UDP Port Scan on HP all-on-one printers [CLOSED]

Hi all,

I’ve recently installed Comodo to replace ZoneAlarm. I’ve been able to get just about everything configured so that it connects correctly to the network. The only problem I’m having is the networked HP All-in-one which apparently does a port scan which Comodo blocks. Today, I needed to totally shut down Comodo just to send a document to the printer.

I’ve got my internal IP addresses mapped as a trusted zone, a network rule for the printer’s ip address set up to allow TCP or UDP, in or out, to any port, and all the HP executables set up as allowed as well.

Under Security/Advanced attack & detection, I’ve got the Port Scan Probing rates set to 500. The Miscellaneous tab has only the Block Fragmented IP Datagrams checked. Everything under Security/Application Behaviour Analysis is checked.

I’ve seen only a couple of posts on the issue, but not any sort of resolution. Is this issue something that can be configured for, either now or in an upcoming version? Because other members of the family use this pc, I can’t expect them to have to disable the firewall each time they want to print.

Thanks in advance,

JL

Any takers?

JL: welcome to the forum (:HUG)

I don’t know the answer, but I can lead you to some (hopefully relevant) ones:
https://forums.comodo.com/help/network_printer_problem_on_maxtor_nas_resolved-t5879.0.html
https://forums.comodo.com/faq_for_comodo_firewall/shared_printer-t6011.0.html
https://forums.comodo.com/help/file_and_printer_sharing-t740.0.html
https://forums.comodo.com/feedbackcomments/printer_sharing_resolved-t7149.0.html
https://forums.comodo.com/help/printer_friendly_prints_are_blocked-t5142.0.html
https://forums.comodo.com/help/novice_newbie_printer_sharing_problem-t8495.0.html
https://forums.comodo.com/help/how_to_enable_file_and_printer_sharing_resolved-t10127.0.html

Thanks for the reply Soya!

Unfortunately none of these are relevant to this issue. Here’s what happens…

If the port is not blocked (by Comodo), then I’m able to print ok. All the programs associated with HP are set to allow all connections. Every so often, for whatever reason, the HP All-in-one scans the ports to all computers on the network. There’s some client software on the PCs that requires/expects this. When this happens, Comodo sees it as an attack and shuts down the connection to the printer’s ip.

After the set amount of time in the settings (right now still at 5 minutes), the port is opened again until the printer scans the port again.

I've got my internal IP addresses mapped as a trusted zone, a network rule for the printer's ip address set up to allow TCP or UDP, in or out, to any port
Did you use the Wizard to set up a trusted zone or did you do it manually? Can you post some of the network monitor logs from when this happened ...

Nubiatech,

I added the zone both manually and using the wizard, deleting it in between.

Interestingly, I haven’t seen the event since I last posted. The only thing I believe I did since then is manually edit the spoolsv.exe program entry to allow invisible connections…I think.

I’ll keep monitoring the log to see if the scan shows up again.

Thanks.

Hello again,

I haven’t been monitoring this for a while, but today I was blocked from printing because Comodo detected a port scan and blocked traffic to my printer’s ip address. Attached is a portion of the log…

Thanks.

[attachment deleted by admin]

Hello again,

Really hoping that there is or will be a solution for this as it’s still happening on a daily basis.

Thanks, :-\

Hi

Your log pic reminds me of Emergency Mode, which can’t be disabled but can be controlled to a certain extent:
Security > Advanced > Advanced Attack Detection & Prevention > Configure > In the Intrusion Detection tab, these various settings can lower the chances of emergency mode from kicking in. See if that works.

Cross that out. It looks like you have to allow 192.168.1.50 access or define whatever IP range (e.g. 192.168.1.1 - 192.168.1.100) in addition to that IP as a trusted network.

Thanks Soya,

I do have the IP as a network rule plus the entire network is in there as well as a trusted IP range.

After reading your post, though, I think I’ll bump up the UDP Flood Duration from the default of 20 seconds to 45 seconds and see if it helps at all. Not too confident but here’s hoping…

Thanks,

Those rate settings don’t equal to a permanent solution.

Also ensure that the trusted / allowed rules in Network Monitor are above any blocking rules because of the order of priority from top to bottom.

Sorry for the delay, Soya. I did a complete reinstall of XP; been having some issues.

The UDP port scan is still happening. I have the trusted range at the top of the list.

JL

I don’t think increasing the UDP Flood duration will help if you’re using the printer a lot of the time. What if you increase the UDP Flood rate? (FYI: The highest value is 2000)

If you upload a copy of your log that might help a bit and screenshots (maximized) of your Network rules. More details here on how to do it. Also edit out any private IP.

Curiosity question, what model of HP All-in-One is this? It could be something in its settings that could stand some tweaking.

For comparison, a printserver that I once had the misfortune of having to work with, broadcast itself to any and all in 4 different protocols (TCP/IP, IPX, the original Netbeui, and Appletalk), and it couldn’t be configured to not broadcast. The workaround was to put it behind a cheap NAT/router configured to forward the printer ports in TCP. The LAN could then talk to the printserver, but the printserver was shouting in its own little rubber room.

I eyeballed your screenshot of the CFP log. It could well be that the packets coming from the printer are not IP packets, but are being interpreted as UDP/IP packets.

That’s why I’m asking about the model. If it talks other protocols, that may be what you’re seeing, at least in part.

The only other thing I could think of is allowing multicast DNS. Apparently HP-all-in-one relies on this protocol to discover devices and such.

Anyway, could you please try allowing mDNS either by adding IP address 224.0.0.51 as a trusted zone, or just the rule:

  • ALLOW UDP IN FROM IP 224.0.0.51 TO IP [Any] WHERE SOURCE PORT IS [Any] AND DESTINATION PORT IS 5353

Also, add the same rule for svchost.exe in the Application Monitor.

Please note that ip address 224.0.0.51 is a multicast address, it is not a host address, and is only used in the local network. By allowing this ip address you are NOT allowing outside hosts.

Please let us know if that helps, otherwise, post your current Application Monitor and Network Monitor rules along with the latest logs …

Thanks for the assist!

The printer is an All-In-One 2575 and I don’t have a whole lot of options regarding setup. Connection speed and IP addresses are about it.

I’ve added the network and application rules as you suggested, nubiatech, to enable multicast DNS. I’ll clear the logs and restart the machine and monitor how it does.

Thanks,

Well, that didn’t take long.

I rebooted and had the UDP port scan in the logs immediately. Attached are the application and network setup and log file.

Nubiatech, I saw another post where you responded with (Add a new trusted zone, with start range: 224.0.0.1 and end range: 239.255.255.255) for setting up multicast.

https://forums.comodo.com/help/this_is_not_a_dos_attack-t12950.0.html

Should I attempt the same?

[attachment deleted by admin]

Thanks for the log and rules snapshots. You’ll need to make a change to your rule 0. Multicast addresses cannot be source addresses. You need the rule to be “allow and log UDP from any to 224.0.0.0/255.255.255.0” (to catch the range, rather than 224.0.0.51 - no particular reason why the range, just my force of habit)

I checked the hp.com/support site for the 2575 printer. Nice printer, and you’re right in that there aren’t a lot of options to set. A couple of things to check, though… In the network settings, turn off mDNS, and turn off “Instant Share” which seems to be some kind of photo sharing service that HP has. These are probably already turned off, but it wouldn’t hurt to make sure. If there isn’t a “turn off” option, then don’t worry about it. The documentation I rather hurriedly read wasn’t all that clear.

There is a support page about firewalls and HP printers:
http://h10025.www1.hp.com/ewfrf/wc/document?docname=c00897551&cc=us&lc=en&dlc=en&product=441240&dlc=en&lang=en

The short summary of that page is to open UDP ports 161, 427, and 137, and TCP ports 9220, 9500, and 9290.

Your log is showing a bunch of UDP port 0 scans. Port 0 isn’t really defined, so I’m suspecting these are bad packets or partial packets. It could be that the printer ethernet hardware is bad. That would take a packet sniffer to confirm, and I don’t think things are to that point yet.

Thanks grue155

I made the change to rule 0 plus opened it up to all ports in & out. Still getting the UDP port scan, but the log now shows UPnP from the printer as allowed (see attached).

The attached image shows the setup page for mDNS. There’s no enable/disable, just the three shown fields. There is a page for enabling or disabling the UPnP.

As far as the HP support page goes, I can scan from the printer to the pc with no problems. First time causes Comodo to prompt for applications to enable. No issues with that.

[attachment deleted by admin]

Reading back to the beginning, there seems to be a confusion in the Source & Destination, whose roles are reversed, depending on the direction of the connection (incoming or outgoing). Since these “attacks” are UDP port scans, we’re dealing with incoming connection problems. This means Source IP must be your printer’s IP of 192.168.1.50, whereas the Destination IP is your computer IP (or ANY or whatever Trusted Zone you have setup) with the Destination Port being anything that’s available (i.e. according to your first screenshot of the log, it seems to range in the 30000 area).

I hope it’s something as simple as just one rule you need at a minimum like:
Permission: Allow
Protocol: UDP
Direction: IN
Source IP: 192.168.1.50
Source Port: ANY?? → This one I’m not sure
Destination IP: computer IP (or ANY or whatever Trusted Zone you have setup)
Destination Port: 30000 - 35000 (or the relevant port range the printer potentially uses)

What does your rule #2 Zone for the VIA Compatable Fast Et… cover? Does it include 192.168.1.50?
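Two points in this thread are easy to check mechanically: grue155’s remark that a multicast group address never matches as a source address, and Soya’s remark that Network Monitor rules are evaluated top to bottom, so an allow rule sitting below a block rule is never reached. The following is an added example written for this thread, not Comodo’s code and not anything the posters supplied. It models the first-match semantics the posters describe with a small rule matcher, and runs it over constructed packets: the printer at 192.168.1.50 (the thread’s address) announcing itself to the mDNS group 224.0.0.251 (the group address defined in RFC 6762, which sits inside the 224.0.0.0/24 range suggested above) and probing a high UDP port on a PC at 192.168.1.10. The PC address, ports and rule names are assumptions made for the demonstration.

```python
"""Top-to-bottom firewall rule matching, illustrating two points from the thread:
a multicast group address can never match as a *source*, and an allow rule placed
below a block rule is never reached.  Added example modelled on the first-match
semantics the posters describe, not Comodo's own code; every address, port and
packet below is constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                 # "ALLOW" or "BLOCK"
    proto: str                  # "UDP", "TCP" or "ANY"
    direction: str              # "IN", "OUT" or "ANY"
    src: str                    # CIDR/host or "ANY"
    dst: str                    # CIDR/host or "ANY"
    dport: Optional[range]      # None means any destination port


@dataclass
class Packet:
    proto: str
    direction: str
    src: str
    dst: str
    sport: int
    dport: int


def _ip_matches(spec: str, ip: str) -> bool:
    """CIDR/host match; 'ANY' matches everything."""
    if spec == "ANY":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("ANY", pkt.proto)
        and rule.direction in ("ANY", pkt.direction)
        and _ip_matches(rule.src, pkt.src)
        and _ip_matches(rule.dst, pkt.dst)
        and (rule.dport is None or pkt.dport in rule.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "BLOCK") -> Tuple[str, Optional[int]]:
    """First matching rule wins (top-to-bottom priority); returns (action, rule index)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return default, None


def unreachable_rules(rules: List[Rule], samples: List[Packet]) -> List[str]:
    """Names of rules that none of the sample packets reach (shadowed by an earlier rule)."""
    hit = {evaluate(rules, p)[1] for p in samples}
    return [r.name for i, r in enumerate(rules) if i not in hit]


# Constructed traffic from the printer at 192.168.1.50: an mDNS announcement to the
# 224.0.0.251 group (RFC 6762), and a probe of a high UDP port on an assumed PC.
MDNS_PKT = Packet("UDP", "IN", "192.168.1.50", "224.0.0.251", 5353, 5353)
PROBE_PKT = Packet("UDP", "IN", "192.168.1.50", "192.168.1.10", 1025, 31337)

# Rule shaped like the one posted: multicast address in the *source* field.  A group
# address is only ever a destination, so this rule can never match the announcement.
MDNS_RULE_AS_POSTED = Rule("mDNS (multicast as source)", "ALLOW", "UDP", "IN",
                           "224.0.0.51/32", "ANY", range(5353, 5354))
# Corrected shape: the LAN as source, the 224.0.0.0/24 range as destination.
MDNS_RULE_CORRECTED = Rule("mDNS (multicast as destination)", "ALLOW", "UDP", "IN",
                           "192.168.1.0/24", "224.0.0.0/24", range(5353, 5354))

BLOCK_ALL_IN = Rule("block all incoming", "BLOCK", "ANY", "IN", "ANY", "ANY", None)
TRUSTED_ZONE = Rule("trusted zone 192.168.1.0/24", "ALLOW", "ANY", "ANY",
                    "192.168.1.0/24", "ANY", None)

# Same two rules, different order: with the allow below the block it is dead.
ORDER_WRONG = [BLOCK_ALL_IN, TRUSTED_ZONE]
ORDER_RIGHT = [TRUSTED_ZONE, BLOCK_ALL_IN]


if __name__ == "__main__":
    print(evaluate([MDNS_RULE_AS_POSTED], MDNS_PKT))           # ('BLOCK', None)
    print(evaluate([MDNS_RULE_CORRECTED], MDNS_PKT))           # ('ALLOW', 0)
    print(evaluate(ORDER_WRONG, PROBE_PKT))                    # ('BLOCK', 0)
    print(evaluate(ORDER_RIGHT, PROBE_PKT))                    # ('ALLOW', 0)
    print(unreachable_rules(ORDER_WRONG, [MDNS_PKT, PROBE_PKT]))  # trusted zone is shadowed
```

The matcher is deliberately simple (no state, no logging), but it is enough to show why the rule with 224.0.0.51 as source allows nothing, and why a trusted-zone rule only takes effect when it sits above the blocking rule, which is the ordering check Soya asked for.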