Hello to everyone at the Comodo forums, and thank you very much for your help in advance.
I noticed a strange IP connection being active every time I started the iexplorer application. After I used the netstat -b command, the socket looked like this:
TCP mypc:4146 ipand-strange-host-name.somedomain.com:http ESTABLISHED 4000
[iexplore.exe]
The connection was always there as long as I used the iexplorer, so, being afraid it was a trojan, I low-level formatted my HD and reinstalled the OS, and even then the evil IP was connecting the same way. After I noticed that, I installed the Comodo firewall and applied some network security policies to avoid the unwanted connection.
The rules are:
For protocols TCP-UDP/ICMP-IP
Action: Block
Direction: In/Out
Source address: The strange host name's possible IP addresses, entered as a range of IPs, since I noticed the last octet varied as I was killing each connection. I mapped the ports for that IP as well, and it looked like a Linux server.
Destination address: Any.
Source port: Any.
Destination port: Any.
When the protocol is ICMP, in the message field I choose the All option, and when the protocol is IP, I set the IP protocol on the IP details tab to Any.
Another policy is set the same way, just changing the source and destination addresses like this:
Source address: Any.
Destination address: The strange host name's possible IP addresses, entered as a range of IPs, since I noticed the last octet varied as I was killing each connection. I mapped the ports for that IP as well, and it looked like a Linux server.
All these rules are applied as application rules for the iexplore.exe file.
I also applied global rules as mentioned above for all the protocols available, setting the possible ranges for that evil IP.
I also entered those evil IP ranges in the blocked networks settings in the same way.
E.g.: 240.141.151.1-240.141.151.255
Finally, in Attack Detection Settings I increased the blocking time to 120 minutes and the emergency mode to 120 seconds; the TCP/UDP/ICMP flood settings are the default ones, and in Miscellaneous I just block the fragmented IP datagrams; the rest are unblocked.
The protected ARP cache is enabled.
This worked because the intruder can't set up an established connection each time I use the iexplorer, as far as I noticed, but what I have noticed is that when I use Hotmail or some other pages, my sniffer detects that my computer sends SYN packets again and again to the intruder's active pool IP while apparently it is still scanning my ports in sequential order; this doesn't let me load those sites normally.
I would like to receive some help to know if I can improve my settings to avoid the last behaviour, and also whether my configuration is OK to avoid further attacks or intrusions by this host/hosts.
I am also planning to turn my router firewall on, but I would like to do the best with the software firewall first so I don't affect my browsing experience too much.
Thank you very much for your time reading this and your willingness to share your expertise on this forum with the rest of the world.
Best Regards.
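As an added example (not from the post or from Comodo), here is a small Python script that does what the poster did by hand: it parses `netstat -b -n` style output, flags every connection whose remote address falls inside the blocked range from the post, counts repeated half-open (SYN_SENT) attempts per process and remote IP, and checks whether a blocked network sits in IANA-reserved space. The netstat text, process names and addresses other than the post's example range are constructed for the demonstration; the parser assumes the Windows `netstat` column layout with numeric addresses (`-n`), since hostnames cannot be compared against an IP range.

```python
import ipaddress
import re
from collections import Counter

# Block list from the post: the range entered in Comodo's "blocked networks".
BLOCK_RANGES = ["240.141.151.1-240.141.151.255"]

# Constructed sample of `netstat -b -n` output in the Windows layout (numeric
# addresses so they can be compared with ranges). Not real data; the process
# names and the non-240.x addresses are made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:4146       240.141.151.77:80      ESTABLISHED     4000
 [iexplore.exe]
  TCP    192.168.1.5:4150       240.141.151.78:80      SYN_SENT        4000
 [iexplore.exe]
  TCP    192.168.1.5:4151       240.141.151.78:80      SYN_SENT        4000
 [iexplore.exe]
  TCP    192.168.1.5:4152       203.0.113.10:443       ESTABLISHED     4000
 [iexplore.exe]
  TCP    192.168.1.5:4160       198.51.100.25:443      ESTABLISHED     2212
 [otherapp.exe]
"""

# One TCP connection line: proto, local endpoint, remote endpoint, state, PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)
# The "[name.exe]" line netstat -b prints under each connection.
PROC_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_range(spec):
    """Turn 'a.b.c.d-e.f.g.h' (Comodo-style range) or a CIDR string into IPv4 networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); the port is None when it is '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -b -n output into dicts; a following [name] line is attached
    to the connection printed just before it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            lip, lport = split_endpoint(m["local"])
            rip, rport = split_endpoint(m["remote"])
            conns.append({
                "proto": m["proto"], "local_ip": lip, "local_port": lport,
                "remote_ip": rip, "remote_port": rport, "state": m["state"],
                "pid": int(m["pid"]), "process": None,
            })
            continue
        p = PROC_RE.match(line)
        if p and conns:
            conns[-1]["process"] = p["name"]
    return conns


def find_blocked(conns, specs):
    """Connections whose remote address lies inside any of the blocked ranges."""
    nets = [n for spec in specs for n in parse_range(spec)]
    return [c for c in conns
            if any(ipaddress.ip_address(c["remote_ip"]) in n for n in nets)]


def syn_attempts(conns):
    """Count half-open (SYN_SENT) sockets per (process, remote IP). Repeated
    entries are the 'SYN again and again' symptom the sniffer showed."""
    return Counter((c["process"], c["remote_ip"])
                   for c in conns if c["state"] == "SYN_SENT")


def reserved_networks(specs):
    """Blocked networks that fall in IETF-reserved space (240.0.0.0/4 here).
    No public host is routed there, so a rule built on such an address is
    worth re-checking against the address the sniffer actually captured."""
    return [n for spec in specs for n in parse_range(spec) if n.is_reserved]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    blocked = find_blocked(conns, BLOCK_RANGES)
    for c in blocked:
        print(f"{c['process']} (pid {c['pid']}) -> "
              f"{c['remote_ip']}:{c['remote_port']} {c['state']}")
    for (proc, ip), n in syn_attempts(blocked).items():
        print(f"{proc}: {n} half-open attempts to {ip}")
    for net in reserved_networks(BLOCK_RANGES):
        print(f"warning: {net} is in reserved address space")
```

Run it against the real output of `netstat -b -n` (saved to a file and read into `SAMPLE_NETSTAT`, or piped in) to confirm that only the expected process opens sockets toward the blocked range; a non-zero count from `syn_attempts` for a process other than the one the rules cover points at a rule that is not being applied to that process, and a warning from `reserved_networks` means the address in the rule should be compared with what the sniffer actually captured before relying on it.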