Ever since I installed, I have observed a connection to a Hotmail IP range at boot time. Now I don’t use Hotmail. I assumed this was normal MS dialing home baloney.
Sometime later, I noticed Comodo firewall auto-generated an allow application rule for ping.exe for all ICMP outbound. Never saw anything like that before, so I changed the rule from Allow to Ask.
The rule sat dormant for a long time. Recently, I saw a block action on this rule. I must have been away from my PC when the Ask alert was generated, so Comodo blocked it. Lo and behold, it was an ICMP 8,0 request to a Hotmail IP range.
Yes, I believe it is normal. The Hotmail activity is probably W7 (maybe Live ID related) trying to put your unread email count (if there is one) on the Login screen and the PING is probably either the same email activity (trying to make sure the connection is OK) or one of W7’s periodic tasks trying to test the same for wired/wireless connections (they’re small VBS scripts).
Check W7’s Task Manager, if you’ve not seen it before it will be quite an eye-opener… it’s very extensive and there are lots of W7 related tasks that run for many reasons (some scheduled & others on events, etc).
I just checked my global rules. I have a rule allowing all ICMP outbound. It appears Comodo ignored that and generated the application rule. Don’t know why it did that.
Then there is the Hotmail issue. Like I stated previously, I don’t have a Hotmail account. I can buy the boot dial-out to Hotmail, which I have observed using TCPView. Don’t know why it would dial out randomly at any other time.
Are you saying Hotmail based on a reverse DNS lookup of the IP address or because of something else? Also, when you say “dial out” do you mean an outgoing connection or are you talking about Dial-Up Networking (DUN)?
PS Check the Microsoft - Windows sections with the Task Scheduler. It’s fairly likely that you’ll find your culprit in there (somewhere).
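One way to follow the advice above and look through the Microsoft - Windows task folders for the culprit, as an added example that is not part of the thread: this PowerShell snippet lists Windows 7 scheduled tasks whose action runs ping.exe or a VBScript, together with their last and next run times so they can be lined up against the firewall log timestamps. It assumes schtasks.exe (present on Windows 7), PowerShell 2.0 or later, and an English-language Windows, because schtasks prints localized column names.

```powershell
# Added example, not from the thread: find Microsoft\Windows scheduled tasks whose
# action runs ping.exe or a .vbs script, so their run times can be compared with the
# firewall log. Assumes schtasks.exe, PowerShell 2.0+, and English column names.

function Get-SuspectMicrosoftTasks {
    param(
        # Regex for task actions worth a second look (ping.exe and script hosts).
        [string]$Pattern = 'ping\.exe|\.vbs|wscript|cscript'
    )

    # /v adds the verbose columns, including "Task To Run" and "Last Run Time".
    $csv   = schtasks.exe /query /fo CSV /v 2>$null
    $tasks = $csv | ConvertFrom-Csv

    $tasks |
        Where-Object {
            $_.TaskName -ne 'TaskName' -and                  # schtasks repeats the header row per folder
            $_.TaskName -like '\Microsoft\Windows\*' -and    # only the built-in Microsoft folders
            $_.'Task To Run' -match $Pattern
        } |
        Select-Object TaskName, 'Task To Run', 'Last Run Time', 'Next Run Time', 'Scheduled Task State'
}

Get-SuspectMicrosoftTasks | Format-Table -AutoSize -Wrap
```

Widen or change the pattern if nothing shows up: a task can launch a script through a DLL or another host rather than by name, so an empty result does not prove no scheduled task is responsible, only that none of them names ping.exe or a .vbs file directly in its action.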
Personally, I don’t see any ICMPv4 activity related to this address, or any other address during boot, so your ‘Ping’ event may be caused by something else. However, running a dumpcap during boot, on my system, shows these events to be NCSI/NLA (Network Status Connectivity Indicator/Network Location Awareness) related, although I wasn’t aware this service used that address range. The normal behaviour for NLA is controlled by svchost and the parameters found at:
Which is a request to www.msftncsi.com, but if you look at the trace below, you can see the URI request towards the bottom.
Thanks Radagast for the detail work on that boot Hotmail url connect event. I figured it was “benign.”
As far as I can determine, Windows Mail is not active or activated.
I have used a few firewalls, and Comodo’s starting with ver. 3, and I have never seen a system-triggered application outbound rule generated for ping.exe. I have seen a rule created for ping.exe when I manually executed the ping command. Note that I did not execute a ping command at the times shown in the firewall log screen shot. Something within WIN 7 generated those ping commands. Also, the pings appear to be generated randomly.
I do know one thing for sure about WIN 7 - it should be renamed “Microsoft Spyware.” The more I learn about it, the more intrusive I see it is.
I changed some of my global ICMP rules and will wait and see what falls out.
I was purposely blocking ICMP outbound destination unreachable for everything except to router. I always viewed that as a security risk to inbound port probing but WIN 7 might require it to “dial home” for God knows what.
I also added an allow inbound ICMP echo reply prior to any outbound ICMP rules. This in reality might be the issue. I suspect WIN 7 was generating an outbound echo request and wasn’t receiving a reply, and attempted to re-test connectivity by internally generating another echo request, hence the generation of the Comodo application outbound ICMP echo request rule.
I can’t really see why you’d want to configure any outbound ICMP rules for the firewall, other than application rules for ping and tracert, especially not echo reply. The only Global ICMP rules the majority should consider, are inbound for destination unreachable, time exceeded and fragmentation needed.
I have attached the ICMP rules I created. These are one for one copies of NIS 2011 global ICMP rules. In fact, I have made my Comodo global rules equal to those given for NIS2011. A few of them are shown.
I have never been infected in close to a year using NIS 2011. I have been infected twice already since May using Comodo’s firewall and Defense+. One time was so severe, I had to restore from an image backup. I am not taking any more chances with Comodo’s default rules.
I have not added the NIS 2011 IPv6 ICMP rules yet since they are extensive and I am not using IPv6 for Internet access since my ISP does not support it yet.
You have a number of Global rules in there that make little sense:
Allow DHCP Broadcast.
Providing you have an Application rule for svchost that allows a limited broadcast out over UDP to port 67, you don’t need this rule. If you haven’t changed the defaults, this is already happening.
Allow ICMP OUT ANY is pretty pointless. If there’s unsolicited outbound ICMP traffic originating from your PC, you should find out why.
Both of your NetBIOS rules fail to include support for NetBIOS Session service (TCP over port 139) which is the single most exploited NetBIOS port.
ICMP Echo Request IN is not needed, even in a LAN environment, unless you’re constantly ‘pinging’ other devices on your LAN.
Windows file sharing is NetBIOS and direct hosting over TCP/UDP ports 137-139 and 445. What do your Windows file sharing rules do?
Win 2000 SMB? SMB (Service Message Block) is used in Windows and Samba file sharing (NetBIOS and Direct hosting). What is this rule for?
As I said elsewhere, it’s pointless copying rules from another firewall, as they work differently and you’re not doing yourself any favours. In CIS there are specific guidelines about the way the rules work, which can be simply defined as:
Application rules allow control of individual processes, typically for outbound traffic
Global rules allow control of ports and protocols, typically for inbound traffic
Whilst it’s quite easy to deviate from this behaviour, it’s worth adopting its structure. If you want help defining rules, please ask.
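To make the NetBIOS/SMB point above concrete, here is an added example (not code from the thread or from Comodo) that models a small set of inbound Global rules and reports which of the Windows file sharing ports are not matched by any of them. The rule objects and their fields are constructed for the example; Comodo’s real rule format and evaluation order are not modelled. The checklist it uses is the set of port/protocol pairs Windows actually listens on: UDP 137 (NetBIOS name service), UDP 138 (NetBIOS datagram service), TCP 139 (NetBIOS session service) and TCP 445 (direct-hosted SMB).

```powershell
# Added example, not from the thread: check a constructed list of inbound Global rules
# against the NetBIOS/SMB port checklist. Rule fields and protocol names are assumptions
# made for this example and do not reproduce Comodo's own rule format.

function New-GlobalRule {
    param([string]$Name, [string]$Direction, [string]$Protocol, [string]$Ports, [string]$Action)
    New-Object PSObject -Property @{
        Name = $Name; Direction = $Direction; Protocol = $Protocol; Ports = $Ports; Action = $Action
    }
}

# Expand a port spec such as "137-139" or "445" into individual port numbers.
function Expand-Ports {
    param([string]$Spec)
    if ($Spec -match '^(\d+)-(\d+)$') {
        $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        $lo..$hi
    } else {
        [int]$Spec
    }
}

# Return every required "PROTO/port" pair that no inbound rule in $Rules matches.
function Get-UncoveredInboundPorts {
    param([object[]]$Rules, [hashtable[]]$Required)
    foreach ($req in $Required) {
        $hit = $Rules | Where-Object {
            $_.Direction -eq 'In' -and
            ($_.Protocol -eq $req.Protocol -or $_.Protocol -eq 'TCP or UDP') -and
            ((Expand-Ports $_.Ports) -contains $req.Port)
        }
        if (-not $hit) { '{0}/{1}' -f $req.Protocol, $req.Port }
    }
}

# What Windows file sharing actually uses, per service.
$checklist = @(
    @{ Protocol = 'UDP'; Port = 137 },   # NetBIOS name service
    @{ Protocol = 'UDP'; Port = 138 },   # NetBIOS datagram service
    @{ Protocol = 'TCP'; Port = 139 },   # NetBIOS session service
    @{ Protocol = 'TCP'; Port = 445 }    # direct-hosted SMB
)

# Constructed rule set: NetBIOS rules that cover UDP 137-138 only.
$rules = @(
    (New-GlobalRule 'NetBIOS Name/Datagram' 'In' 'UDP' '137-138' 'Block')
)

"Uncovered before:"
Get-UncoveredInboundPorts -Rules $rules -Required $checklist     # TCP/139 and TCP/445

# Add explicit inbound rules for the session service and direct-hosted SMB and re-check.
$rules += (New-GlobalRule 'NetBIOS Session Service' 'In' 'TCP' '139' 'Block')
$rules += (New-GlobalRule 'Direct-hosted SMB'       'In' 'TCP' '445' 'Block')

"Uncovered after:"
Get-UncoveredInboundPorts -Rules $rules -Required $checklist     # nothing
```

The check only tells you whether some rule mentions a port, not what that rule does with it: a rule that allows inbound TCP 139 from Any is “covered” here but is the opposite of what you want on an Internet-facing interface. Read the Action and source-address columns of each hit before trusting the result, and remember the Global rules are only half the picture in CIS, since application rules for System and svchost.exe also see this traffic.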
You have a number of Global rules in there that make little sense:
The rules all make perfect sense to me. NetBIOS rule is for ports 137-138, the Windows File Sharing rule is for port 139, Win 2000 SMB is for port 445, etc. Wording shown is Norton’s and I used it to cross-ref to the NIS 2011 rules. Yes, I could create application rules for system and svchost.exe to cover the above but global rules are more secure. Note that these rules all apply for the most part to inbound UDP activity which is not stateful and does have a way to enter a PC. I have seen it do so multiple times over the years.
As far as the DHCP rule see: Comodo Forum. I need this for my router. It will not assign/renew DHCP address without it.