Some considerations and doubts about CPF Stealth Capabilities [Resolved]

Dear COMODO Team, (:LOV)

I have done some tests at the PC Flank site (http://www.pcflank.com/) and the Shields UP! site (GRC | ShieldsUP! — Internet Vulnerability Profiling). Shields UP! reported after several different tests (there are a few of them there) that all scanned ports were stealthed and everything was OK. But PC Flank randomly reported, during some tests, ports 139, 27374 and another number that I don’t remember now. Well, I’ve gone to Shields UP! and checked those problematic ports in particular, and they were stealthed and OK.
After this port misunderstanding I decided to get a third opinion and downloaded Tenable Nessus Vulnerability Scanner 3.0.4; I attached one of its reports below. I would really like someone to comment, give suggestions, ideas or thoughts about this strange situation and the role played by COMODO Firewall in this whole scenario. As you can see, Nessus showed some open ports and vulnerabilities.
My working scenario:

Windows XP SP2 (Fully Updated)
COMODO Firewall 2.3.6.81
Avast! Pro 4.7.892
SSM 2.2.0.599
Ad Muncher 4.7.27105

I’ve already scanned my system using the following fully updated software: a-squared free, AVG Anti-Spyware 7.5, Spybot - Search & Destroy and Lavasoft Ad-Aware SE Professional; they reported my system is clean. I’ve scanned using the Kaspersky on-line scan, which reported a clean system as well. I also use SpywareBlaster silently in the background.

See you later,

aeolis (L)

Tenable Nessus Security Report

Start Time: Sun Nov 26 19:19:23 2006    Finish Time: Sun Nov 26 19:23:30 2006

localhost
127.0.0.1: 10 Open Ports, 12 Notes, 0 Warnings, 0 Holes.

127.0.0.1

adobeserver-2 (1103/tcp)
    Port is open
    Plugin ID : 11219

unknown (50300/tcp)
    Port is open
    Plugin ID : 11219

adobeserver-1 (1102/tcp)
    Port is open
    Plugin ID : 11219

ftranhc (1105/tcp)
    Port is open
    Plugin ID : 11219

pt2-discover (1101/tcp)
    Port is open
    Plugin ID : 11219

epmap (135/tcp)
    Port is open
    Plugin ID : 11219

xrl (1104/tcp)
    Port is open
    Plugin ID : 11219

ntp (123/udp)
    An NTP (Network Time Protocol) server is listening on this port.
    Risk Factor : Low
    Plugin ID : 10884

general/tcp
    127.0.0.1 resolves as localhost.
    Plugin ID : 12053

    Information about this scan :
    Nessus version : 3.0.4
    Plugin feed version : 200611251815
    Type of plugin feed : Registered (7 days delay)
    Scanner IP : 127.0.0.1
    Port scanner(s) : synscan
    Port range : default
    Thorough tests : no
    Experimental tests : no
    Paranoia level : 1
    Report Verbosity : 1
    Safe checks : yes
    Max hosts : 20
    Max checks : 4
    Scan Start Date : 2006/11/26 19:19
    Scan duration : 234 sec
    Plugin ID : 19506

imap (143/tcp)
    Synopsis :
    An IMAP server is running on the remote host.
    Description :
    An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.
    Risk Factor :
    None
    Plugin output :
    The remote imap server banner is :
    * BYE [ALERT] Cannot connect to IMAP server 127.0.0.1 (127.0.0.1:143), connect error 10061
    Plugin ID : 11414

smtp (25/tcp)
    The SMTP server on this port answered with a 421 code.
    This means that it is temporarily unavailable because it is overloaded or any other reason.
    ** Nessus tests will be incomplete. You should fix your MTA and
    ** rerun Nessus, or disable this server if you don't use it.
    Plugin ID : 18528

Hi.
First, can you add some more info, please?
Have you installed with “auto”?
Have you left the default network rules untouched?
Do you have a router?
If you have a router, have you made a trusted zone/network?

Can you scan 127.0.0.1 with this tool as well?
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/superscan4.htm
Just to see if you get the same results.

G’day,

Couple of notes before you repost;

  1. Shields Up testing reports the port status of the first responding device it finds on the return path to your IP. If you are behind a router, Shields Up is reporting the status of your router (unless, of course, you have ports 1 - 1056 forwarded).

  2. PC Flank’s tests are flaky, to say the least. Their leak test displays a dialogue reporting that your firewall has failed before their leak test ever attempts to send any data anywhere, by any method. It doesn’t matter what firewall you have, this test is flaky. IMHO, any other test on this site must be considered dubious, at best.

  3. The status of ports on the 127.X.X.X interface is irrelevant to your safety on the internet, as the 127 subnet is entirely local to your machine. The 127 address space CANNOT exist outside a local PC - it is an explicitly non-routable address.

Hope this helps,
Ewen :slight_smile:

Hello folks,

Thank you very much for your time and patience! Thank you very much AOwL™ and panic. Well, first I will answer AOwL™’s questions and requests:

  1. As far as I know I installed CPF using its default schemes, values and actions. So everything was automatic.
  2. No. The only two rules that I have added are those I’ve found here in this forum about uTorrent and eMule. I use those rules to be able to use the mentioned software without problems. And they are:

ALLOW TCP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN [36052,12851,]

ALLOW UDP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS IN [36073,12851,]

  3. No. I don’t have a router. As far as I know I use a rented SpeedStream 5200 DSL modem from my broadband provider.

And now the results requested by AOwL™:

  • Scenario 1 -

The IP list contains 1 entries
Service TCP ports: 65535
Service UDP ports: 65535
Packet delay: 10
Discovery passes: 3
ICMP pinging for host discovery: Yes
Host discovery ICMP timeout: 2000
TCP banner grabbing timeout: 8000
UDP banner grabbing timeout: 8000
Service scan passes: 3
Hostname resolving passes: 3
Full connect TCP scanning for service scanning: Yes
Service scanning TCP timeout: 4000
Service scanning UDP timeout: 2000
TCP source port: 0
UDP source port: 0
Enable hostname lookup: Yes
Enable banner grabbing: Yes

Scan started: 11/27/06 09:55:15

-------- Scan of 1 hosts started --------
Scanning 1 machines with 1 remaining.
-------- Host discovery pass 1 of 3 --------
Host discovery ICMP (Echo) scan (1 hosts)…
1 new machines discovered with ICMP (Echo)
-------- Host discovery pass 2 of 3 --------
-------- Host discovery pass 3 of 3 --------
TCP service scan (full-connect) pass 1 of 3 (1 hosts x 65535 ports)…
TCP service scan (full-connect) pass 2 of 3 (1 hosts x 65535 ports)…
TCP service scan (full-connect) pass 3 of 3 (1 hosts x 65535 ports)…
UDP service scan determining ICMP unreachable hosts pass 1 of 3 (1 hosts)…
UDP service scan determining ICMP unreachable hosts pass 2 of 3 (1 hosts)…
UDP service scan determining ICMP unreachable hosts pass 3 of 3 (1 hosts)…
UDP service scan pass 1 of 3 (1 hosts x 65535 ports)…
UDP service scan pass 2 of 3 (1 hosts x 65535 ports)…
UDP service scan pass 3 of 3 (1 hosts x 65535 ports)…
Performing hostname resolution…
Pass 1 of 3
Pass 2 of 3
Pass 3 of 3
Performing banner grabs…
TCP banner grabbing (21 ports)
UDP banner grabbing (0 ports)
Reporting scan results…
-------- Scan done --------

Discovery scan finished: 11/27/06 11:44:51

Live hosts this batch: 1

127.0.0.1
Hostname: localhost
TCP ports (21) 25,110,113,119,135,143,1101,1102,1103,1104,1105,1106,1241,11025,11110,12025,12080,12110,12119,12143,50300


Total live hosts discovered 1
Total open TCP ports 21
Total open UDP ports 0

  • Scenario 2 -

The IP list contains 1 entries
Service TCP ports: 65535
Service UDP ports: 65535
Packet delay: 10
Discovery passes: 3
ICMP pinging for host discovery: Yes
Host discovery ICMP timeout: 2000
TCP banner grabbing timeout: 8000
UDP banner grabbing timeout: 8000
Service scan passes: 3
Hostname resolving passes: 3
Full connect TCP scanning for service scanning: No
Service scanning TCP timeout: 4000
Service scanning UDP timeout: 2000
TCP source port: 0
UDP source port: 0
Enable hostname lookup: Yes
Enable banner grabbing: Yes

Scan started: 11/27/06 11:49:58

-------- Scan of 1 hosts started --------
Scanning 1 machines with 1 remaining.
-------- Host discovery pass 1 of 3 --------
Host discovery ICMP (Echo) scan (1 hosts)…
1 new machines discovered with ICMP (Echo)
-------- Host discovery pass 2 of 3 --------
-------- Host discovery pass 3 of 3 --------
TCP service scan (SYN) pass 1 of 3 (1 hosts x 65535 ports)…
TCP service scan (SYN) pass 2 of 3 (1 hosts x 65535 ports)…
TCP service scan (SYN) pass 3 of 3 (1 hosts x 65535 ports)…
UDP service scan determining ICMP unreachable hosts pass 1 of 3 (1 hosts)…
UDP service scan determining ICMP unreachable hosts pass 2 of 3 (1 hosts)…
UDP service scan determining ICMP unreachable hosts pass 3 of 3 (1 hosts)…
UDP service scan pass 1 of 3 (1 hosts x 65535 ports)…
UDP service scan pass 2 of 3 (1 hosts x 65535 ports)…
UDP service scan pass 3 of 3 (1 hosts x 65535 ports)…
Performing hostname resolution…
Pass 1 of 3
Pass 2 of 3
Pass 3 of 3
Performing banner grabs…
TCP banner grabbing (0 ports)
UDP banner grabbing (0 ports)
Reporting scan results…
-------- Scan done --------

Discovery scan finished: 11/27/06 13:32:57

Live hosts this batch: 1


Total live hosts discovered 1
Total open TCP ports 0
Total open UDP ports 0

Now about panic questions and suggestions:

Thank you for your time and knowledge! Well, you said 127.0.0.1 scans are irrelevant, so what IP should I use to scan and see relevant results about my network safety? COMODO Firewall reports WAN (PPP/SLIP) Interface as my network adapter and shows its IP address. Shields UP! uses that IP to scan my network ports. Should I use that IP to scan?

See you later,

aeolis (L)
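The two custom rules aeolis quoted are the only inbound openings mentioned in the thread. As an added example (not code from the thread or from Comodo), the Python below parses rules written in that notation and evaluates which destination ports they actually open to unsolicited inbound traffic; the default-deny fallback for traffic matching no rule is an assumption, chosen to mirror the default stealth behaviour the thread describes.

```python
import re
from collections import namedtuple

# The two rules aeolis quoted, in Comodo Firewall 2.3's rule notation.
RULE_TEXT = [
    "ALLOW TCP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] "
    "AND DESTINATION PORT IS IN [36052,12851,]",
    "ALLOW UDP IN FROM IP [Any] TO IP [Any] WHERE SOURCE PORT IS [Any] "
    "AND DESTINATION PORT IS IN [36073,12851,]",
]

RULE_RE = re.compile(
    r"(?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) (?P<dir>IN|OUT) "
    r"FROM IP \[(?P<src>[^\]]*)\] TO IP \[(?P<dst>[^\]]*)\] "
    r"WHERE SOURCE PORT IS (?:IN )?\[(?P<sport>[^\]]*)\] "
    r"AND DESTINATION PORT IS (?:IN )?\[(?P<dport>[^\]]*)\]"
)

# sports/dports are None for "Any", otherwise a frozenset of port numbers.
Rule = namedtuple("Rule", "action proto direction sports dports")

def parse_ports(spec):
    if spec.strip().lower() == "any":
        return None
    return frozenset(int(p) for p in spec.split(",") if p.strip())  # tolerates "[36052,12851,]"

def parse_rule(text):
    m = RULE_RE.fullmatch(" ".join(text.split()))  # collapse whitespace before matching
    if not m:
        raise ValueError("unrecognised rule syntax: %r" % text)
    return Rule(m["action"], m["proto"], m["dir"],
                parse_ports(m["sport"]), parse_ports(m["dport"]))

def decide(rules, proto, direction, sport, dport):
    """First-match evaluation of one packet. Assumption: inbound traffic matching no
    rule is dropped, so the port stays stealthed (the default the thread describes)."""
    for r in rules:
        if (r.proto, r.direction) != (proto, direction):
            continue
        if r.sports is not None and sport not in r.sports:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "BLOCK"

RULES = [parse_rule(t) for t in RULE_TEXT]
```

Running `decide(RULES, "TCP", "IN", 40000, 139)` returns "BLOCK", so these two rules cannot explain ports 139 or 27374 showing up in the PC Flank results.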

I don’t know if this helps any but I did a search on google for “SpeedStream 5200 DSL modem”. I found out that they can be configured as a router. So the tests might be checking your modem’s built in router instead of the Comodo FireWall.

If he has a router, it’s the router that gets scanned.

Hello folks,

AOwL™, you asked me some questions and requested some tests from me. I answered all your questions and reported the test results. Could you please be so kind as to read them, so you could post at least a brief comment?
panic, you could answer my questions if possible, couldn’t you? I gave an idea, so could you be so kind as to come back with suggestions too?
I did some research about dal’s post and as far as I know my modem IS just a modem. It is NOT a router (I didn’t even know how to change its status from modem to router. Now I’ve learned how to do that, but I will not change it anyway).

See you later, (L)

aeolis

P.S.: Sorry if I offended somebody. Please accept my apologies in advance. (:SHY)

NP, you haven’t offended me, just the rest of my life got in the way of answering quicker. :wink:

The IP address you should scan is the address of the adapter that is used to access the internet. In a command prompt window (START - RUN - CMD), type “IPCONFIG /ALL”. This will show all IP configured devices in your system. Identify the adapter that connects to your router or modem and that is the IP you should scan.

I really doubt that CPF isn’t stealthing everything, unless you have created custom rules that explicitly allow traffic.

Hope this helps,
Ewen :slight_smile:
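To illustrate Ewen’s point that 127.x.x.x results say nothing about internet exposure, here is an added example (not code from the thread or from Comodo): a Python classification of listening sockets taken from a constructed `netstat -an` dump, showing what a scan run against 127.0.0.1 sees versus what a scan from a remote address could ever reach, firewall aside. The dump, the port numbers in it and the remote address 203.0.113.9 are all constructed, not taken from aeolis’s machine.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an`; not output from the thread's PC.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1101         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1102         127.0.0.1:1103         ESTABLISHED
  UDP    127.0.0.1:123          *:*
"""

def parse_listeners(text):
    """Return (proto, bind_address, port) for each listening socket in the dump."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue                                  # header or blank line
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue                                  # connections, not listeners
        host, port = parts[1].rsplit(":", 1)
        rows.append((parts[0], host.strip("[]"), int(port)))  # "[::]:135" -> "::"
    return rows

def visible_to(rows, scanner_ip):
    """Set of (proto, port) a scanner at scanner_ip could find open, firewall aside.

    A socket bound to 127.0.0.0/8 answers only the machine itself, so it shows up in a
    127.0.0.1 scan but can never be reached from the internet. Anything else (0.0.0.0,
    ::, or a real adapter address) is counted as potentially reachable; stealthing those
    is the firewall's job, and that is the only thing a remote scan actually tests.
    """
    local_scan = ipaddress.ip_address(scanner_ip).is_loopback
    found = set()
    for proto, host, port in rows:
        if ipaddress.ip_address(host).is_loopback and not local_scan:
            continue
        found.add((proto, port))
    return found

ROWS = parse_listeners(NETSTAT_SAMPLE)
LOOPBACK_VIEW = visible_to(ROWS, "127.0.0.1")    # what Nessus/SuperScan against localhost sees
INTERNET_VIEW = visible_to(ROWS, "203.0.113.9")  # the most a remote scanner could ever find

if __name__ == "__main__":
    print("loopback scan      :", sorted(LOOPBACK_VIEW))
    print("remote scan (max)  :", sorted(INTERNET_VIEW))
    print("loopback-only noise:", sorted(LOOPBACK_VIEW - INTERNET_VIEW))
```

The loopback-only set is the part of a 127.0.0.1 report that no firewall rule can change; only the remaining entries, scanned from the adapter IP as panic describes, tell you anything about stealth.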

Here is the latest leak test result that shows whether CPF stealths or not…

http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php

Melih

Comodo got a nice score… ;D
Just fix that Coat leak… :wink:

Aeolis, no need to be impatient…
If you look, there was a possibility that you had a router, so I was waiting for your answer on that.
I don’t work for or get paid from Comodo.
I’m just a user like you, and I’m trying to help.
You must admit that it’s not easy to solve, because almost everyone gets stealth from the auto install and default rules. The users that don’t “must” have altered the rules, be scanning their router and/or have had something go wrong at install.
If you are scanning the correct IP, I would uninstall it, reboot, clean the registry and install it again. Use auto, reboot, scan for known apps (security/tasks), and if you have a router, add a new trusted network.
It doesn’t take long…
Now you can do a portscan.
Something that is getting common these days is that ISPs are providing firewalls/antivirus directly on your connection. You don’t have anything like that?

SpeedStream 5000 DSL Modem/Bridge series are routers!

For more information on how to configure it properly visit the siemens support site:
http://subscriber.communications.siemens.com/subscriber_networks/support.shtml#

The best way is to check your IP, and the IP that is getting scanned, just like Panic describes in his post.
I found a link with some info and a PDF.

Well, to be more correct, they are DSL bridge modems (they have a USB and a LAN interface). Let’s just say that they are hybrids of modems and routers. But they have more similarities with a router than with a normal DSL modem. They have NAT capabilities and it is possible to connect two PCs to them that can communicate with each other or not. It depends on whether you activate their bridge ability or not.

I have 1 normal dsl modem, 1 bridge modem, and 1 router. And the bridge/modem is more similar to my router than my normal dsl modem.

If your pc has a different IP from your connection then the modem functions as a router.

Hello folks,

I went to the link posted by pandlouk and checked their FAQ. So the conclusion is my SpeedStream 5200 modem is configured as a bridge (although I don’t know what this means). Quoted from pandlouk’s link: “If your Default Gateway is 192.168.254.254 your unit is a Router should have access to the Web Management Interface. Otherwise your product is configured as a Bridge and will not have access to the Web Management Interface.”. I can’t access the configuration address and my default gateway is not 192.168.254.254, so my modem is configured as a bridge.
Does that influence my stealth tests? Well, AOwL™, I’ve already noted and followed panic’s instructions, so now I have what I think is the right IP and I will do a new test using SuperScan 4 (as suggested by AOwL™). I will post back the results later.

NOTE: I have a different IP every time I reboot and start my computer. Is that strange or normal? Does that have some connection with the stealth tests?

See you later,

aeolis

Hi, can you please PM me the IP that you see under the system info of CFW?

Hello folks,

pandlouk is that safe?

See you later,

aeolis

As a moderator I can see your IP. :wink:
That is why I asked to send it to me through a private message. I’m the only one who will read it. :wink:
And it will help to check if it is the same as the one of your connection.

Hello folks,

pandlouk did you receive it?

See you later,

aeolis

Yes. It’s the same with the one I see.

This means that your modem is configured as a normal modem.

But maybe it has some kind of firewall enabled. CFW should not fail any scan test.

Your ISP, by way of your modem, assigns a new IP with every boot, as you have what is called a “dynamic” IP (as compared to “static”).

Your modem has a default setting (which can be changed, but you don’t need to, and probably wouldn’t want to) that causes it to regenerate the IP; depending on its setting capabilities, this may be on every boot, every login, or even over a certain time period.

LM