Can some Comodo guru confirm that I have set up my network control rules for WallWatcher properly? All modules in WallWatcher work ok, but I’m not a networking expert.
WallWatcher is a small application that collects information from the router’s log records, to be used for analysis and charting (in real time). It can for instance analyze bandwidth usage (if the router supports SNMP or shows packet lengths in log records):
Thanks, Eric. I finally had some time to have a closer look at this. You can actually restrict the IP address, the destination port and the protocol; all can be found in WallWatcher’s options and in the FAQs. Most routers use SysLog port 514, and Linksys BEFSX41 and BEFSR81 use SNMP Trap port 162:
I also noticed that just after installing Comodo with default settings WallWatcher was actually running ok without anything being touched in Comodo’s settings, but after a few tweaks were performed in Comodo, WallWatcher stopped working. To avoid surprises it’s better to assume that network control rules should be set up just like they were in the past.
With Destination Address set to the MAC Address of the NIC and Source Port = Destination Port, WallWatcher Log won’t work. I found the MAC address in a command line window after running “ipconfig /all”; the address can also be found in the router’s Status window, so it’s correct. Maybe you need to enter a different Source Port number?
Where did it not start working?
Right after Comodo installation, with all its default settings untouched, WallWatcher was working right out of the box. I actually found it a bit surprising. Then I changed settings mostly following Kyle’s thread (link below) and WallWatcher stopped working. But it’s not really that important, although it might be a bit confusing, especially when you install some other application at the same time and you assume that it is causing WallWatcher problems.
I don’t really want to turn off Protocol Analysis, it doesn’t interfere with any of my applications, and I have lots of those that won’t even start until they connect to their servers to check the registration/payment status, and then keep loading all kinds of data in real time all day long. So for now, instead of more experimenting, I will stick to the settings described in my post from January 01, 2010, 03:51:56 AM:
I can see you are reluctant to experiment, but by disabling Do Protocol Analysis as described you are actually returning to the default settings for Attack Detection. As far as I know, not enabling Protocol Analysis doesn’t get in the way of server connections like you describe.
I had to put further experiments on the “to do” list. I wish the day had 36 hours, at least.
The next question is about Comodo logs and SNMP traffic. I have come across a thread (sorry, I lost the link) where it was advised to set some extra filters for Comodo logs when SNMP traffic is coming from the router (which is the case when you use WallWatcher). Do you have any suggestions? There doesn’t seem to be any extra traffic in Comodo’s log; WallWatcher’s traffic has many more entries recorded (maybe a log filter was needed in some earlier version of Comodo):
When there isn’t extra traffic there is no need to use a filter, is there? However, when analysing long logs you can go to an advanced mode by pushing the More button at the bottom of the log screen. In the Menu bar of the advanced mode you will find the filter option.
The ICMP alerts are Type 3 Code 3. That means that the destination port cannot be reached. Why these alerts occur I don’t know. Maybe the server was down or was not properly configured.
I have it set up like in the above, and I have turned off protocol analysis, but still nothing shows up in WallWatcher. I am using CF 5.0163652.1142. What might I be doing wrong? WW used to work fine with Online Armor.
The WallWatcher application rule also needs to allow the incoming traffic. That may be the key here.
If WallWatcher is a safe program then CIS will use a default rule that will not allow incoming traffic. To change this you need to make an application rule for WallWatcher. For testing, give it the Trusted Application Policy. Once that is shown to work you can make the rule tighter.
See Comodo Help for reference on how to make an application rule.