Questions about Comodo (ICMP, logging, etc...)

I’m fairly new to Comodo, so please bear with me (:AGL). I’m using the last stable release

I understand the interaction between “Application Monitor” (AM) and “Network Monitor” (NM). However, as I came from using a firewall with a somewhat different and simpler GUI (Kerio), there are still some things that I don’t understand:

  1. AM seems to know only about TCP and UDP protocols. I have an application that only connects to Internet to send pings (ICMP). I know that for sure since I programmed it (:WIN). But Comodo asks for an AM rule to allow outgoing TCP/UDP ???

  2. The logging with a P2P running is very disk intensive. I disabled NM logging with the right-click menu, but Comodo seems to “forget” that setting from time to time and continue logging NM alerts anyway (most are about ICMP packets). Is it there a way to disable logging completely?

  3. While I was reading about the ICMP protocol to add/edit NM rules to minimize the logging (and without compromising security), I was stunned with Comodo default ICMP rules (“Echo Request” outgoing, “Time Excedeed” incoming and “Fragmentation Needed” incoming). How come I can use the “ping” utility without problems (my program and the Windows command-line one) if there’s no “Echo Reply” incoming rule?

  4. Will Comodo version 3 have a way to add a comment to rules? I think it will be useful to write down and remember later why I added that rule to NM or why I blocked that other application. Is there a feature suggestion topic/forum somewhere?

  5. Will adding a rule to NM to allow incoming Port/Host/Protocol/Net unreachable ICMP be ok? It will help the logging problem with P2P applications, and allow the connections to timeout faster when a peer gets disconnected, but I read somewhere that that can allow a black hat hacker (:TNG) to disconnect a client from a server by forging the server’s IP and sending that incoming ICMP packet. What will be a good compromise?

  6. Is there a way to disable the logging of a blocked application connections attempts by AM? I got tons of logs entries when I blocked “System” incoming connections (to avoid Netbios hacks; ports 137,138,139,445, etc…)

Thanks in advance for the answers. And thanks to Comodo developers for providing such a good firewall for free (L)

1. May be the application uses DNS (UDP53) or WINS (UDP137) to resolve host names instead of using Windows DNS client?

Alternatively, if you want to keep your logs and not encounter this issue, right-click on this file and set it to read-only: C:\Documents and Settings\All Users\Application Data\Comodo\Personal Firewall\Logs\logs.log. Unfortunately, your log history will only be kept during CFP's active session. Once you exit CFP, the log will reset to the point when you set it to read-only.;msg49930#msg49930 [b]3.[/b] Excellent question. Same behaviour in CFP 3.0 Beta. My guess is that CFP is implementing some pseudo-statesful ICMP technique. [b]4.[/b] Yes: [url=][img=][/url] [b]5.[/b] Not sure. There are many exploits related to different ICMP messages, and to the best of my knowledge, BT protocold relies on regular time outs instead of unreachables. [s][b]6.[/b] Add specific block rules without the log option, just above the bottom catch-all rule. [/s] Edit: [b]6.[/b] In CFP 3 the AM is more organized and adding rules is trivial.

Why does my logs say that an outbound violation with port displaying unreachable???

Hi nubiatech, thanks for your answers: (:WAV)

  1. The application uses the gethostbyname API to get hosts IPs from hostnames, but I think that svchost should take care of that since the Client DNS service is active. Besides, that doesn’t matter. AM doesn’t have a “ICMP outgoing” rule for that application (AM doesn’t have that option, only TCP/UDP) and my application can ping perfectly

  2. Thanks for the suggestion! Now logging isn’t a so important disk drain (according to Sysinternal’s Process Monitor, Comodo still tries to open the file but fails with an “access denied”). But I hope Comodo improves the firewall logging in upcoming 3.0 version, it bothers me to depend on workarounds

  3. That was my thought too (maybe it also uses something similar for UDP?). But it seemed a little strange, as ICMP is a connection-less protocol

  4. Ok, that’s nice to know :Beer

  5. I use more ed2k (eMule) than BT, but I guess it’s also like that. Maybe I should ask that in the eMule forums. I was afraid that Comodo’s ICMP blocking was slowing down eMule connections. Now that my logging issues are temporarily solved, I think I will leave ICMP rules as they are now

  6. So there is a checkbox in V3 AM rules to log or not log, isn’t it?

To answer sanctuary24 question, I think it is because a UDP packet was sent to one of your closed ports, and specification demands that an ICMP “Port Unreachable” packet should be sent back, but Comodo is blocking that packet to hide your presence from a possible attacker

6. So there is a checkbox in V3 AM rules to log or not log, isn't it?

Yes, on the attached image, “Winpooch.exe” has 2 allow outbound rules: the first one logs connections to web servers, and the second one to allow any other UDP/TCP traffic.

[attachment deleted by admin]

Ok, thanks

One more question: the eMule and Bittorrent FAQ recommends deactivating “Protocol Analysis” to let eMule search Kad Network. What are the security implications of doing that?

Not sure about “Protocol Analysis”. I couldn’t find any documentation on the subject, such as which protocols are supported?
There are few “personal” firewalls that feature signature-based Network Intrusion Prevention System (NIPS), of which, “Protocol Analysis” is a tiny fraction. I don’t want to bash CFP, but in IMHO, Protocol Analysis is next to useless.

Relevant to this:

Quote from: MasterTB on August 13, 2007, 06:19:43 AM Hi:

I see’ya all concerned and worried about leaktest, but… have you ever considered about inbound attacks?? The reason I post this is because besides the TCP, UDP or ICMP flood analisis on Comodo to prevent DoS attacks, I don’t see that the firewall enables a true Network Intrusion Prevention System (with signatures and all) like the ones you can find in firewalls like Kerio -to name one of the best in the job-.
I used Kerio, before they sell it and I tell you, nothig ever got in, so, why worry about leak tests if you can stop them before getting in??
That said, besides the “Block all” rule in the Network Globall Rules, what does comodo to prevent inbound attacks, like os fingerprinting, scans, network scans, nmap, trojans with particular signatures and drivers to generate TCP traffic…

BTW V3 beta… R O C K S !!!

Hi MasterTB,

A signature based network intrusion detection system, is normally not a vital component of a personal security system because the attacks such a system can detect are usually in the domain of a server computer. Snort, for example, is hardly suitable for a PC. However, this does not mean, an IDS does not mitigate some sorts of risks even for a PC.

An IDS suitable for personal computers/users is in our wish list and will be implemented in the future. But till that time, your firewall should be quite enough to make sure you have a robust inbound network defense.

Good luck,