WallWatcher - Comodo Setup

Can some Comodo guru confirm that I have set up my network control rules for WallWatcher properly? All modules in WallWatcher work ok, but I’m not a networking expert.

WallWatcher is a small application that collects information from the router’s log records, to be used for analysis and charting (in real time). It can for instance analyze bandwidth usage (if the router supports SNMP or shows packet lengths in log records):

http://www.wallwatcher.com/

In my Linksys BEFSX41 the LAN-IP address is:

192.168.1.1

so the start-end of the IP range configured in Comodo should be:

192.168.1.0 - 192.168.1.255

You need to do the following:

  1. Shut off WallWatcher

  2. In Comodo remove all WallWatcher entries that might be already there, check:
    a) Network Security Policy - Application Rules
    b) Defense+ - Computer Security Policy

  3. Go to Firewall - Advanced - Network Security Policy - Global Rules and add two lines with WallWatcher settings as follows:

http://img191.imageshack.us/img191/3360/12292009141400.png

Two new lines will appear (on the screenshot they are moved to the top):

http://img262.imageshack.us/img262/3570/12292009143712.png

  4. I assume that nothing needs to be done in Defense+

  5. Start WallWatcher - when Comodo prompts pop up click Always Accept.

When it works like expected it should be fine, shouldn’t it? :wink:

The rules look like I expected them to be. However you can limit the rules for Wallwatcher by limiting the address to the router’s address only (192.168.1.1).

Thanks, Eric. I finally had some time to have a closer look at this. You can actually restrict IP address, the destination port and protocol, all can be found in WallWatcher’s options and in FAQs. Most routers use SysLog port 514, and Linksys BEFSX41 and BEFSR81 use SNMP Trap port 162:

http://img69.imageshack.us/img69/6368/01012010033025.png

screenshot: http://img21.imageshack.us/img21/8072/01012010041113.png
web page: http://www.wallwatcher1.com/WWFAQ.html#NoLog

The settings in Comodo for BEFSX41 router will look as follows:

http://img96.imageshack.us/img96/839/01012010034357.png

I hope I didn’t miss anything.

I also noticed that just after installing Comodo with default settings WallWatcher was actually running ok without anything being touched in Comodo’s settings, but after a few tweaks were performed in Comodo, WallWatcher stopped working. To avoid surprises it’s better to assume that network control rules should be set up just like they were in the past.

The network control rules look fine. You could fine-tune the destination address to the MAC address of your NIC or the computer’s name. And you could also fine-tune the source port to 162.

Where did it not start working?

With Destination Address set to MAC Address of NIC and Source Port = Destination Port, WallWatcher Log won’t work. I found the MAC address in the command line window after running “ipconfig /all”; the address can also be found in the router’s Status window, so it’s correct. Maybe you need to enter a different Source Port number?

Where did it not start working?

Right after Comodo installation, with all its default settings untouched, WallWatcher was working right out of the box. I actually found it a bit surprising. Then I changed settings mostly following Kyle’s thread (link below) and WallWatcher stopped working. But it’s not really that important, although might be a bit confusing, especially when you install some other application at the same time and you assume that it is causing WallWatcher problems.

https://forums.comodo.com/firewall_guides/setting_up_firewall_for_maximum_security-t30535.0.html

Go to Attack Detection settings and disable all but the one on top. That is the default Attack Detection Setting of CIS.

Does that help?

I don’t really want to turn off Protocol Analysis, it doesn’t interfere with any of my applications, and I have lots of those that won’t even start until they connect to their servers to check the registration/payment status, and then keep loading all kinds of data in real time all day long. So for now, instead of more experimenting, I will stick to the settings described in my post from January 01, 2010, 03:51:56 AM:

http://img96.imageshack.us/img96/839/01012010034357.png

Thanks for your help.

I can see you are reluctant to experiment, but by disabling Do Protocol Analysis as described you are actually returning to the default settings for Attack Detection. As far as I know, not enabling Protocol Analysis doesn’t get in the way of server connections like you describe.

Please reconsider trying it.

  1. I had to put further experiments on “to do” list. I wish the day had 36 hours, at least.

  2. The next question is about Comodo logs and SNMP traffic. I have come across a thread (sorry, I lost the link) where it was advised to set some extra filters for Comodo logs when SNMP traffic is coming from the router (which is the case when you use WallWatcher). Do you have any suggestions? There doesn’t seem to be any extra traffic in Comodo’s log, WallWatcher’s traffic has much more entries recorded (maybe log filter was needed in some earlier version of Comodo):

http://img253.imageshack.us/img253/1535/01102010021057.png

  3. What are all those blocked ICMP requests from threatcast.comodo.com (72.9.241.58)? Maybe I should turn “threatcast” function off:

http://img85.imageshack.us/img85/7175/01102010014633.png

  1. When there isn’t extra traffic there is no need to use a filter, is there? :wink: However, when analysing long logs you can go to an advanced mode by pushing the More button at the bottom of the log screen. In the Menu bar of the advanced mode you will find the filter option.

The ICMP alerts are Type 3 Code 3. That means that the destination port can not be reached. Why these alerts occur I don’t know. Maybe the server was down or was not properly configured.

For a bit more information on ICMP alerts you can read this Wikipedia page: Internet Control Message Protocol - Wikipedia.

Thanks, Eric, that answers all my questions for now.

I have it set up like in the above, and I have turned off protocol analysis, but still nothing shows up in Wallwatcher. I am using CF 5.0163652.1142. What might I be doing wrong? WW used to work fine with Online Armor.

Thank you for any replies :smiley:

The WallWatcher application rule also needs to allow the incoming traffic. That may be the key here.

If WallWatcher is a safe program then CIS will use a default rule that will not allow incoming traffic. To change this you need to make an application rule for WallWatcher. For testing give the Trusted Application Policy. Once that is showing to work you can make the rule tighter.

See Comodo Help for reference on how to make an application rule.
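The tightened rule worked out earlier in this thread (UDP inbound, source 192.168.1.1 only, destination port 514 for syslog or 162 for the SNMP trap, source port left unmatched) together with Eric's point that the inbound traffic must actually be allowed, as an added Python example that is not WallWatcher's or Comodo's code; the Datagram type, helper names and sample datagrams are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
ROUTER_IP = ipaddress.ip_address("192.168.1.1")   # BEFSX41 LAN address from the thread
LISTEN_PORTS = {514: "syslog", 162: "snmp-trap"}  # destination ports named in the thread

@dataclass(frozen=True)
class Datagram:                # constructed stand-in for one inbound UDP/TCP datagram
    proto: str
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes

def rule_allows(dg: Datagram) -> bool:
    """Tightened inbound rule: UDP only, source must be the router, dst port 514 or 162.
    Source port is deliberately not matched (the thread found matching it broke logging)."""
    if dg.proto != "UDP":
        return False
    if ipaddress.ip_address(dg.src_ip) != ROUTER_IP:
        return False
    return dg.dst_port in LISTEN_PORTS

SYSLOG_PRI = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)
def parse_syslog(payload: bytes):
    """Split an RFC 3164 style b'<PRI>message' into (facility, severity, message)."""
    m = SYSLOG_PRI.match(payload)
    if not m or int(m.group(1)) > 191:   # PRI is facility*8 + severity, max 23*8+7
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).decode("ascii", "replace").strip()

def process(dgs):
    """Apply the rule to each datagram; return (accepted records, dropped count)."""
    accepted, dropped = [], 0
    for dg in dgs:
        if not rule_allows(dg):
            dropped += 1
            continue
        kind = LISTEN_PORTS[dg.dst_port]
        parsed = parse_syslog(dg.payload) if kind == "syslog" else None
        accepted.append((kind, dg.src_ip, parsed))
    return accepted, dropped

# Constructed sample traffic (not captured from a real router).
SAMPLE = [
    Datagram("UDP", "192.168.1.1", 514, 514, b"<134>@in 203.0.113.7 80 -> 192.168.1.100 49152"),
    Datagram("UDP", "192.168.1.1", 162, 162, b"\x30\x00"),        # SNMP trap, left unparsed here
    Datagram("UDP", "192.168.1.50", 40000, 514, b"<13>line from a LAN host, not the router"),
    Datagram("TCP", "192.168.1.1", 514, 514, b"<134>wrong protocol"),
]
```

Running `process(SAMPLE)` keeps only the two datagrams from the router and drops the LAN-host and TCP ones, which is the behaviour the narrowed Comodo rule should give; if a real listener on 514/162 receives nothing at all, the block is in front of the listener, not in it.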

Thank you Eric :smiley:

I’m not sure I completely understood what you wrote, but I have added Wallwatcher as a trusted application. Still, no records show up in Wallwatcher. I’ll attach a picture.

[attachment deleted by admin]

Let’s see if it is related to the firewall or not. Try disabling the firewall for a minute and see if WallWatcher can access the logs.