections because of the “noise”.

“noise” is people with port scanners looking for vulnerable ports, infected machines with worms trying to spread, windows noise mainly on cable networks, etc etc…

No, I didn’t change the network configuration at all, I still use the same single laptop through the same external ADSL router so that should filter it all out. It can’t break in that way can it?

The blocked intrusions only happen when I start up a torrent programme (bittorrent or Vuze) and stop when I shut it down. This may seem obvious with P2P but it never happened before and I can’t remember anything specific changing on September 3rd. Or wasn’t there a Comodo update around then?

Are those ICMP errors type 3 code 3 for instance ?
Or can you post a screenshot of the firewall logging ?

I don’t know what you mean by “ICMP errors type 3 code 3”, sorry.

Here’s a screenshot of the last lot of Firewall events but for fear of hijacking this thread there’s a separate thread I started on the subject on the front page called “Constant intrusion attempts” or similar and it’s got screenshots of rules and firewall events.

I’ve also noticed that the intrusion attempts are happening all the time now, even when bittorrent/Vuze have been shut down for hours. I don’t know whether it’s relevant or not but they all used to be UDP but now some, but only a few, are TCP.

This is pretty common with torrent programs.

If you look on the right side you see your internal network address that in combination with the destination port staying the same suggests your torrent application was active on that port, it apparently now no longer is because the firewall can’t match the traffic against the application, and windows can’t either so it gets delivered at the last resort the “Windows Operating System” and that gets blocked by CIS and if it is not active blindly dropped by Windows OS.

If you have set your torrent application to a fixed port then that port will always be the same, if it’s dynamic the port number can vary and the logging can be even from a previous version because torrent clients keep searching for your pc+port for a torrent you are no longer sharing…
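
Added example (not part of the original thread and not any poster's code): the reasoning in the reply above, applied in Python to a constructed list of blocked inbound events, separating "many peers, one old port" from "one source, many ports". The record layout, addresses, thresholds and the current port 51413 are assumptions for illustration and are not the CIS log format; only port 41435 comes from the thread.

```python
from collections import defaultdict

# Constructed sample of blocked inbound events (NOT the CIS export format):
# protocol  source-ip  source-port  destination-ip  destination-port
SAMPLE_EVENTS = """\
UDP 203.0.113.10 51413 192.168.1.2 41435
UDP 198.51.100.7 6881 192.168.1.2 41435
TCP 203.0.113.44 50122 192.168.1.2 41435
UDP 198.51.100.90 35012 192.168.1.2 41435
TCP 192.0.2.5 40000 192.168.1.2 135
TCP 192.0.2.5 40001 192.168.1.2 139
TCP 192.0.2.5 40002 192.168.1.2 445
TCP 192.0.2.5 40003 192.168.1.2 3389
UDP 203.0.113.200 53 192.168.1.2 1050
"""

def parse_events(text):
    """Return (proto, src, sport, dst, dport) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, src, sport, dst, dport = parts
        try:
            events.append((proto, src, int(sport), dst, int(dport)))
        except ValueError:
            continue
    return events

def triage(events, current_ports, min_sources=3, scan_ports=3):
    """Label each blocked destination port; thresholds are assumed values."""
    sources_by_port = defaultdict(set)
    ports_by_source = defaultdict(set)
    for _proto, src, _sport, _dst, dport in events:
        sources_by_port[dport].add(src)
        ports_by_source[src].add(dport)
    # One source probing several different ports looks like a scanner.
    scanners = {s for s, p in ports_by_source.items() if len(p) >= scan_ports}
    report = {}
    for port, sources in sources_by_port.items():
        if port in current_ports:
            report[port] = "current-listener-blocked"  # check the app's rule
        elif len(sources - scanners) >= min_sources:
            report[port] = "stale-p2p-port"  # many peers, one unused port
        elif sources <= scanners:
            report[port] = "scan"
        else:
            report[port] = "other"
    return report, scanners
```

Calling `triage(parse_events(SAMPLE_EVENTS), current_ports={51413})` labels 41435 as a stale P2P port and attributes the hits on 135, 139, 445 and 3389 to a single scanning source.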

But I use fixed ports for both Vuze and Bittorrent and neither of the ports I use are the 41435 which appears over and over again in the screenshot. However, I have had to change the port in the past so I may have used that one and it’s suddenly now looking for that port+pc combination. I’m worrying unnecessarily really I think.

It still doesn’t explain why it suddenly started happening a week ago after never having happened before though. Oh well, I’ll just ignore it then if it’s not dodgy.

Thanks for your help Ronny.