Windows Firewall and Comodo

Hi.

I like to think I can write firewall rules ! 8)

Can’t make sense of this…

I use CIS firewall. Nicely set up… loads of rules ;D … no access issues… reported running by Action Center.

Perceived wisdom is to turn off Windows Firewall so I did. Action Center confirms only CIS on.

Noticed Resource Monitor says listening ports like 139, 445 etc all ‘Allowed, not restricted’ by firewall status. Not what my Comodo rules say!

Checked WF in control panel. WF back on! But off according to Action Center ???

Now, if WF is on, then WF’s rules are active, right? And WF allows all outgoing traffic by default. How does that fit with my Comodo paranoia rule-set?

Checked EventViewer. Confirms WF is on and ‘core networking’ Allow rules are all active.

Turned WF off again via control panel.

Event viewer told me dllhost.exe turned WF back on again! Maybe Comodo needs WF on? :-\

So changed WF’s default to block all outgoing. Couldn’t get DHCP, let alone online. Proves WF is active if nuffing else.

Enabled WF’s DHCP Allow rules and changed WF’s DNS Allow rule to point to Comodo DNS addresses.
Now I got a connection but nothing else worked.

Sooo… if I can’t turn WF off and its rules are active, either I revert WF to allow all outward traffic or start making rules in WF for my browser, email etc. So I reverted WF to allow all outgoing that doesn’t have a block rule and blocked all the core networking stuff I didnae want. And here I am!

But hang on, I have Comodo! Does Comodo stand on WF’s shoulders? If so, how do the different rules work together? Surely I don’t need to create all my in/out rules in WF too?

If I’m missing a trick I’d like to know. :cry:

Windows firewall does not need to be enabled. Run services.msc from the start menu/run and disable the windows firewall service. If you have problems it may be due to your rules in CIS.

Hi Radaghast

Here’s why I never turned off the WF service (MpsSvc) and only turned it off in the control panel WF gui:-

"Do not disable the firewall by stopping the Windows Firewall (MpsSvc) service. Because MpsSvc also implements Windows Service Hardening, which provides additional protections for other Windows services, Microsoft does not support disabling MpsSvc. Instead, use the interface shown here in the Windows Firewall icon in Control Panel, or use the Windows Firewall with Advanced Security MMC snap-in."

That’s from the MMC snap-in ‘Help’.

Also: Mike Halsey MVP among many says re third party firewalls in Windows 7:- see pic attached:

It’s not my CIS rules. Fact is I’m now back online with WF rules active to block the things I also block in Comodo? Only my email client is giving me grief. I can go back to having WF allow everything out by default but I don’t want to turn off the MpsSvc if it is making things HARD ;D

[attachment deleted by admin]

Okay… I’ve just found by googling this topic might be a very old can of worms… :wink:

There is NO way I’m leaving CIS after the time I took to learn its HIPS and firewall set up. Windows firewall sucks for no easy quick access to traffic info and logs. Mind you, its rules wizard seems far more in depth than CIS?

There again, I’m told opposite facts - disable the WF service or don’t disable. If I don’t, I have this obviously long-standing issue of two firewalls on together. If Mister Halsey is right it isn’t a problem. Except no-one seems to know which rules take precedence? Short of disabling MpsSvc, seems I’m stuck with a mystery. Wish I’d never noticed WF was back on! >:(

If anyone at Comodo knows how the two sets of rules work together, I’d appreciate some guidance. Given Comodo does seem to switch WF back on automatically (if MpsSvc isn’t disabled) then presumably that is for a reason?

Thanks. :-TU

It is curious that some people have had problems with the Windows 7 firewall apparently turning itself on. Personally, I’ve never seen this on any of my PCs. I’m wondering if the wbem repository has been corrupted in some way and it’s causing this behaviour. It may be worthwhile taking a look at this:

To see if cleaning out repository helps.

With regard to which firewall takes precedence, you could do some tests. To enable better logging in Windows 7 firewall, open a command prompt and copy and paste the following:

auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

Then stop and restart the service:

net stop MPSSVC
net start MPSSVC

This will capture firewall events to the security event log so you can see what the firewall is allowing/blocking. You can even create a simple script with Log Parser 2.2 to extract the relevant data and create a readable report.

As far as service hardening is concerned, I’m only aware of two areas where disabling the firewall service will have an impact. The first is with the boot time filters, which prevent a window of opportunity for malicious activity during system boot. I would hope CIS also covers that area but we’d need a comment from a Dev to clarify that. The second area is ipsec policies, which will fail to take effect if the service is disabled.

One other thought, the Windows 7 firewall has several services associated with it and disabling one or the other has a different effect on the overall:

Base Filtering Engine
Network List Service
Windows Firewall

You can also look at stopping the firewall through netsh:

Netsh Firewall set opmode disable

That should still work even though it’s probably been deprecated by the advfirewall commands.
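As an added example (not code from Radaghast’s post, the thread, or Comodo), here is a PowerShell report over the Security-log events that the auditpol change above enables, which is the kind of readable summary the Log Parser suggestion aims at. It assumes an elevated PowerShell session (reading the Security log needs administrator rights) and that auditing has been on long enough to populate the log; the event IDs are the standard Windows Filtering Platform audit IDs.

```powershell
# Added example, not from the thread or Comodo: summarise the Windows Filtering
# Platform (WFP) audit events written to the Security log once the auditpol
# subcategories above are enabled. Assumes an elevated PowerShell session and
# that auditing has been running long enough to record some traffic.

function Get-EventDataTable {
    # Flatten an event's <EventData><Data Name="..."> nodes into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# IDs from the "Filtering Platform Packet Drop" and "Filtering Platform Connection"
# subcategories: 5152 = packet blocked, 5157 = connection blocked, 5156 = permitted.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5156, 5157 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = Get-EventDataTable $e
    # Direction is logged as a resource string id: %%14592 = Inbound, %%14593 = Outbound.
    $direction = if ($d.Direction -eq '%%14592') { 'Inbound' } else { 'Outbound' }
    $protocol  = switch ($d.Protocol) { '6' { 'TCP' } '17' { 'UDP' } default { $d.Protocol } }
    $verdict   = if ($e.Id -eq 5156) { 'Allow' } else { 'Block' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Verdict     = $verdict
        Direction   = $direction
        Protocol    = $protocol
        Application = $d.Application
        DestAddress = $d.DestAddress
        DestPort    = [int]$d.DestPort
        FilterRTID  = $d.FilterRTID   # run-time id of the WFP filter that made the decision
    }
}

# Most frequent verdicts per direction/protocol/port: shows what is actually being
# allowed or blocked on e.g. 139 and 445 while both firewalls are present.
$rows | Group-Object Verdict, Direction, Protocol, DestPort |
    Sort-Object Count -Descending |
    Select-Object -First 25 Count, Name |
    Format-Table -AutoSize

# 5447 ("Filtering Platform policy change") = a WFP filter was added, changed or
# removed. Grouping by provider shows whose filters (Microsoft's firewall or a
# third-party engine) are being installed, i.e. the callout changes mentioned later.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5447 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventDataTable $_).ProviderName } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The FilterRTID column can be matched against the filter list produced by `netsh wfp show filters` to see which product’s filter produced a given verdict.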

I wonder if this has something to do with how Comodo was installed. I installed Comodo ver. 5 on a new WIN 7 Premium x64 build and have had zip problems with the WIN 7 firewall. What I did notice was that this ver. of Comodo automatically disabled the WIN 7 firewall for me.

I know in prior ver. of Comodo, it did not disable the WIN firewall and when I disabled it manually after the Comodo installation, it would on occasion be “magically” set to on.

[at] Radaghast

Sorry for not acknowledging help quicker.

I tried the wbem repository spring-clean. Got half-way thru and for nefarious reasons my system wouldn’t let me complete or revert to my exported wbem key. Solved that chaos with a quick image restore. Is the fact I have x64 Win 7 a reason the two firewalls come on together? :-\

The auditpol suggestion was a whole new toy. :-TU Seems Windows Firewall is active alongside Comodo. Windows Filtering Platform logs Comodo’s callout changes; WF then kicks in and intercepts traffic. No rules logged by WFP for Comodo’s filtering, but guess that needs another auditpol sub-category (?) I’m thinking I’ll just duplicate my rules in both firewalls! ???

Turning off WF using netsh is the same as using the gui. Also, with WF off – file and printer sharing comes on! That’s no good to me on Public profile.

Found a whole new mystery tho … bad password audit failures trying to log on to my disabled guest and real administrator accounts! Now that’s keeping me busy. :cry:

@ DonZ

I’m using latest Comodo. WF has always come on via dllhost.exe whatever times I turn it off!

Hi Qibbler,

I presume you have already seen this on how to disable WF in win7

but, well, just in case.

Are you running on a Domain? Only way you can turn off the WIN 7 firewall on a domain is via Group Policy editor.

Not sure what happened to the ‘spring-clean’ did you use the batch file or one of the utilities? It shouldn’t matter if you’re running x86 or x64. I have a mixture of the two and the Windows firewall is off on all those running CIS.

The auditpol suggestion was a whole new toy. :-TU Seems Windows Firewall is active alongside Comodo. Windows Filtering Platform logs Comodo's callout changes; WF then kicks in and intercepts traffic. No rules logged by WFP for Comodo's filtering, but guess that needs another auditpol sub-category (?) I'm thinking I'll just duplicate my rules in both firewalls! ???

Seems like overkill to me but unless a sensible solution can be found…

Turning off WF using netsh is the same as using the gui. Also, with WF off -- file and printer sharing comes on! That's no good to me on Public profile.

That’s my fault, I gave you the wrong command. What I should have suggested is:

netsh advfirewall set profiles state off

Change profiles to one of the following:

AllProfiles
CurrentProfile
DomainProfile
PrivateProfile
PublicProfile

You should be able to do something similar via the UI.

The situation with file and printer sharing being enabled is apparently by design :o as I found out when I asked the question “How to disable firewall as well as file and printer sharing”.

Found a whole new mystery tho ... bad password audit failures trying to log on to my disabled guest and real administrator accounts! Now that's keeping me busy. :'(

Under Administrative Tools there’s an option for Local Security Policy, which enables you to perform a variety of security related tasks, such as renaming the Administrator and Guest accounts. It may be worth your time investigating.

If you are part of a Domain, depending on which version of Windows 7 x64 you’re using, you can disable the firewall by running gpedit.msc from the start menu then navigating to:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile.

Then selecting:

Windows Firewall: Protect all network connections

And setting the option to disabled. You will have to leave and rejoin the Domain or force a refresh of your Group Policies. Really, this should only affect the Domain Profile.

Well, methinks I’ve established the blatantly obvious… 88)

WF will keep coming on if I keep turning F&P sharing off in Advanced Sharing settings. Funny thing is, I gave up Privatefirewall for Comodo originally because I kept finding F&P sharing turned on after I turned it off! It was a ‘selling point’ to me that Comodo left F&P sharing off. Now I know why. Comodo lets WF back ON. Presumably Privatefirewall was knocking WF off?

Ah well… I live and grow more stupid. ;D As I write this all is well again. WF is asleep with the fishes and F&P sharing is on… :cry:

I’m not on a network (apart from to my router) and have no need for remote access or network discovery etc. So I’ve always used Public Profile with File & Printer sharing off in the LAN adapter. I turn off IPV6 and LMHOSTS and disable ‘Netbios over TCP/IP’ in IPV4. I set the adapter to use Comodo DNS.

The nice big radio buttons for knocking off Network Discovery, File & Printer sharing and Public Folder sharing in Advanced Sharing always got ticks in both profiles (domain isn’t offered). Action Center always reported only Comodo on.

Like I said above, it was only when I got to wondering why Resource Monitor showed no firewall restrictions against listening ports that I went into eventlog for WF and found dllhost.exe had turned it back on months ago.

And so I started this magical mystery tour. :embarassed: Now it’s clear as mud. Dllhost.exe turns WF on in a profile if F&P sharing is turned off. No getting around it. (I just tested this for the private and public profiles one at a time).

Sooo … what does it matter if F&P is on in Advanced Sharing, I now arsks myself, if I have it off in the adapter? Apart from SMB file sharing listening on port 445?

Which brings me back to how this story began… Why the heck doesn’t resource monitor report listening ports blocked by my Comodo rules? (see pic) It did so when I used WF to block them!

Sanity says I can’t have two firewall rulesets. No idea what new hell that would bring. I’m just going to have to live with F&P sharing on in Advanced Sharing. It’s counter-obvious for a dumb user like me but heck…

Shame is, WF has a pretty cool rules wizard and gave loads of port connection info in eventviewer with the auditpol tweak…now lost again. :cry:

I’m off for me tea.

@ Radaghast Cheers for suggestions. Sadly I don’t have LSP on Home Premium. Just another vexation!

[attachment deleted by admin]

The situation with file and printer sharing and the Windows firewall is slightly bizarre but in all honesty, if you have no need for it, simply disable NetBIOS on the adapter, which you’ve already done. This will block traffic on TCP and UDP over ports 137 to 139.

Service Message Blocks (SMB) over TCP port 445 is a slightly different prospect, so you might find the information I posted here Re: CIS ver5: System(4) Listening port on: 445 question to be of use.

Been delayed with Null Sids! :cry:

@ Radaghast: Thanks for link. Already found errors in my rules. Need to study your tutorial.

As to Windows Firewall on/off. Found these quotes in Msoft’s “Windows Firewall with Advanced Security Design and Deployment Guide”:-

“If you must disable the firewall, such as when you want to use a third-party firewall program, do not disable Windows Firewall by stopping the service. Instead, use the Windows Firewall with Advanced Security interface (or equivalent Group Policy setting) to turn the firewall off.”

Okay, knew that, but not this…

“Third-party firewall software compatible with Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. Do not disable the firewall yourself for this purpose.”

My head’s spinning.

Also, Msoft says no rule should be based just on containers like svchost.exe. WF offers process names as well. Comodo app rules’ “Running Processes” opens a window to, er, running processes, obviously with loads of PIDs for svchost. Does Comodo take account of the PID you click on? I’ve started ruling for process exes or dlls (like rpcss.dll) found in process explorer properties.

Then there’s dynamic ports. WF allows local ports to be specified by keywords:
RPC Dynamic Ports *
RPC Endpoint Mapper *
IPHTTPS
Edge Traversal (IPv6 carried in IPv4)

(* matched pairs of rules to neatly cope with RPC ports).

Not sure if I understood this subject, or even if it matters to me once I work thru your tutorial link again, but are dynamic ports also covered by Comodo’s rules?

Interesting reading.

Okay, knew that, but not this...

“Third-party firewall software compatible with Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. Do not disable the firewall yourself for this purpose.”

It gets better: What's New in Windows Firewall with Advanced Security | Microsoft Learn

Because multiple firewall programs can be problematic due to conflicts, if you install a third-party firewall program, you need to turn off the Windows Firewall. In previous versions of Windows, turning off the firewall meant also disabling all of the related services. If the third-party program does not provide all of the same functionality, then you might be unintentionally exposing your computer to threats for which you no longer have protection.

The question we have to answer is, does CIS provide all of the same functionality. Or perhaps, all of the functionality we, as users, require. This more or less goes back to my earlier post regarding ‘Service hardening’ and the individual services related to the firewall. For example, I disable the service and I lose the ability to use IPsec connection security. This is not something I use, so it’s not hugely important.

Incidentally, with regard to ‘service hardening’ you might want to read this:

Understanding Windows Service Hardening - Windows 7 Tutorial

My head's spinning.

I can understand why :slight_smile:

Also, Msoft says no rule should be based just on containers like svchost.exe. WF offers process names as well. Comodo app rules' "Running Processes" opens a window to, er, running processes, obviously with loads of PIDs for svchost. Does Comodo take account of the PID you click on? I've started ruling for process exes or dlls (like rpcss.dll) found in process explorer properties.

Unfortunately this is something that, as far as I know, is only available in the Windows firewall. CIS doesn’t differentiate between instances of svchost. However, through the implementation of rules based on ip addresses, protocols and port usage, we can get part way there, but it’s far from perfect. In actual fact, this is something that’s been on the wish list for a long, long time ([Merged] Advance svchost Rules/Name). The problem is, for a lot of people this is really unimportant and they’re quite happy to allow processes like svchost to connect to wherever they wish.

Then there's dynamic ports. WF allows local ports to be specified by keywords: RPC Dynamic Ports * RPC Endpoint Mapper *

Although I don’t believe this is something any third-party firewall can do, there is a better approach. Instead of using dynamic ports, we remap the ports in the registry, then we simply create the necessary rules.

IPHTTPS, Edge Traversal (IPv6 carried in IPv4)

Both of these relate to ipv6 tunnelling, whilst we do have ipv6 support in CIS, it’s still early days and more needs to be done.

IPHTTPS is basically IPv6 over HTTPS and works in a similar way to a VPN. As I haven’t used this, I’m not completely sure of the requirements.

Edge Traversal actually has a patent (Edge Traversal [PDF]) so is a slightly different prospect.

Not sure if I understood this subject, or even if it matters to me once I work thru your tutorial link again, but are dynamic ports also covered by Comodo's rules?

Please see above for the answer to that. Also, please keep in mind that the tutorial is very basic and really just a beginning.

Yeah, but it showed me I’d somehow hit Comodo’s stealth wizard and promoted the allow all / block all rules back to the top again in Global. Not where I’d left ‘em :’(

Thanks for being a star. :-TU

You might also want to check out what rules are used by other firewalls pertaining to ports 135 - 139, 445, and uPnP and SSDP ports 1900 and 2869.

I have NIS 2011 on my XP installation. I use Comodo firewall and Defense+ on my WIN 7 x64 installation.

Norton’s firewall is similar to Comodo’s in that it has System and Program rules. The system rules are equal in scope to Comodo’s Global rules. Norton by default generates individual System rules for all the above ports. Without getting into individual rule detail, the rules generally allow all local network access and block all inbound external network access. I find it interesting that Norton would create individual rules rather than create a policy option like Comodo’s “Define a new trusted network and make my ports stealth to everyone else.”

From past history with an XP install using Comodo ver.4, I had leakage on ports 135 - 139 and 445 using the above Comodo policy. Disabling NetBIOS eliminated the ports 136 - 138 issues. It did not correct the port 135 or port 445 issues. Note that on XP, disabling NetBIOS forces XP to use port 445 for that activity.
Also localhost functionality for XP is required for both ports.

Pertaining to WIN 7, I have not seen the same issues with NetBIOS that I did on XP. Perhaps MS finally got it right?

Bottom line - if you really want to be doubly secure, create individual Comodo global rules for ports 135 - 139, 445, 1900 and 2869. Norton also has individual system rules for IPv6 traffic, ICMPv6, web services, LLMNR-IPv6-NDP, and web services discovery.

I assume by suggesting Global you’re talking about inbound rules?

Norton also has individual system rules for IPv6 traffic, ICMPv6, web services, LLMNR-IPv6-NDP, and web services discovery.

If you get rid of the default rules and make changes to Custom policy mode and alert level, you can have much more control, which is what I’ve shown in the basic tutorial I linked to in an earlier post.

It may be nice having a firewall vendor create pre-set rules, but if the user has no clue as to their function, they’re pretty useless.

Anyway, I think this conversation is off topic and may be better placed if appended to Re: CIS ver5: System(4) Listening port on: 445 question