I recently installed Comodo Firewall 3 and, while looking through the new GUI, I suddenly noticed a lot of connections blocked. I checked the log and it’s all a bunch of incoming TCP from seemingly random IPs for System Idle Process.
What can this be?
Additional Information:
Comodo Firewall version: 3.0.1
OS: Windows XP SP2
Internet: ADSL shared through home LAN
Other security program: avast antivirus 4.7.1074
Permissions level: admin
I got them as well, but I disabled the logging on it :). Depending on how you set your rules (I shouldn’t have picked expert on everything :’( ), the application rules now have the ability to log blocked connection attempts.
Really? I’ve always had blocks against System Idle in probably every release. Although Egemen might have said… I’m vague on this. I’ve asked previously what it was, but I can’t remember if I got an answer. It’s not referenced in the Help. I’ve assumed, up to now, that System Idle means “no associated process”… and/or maybe a Global Block.
Hi Kail, I guess the block does come under the Global Rule, but I’m curious as to what, exactly, it’s doing. I’ve never seen this in any firewall I’ve used. Almost as soon as I logged on to the Net, I got inundated with these block events.
I’ve put Wireshark on the case, maybe it’ll reveal something.
Have just installed and am also seeing plenty of System Idle Process blocks. Even testing at Shields Up (via dial-up to bypass the router) shows all the Shields Up source ports as SIP blocks.
AFAIK SIP is only required to be configured for tunneling and can be safely blocked for other things.
Always blocked it, since it always tried to make outbound DHCP calls to some unknown (for me) locations.
I’m also getting this “System Idle Process” blocked in my log for version 3. I’ve never seen it in any firewall I’ve used either. What does it do and what is it blocking?
I’ve noticed this as well. The SIP, from what I understand, has to do with processes in your own computer, nothing to do with the internet. Under Firewall > Advanced > Network Security Policy the system is outgoing only and blocks unmatching requests. I don’t know what it means but I, personally, don’t think it’s going to hurt the system.
If you look at the Task Manager processes window, SIP is the process that nominally uses all the system resources that are not being used by other processes. I think it is a RAM scavenger, picking up RAM from other processes as a housekeeping action. I don’t get the blocks on my system, but I have configured it for local and multicasting privileges. The multicasting IP range is from 224.0.0.0 to 224.0.0.255 and 239.0.0.0 to 239.255.255.255 for local multicasting and 224.0.1.0 to 238.255.255.255 for Internet multicasting. If you are seeing remote IPs not in the multicasting range, you should try stealthing your ports. There is also the possibility of torrent servers polling your computer to see if it is available, and probably others that I know nothing about.
I’m experiencing the same. Sorry, I hadn’t bothered to examine the logs in v2. I seem to get millions of inbound attempts from all over the world on the System Idle Process, and from my IP vicinity on System and svchost.exe (better explained here). I’ve disabled logging for the block global rule just because of it. I wasn’t experiencing problems or noticeably high processor or hard disc usage, but I thought it was no good logging all that, besides burying more relevant events.
Anyway, I guess that source and destination ports are all random.
Here is the deal: it is possible to have SIP blocked entries with the same source port (usually source port 80, caused by late RST packets) due to V3 Stateful Packet Inspection, but the log cannot show this extra info ATM.
So I guess that this activity is due to SPI too.
Since this is strange traffic, I guess you could install Wireshark and check if there are invalid TCP flag combinations or such.
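To sort a pile of these blocked entries the way the last two posts suggest, here is a small triage script added as an illustration (not Comodo’s code or any poster’s). It assumes a constructed, simplified log line format and uses the multicast ranges stated earlier in the thread plus the source-port-80 late-RST heuristic; any remote IP that fits neither bucket is left as plain unsolicited unicast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified "blocked inbound" format.
# The real Comodo 3 log export format is not shown in the thread, so this
# layout is an assumption used only for the demonstration.
SAMPLE_LOG = """\
2007-11-03 10:12:01 Blocked System Idle Process TCP 203.0.113.45:80 -> 192.168.1.10:3022
2007-11-03 10:12:03 Blocked System Idle Process TCP 198.51.100.7:4431 -> 192.168.1.10:1045
2007-11-03 10:12:05 Blocked System Idle Process UDP 224.0.0.251:5353 -> 224.0.0.251:5353
2007-11-03 10:12:09 Blocked System Idle Process UDP 239.255.255.250:1900 -> 239.255.255.250:1900
2007-11-03 10:12:11 Blocked System Idle Process TCP 192.0.2.88:80 -> 192.168.1.10:3022
"""

LINE_RE = re.compile(
    r"^\S+ \S+ Blocked (?P<app>.+?) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Local multicast ranges exactly as the earlier post lists them:
# 224.0.0.0-224.0.0.255 and 239.0.0.0-239.255.255.255.
LOCAL_MULTICAST = (ipaddress.ip_network("224.0.0.0/24"), ipaddress.ip_network("239.0.0.0/8"))
# Everything else inside 224.0.0.0/4 is the post's "Internet multicasting" range.
ALL_MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def classify(src_ip: str, sport: int, proto: str) -> str:
    """Bucket one blocked entry by the heuristics given in the thread."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in LOCAL_MULTICAST):
        return "local-multicast"
    if ip in ALL_MULTICAST:
        return "internet-multicast"
    if proto == "TCP" and sport == 80:
        # Same source port 80 on many entries: likely late RST packets
        # from finished web sessions, dropped by stateful inspection.
        return "late-rst-candidate"
    return "unsolicited-unicast"


def triage(log_text: str) -> Counter:
    """Count blocked entries per bucket; lines that do not parse are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[classify(m["src"], int(m["sport"]), m["proto"])] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in triage(SAMPLE_LOG).most_common():
        print(f"{bucket:22s} {n}")
```

Anything left in the unsolicited-unicast bucket is the traffic worth capturing in Wireshark, as the post above suggests.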
Thanks gibran, I have Wireshark installed already, but until a few minutes ago I kept missing these events. Guess I should have just left WS running :-X
Anyway, I finally managed to capture several of these events and they turn out to be the typical NetSend rubbish:
Message: STOP! IMMEDIATE ATTENTION REQUIRED\n\n Windows has found CRITICAL SYSTEM ERRORS.\n\n Download Registry Cleaner from: clean32.com\n\nFAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!\n\n
Of course I have the Messenger service disabled, so I don’t see these pop-ups. It is curious, however, that these are being intercepted by SIP.
Your kit is unclean, Sir! I’ve read about these… you run an on-line scan or download something… and occasionally it jumps out and tries to scare the skin off the user into buying the said product. Not nice. You need to run HijackThis, mate, or something like that… adware? scareware?