Windows Operating System IGMP Protocol "Blocked" entry in FW Events

At each boot up my Firewall Events list shows “Windows Operating System” (no executable indicated), using IGMP protocol, is attempting to connect from my IP address to 224.0.0.22, which ARIN WHOIS tells me is IANA. My first thought: I assume this is related to my dynamic IP that is auto-assigned by my ISP/router each time I sign on?

Comodo BLOCKS this connection attempt each time. That blocking action is not stopping me from accessing the internet via FX 3.06 and is causing no surfing problems, symptoms I can readily see. FWIW I recently had a HDD wipe & clean reinstall of Windows XP Home due to a crash (they said due to infection). I think/hope I now have Comodo global/application rules set up as before.

Should I be alarmed at this particular entry? As no particular executable file is indicated, how do I set up a rule to ALLOW, if that is your recommendation.

Hello buttoni,

IGMP is used for Multicast traffic. Do you have any other device on your local network that could be using it, or are you on a corporate LAN that has switches that support this?

See also Wiki for IGMP:

It could also be that your provider supports Multicast.

No, my LAN consists of just one personal use home pc (and the potential for 3 more to be added to the modem in future) and my ATT 2-wire DSL modem/router. Nothing corporate here. The SBC DSL tech that installed this said it was like a LAN since I could add 3 more pc’s to the modem/router.

Don’t know if ATT supports Multicast or not. I tried reading all that Wiki stuff on IGMP this morning and most of it was over my head. (:WIN) I’ll read it again and see if it makes any more sense on second reading.

I failed to mention that after Comodo blocks this attempt at boot up, it does not recur. No repeat attempts during that entire on-line session (often lasting several hours).

Well, since there’s no further input here, I’ll go bounce this off the good folks over at BBR-DSL forums. I feel somewhat reassured Comodo is BLOCKING and that I have no connectivity issues. All scans with SAS, Avast, MBAM and A-squared are finding no malware. I assume it is using svchost.exe to call out (though not certain of that) and I assume ATT DSL modem uses this protocol to ID its customers or something like that. Maybe the folks at BBR-DSL will recommend an ALLOW rule be set up in Comodo, so I may be back if I need any help setting up such a rule, if that is what they recommend. I may even need to call ATT phone support & bounce this off them, in case the modem needs a PW reset or some setting adjustment since my recent disconnect.

I think the IGMP is being used by threat cast for sending feedback about an alert to all the people who subscribed to use threat cast…

I was still researching this issue. Normally your pc does not send out IGMP traffic if it doesn’t “see” multicast traffic on the network; I only see this sort of traffic sometimes at work, and also when I run VMware. Do you happen to have that installed btw?

To Darth:
TC is using udp 53 “dns” traffic, not multicast.

Ooh, thank you for clarifying this. I misunderstood the working of the IGMP protocol then, because I saw IGMP alerts also… But I cannot remember what application was firing the alert…

Hello again. No VMware here. Opted out of Threatcast feature at install. I just now got off the phone with ATT tech support (India I think) and they said my modem SW and PW is all OK, even though my ethernet cable was disconnected for 2 days. I also powered off the modem for a minute this morning to “reset” it. No need to reset modem PW.

First he said my Windows OS was corrupt. NOT, it was just format/clean installed! He then said it must be some problem with Comodo FW and that I should consider uninstalling it to eliminate this “error” and use the Windows FW. I laughed and said why would I want to give up outbound protection, to which he replied Win FW has outbound. I told him nobody else on multiple tech forums agrees with that statement (unless the Vista FW has outbound). At that point I realized he didn’t know what he was talking about at all. Maybe his first week on the job? He then went on to tell me ATT offers McAfee AV, which was a better AV than my Avast. Again I laughed and said I once had McAfee (preinstalled by Dell) and never again. My recent reformat/clean install of OS rid me of it once and for all.

Thanked him for his time but that I’d wait until my connectivity became an issue and call back at that time and wished him a nice day. (:WIN)

Here’s a link to my thread on this topic on BBR-DSL if anyone’s interested:

Just had another thought. You don’t suppose this has to do with WGA “phoning home” to Microsoft to report my Windows OS is a legitimate copy, do you? Does Microsoft use MultiCast for WGA, by any chance?

I have similar problems with IGMP alerts, and the applications that fire this kind of alert are very random. I just got one alert and I managed to cap it. I still do not know what the alerts mean and I did not have them before… I think these kinds of alerts are coming with the 3.8 version of the firewall.

[attachment deleted by admin]

It’s not WGA, it has something to do with IGMP v3 specific stuff. I’ll see if I can find more info tomorrow.
But don’t worry about it too much, seems like Google Talk triggers this also.

Now that you mention it, I don’t recall ever seeing this boot-up IGMP entry on my FW event log before updating to CIS 3.8 either. Hmmmmm. Wonder if it could have anything to do with that huge .NET Framework 3.5 Family update MS pushed recently. I did do that update. No other apps but the OS have tried to connect OUT with IGMP… just Windows Operating System at power up. And as I said earlier, I don’t get the pop-up alert like you at all. Comodo just blocks the outbound attempt.

Ronny, I also look forward to your findings on this.

I also had that .NET Framework update family pack and I updated too, but I did not get IGMP alerts… Later when installing version 3.8 I got those IGMP alerts and also alerts that Windows Operating System is trying to connect to the internet. If I blocked those alerts I had no internet; I had to set it as trusted or outgoing only… I just did a reinstall of CIS and the problem was gone.

I’m seeing this too. Not as a pop-up, but in the logs, every time I restart my computer. But on my setup, it’s getting automatically allowed. I do remember seeing it in the logs in the previous version of Comodo, but I just ignored it because I thought it was just regular LAN traffic since I’m behind a wireless router. I’m not so sure now.

Here’s what it looks like in my logs and these are my Comodo firewall settings.

[attachment deleted by admin]

Well here are my Application & Global Rules for the firewall. Much simpler than yours, as I don’t know that much about specific ports for such rule specificity. But as you can see, System is allowed to Send OUT if the Target is in my LAN. System is allowed IN if the sender is in my LAN. I know how to add a rule for System, but don’t want to do so until I’m certain some malware is not using System to call back to its nefarious server or something.

Edit: Sorry, couldn’t get all my app rules to show. FX is set up as a “browser” just like IE and all other apps pretty much like those shown “outbound only and block & log all unmatching requests”

[attachment deleted by admin]

A quote from MS TCP/IP fundamentals:

For an application to receive Multicast traffic it must inform the IP stack that it will receive multicast traffic at a specified address.

For the rest this is not new, there are posts about this 224.0.0.22 from around 2006, but I can’t stand the fact that I have not found the answer yet :wink:
RFC 3376 IGMPv3 October 2002

4.2.14. IP Destination Addresses for Reports

Version 3 Reports are sent with an IP destination address of
224.0.0.22, to which all IGMPv3-capable multicast routers listen. A
system that is operating in version 1 or version 2 compatibility
modes sends version 1 or version 2 Reports to the multicast group
specified in the Group Address field of the Report. In addition, a
system MUST accept and process any version 1 or version 2 Report
whose IP Destination Address field contains any of the addresses
(unicast or multicast) assigned to the interface on which the Report
arrives.

So there must be an application that wants to send out IGMP v3 reports. I think we need a packet capture to see what’s in it. Also, a router running uPNP could trigger some IGMP traffic.
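As an added example (not from this thread or from Comodo), here is what the packet capture asked for above would need to decode: a small parser for an IPv4 frame carrying an IGMPv3 Membership Report to 224.0.0.22, which checks both checksums and lists the group records (the multicast groups the host is joining, e.g. 239.255.255.250 for SSDP/UPnP). The `build_report` function only constructs a sample packet so the parser can be run offline; the source address and group list are made up.

```python
import socket
import struct

IGMPV3_REPORT = 0x22        # IGMPv3 Membership Report message type
REPORT_DST = "224.0.0.22"   # RFC 3376 4.2.14: all IGMPv3-capable routers listen here
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
                3: "CHANGE_TO_INCLUDE", 4: "CHANGE_TO_EXCLUDE",
                5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}
KNOWN_GROUPS = {"239.255.255.250": "SSDP (UPnP discovery)",
                "224.0.0.251": "mDNS", "224.0.0.252": "LLMNR"}

def inet_checksum(data):
    # RFC 1071 one's-complement sum; a buffer with a valid checksum sums to 0
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_report(src, groups):
    # Constructed sample: IPv4 (TTL 1, Router Alert option) + IGMPv3 report joining `groups`
    recs = b"".join(struct.pack("!BBH4s", 4, 0, 0, socket.inet_aton(g)) for g in groups)
    igmp = struct.pack("!BBHHH", IGMPV3_REPORT, 0, 0, 0, len(groups)) + recs
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0x4000,
                     1, 2, 0, socket.inet_aton(src), socket.inet_aton(REPORT_DST))
    ip += b"\x94\x04\x00\x00"   # Router Alert option, hence IHL = 6
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + igmp

def parse_report(pkt):
    # Decode one IPv4/IGMPv3 report; raise ValueError on anything malformed
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 2 or inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IGMP-over-IPv4 packet")
    igmp = pkt[ihl:]
    if igmp[0] != IGMPV3_REPORT or inet_checksum(igmp) != 0:
        raise ValueError("not a valid IGMPv3 report")
    out = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
           "ttl": pkt[8], "router_alert": ihl > 20 and pkt[20] == 0x94, "records": []}
    off = 8
    for _ in range(struct.unpack("!H", igmp[6:8])[0]):
        rtype, auxlen, nsrc = struct.unpack("!BBH", igmp[off:off + 4])
        group = socket.inet_ntoa(igmp[off + 4:off + 8])
        off += 8
        srcs = [socket.inet_ntoa(igmp[off + 4 * i:off + 4 * i + 4]) for i in range(nsrc)]
        off += 4 * nsrc + 4 * auxlen   # aux data length is in 32-bit words
        out["records"].append((RECORD_TYPES.get(rtype, str(rtype)), group,
                               KNOWN_GROUPS.get(group, "unknown"), srcs))
    return out
```

Run `parse_report(build_report("192.168.1.64", ["239.255.255.250"]))` to see a join of the SSDP group decoded; a real capture from a tool such as Wireshark can be fed to `parse_report` as raw IPv4 bytes.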

FWIW I have had the UPnP service disabled in Windows Services for some time now. I’m having no connectivity issues.

Sorry, you’re over my head on the packet capture. Pray tell, how would I go about doing that for you?

It’s not only uPNP on your system, other devices on your local network could also be using uPNP like a router or multimedia streaming servers etc…

I’ll look into it further before we need a packet capture.

I found one in my logging: there is an application asking for uPNP before WOS sends out an IGMP request as per the RFC.

See screenshot, and notice the timestamps.

I’ll see if I can “force” this with uTorrent or so to see how this behaves.
That it is WOS triggering this is not a real surprise because the app asks the IP Stack to set up Multicast communication.

[attachment deleted by admin]

Well, uPNP is disabled on my router, but it is running on my laptop (the only computer on my network). So I’ll disable it on my laptop as well and see if the WOS IGMP still shows up in the logs when I restart my computer.

EDIT: OK, since disabling uPNP and its partner, SSDP, the WOS IGMP has disappeared from my logs at startup. Also seeing that uPNP calls out to port 1900, svchost.exe and explorer.exe have stopped calling out to port 1900 at startup since disabling the 2 services, too. So, it looks like you’re right Ronny.