Windows Firewall butting in?

Hi. Using Comodo Firewall and HIPs for quite a while. Just found event logs as follows … covering pretty much random times and dates (i.e. not at boot when I guess Windows Firewall might just kick in? :-\ ):

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Reason:		The application is a system service
Application Path:	C:\windows\system32\lsass.exe
IP Version:	IPv4
Protocol:	TCP
Port:		49156
Process Id:	616
User:		SYSTEM

The port shifts to 49155 equally randomly.

Far as I know lsass.exe is related to Protected Storage and SamSs and isn’t a bad thing. But can’t understand what Windows firewall is doing if I’m using Comodo? Action Center shows WF off anyway. :o

Should I have a block rule for this in Comodo?

Not seeing a problem. :-\ Just would like to understand.

If you’re running the CIS firewall the Windows firewall should be disabled. Usually this is done when you install CIS, however, if this didn’t happen, you can easily turn the firewall off in control panel. You can also stop and disable the Windows Firewall service through services.msc.

Lsass.exe (local security authentication/authority server service) is actually part of the identification and authentication process on single systems and when accessing server based resources. If you have only a single PC or are part of a workgroup, lsass.exe does not require network access. Therefore, you do not require rules for this process.

However, if you are part of a Domain or have a need to be authenticated against a server, you will need to allow lsass.exe network access.

Hi Radaghast, thanks for detailed answer.

Admit that with WF showing off in Action Center, didn’t disable it. Also, found this article on MSDN:

Quote: "…Because multiple firewall programs can be problematic due to conflicts, if you install a third-party firewall program, you need to turn off the Windows Firewall. In previous versions of Windows, turning off the firewall meant also disabling all of the related services. If the third-party program does not provide all of the same functionality, then you might be unintentionally exposing your computer to threats for which you no longer have protection.

In Windows Server 2008 R2 and Windows 7, Windows Firewall with Advanced Security enables more specific disabling of its features through published application program interface (API) calls. When a third-party firewall program is installed, the installer can disable only those portions of Windows Firewall with Advanced Security that conflict with the services that are provided by the third-party program. Other Windows Firewall with Advanced Security services are left enabled, and continue to help protect your computer." endquote

Just assumed “the installer” here was the third party firewall — who knows how to “disable only those portions” that conflict with Comodo anyway? — and felt it was safer to let Comodo and WF sort out their roles :-\

Is there maybe any time lapse on boot between the network adapter kicking in and the third party firewall when WF stands guard? Seems that’s what my Event Viewer is showing.

Thanks for info on lsass. Another listening service I can block! :smiley:

I’ve read that before and to be honest I think it’s a little misleading.

There have been reports of the Windows 7 firewall re-enabling itself, although I’ve never actually seen this. The problem is, one never knows with Microsoft. If they’ve left some kernel level checks in place, even when the firewall is supposedly disabled, only those with that level of knowledge will know.

If you have doubts, disable the service.

Cheers.

I’m thinking … as the event log is telling me something incoming is being blocked, and I like blocking things if they don’t seem to be doing anything useful ;D … I’m minded to leave things.

I’ve sometimes fired up Action Center after boot, before its default delayed start, and it has blinked a very brief warning that my firewall is disabled. :o Not every time. Now, maybe that’s because WF is fighting with Comodo, or maybe it’s because Comodo does take a nano-hour to come on sometimes, or it could mean absolutely anything and I’m never going to figure it out, so I’ll leave well alone.

Apart from this unexpected event log Comodo seems to have the show well in hand :slight_smile:
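Added example, not part of any post in this thread: a small Python parser for event descriptions in the layout quoted in the first post. It groups the blocked listeners by executable and protocol and reports whether every port seen falls in the default dynamic port range of Windows Vista and later (49152–65535), which both ports mentioned in the thread do. The sample text is constructed from the quoted event, and the function and field handling are this example's own assumptions about exported event text.

```python
import re
from collections import defaultdict

# Constructed sample: three events in the layout quoted in the thread,
# using the two ports the poster mentions.
TEMPLATE = (
    "Windows Firewall was unable to notify the user that it blocked an "
    "application from accepting incoming connections on the network.\n\n"
    "Reason:\t\tThe application is a system service\n"
    "Application Path:\tC:\\windows\\system32\\lsass.exe\n"
    "IP Version:\tIPv4\nProtocol:\tTCP\nPort:\t\t{port}\n"
    "Process Id:\t616\nUser:\t\tSYSTEM\n"
)
SAMPLE = "\n".join(TEMPLATE.format(port=p) for p in (49156, 49155, 49156))

HEADER = "Windows Firewall was unable to notify"
FIELD = re.compile(r"^([A-Za-z ]+):[ \t]+(.*\S)\s*$")
DYNAMIC_PORTS = range(49152, 65536)  # default dynamic range, Vista and later

def parse_events(text):
    """Return one dict of 'Name: value' fields per event in the text."""
    events = []
    for line in text.splitlines():
        if line.startswith(HEADER):
            events.append({})        # a header line starts a new event
            continue
        m = FIELD.match(line)
        if m and events:
            events[-1][m.group(1).strip()] = m.group(2)
    return events

def summarize(events):
    """Group blocked listeners by (executable, protocol); collect their ports."""
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for ev in events:
        try:
            port = int(ev["Port"])
            key = (ev["Application Path"].lower(), ev["Protocol"])
        except (KeyError, ValueError):
            continue                 # incomplete or malformed event: skip it
        groups[key]["count"] += 1
        groups[key]["ports"].add(port)
    return {k: {"count": v["count"], "ports": sorted(v["ports"]),
                "all_dynamic": all(p in DYNAMIC_PORTS for p in v["ports"])}
            for k, v in groups.items()}

if __name__ == "__main__":
    for (app, proto), info in summarize(parse_events(SAMPLE)).items():
        print(app, proto, info)
```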