some newbie questions

Hello,

nice to find this forum.
I have been using the Comodo Firewall for a few days and I have a few “newbie questions” about its functions and proper configuration.

First of all, I installed it and I didn’t change anything in the settings with one exception, namely in “Stealth Ports Wizard”, where I decided to switch to the 3rd option, “Stealth my Ports to Everyone” (although whenever I click again on the “Stealth Ports Wizard”, I see the first option checked, but I guess that’s just the confusing part, because I clicked for sure to activate the third option… can someone confirm BTW?)

Anyway, I wonder if there are any other recommended changes to make in the settings to ensure proper protection? I’m using WIN XP HOME with SP3, it’s a home computer, not on a shared network (I’m from Europe BTW).
Should I change something in the configuration? If yes, where and why? Or maybe in “my port sets” (I see many default ports there) or “my network zones” (I only see a loopback zone there)? But as you can deduce from my message, I am pretty much clueless when it comes to such things. (Right now my settings are “safe mode” for the firewall and “clean PC mode” for defense, the default settings.)

For example, I came across this thread on this very forum
https://forums.comodo.com/leak_testingattacksvulnerability_research/cant_stealth_the_port_139_with_comodo_i_did_not_pass_shieldup_file_sharring-t21236.0.html
where someone says that under the default Comodo settings, his firewall did not pass some kind of security test.
Can you please point out to me what exactly I need to change, and where, to increase the security level in that regard?

Also, under “Firewall events”, I can see hundreds of events with application: Windows Operating System, action: blocked, protocol: TCP, UDP, sometimes ICMP, and different IPs & ports.
I reckon that although these are listed as “intrusions”, these are in fact harmless operations which are/should normally run in my system (?). Can someone confirm this and explain to me what blocking them means or causes?

Under “defense events” yesterday I saw only mshta.exe responsible for “Direct Monitor Access” so far, but from my current research it looks like I needed to enable that, because these were standard processes required to enter and manage the “User Accounts” in my XP’s Control Panel…

But today I see the files QTFont.for and temp0.exe in “pending review”? I guess these files are connected with some natural processes and I can enable them (or add them to my “safe files”?)

Also, I wonder, if someone tries to attack my system (some hacker trying to get into my PC), then I will see the information about it in “Defense Events” and not “Firewall Events”, right?
But how will it most likely get listed?

Anyway, just some basic questions; I would appreciate some help for a total newbie :slight_smile:

Oh, and a final question: I am using some messengers, such as ICQ. However, the Comodo Firewall has never asked me so far if it should allow ICQ to connect from my computer to the Internet.
I was expecting that it would ask me about this. Is that normal, or does this show that my Firewall is not configured properly?

I hope some of you will find the patience and time to answer my questions. I will make sure NOT to ask such simple questions in future and I will recommend this Firewall to my friends :slight_smile:
And sorry for the bad English!

PS I just re-read what I wrote and I have one more question. Now that I have the Comodo Firewall, should I disable the XP built-in firewall, or not?

kindest regards,

Sorry but this is all I can answer. Yes, you should disable the Windows built-in firewall. They don’t have any known conflicts running together, but you should never run two firewalls at the same time, to prevent possible conflicts. Same goes for Anti Viruses. :slight_smile:

A few more answers :slight_smile: :
Stealth port wizard blocks inbound connections by adding a rule at the end of your global rules to not allow incoming connections. The wizard doesn’t show the status; it just has the first option checked by default.
You should not need to change the default settings arbitrarily; in safe mode you will get popups for applications that let you select how CFP should treat them, and CFP will make rules for you accordingly. To make more selective rules, I prefer to set alert settings to high.
To test how well your settings block intrusions, you can go to the Home of Gibson Research Corporation and run Shields Up and let it probe your ports.
An intrusion in CFP is an incoming connection attempt that is blocked and logged. Most of them have to do with normal networking for things like file sharing, or network status checking by your router. They are blocked as normally unnecessary to your network functions. To make the logging go away, make rules that block the same messages you see, but don’t select logging. This will also stop them from showing up in the intrusion counter.

Thanks for the answers guys, I saw them immediately but decided to wait with replying, as I was hoping for more replies that would eventually answer all my questions :slight_smile:

I have done the “file sharing”, “common ports” and “all services ports” tests and passed them perfectly.
No idea why the user in the link quoted above had problems with the “file sharing” test :o

However, some specific question here:

On this site (I haven’t used the test there yet) I have read that:

Note that some high-end hardware firewalls (Cisco PIX, etc.) and software firewalls may permanently block an IP address if it detects a security audit. You’ll want to temporarily disable this autoblock feature (not the firewall) or you’ll receive incorrect results (if you are an average user, this probably won’t concern you).

Here’s why: If we start to test your firewall for ports 1 to 1024 and your firewall blocks our IP address after only a few ports, then the remaining ports will appear closed to us when in fact they may actually be open.

Can someone tell me if that can also be a concern with the Comodo Firewall and the GRC test?
I mean, did that test really test all ports, or did the Comodo Firewall block their IP address after a few attempts already, as described above, which could constitute a false result? Some expert opinion appreciated :slight_smile: (maybe someone from Comodo?)

Also, sded, you said

An intrusion in CFP is an incoming connection attempt that is blocked and logged. Most of them have to do with normal networking for things like file sharing, or network status checking by your router. They are blocked as normally unnecessary to your network functions. To make the logging go away, make rules that block the same messages you see, but don't select logging. This will also stop them from showing up in the intrusion counter.

Personally, I’m not doing any file sharing, I am just surfing the web normally, but I still get LOTS of blocked connections that I am not sure where they are coming from (what do they mean). I don’t think I am attacked all the time, so I realise they can be harmless. But I wonder if you guys are seeing the same?

thanks and regards

First of all are you behind a hardware firewall? What do your Comodo logs say is being blocked?

I’m in Europe now, it’s just after midnight and for some reason the firewall is showing logs only recorded from “today”, but I see two firewall events already.

I see protocol UDP and two connections; the source IPs are as follows:

125.211.198.23 and 190.80.198.142 (not sure if I should reveal the source and destination ports as well?)

Hmm, I just googled the first IP and it seemed to belong to an attacker indeed?

http://www.mittineague.com/dev/dids.php (it’s on that list)

Hm, so if I didn’t have the Comodo Firewall, then what would have happened? Would someone get into my PC? Or is that just automatic scanning for open ports?
I’m really a tech-newbie

thanks for any comments !

EDIT: no, not behind a hardware firewall. Only Comodo and the Windows XP firewall (didn’t disable it YET)

If you are not using a router, what you are seeing then is normally called “internet noise”. There are computers on the internet constantly scanning potentially vulnerable ports to enroll careless users in the “zombie army”. Most users have routers that get rid of all this ■■■■ before it hits the software firewall. Get rid of the log in the “block and log” rule created by CFP so you won’t see it anymore. And yes, without a firewall you are likely to become infected, although even the included Windows firewall will protect against these attacks.

thank you :slight_smile:

Can anyone answer this?

Also, in Firewall → Advanced → Attack Detection Settings, I see a rule that says that a suspicious host attempting a port scan will be blocked for 5 mins… so isn’t this connected with what I quoted above, and therefore can’t it theoretically falsify the GRC test results?

BTW, after doing the “file sharing” or “common ports” tests, these IPs are logged in “firewall events” only a few times, but I see them (4.79.142.192 etc.) showing more often as “active connections” while doing the tests. Is that normal? (I mean WHILE doing the common ports test, I see these IPs showing like 10 times as “Active connections”, but they are recorded in “firewall events” only 4 times.)

Finally, did anyone do the LeakTest from GRC? (leaktest.exe)

I read in an ancient article about it, but on that website the info about the LeakTest seems a few years old.

Has anyone done it? GRC | LeakTest -- Firewall Leakage Tester

regards,

Of course Comodo passes this test. Any firewall can actually pass this test. You first need to let D+ allow the test to run.

GRC doesn’t scan your ports fast enough or long enough to trigger the attack detection settings. The “active connections” you should see are the outbound connections from your browser to the GRC site to run the test. TCP connections have some persistence and websites use multiple HTTP connections. Do you see something else? CFP does selective logging, so you won’t generally see all the scans in the log.
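The two ideas in this thread, scattered blocked inbound packets being “internet noise” versus one host hitting many ports inside a short window (what the Attack Detection Settings block for 5 minutes), as an added example that is not Comodo’s code. The log layout, the 20-second window and the 5-port threshold are constructed assumptions; CFP 3 only shows these fields in its GUI.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in an invented layout (real CFP 3 shows these fields in its GUI):
#   <date> <time> <application> <action> <protocol> <src_ip> <src_port> <dst_port>
SAMPLE_LOG = """\
2008-11-03 00:05:12 Windows Operating System Blocked UDP 203.0.113.7 53211 1434
2008-11-03 00:07:40 Windows Operating System Blocked TCP 198.51.100.22 4022 135
2008-11-03 00:09:01 Windows Operating System Blocked UDP 192.0.2.9 1027 137
2008-11-03 00:10:00 Windows Operating System Blocked TCP 198.51.100.77 40001 21
2008-11-03 00:10:01 Windows Operating System Blocked TCP 198.51.100.77 40002 22
2008-11-03 00:10:02 Windows Operating System Blocked TCP 198.51.100.77 40003 23
2008-11-03 00:10:03 Windows Operating System Blocked TCP 198.51.100.77 40004 25
2008-11-03 00:10:04 Windows Operating System Blocked TCP 198.51.100.77 40005 80
"""
SCAN_WINDOW = timedelta(seconds=20)    # hypothetical detector window
SCAN_MIN_PORTS = 5                     # hypothetical distinct-port threshold
BLOCK_DURATION = timedelta(minutes=5)  # the 5-minute block mentioned in the thread

def parse_events(text):
    """One dict per line; the application name may itself contain spaces."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        head, action, proto, src_ip, _src_port, dst_port = line.rsplit(None, 5)
        date, clock, app = head.split(None, 2)
        events.append({"time": datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S"),
                       "app": app, "action": action, "proto": proto,
                       "src_ip": src_ip, "dst_port": int(dst_port)})
    return events

def triage(events, window=SCAN_WINDOW, min_ports=SCAN_MIN_PORTS):
    """Split blocked packets into scans {src: (trigger, block_until, ports)}, i.e. one
    source hitting min_ports distinct ports inside a sliding window, and noise."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    scans, noise = {}, []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(evs):
            while e["time"] - evs[start]["time"] > window:
                start += 1
            ports = {x["dst_port"] for x in evs[start:end + 1]}
            if len(ports) >= min_ports:
                scans[src] = (e["time"], e["time"] + BLOCK_DURATION, ports)
                break  # first trigger starts the block; later probes are dropped
        else:
            noise.extend((src, x["proto"], x["dst_port"]) for x in evs)
    return scans, noise
```

A probe paced slower than the window (as sded describes for the GRC test) never reaches the threshold and is classified as noise rather than as a scan.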

Oh yeah, by the way, if you have a hardware firewall, GRC will scan that first and not the software firewall.

He was talking about the GRC leak test not the Shields Up test.

To clarify, I have done the 3 shields up tests and asked more specifically about them (their accuracy and how they are logged etc)

LeakTest I only asked about because I saw it mentioned in an old article yesterday and wondered if it’s worth doing.

Thx. Just realized that 88)

Ok so I guess overall I’m pretty much safe.

Final question: the GRC site mentions some vulnerabilities with the MSN messenger.
I am not using it, but I use ICQ.
Does it also have any vulnerabilities, e.g. someone can detect my IP based on my ICQ number (or so) and then somehow hack my PC?

I hope it’s not the case, just making sure.

With all the “packet sniffers” out there today I’m sure a hacker who knows a little something could easily get an IP from anyone/any messenger.

Yes, but even then the Comodo Firewall would prevent him from getting into my PC, right?
Or can he somehow use the ICQ ports? Are there any vulnerabilities?

No, with CFP 3 all ports are stealthed by default so no one can see them even if you have ICQ or other programs running. CFP3 would also give you a few alerts if anything fishy is going on. :-TU

You are completely sheathed and “invisible” with CFP 3 installed, Defense+ is also a bonus for fighting malware.

You have a great piece of software on your PC! :slight_smile:

you have a great piece of software on your PC

I hope so :smiley:

Ok, final thing: as I said, I have the default settings (the only exception is that I have chosen to stealth all connections).

I wonder if it makes sense to switch defense from “clean PC” to “Safe mode”? I have been using the firewall for about a week now.

Before installing Comodo, I scanned my PC with Comodo and lots of other programs as well (Deckard System Scanner, Kaspersky Antivirus Online scan etc.) and I also have Avira anti-virus running, so I can assume that my system is really 100% safe and the “clean PC” mode is sufficient, right? So there’s no need to switch Defense to “Safe mode”?

But I’m curious: if I switch it, will it mean that I will suddenly be asked to approve all processes, even the ones that have been running fine in the past week?
And judging by what I said above, does it make any sense to switch Defense to “safe mode”?