New to Comodo, no alerts and ports are not stealth with port scanning

I just installed Comodo after having reoccurring problems with ZA Pro. Comodo has a lot of options, which is good, but I am having a hard time configuring it correctly. I have tried to read the help and FAQs and watch the flash animations, but I’m still having problems:

  1. I am not receiving any alerts flashing up when someone tries to ping me or I do a port scan. I have the alert frequency level on very high and I turned off the “do not show alerts from COMODO certified programs.” Alerts are however logged in Comodo. Is that normal?
  2. When performing a port scan from GRC, not all of my ports are stealth. Some are, but for too many of them my computer responds as being closed. Is that normal too? I have set Comodo to block all TCP/UDP in from any source to any destination on ID=0.

I am running XP Pro SP2, Avira, and no other firewall is running.
Please help. If I can’t figure this out, I will be switching back to ZA.
Thanks for any help.

steviej, welcome to the forums ~

  1. Unlike ZA, CFP does not alert you to traffic which is stopped by the Network Monitor (which ZA doesn’t have). CFP has a “layered defense” which you might want to read about in this thread: https://forums.comodo.com/index.php/topic,6167.0.html

  2. Are you behind a router or other hardware between your computer and the internet? If so, this is what is being scanned by ANY online test; not your computer. You don’t need a Block In rule in position ID 0; there already is one in the very bottom position. Due to CFP’s powerful Stateful Packet Inspection and traffic filtering, by default no unsolicited TCP/UDP Inbound traffic is allowed. By placing a rule such as this in that position, you are effectively hindering your surfing, email, etc. (legit activities).

LM

Thanks for your response.
I read the link you gave me and it helped me understand the network monitor. However, with ZA pro, one can define expert rules very much like you can with Comodo.
I am sorry I did not clarify but I am behind a router. I have however temporarily opened up the router so that no firewall or NAT is hindering my test of the firewall. I did do the same when running ZA Pro and every port was reported as stealth according to GRC. With Comodo they aren’t though. Is that still normal?
Thanks for your help

A router is a bit like having a bodyguard standing outside your house 24/7. Anybody bringing you a package which might contain something nasty is forced to give it to your bodyguard, who then inspects it thoroughly before passing it on to you. Since he’s already inspected it for dangerous material, there’s no need for him to warn you that he’s about to give you a safe package.

Not sure what steps you took regarding the router, but basically you’d have to forward all ports, and that still might not do it properly. Best bet would be (if possible) to take that piece of hardware out of the loop and connect directly; this may not be possible because:

  1. Many modems have router-like functions that are not fully controllable
  2. Many ISPs are providing stop-points along the way (i.e., intra-ISP routing) to provide additional protection for their customers.

Presuming that the online scan IS directly contacting CFP, this will depend on your Network Monitor rules. In order to better diagnose, we’d need to see a screenshot of the NetMon (taken at full-screen), the GRC results, and a list of active processes at the time of the scan.

A lot of firewalls provide port security by actually controlling the port; they hold all ports in an Open state in order to control access; thus, the firewall is controlling the port rather than the system. This tends to make them a bit heavier on resources, but it’s how they return the “stealth” rating.

If an authorized application/system process is actively using a port at the time of the scan, you may not get a “stealth” rating with CFP, since the scan can detect the port (CFP doesn’t control ports, only access to them). This doesn’t mean the port is accessible, just that it’s in use; CFP still blocks access unless there’s a rule to specifically Allow unsolicited Inbound traffic to that port.

Stealth is a term meaning that the normal “I’m not accepting any calls” response from a closed port has not been received. There is debate as to whether this is a more desirable/superior action. Here’s the scenario… would-be hacker detects a potential target (i.e., a computer - this happens whether you have a firewall or not), and scans it. Without a firewall, there is a response to indicate that ports are closed to external access (or open, as the case may be, which is what they’re looking for). With a “stealth” firewall there is no response. A non-stealth response would be that all ports are closed. The result is the same either way - there is no point of access: go find an easier target! A brute-force attack on a closed port is a waste of time and resources. However, if a port is being controlled by a firewall that’s returning a “stealth” response, there is a possibility that the firewall itself is holding the port open; and that (being software) is something that might be exploitable.

These online scanning sites are good to point the user in the direction of computer security. IMO, they should not be relied on as a sole indicator of security, as they are in the business of convincing users that their approach to security is the correct one; they have a mission or purpose. A better test (just IMO) is a resident scan of your system to make sure your system itself is secure (i.e., it’s not opening ports to expose itself), using tools such as Foundstone’s SuperScan to scan the localhost.

Hope that all makes sense; my train of thought has been interrupted more than once, LOL.

LM
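The open / closed / stealth distinction discussed above, as an added example that is not part of the original thread: a local self-check that attempts a full TCP connect to ports on your own machine and labels each by the answer it gets (completed handshake, refusal, or silence). The function names are hypothetical, the demo ports are constructed on 127.0.0.1, and a full connect is an assumption of this sketch rather than how GRC or SuperScan probe.

```python
import socket

def outcome(exc):
    """Map the result of one TCP connect attempt to a GRC-style port status."""
    if exc is None:
        return "open"        # handshake completed: something is listening
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # host answered with a reset: "not accepting calls"
    if isinstance(exc, socket.timeout):
        return "stealth"     # no answer at all before the timeout
    return "error"           # e.g. unreachable network; not a port verdict

def probe(host, port, timeout=1.0):
    """Attempt one full TCP connect and classify what came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return outcome(None)
    except OSError as exc:
        return outcome(exc)
    finally:
        s.close()

def scan(host, ports, timeout=1.0):
    """Classify each port in turn; returns {port: status}."""
    return {p: probe(host, p, timeout) for p in ports}

def demo_ports():
    """Constructed sample: one listening port and one port with no listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    free_port = spare.getsockname()[1]
    spare.close()            # nothing listens here any more
    return listener, listener.getsockname()[1], free_port

if __name__ == "__main__":
    listener, open_port, closed_port = demo_ports()
    for port, status in scan("127.0.0.1", [open_port, closed_port]).items():
        print(port, status)
    listener.close()
```

A "stealth" result only appears when something between the prober and the port drops the packet silently, so on an unfiltered loopback interface the demo shows just "open" and "closed".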