VMware getting through Comodo unblocked?

Hello,

I have been using Comodo for a short while now, and have been very happy with the results.

I recently installed VMware Workstation, and set up networking as Bridged only (removed the virtual adapters, and got the virtual machines to assign addresses from the network router).

I was surprised how VMware didn’t cause Comodo alerts when trying to access the network; it got straight through unnoticed.

Is this to do with VMware creating a new connection Comodo can’t see via the bridging drivers, therefore can’t monitor traffic? I’d like to control it somehow.

My network rules are:

Allow TCP/UDP Out Source: Any Dest: Any
Block IP In/Out Source: Any Dest: Any

Thanks
Revolute

Not sure, but I get a popup whenever I start my VMware Workstation on my desktop.

But I also run it on my laptop and didn’t get one… and I was doing a lot with it today.

EDIT: Did you run the “Scan for known applications”? Maybe that’s why.

You should still be able to log vmware source ip in network monitor.
Did the application monitor ask permission for vmware apps when you launched them?

I believe VMware does an auto-update check at startup, but that’s not what I’m talking about.

Even with vmware.exe and vmware-vmx.exe blocked, traffic is still getting through. Network Monitor shows a bunch of denied alerts when this happens, but the machines are still able to get an IP from the router and use the network.

Am I missing any important rules in Network Monitor?

Thanks

Neither I ;D

When vmware components are loaded they open specific ports (e.g. 912) and dns at least, so the application monitor should ask you to allow them.
Do you have any existing vmware related application monitor rules?
Did you set them using the learn parent option?
Did you set them to block all ports?
What is your alert frequency level in cpf (security - advanced - miscellaneous section)?
Alert popups are a feature of cpf application monitor component.

In network monitor you have the option to log specific traffic (allowing or blocking it).
If you use vmware virtual adapters you can easily block and log that traffic (using the fixed ip).

But that is a feature of cpf network monitor component. If that component is not working properly in your config then vmware should be able to connect also when cpf is set to block all. Can you please test this?

Can you post a pic of your bridged adapter general setting window with tcpip and other components?

DHCP service is allowed by default (do not show any alert for app. certified by comodo in security - advanced - miscellaneous section). If you disable the DHCP client service in windows (run services.msc to get to the services management console), is vmware still able to get an ip?

Finally, run a long download session in vmware and look for the process connected to that destination ip in cpf activity connections, or use cports. If there is no process connecting to that ip, this would be striking proof of the fact that cpf appmon cannot alert you because vmware is not connecting through a proxy app.
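The check suggested in the post above, as an added example that is not part of the original thread: it looks up destination IPs seen in the firewall log in the host's `netstat -ano` output, and a destination with no owning PID is traffic that no host process opened, which is how bridged guest traffic appears. The netstat text, addresses and PIDs are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample of `netstat -ano` output taken on the host (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.20:80        ESTABLISHED     2204
  TCP    192.168.1.10:1051      203.0.113.20:80        ESTABLISHED     2204
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING       1780
  UDP    0.0.0.0:68             *:*                                    1012
"""

# Constructed destination IPs, as they might appear in the firewall log.
LOGGED_DESTINATIONS = ["203.0.113.20", "192.0.2.55"]


def owners_by_remote_ip(netstat_text):
    """Map each remote IP in `netstat -ano` text to the set of owning PIDs."""
    owners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        # Data rows start with the protocol; headers and blank lines are skipped.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # Foreign address is "ip:port", "[ipv6]:port" or "*:*".
        remote_ip = parts[2].rsplit(":", 1)[0].strip("[]")
        pid = int(parts[-1])  # PID is always the last column
        owners.setdefault(remote_ip, set()).add(pid)
    return owners


def classify(dest_ips, netstat_text):
    """Return {ip: sorted PIDs, or None when no host process owns a socket to it}."""
    owners = owners_by_remote_ip(netstat_text)
    return {ip: sorted(owners[ip]) if ip in owners else None for ip in dest_ips}


if __name__ == "__main__":
    for ip, pids in classify(LOGGED_DESTINATIONS, SAMPLE_NETSTAT).items():
        if pids is None:
            print(f"{ip}: no owning host process (candidate bridged guest traffic)")
        else:
            print(f"{ip}: owned by host PID(s) {pids}")
```
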

Thanks for the reply,

To start off I have done some screenshots of my current settings:

http://xs315.xs.to/xs315/07195/network_connections.JPG

http://xs315.xs.to/xs315/07195/network_monitor.JPG

http://xs315.xs.to/xs315/07195/vmware_1.JPG

http://xs315.xs.to/xs315/07195/vmware_2.jpg

http://xs315.xs.to/xs315/07195/vmware_3.JPG

Hopefully that explains my setup a bit.

  • I have no VMware virtual adapters in Device Manager
  • I have not got any application rules for VMware, my alert frequency level is Very High
  • I have component monitor set to On

There is no reference to VMware at all on Comodo’s Connection page, even when downloading a file through virtual machine.

Stopping the DHCP Service via MMC does not stop any connections for VMware, but it does kill my host network immediately.

Comodo Log page has a lot of connection denied entries and I can see they are for files downloaded through virtual machines, strange.

I remember with Outpost, it would block VMware connections altogether but wouldn’t give any alerts saying it was trying to connect outbound. Even setting rules up would still block it, I had to disable the firewall temporarily.

Thanks for any help in solving this.

Revolute

I am unable to make vmware networking work properly using bridging… (it is netunworking)
In bridged mode I’m only able to ping the vmware hosting machine.
Maybe my netcard cannot work in promiscuous mode.
The pinging was handled by the system process. And appmon cannot catch that.
Please try to block the guest os ip in network monitor… See if that works.

Using nat the appmon is triggered by vmnat.exe. This way you get what you desire.

Thanks for the reply, hopefully I’ll be able to sort this as I’m away for a few days.

I will post back when I have a chance to get round to trying it.

Thanks again.
Revolute

I finally managed to get vmware bridging working.
I confirm your findings. Appmon is not triggered on connect. No system process is listed in cpf activity connections. It is possible to block by ip the traffic using a network monitor rule in cpf but you cannot log that traffic…

If you disable Safelist, does the situation of no alerts persist?

In other words, go to Security/Advanced/Miscellaneous and uncheck the box “Do not show alerts for applications certified by Comodo.” OK.

Go to AppMon and remove any rules relating to associated Applications, Processes, Services, etc.

Reboot.

See what happens…

LM