My CIS 5 Summary says Firewall has blocked 190 intrusions so far. Here is one typical:
Windows Operating System Blocked UDP (DHCP & DNS Server IP) Type(8) (MyComputer IP) Code(0) date
All Blocked items are incoming and Source is the same IP, in this case, 192.168.1.254. This seems doubtful but possible, and I could wish for better information. The Help/Guide doesn’t address Types and Codes for PORTS! Maybe this is my own ignorance, but I am far from a beginner.
If you can enlighten me on this, I am sure that it will help many others, as well. TNX!
The address you quoted (192.168.1.254) is more than likely your router. Addresses in the 192.168.X.X range are private addresses and reside somewhere on your local LAN.
UDP type 8 code 0 is ECHO REQUEST. Something on your LAN (not on the internet) is trying to find out if your system is “live” on the LAN.
I would suggest you run the STEALTH PORT WIZARD and enter a port range of 192.168.1.1 - 192.168.1.255. This will cover your entire LAN and allow traffic between your LAN devices without affecting your system's internet-facing security.
Thank you, experts, for the essential information. Am just returned from travel, and internet has unexpectedly been unavailable to this workstation for several hours tonight. I will study your guidance and report back tomorrow, if possible. Bedtime here, two hours ago.
P. S. Am running Win XP Pro x86 [32-bit]. Goodbye, for now.
To panic et al.: Thank you, but, I am puzzled.
On 16 NOV 2010, panic advised:
I would suggest you run the STEALTH PORT WIZARD and enter a port range of 192.168.1.1 - 192.168.1.255. This will cover your entire LAN and allow traffic between your LAN devices without affecting your system's internet-facing security.
But, those numbers are IP addresses, aren't they? I thought that Ports were numbered from 0-65535, are they not? The Add a New Port box refuses to accept the numbers you specified, so, I cannot do that; I could put these numbers into the name of a port Set, but, then, what should I enter as the ports, shall the ports include all of 0-65535?
Am updated with CIS v5.4.189822.1355.
What Panic is referring to is the stealth ports wizard. See image
Think of it this way: an IP address is how to get somewhere, and a port is how to deliver something when it arrives at the address. By using the Stealth Ports Wizard in this way, you’re allowing full communication between all IP addresses and all ports on your LAN, but making yourself stealth to the Internet.
Thank you, Radaghast, but when I ran the Stealth Ports Wizard in the Firewall tab, it didn’t give me any slots to enter data; it gave me a small Windows letter-i-in-a-white-balloon dialog box with COMODO I S 2011 Complete in its blue title bar, and a line of text, “Your firewall has been configured accordingly.”
Should note that I am presently running Windows XP in Safe Mode with Networking, having immediately run the Sophos Anti-Rootkit Tool, and Sophos ART having detected 701 Hidden Rootkit Files, including the 44 that CIS detected, and, having selected 200+ of those for Sophos to Clean just a few minutes ago, and Sophos having reported successful removal of all, then restarted into Safe Mode with Networking. Maybe I will see your image when I restart into normal Windows to re-run the Sophos ART scan. Wish me luck?
What is your primary real time AV that you are running? 700+ rootkits is an outrageously high number of rootkits.
Be careful with the Sophos Anti-Rootkit scanner. It will detect all hidden files. Some of those might be valid files. You should only remove the ones the scanner identifies as OK to remove unless you are an expert.
How long have you been running Comodo? Was it installed on a “clean” malware free PC?
Do you have an image backup of your PC from before this “infestation” occurred?
One of my Global firewall rules is to allow ICMP out from NIC to DNS IP where ICMP message is PORT UNREACHABLE. I also allow that for ICMP specific to CIS dest IP address.
On ‘Windows Operating System’ I’m allowing UDP in from a particular CIS specific zone on ports 4447 / 4448. UDP is typically DNS on port 53.
I’ve found that UDP in from [modem] to [NIC] src port 137 dest port 137 is necessary. This is NBName lookup and I’ve seen routers doing the same thing.
Judicious allowance of ICMP outbound will stop the constant UDP inbound. But you must be careful; ICMP can be used in probing attacks to discern network topology.
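As an added example, not from this thread or from Comodo: a small Python script that parses summary lines of the shape quoted at the top of the thread, names the Type/Code pair using the ICMP assignments (8/0 echo request, as in the blocked entries; 3/3 port unreachable, as in the global rule above) and tags each source as LAN (RFC 1918) or Internet, so you can see at a glance whether a pile of blocked entries is the router pinging you or something external. The field layout of the line and the sample log lines are assumptions constructed for the example.

```python
import re
import ipaddress

# ICMP type/code names (RFC 792 subset): 8/0 is the echo request discussed
# above, 3/3 the port-unreachable message the global rule allows outbound.
ICMP_NAMES = {(0, 0): "echo reply", (3, 1): "host unreachable",
              (3, 3): "port unreachable", (8, 0): "echo request"}

# RFC 1918 ranges: a source inside these is on the local LAN, not the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Field layout assumed from the quoted summary line:
# "<application> Blocked <proto> <src> Type(<t>) <dst> Code(<c>) <date>"
LOG_RE = re.compile(r"^(?P<app>.+?) Blocked (?P<proto>\w+) (?P<src>[\d.]+) "
                    r"Type\((?P<type>\d+)\) (?P<dst>[\d.]+) Code\((?P<code>\d+)\)")

def parse_entry(line):
    """Describe one blocked entry, or return None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    type_code = (int(m["type"]), int(m["code"]))
    return {
        "app": m["app"], "proto": m["proto"], "src": str(src), "dst": m["dst"],
        "origin": "LAN" if any(src in n for n in RFC1918) else "Internet",
        "icmp": ICMP_NAMES.get(type_code, "type %d code %d" % type_code),
    }

def summarise(lines):
    """Count blocked entries per (source, origin, ICMP message)."""
    counts = {}
    for line in lines:
        e = parse_entry(line)
        if e is not None:
            key = (e["src"], e["origin"], e["icmp"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample lines (not real data): the router's echo requests, one
# port-unreachable from the router, one probe from a public address, one stray.
SAMPLE_LOG = [
    "Windows Operating System Blocked UDP 192.168.1.254 Type(8) 192.168.1.10 Code(0) 2010-11-16 21:05:03",
    "Windows Operating System Blocked UDP 192.168.1.254 Type(8) 192.168.1.10 Code(0) 2010-11-16 21:06:03",
    "Windows Operating System Blocked UDP 192.168.1.254 Type(3) 192.168.1.10 Code(3) 2010-11-16 21:06:10",
    "Windows Operating System Blocked UDP 203.0.113.5 Type(8) 192.168.1.10 Code(0) 2010-11-16 21:07:44",
    "not a firewall line",
]
```

Run `summarise(SAMPLE_LOG)` and anything tagged Internet deserves a closer look; a LAN source that turns out to be the router address is the case panic describes.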