Every day, when I turn on my pc & log onto my user account, I open up my FW events log and it looks very much like the screenshot below. All items look fairly normal, showing router dynamic IP assigning, SAS getting updates, Win Autoupdates doing its thing, etc. But then when I go on-line via FX (set up in Network Policy as a “Web Browser”) I see all these entries with source IP 0.0.0.0, source ports vary, OUT to 127.0.0.1 (is this Loopback?), destination port 12080 (which Avast WebShield uses). Each time I navigate to a new web page & refresh this screen, 1-3 new entries have been added to the list, so the number of these entries increases rapidly the longer I surf the internet. Do you other people with Avast see these source 0.0.0.0 entries as well? Is there a way to stop them from being logged?
Process Explorer shows nothing untoward running via 6 svchost.exe’s listed. Just Windows stuff. And a run of GMER shows nothing hidden is running on the system. PC was recently reformatted and OS reinstalled at a tech repair shop due to a crash. AV and AS scans show a clean pc.
What I find most unusual is I don’t recall ever seeing these entries on my events log until recently, but I don’t know if that is due to a CIS update new setting, or a setting I failed to configure correctly when I reinstalled CIS after my recent HDD reformat/OS clean install.
I did, however, find where I can impact the loopback entries to a certain extent. I went in and unchecked the box for “Enable Alerts for Loopback Requests” on the GUI screen in Firewall, Firewall Behavior Settings, Alert Settings. But that just makes CIS log the many loopback entries as Avast’s ashWebsv.exe TCP out from random ports on my pc to port 80 at the various web servers my ATT dsl connection usually travels through per tracert. Is there some way to get these FX/Avast loopback entries off my log? What can I tweak in my Comodo rules/settings to stop all the loopback logging?
Hi buttoni,
One thing you could try is to set up a Global rule for the loopback address and have it set not to log. It looks like you have your top Global Rule as Allow (and log) IP Out From IP Any to IP Any Where Protocol is Any, is this correct?
Try going to Firewall/Advanced/Network Security Policy/Global Rules–>Create/Add the rule–>Allow (don't tick the log box)–>Protocol IP–>Direction Out–>Description “loopback rule”–>Source Address “Any”–>Destination Address “Single IP-127.0.0.1”–>IP details “Any”
APPLY all the way out and then move this rule to the top of your “Global Rules”
Regards,
Matt
Actually, my Global Rules are attached for your perusal. Make any suggestions you feel appropriate. I wasn’t sure if the Block rules up at the top should be there, or moved down but before the Block everything else rule at the bottom.
I thought the FW looked at Application Rules first for OUTBOUND. Wouldn’t I want your Loopback Rule there? Or perhaps putting it both places might help?
It does check the application rules first for outbound connections. I think the rule that is being fired to cause the logging is Allow (and log) TCP or UDP out from IP Any to IP Any->source/destination Any.
Unless, that is, you have logging Allow IP rules set up for your applications.
Try putting the loopback rule directly above the rule above in “Global Rules”.
You could also put the rule in for ashWebsv.exe but try the above first and see if it helps.
Also it might be an idea to turn “Enable Alert for Loopback Requests” back on, then if an app doesn't have a loopback rule, at least you will get an alert.
Aha, I see. No, my apps in Application Rules are pretty much all set as Outgoing Only (Allow outbound request and Block & Log unmatching requests). Oh, and I had already reenabled the Alert for Loopback Requests after running that little experiment.
So I’ll make the Loopback rule you indicated and see if that stops the logging. Thanks for the suggestion. I’ll post back the results of that action.
Well, it would appear as though now my FW event log is showing what is actually going on with ashWebSv.exe and FX. I logged on at 1:36 and you see the logging results in my screenshot below. Navigated to 6-8 sites. Now the actual connections to those specific websites I went to are in the log (even FX & CIS calling out for updates). So I can check out anything suspicious via Arin Whois. This is how I have always remembered seeing the logs in the past. The odd part of all this is I’ve never added an actual Loopback Rule before, ever. Truly strange. I think I’ll leave well enough alone now, Matty_R. Thanks for your time on this…and on a Sunday, even.
Appreciate you guys being there for us less savvy folks.