Regd. Firewall intrusions

Hello,

I’m a Comodo Firewall user, recently upgraded to 5.3.175888.1227

Firewall Mode: Safe (same setting for Defense too)

Last month I switched my ISP and started observing a lot of Firewall Intrusions whenever I use the uTorrent application. Here’s a sample log entry:

Windows Operating System Blocked In TCP 58.177.99.71 55019 (source) 53545 (dest.)
System Blocked In TCP 183.83.90.162 52053 445

All blocked entries are intruding into Windows Operating System and System, every day Comodo records thousands of them. This is really mind numbing and quite scary.

I could also see blocked intrusions in the Defense but it’s about 50 per day (Access COM, memory etc by uTorrent application). I’ve scanned my PC with tools such as GRC and auditmypc, all tests passed and no ports open. GRC also reported that my PC is safe because of the new ISP’s network which is in reverse DNS.

But, is everything OK? I mean, nothing to be worried about with those intrusions? Please help in this regard. Maybe I am missing something here :slight_smile:

Thank you.

I’m just wondering why no one replied to this ???

Check if you have anything blocked and related to this in Firewall → Network Security Policy → Blocked Zones and in Defense+ → Computer Security Policy → Blocked Files.

Nothing ???

Should I just ignore these everyday bulk blocked intrusion entries because Firewall is taking care of them very well? My concern is, with so many intrusions, what if someone could get into my PC! Just a worry…

My concern is, with so many intrusions, what if someone could get into my PC!
By definition, if a connexion is blocked, it is not an intrusion.

Now, if using uTorrent or similar, you can’t expect not being permanently assaulted by connexion attempts…

Are you on a cable or adsl connection? Is there a router present in your network set up?

It’s a 2 Mb/s Cable connection.

When using a p2p program like uTorrent you will need to have two open ports for incoming traffic. When you don’t open these ports you will see that in the logs.

When you have the ports open and have closed uTorrent, it will take several hours for the network to realise you are offline. Then you will see those incoming connections bounce at WOS. WOS is shown in the logs when there is no application listening to the incoming traffic; it is a pseudo process. Is 53545 the port number for uTorrent?

It looks like there may not be a router in your network set up. Do you know if the cable modem has one built in? Do you share your connection with more people in your house or are you the only person using the connection?

You mean 2 open ports for incoming in the Firewall?

Sorry, what is WOS?
uT has random ports for incoming connections. Is that a problem or any better way to do it?

Earlier my parents used to have (last time when I visited my home land) a 1 Mb/s ADSL Router based connection. They’ve changed the ISP some 2 months back, with a 2 MB/s Cable connection (RJ-45). I remember very little problem with the earlier ISP but with the new ISP tons of ID block alerts. This connection is only used on a single PC, by my Mom or Dad. No sharing of any type.

Indeed.

Sorry, what is WOS?
In the logs you see traffic being blocked by Windows Operating System. WOS is the abbreviation for Windows Operating System.
uT has random ports for incoming connections. Is that a problem or any better way to do it?
Make sure you don't have "Randomize port each start" enabled. See attached image.
Earlier my parents used to have (last time when I visited my home land) a 1 Mb/s ADSL Router based connection. They've changed the ISP some 2 months back, with a 2 MB/s Cable connection (RJ-45). I remember very little problem with the earlier ISP but with the new ISP tons of ID block alerts. This connection is only used on a single PC, by my Mom or Dad. No sharing of any type.
From what I see from the two log entries you provided in your start post I think you may have a modem without a router. With a router present the router will block all unsolicited incoming traffic silently. You won't see that on the firewall logs.

When you have a situation with only a modem you will see all incoming requests that were previously blocked by the router and its firewall. That’s nothing to worry about. The logs simply show the firewall is doing its work.

To be absolutely certain about your network set up: can you tell me what modem you have with what provider? I will look up the specifications for you.

Since we are talking about uTorrent I would like to know the firewall settings for uTorrent to see if the firewall is properly set up.

Can you post screenshots of your Global Rules and of the application rule for uTorrent?

How to post a screenshot?

To copy a screenshot of the active window push alt+print screen to copy the active window to the clipboard (pushing print screen will copy the complete window to the clipboard not just the active window). The window is now copied to the clipboard. Paste the image in any image editing program, Paint, Paint.net, the Gimp etc. Use the “crop” function to resize the canvas to the size of the image. Now save the file as 32 bits png image.

At the forum push the reply button. Or when using the Quick reply type some text and push the preview button.

Underneath the text box click on Additional options. Push the Choose button and navigate to the file and select it. When you want to post more images click on the more attachments link.

When done typing push the Post or Preview button.

[attachment deleted by admin]

Thanks for clarifying. But what port numbers should I add in the Firewall and where? Sorry, please bear with my novice questions because I am somewhat new to Comodo on Windows (since 2007, I am more acquainted with Kaspersky and I mostly use Mac and Linux in the US).

I never heard such an acronym, learned something new :slight_smile:

Thanks again, I did uncheck random feature in the uT.

Sounds good, then nothing much to worry since Comodo is doing an excellent job? :slight_smile:

Earlier ISP’s ADSL2 Modem + Router small box (with Telephone, Landline - splitter) used to be like this:

But with the new ISP, there isn’t any Modem/Router installed to this PC. This is the solution they are using:
http://beamtele.com/index.php?option=com_content&view=article&id=41&Itemid=7
So, I can see only a black color thin cable comes directly to the PC (RJ-45) from another building. Maybe that building’s box has a Modem/Router which I don’t know.

Appreciate for looking into the depth.
All I could see is Firewall and Defense+ levels are in Safe Mode but Sand Box is disabled.
Configuration: Comodo - Firewall Security. Hope this is OK.
But I couldn’t find any Global Rules and App. rule for uT. I didn’t find such a setting in Comodo’s Firewall tab. How to open that screen :-[

No problem. I had already guessed you were novice to the firewall.

I never heard such an acronym, learned something new :)
Thanks again, I did uncheck random feature in the uT. Sounds good, then nothing much to worry since Comodo is doing an excellent job? :)
The firewall is top notch.
Earlier ISP's ADSL2 Modem + Router small box (with Telephone, Landline - splitter) used to be like this: http://www.mitodigital.com/prod/ADSL2_sys.jpg But with the new ISP, there isn't any Modem/Router installed to this PC. This is the solution they are using: http://beamtele.com/index.php?option=com_content&view=article&id=41&Itemid=7 So, I can see only a black color thin cable comes directly to the PC (RJ-45) from another building. Maybe that building's box has a Modem/Router which I don't know. Appreciate for looking into the depth.
Thanks for the information. I see you are on a fiber connection. I am not familiar with them but that's not a problem. To get the information I need to instruct you to do something. That is easiest done when I know what Windows version you are using.
All I could see is Firewall and Defense+ levels are in *Safe Mode* but Sand Box is disabled. Configuration: Comodo - Firewall Security. Hope this is OK
Those are secure settings.
But I couldn't find any Global Rules and App. rule for uT. I didn't find such a setting in Comodo's Firewall tab. How to open that screen :-[
Global Rules and Application Rules can be found under Firewall --> Network Security Policy.

That’s the reason why I chose for them this one over all others, no doubt in it :-TU

Duh!! I saw many times Network Zones tab but forgot to recollect about the ‘Rules’ tabs :embarassed:
Anyway, here’s the OS info and please check the attached png pics below:

Microsoft Windows XP [Version 5.1.2600] - SP3

Hope I could put an end to this nagging thing. Thank you.

[attachment deleted by admin]

I want to know the IP address your pc uses without running the risk of putting a public IP address at the forums.

In Windows XP go to Start → look up the Run box → type cmd and push enter → a black box will pop up (that's the command prompt) → in the command prompt type ipconfig and then push enter. Write down what it says with IP Address from your LAN connection and send it to me by PM.

I looked at your Global Rules and uTorrent settings. They are fine. Does uTorrent say it receives incoming connections?

Please check your account’s inbox.

Of course, they have been able to use the uT 2.0.4 version for many months. They download documentaries etc. Should I need to post any setting from uT?

Well, this isn’t done yet. Any recommended ports?
I need to add them in the App Rules for uT, isn’t it?
Thanks.

Thanks for the pm. The shown IP is a public IP address. That means you are not behind a router.

Currently there are some problems with the forum. Most attached images can not be seen. That may result in repeating things.

The default Firewall settings are set to give alerts when there is uncalled for incoming traffic. Those settings work fine when the user is behind a router. Most requests from the web will be blocked by the router, leaving the user with few alerts to answer.

For your situation I would advise to set the firewall to stealth settings using the Stealth Ports Wizard: choose the third option “Block all incoming connections and make my ports stealth for everyone”.

Next step is to open the ports for uTorrent. Read the following tutorial I made. Substitute the port numbers and protocol for your situation. Read the used port by uTorrent from Preferences. See attached image. I will use the port number from the image: 57634

To open the port TCP/UDP 57634

Firewall → Network Security policy → Global Rules → Add → fill in the following:
Action: Allow
Protocol: TCP/UDP
Direction: In
Description: Incoming Port

Source address: Any
Destination Address: Any
Source Port: Any
Destination Port: 57634

Then push Apply → Now make sure that the new rule is somewhere above the basic block rule(s) at the bottom (the block rules have red icons); you can drag and drop the rules → Ok.

Next step is to make an application rule for uTorrent. Easiest is giving it the Trusted Application policy. If you want a tighter application rule let me know.

[attachment deleted by admin]
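Added example, not part of the original posts: a simplified Python model of why the new allow rule has to sit above the block rule in Global Rules, and a check that flags an allow rule shadowed by an earlier block rule. It assumes top-to-bottom, first-match evaluation; the class and function names are hypothetical, and the packets are constructed using port 57634 from the post and ports 53545 and 445 from the sample log.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "block"
    direction: str                              # "in" or "out"
    protocols: Optional[FrozenSet[str]] = None  # None means Any
    dst_port: Optional[int] = None              # None means Any
    description: str = ""

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.protocols is None or pkt.protocol in rule.protocols)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, top to bottom."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "no-match"  # assumption: traffic then falls through to application rules

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (a.direction == b.direction
            and (a.protocols is None
                 or (b.protocols is not None and b.protocols <= a.protocols))
            and (a.dst_port is None or a.dst_port == b.dst_port))

def shadowed(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because an earlier rule covers them."""
    return [r for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

ALLOW_UT = Rule("allow", "in", frozenset({"TCP", "UDP"}), 57634, "Incoming Port")
BLOCK_IN = Rule("block", "in", description="Block all incoming")  # stealth-style rule

GOOD = [ALLOW_UT, BLOCK_IN]  # allow rule above the block rule, as the post instructs
BAD = [BLOCK_IN, ALLOW_UT]   # allow rule left below the block rule

# Constructed packets for the three destination ports discussed in the thread.
TORRENT, OLD_PORT, SMB = (Packet("in", "TCP", p) for p in (57634, 53545, 445))

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, [evaluate(rules, p) for p in (TORRENT, OLD_PORT, SMB)],
              "shadowed:", [r.description for r in shadowed(rules)])
```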

I’m glad you’ve looked up about it. So, there isn’t any Router.
Question: Is it more secure to use the present connection with an ADSL2+Wifi-Router which my parents were using with the previous ISP (PC+their laptops)? Please have a look at this, it’s lying idle in a rack.
http://www.beetel.in/for-my-business/international-business/adsl/450-four-port-wifi-modem

I think the Firewall is working exceptionally well with Stealth mode (tested a week back with GRC tool). Anyway, as suggested, I’ve done the same with the help of the Stealth Wizard. I ran GRC again, ■■■■ good. Please see the attached pic.

I’ve followed your instructions and did the same. Thanks for helping me with patience :slight_smile:
Well, please have a look at the attached pics.
I’m not very sure whether to grant Trusted status to uT app or not ??? Anyway, will there be any issue if I don’t grant that status?

Result: At last, I don’t see any more Intrusion Blocked events in the Firewall :slight_smile:

Note: If you look at the uT-App-Rules pic, is ‘IP’ Protocol correct in that setting? Or should it be TCP/UDP?

Lastly, I’ve attached Defense+ Events pic. Only in this case, I do see something or uT itself is trying to access a few things. Should I ignore it?

[attachment deleted by admin]

A router would add an extra layer of security. That being said the firewall in CIS is very much up to the job. It is up to you what you prefer.

I am not familiar with turning a modem/router combination into a router only solution. It is possible but I could not help you with that process.

I think the Firewall is working exceptionally well with Stealth mode (tested a week back with GRC tool). Anyway, as suggested, I've done the same with the help of the Stealth Wizard. I ran GRC again, ■■■■ good. Please see the attached pic.
We usually get a lot of complaints about CIS not standing the GRC test; but these people are usually always behind a router. So GRC is then probing their router's firewall.... ;)
I've followed your instructions and did the same. Thanks for helping me with patience :) Well, please have a look at the attached pics. I'm not very sure whether to grant *Trusted* status to uT app or not ??? Anyway, will there be any issue if I don't grant that status?
I am using it when I am too lazy to set up a proper rule and never got into trouble with it.

For tighter rules for uTorrent read Firewall Tutorial for Utorrent with Comodo Internet Security. Also check out the rules made by colleague Bad Frogger; the part about how to not log ICMP messages when uTorrent is off line could be interesting.

Result: At last, I don't see any more Intrusion Blocked events in the Firewall :)

Note: If you look at the uT-App-Rules pic, is ‘IP’ Protocol correct in that setting? Or should it be TCP/UDP?

See the above for tighter rule set.

Lastly, I've attached Defense+ Events pic. Only in this case, I do see something or uT itself is trying to access a few things. Should I ignore it?
When it does not impact uTorrent don't fix it. I don't recall having seen topics where allowing things monitored by D+ were needed to make uTorrent work.

EricJH,

Thanks for your time and patience. I’m happy to find such good support, that too for a Freeware.
Great :slight_smile: