[Vista 64] RPC port 135 open after default install...

After installing CPF (3.0.24) on Vista 64 and trying Steve Gibson’s ShieldsUP! port scanner (www.grc.com), port 135 is reported as being open. I do not get asked about whether or not I want to permit any incoming communication.

Config:

  • CPF “Firewall only” installation
  • CPF set to “Custom Policy” Mode.
  • No Router, direct internet connection.
  • Stealth ports Wizard not yet run.

Port 445 (SMB), on the other hand, is reported as being closed.

With Windows XP it worked like this:

When an outsider wanted to connect to Port 445, CPF
gave an alert that there was an INCOMING connection with
“System”, Port 445. I clicked deny and that was that.

Now under Vista, it does not ask when port 445 is contacted
but ShieldsUP reports it as being “stealth” by default. Why?
Shouldn’t I be asked just like under XP?

And Port 135 is reported as being open, and I am also not asked
(i.e. the FW does not trigger an alert window). Why?

Thank you in advance, all the best and cheers,
raynor


Don’t know why the installations seem different under XP and Vista 64. Have you installed all the latest Vista updates? What Comodo version were you running under XP? If you want to stealth all your ports, run the stealth port wizard and select that option. Does anything show up in your logs? The “System” application usually listens on port 445, and has a CFP3 default rule to block and log incoming requests. Port 135 is listened to by svchost.exe, uses the rules for “Windows updater applications”, and should also have gotten a block and log. Neither would ask you since there are already rules. Don’t know why port 135 is open unless there are other rules ahead of WUA that allow it in. Can you post your firewall rules?

After doing a lot of investigations all night, I made some VERY INTERESTING
discoveries!

First of all, I noticed that Comodo does NOT DISABLE the Windows Firewall when
being installed on Vista 64. The Security Center reported that both firewalls were running
(CPF + Windows FW), and indeed the Windows FW was still active and running.
Can anyone confirm this?

But now my Comodo Configs:

  • Direct internet connection (i.e. NO router)
  • A fresh & clean install of 3.0.24.368 on Vista 64 SP1 (and on XP SP3 as well)
  • Firewall only, Defense+ disabled
  • Firewall in custom policy mode
  • All Application AND Global Rules are on default (!), i.e. they
    were not changed and there were no new rules added after the clean install.
  • Stealth Ports wizard NOT yet run.

Note: The behaviour is also reproducible using a fresh install with 100% default options (see end of post), so my detailed settings are of no particular interest.

Discovery 1:
If the Windows Firewall is still active after Comodo has been installed, Port 135 will be closed. Obviously, it is blocked by the Windows FW 88)

Discovery 2:
If I properly, manually disable Windows FW (so that only Comodo is still running), Port 135 will be OPEN! → The Comodo default install does not block it.

Discovery 3:
If I run the “Stealth Ports Wizard”, Port 135 will be properly “stealthed” afterwards.

Now, the main problem is:

As mentioned above, after cleanly installing Comodo under Vista, I DO NOT GET ASKED
if I want to allow any incoming connections with Port 135. In other words, the firewall
does not display an alert window.
The Port simply is open… → I have to run the stealth ports wizard to close it.

But under Windows XP, the firewall correctly fires an alert, asking me if I want
any communication with “Svchost.exe” - Port 135. If I click on DENY and remember,
the firewall correctly creates a deny rule for svchost.exe, and consequently port 135
will be closed.

So, Summary:

Vista 64 clean install → Port 135 open, “no questions asked” :wink:
XP clean install → If Port 135 is contacted for the first time, I get asked.

… So why does it not ask under Vista? This seems like a (big) bug!

It is dead easy to reproduce. I also tried doing a clean install
without changing ANY options; it makes no difference:

Can anyone else please try to reproduce it under Vista 64 doing exactly the
following steps:

  1. Uninstall Comodo
    → reboot

  2. Do a clean install (100% default options, i.e. Firewall and Defense+)
    → reboot

  3. Manually disable the Windows Firewall (important, as the Comodo installer does not do it)

  4. Do NOT touch ANY options of Comodo Firewall :wink:

  5. Visit www.grc.com, select ShieldsUP! scanner, click on “Common Ports”

  6. BAM! Port 135 is open, and the firewall does not trigger an alert (i.e. it does not ask)…
    :-X :-X :-X

Please continue any discussion in the following NEWER thread in the bug reports forum:
https://forums.comodo.com/bug_reports/vista_64_3024368_major_bug_port_135_is_left_open_by_default-t23266.0.html;msg163806#msg163806

Locked. Go to the bug report if you have vista_64 and this problem.
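
The following is an added example, not part of the original thread and not Comodo or ShieldsUP! code: a small TCP probe that classifies ports 135 and 445 with the same three labels used above ("open", "closed", "stealth"), so the firewall state can be re-checked after each configuration change. It assumes the probe is run from a second machine you control, since loopback traffic usually bypasses the firewall; the function names and the "filtered" label are illustrative.

```python
import socket
import sys

# Ports discussed in the thread: 135 (RPC, svchost.exe) and 445 (SMB, "System").
THREAD_PORTS = (135, 445)


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port using the labels from the thread.

    open    - the three-way handshake completed (something accepted us)
    closed  - the host answered with a reset (connection refused)
    stealth - no answer at all before the timeout (packet silently dropped)
    filtered - any other network error, e.g. an ICMP unreachable reply
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "filtered"
    finally:
        s.close()


def scan(host, ports=THREAD_PORTS, timeout=3.0):
    """Return {port: state} for every port in `ports`."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Default is loopback only so the script runs as-is; pass the address of
    # the firewalled machine when probing from a second host.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in scan(target).items():
        print(f"{target}:{port} {state}")
```

Running it once with the Windows Firewall enabled, once with it disabled, and once after the Stealth Ports Wizard shows which of the three discoveries above applies to a given install.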