Why is "Windows Operating System" ignoring rules?

I am new to Comodo, so I think this is probably user error. In the firewall log it says that several connection attempts by “Windows Operating System” from 192.168.1.198 (a LAN IP) via TCP were blocked.

However, I have several global rules that specifically allow this traffic. I have used the Stealth port wizard to set 192.168.1.1 - 192.168.1.255 as a DMZ (it added 2 rules to the Global Rules to this effect). Then, when I saw this traffic being blocked, I added 2 more Global Rules, with one to allow any traffic from 192.168.1.1/255.255.255.0 and one to allow any traffic to that same subnet. Then I rebooted and yet this traffic was still blocked.

So I have 2 questions:

  1. Why is this traffic being blocked? Are there conditions that could be causing Comodo to block this traffic? Maybe a bug or some heuristic code that is misfiring?

  2. Which processes are labeled as “Windows Operating System” by Comodo? That would go a long way towards helping me troubleshoot this. The term is so very generic and does not match with the terms used in Comodo’s Network Security Policy->Application Rules.

Thank you!

When there is no program listening and the traffic bounces CIS will log that as being blocked by WOS.


Could you post a screenshot of your Global Rules?

Sure, here are the blocks:

My rules:

Edit: I removed the images. Images were probably not a security risk, but since you log IPs, better to be safe. Thanks for the help!

You are getting those alerts from the other computer on your LAN because there is no application listening to that traffic. The traffic comes in because it is allowed by Global Rules but there is nothing listening so it gets dropped.

The traffic is at three ports:

  • Port 88 is for the Kerberos protocol: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
  • Port 389 is for Lightweight Directory Access Protocol (LDAP): LDAP is an Internet protocol that email and other programs use to look up information from a server.
  • Port 8912 is for Windows client backup.

In short, it looks like the other PC on your local network is looking for a backup facility with folder structure and wants to use Kerberos authentication for secure transmission.

Why the other computer is behaving like that is something for you to find out. The traffic gets blocked by the firewall so your computer is not affected by it.
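The reply above turns on one question: is anything on the local machine actually listening on ports 88, 389 and 8912? If not, the inbound packets have no receiver and the block is attributed to "Windows Operating System"; if a process is bound, the cause lies elsewhere. The following PowerShell snippet is an added example, not code from the thread or from Comodo, that answers that question on the receiving host. It assumes a Windows machine with netstat.exe and PowerShell 2.0 or later (it parses `netstat -ano` rather than calling Get-NetTCPConnection, because the latter is absent on SBS 2011 / Server 2008 R2). The port list is taken from the post above; everything else is a constructed assumption.

```powershell
# Added example (not from the thread): for each port named in the blocked-connection
# log entries, report whether a local process is listening on it and which one.
# Assumption: Windows host, netstat.exe available, PowerShell 2.0+ (no Get-NetTCPConnection).
$ports = 88, 389, 8912   # ports quoted in the reply above

# netstat -ano: all sockets, numeric addresses, owning PID in the last column.
# Both IPv4 and IPv6 TCP rows are labelled "TCP", so no -p filter is used.
# Example row:  TCP    0.0.0.0:88    0.0.0.0:0    LISTENING    1234
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            LocalAddress = $matches[1]        # e.g. 0.0.0.0 or [::]
            Port         = [int]$matches[2]
            OwningPid    = [int]$matches[3]
        }
    }
}

foreach ($p in $ports) {
    $hits = @($listeners | Where-Object { $_.Port -eq $p })
    if ($hits.Count -eq 0) {
        # No socket bound: inbound packets to this port have no receiver, which is the
        # condition the reply describes as being logged against "Windows Operating System".
        "Port {0,5}: no listener (blocks will be attributed to Windows Operating System)" -f $p
        continue
    }
    foreach ($h in $hits) {
        # Map the PID to a process name so the entry can be compared with the
        # Application Rules; a PID that has since exited is reported as unknown.
        $proc = Get-Process -Id $h.OwningPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        "Port {0,5}: listening on {1} by PID {2} ({3})" -f $p, $h.LocalAddress, $h.OwningPid, $name
    }
}
```

Run it in an elevated prompt on the machine that is logging the blocks. A port that shows no listener confirms the explanation in the reply; a port that shows a listener (for Kerberos and LDAP this is normally lsass, for client backup the Windows Server backup service) means the packets did have a receiver and the firewall rules themselves need a closer look.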

Thanks Eric! Actually I was already familiar with what that traffic was for. I didn’t, and still do not, understand why it was being blocked. There is a listener on the localhost for that traffic as this is a WSBSE 2011 machine and Windows backup is functioning correctly. I am using the CIS package on the localhost that was supplied by Comodo Endpoint Security Manager.

However, a few hours after I posted here, Comodo pushed out an update which has apparently fixed this problem.

I would add for you to relay, OT, that this is a fantastic package for a home WSBSE 2011, given the totally sparse options in non-Enterprise priced/marketed security products for this platform. 1 year, 3PC free license for this feature set is unreal.

Thanks!