Windows Operating System / System Idle Process in Logs [Merged Threads]

Thank you! Sounds like a mystery.

I am no longer getting these since upgrading to 3.0.14.273.

Regards,
Mike

They're still there.
Renamed to Windows Operating System.

Ok, I’ve read through all posts (didn’t necessarily understand them all, though) and I would like to boil this all down to something I can get my hands around. Therefore, I ask the following:

  • What is the most likely cause of these blocked intrusion attempts listing Windows Operating System -NetSend? Bots? Something else? Does it really matter?
  • Are these particular intrusion attempts ok to ignore and as such are not necessary to have logged?
  • If they are ok to ignore, how can I get CFP v3.014.276 to NOT log these benign events so I can keep my log uncluttered?
  • Have I missed an important aspect of this issue?

Phew! Hope everyone is well and thanks for any guidance on this one.

Best,
Max

(V)

This is strange Toggie, I too was getting a block log every 20 secs from SIP which has now changed to Windows Operating System. All the logs are from the same source IP and port (my router's IP) with the same destination IP and port.

Any suggestions?

PS. I'm now on the latest v3 with loopback zone in my network zones.

I have Comodo firewall v. 3 with Windows XP.
During a connection, the program reports 2/3 (blocked) intrusion attempts every second. This means thousands of attempts every session. Is this normal?

Hi Ez99, welcome to the forums.

The number of attempts does sound high. Could you provide a little more detail please.

IMPORTANT: HOW TO WRITE HELP REQUESTS

Take a look at how you submit the firewall log files. Probably something is configured wrong, causing something to be blocked all the time (System Idle Process?).

Cheers,
Ragwing

Hi. I have the same problem… when I check under Firewall Logs, Today, they are all for System Idle Process… up to 3,598 and counting for today! Source IP varies, Destination IP is always the same. Is this normal? How do I configure properly? Thank you for your help.

I think the attacks should be refined a bit or at least have a filter to do that. I don’t want Comodo to count every ICMP as an attack (which simply isn’t by itself), but I do want it to count actual port scans for example. And even after I disabled ALL ICMP logging it was still logging them. Weird and useless.
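The distinction this post asks for, a lone ICMP echo versus one source walking many ports on the same host, can be expressed as a threshold filter over the log. The Python below is an added example, not code from the thread or from Comodo; the simplified CSV log layout, the sample lines, and the threshold of 5 distinct TCP/UDP destination ports within 60 seconds are all constructed assumptions. It parses the sample lines, classifies each source, and keeps only the events worth logging.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List

# Constructed sample log in a simplified CSV layout (assumption, not Comodo's
# real export format): timestamp, application, action, protocol,
# source IP, source port, destination IP, destination port.
SAMPLE_LOG = """\
2007-12-20 10:00:01,System Idle Process,Blocked,ICMP,203.0.113.7,,192.168.0.10,
2007-12-20 10:00:05,System Idle Process,Blocked,TCP,198.51.100.9,4412,192.168.0.10,135
2007-12-20 10:00:06,System Idle Process,Blocked,TCP,198.51.100.9,4413,192.168.0.10,139
2007-12-20 10:00:06,System Idle Process,Blocked,TCP,198.51.100.9,4414,192.168.0.10,445
2007-12-20 10:00:07,System Idle Process,Blocked,TCP,198.51.100.9,4415,192.168.0.10,1025
2007-12-20 10:00:08,System Idle Process,Blocked,TCP,198.51.100.9,4416,192.168.0.10,3389
2007-12-20 10:00:30,System Idle Process,Blocked,ICMP,203.0.113.7,,192.168.0.10,
2007-12-20 10:05:00,System Idle Process,Blocked,UDP,192.168.0.1,1900,192.168.0.10,1900
"""

PORT_THRESHOLD = 5            # distinct destination ports (assumed value)
WINDOW = timedelta(seconds=60)  # sliding window (assumed value)


def parse(text: str) -> List[dict]:
    """Turn the CSV lines into event dicts with a parsed timestamp."""
    events = []
    for ts, app, action, proto, src, sport, dst, dport in csv.reader(StringIO(text)):
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "app": app, "action": action, "proto": proto,
            "src": src, "dst": dst,
            "dport": int(dport) if dport else None,   # ICMP has no port
        })
    return events


def classify(events: List[dict], threshold: int = PORT_THRESHOLD,
             window: timedelta = WINDOW) -> Dict[str, str]:
    """Per source IP: 'port scan' if any window holds >= threshold distinct
    TCP/UDP destination ports, otherwise 'noise' (single pings, LAN chatter)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        scan = False
        for i, first in enumerate(evs):          # window anchored at each event
            ports = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                if e["proto"] in ("TCP", "UDP") and e["dport"] is not None:
                    ports.add(e["dport"])
            if len(ports) >= threshold:
                scan = True
                break
        verdicts[src] = "port scan" if scan else "noise"
    return verdicts


def worth_logging(events: List[dict]) -> List[dict]:
    """The filter the post asks for: keep only events from sources flagged as scans."""
    verdicts = classify(events)
    return [e for e in events if verdicts[e["src"]] == "port scan"]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, verdict in classify(evs).items():
        print(f"{src:15} {verdict}")
    print(len(worth_logging(evs)), "of", len(evs), "events kept")
```

With the sample above the two pings from 203.0.113.7 and the single UPnP packet from the router stay classified as noise, while 198.51.100.9 is flagged because it touched five different ports in three seconds.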

Hello Everyone,

I could be wrong but me thinks this topic should be merged with this one here:

https://forums.comodo.com/help_for_v3/system_idle_process_in_firewall_event_logs_merged_threads-t15032.90.html

You can see my post there asking for a summary on this issue but no one has ponied up with a response yet. :cry: The only diff is that CFP is listing Windows Operating System as the application responsible for the intrusion, not System Idle Process, but I think this is the same thing (?).

I have uploaded a screenshot of my firewall logs for reference and the first person who can answer the summary questions from my post under the other topic will be rewarded with their own Swiss bank account (not that there will be any money in it but hey, it is sure to impress people at parties, etc. :P).

Any takers?

Best,
Max

(V)

[attachment deleted by admin]

Essentially, SIP is now WOS. It will still capture the same events. I don’t, as yet, have the answer to all of these, but most are application-less rubbish, such as NetSend messenger spam.

For the most part, I’d suggest creating a rule for WOS that simply blocks without logging, either everything, or as selectively as you wish. Right now I can’t find any reason to capture any WOS log detail, but I’ll keep looking at it.

Do you have a UPnP router?

Hi Toggie,

I see you have a Swiss Bank Account in your future . . . ;D

My concern with creating a rule that blocks incoming traffic for WOS was that I might actually block something useful and thereby create more havoc for my system. From your last post it would seem you are saying this is highly unlikely and that WOS, in principle, shouldn’t be receiving any incoming packets of any consequence. Am I understanding you correctly?

If this is true, I would simply create a rule that would block without logging ALL incoming traffic for WOS since I wouldn’t know how to discern that which has any value from that which is valueless.

Another question I have is: where may I find the rule that is already in place which is currently blocking the incoming traffic for WOS? Is it in Network Security Policy>Global Rules? If it is I didn’t see it.

I almost created a rule for WOS on my own but when I saw that WOS basically encompasses all other running processes, I became just a wee bit nervous about doing so. I would much prefer, if possible, to modify the rule that is already in place.

Hope that made sense!

Best,
Max

(V)

Hi max2 - there is no default rule for WOS. I just clicked Add on the Firewall > Advanced > Network Security Policy and on the dialog, clicked Select > Running Processes. WOS is at the top. With the process selected, and Use a Custom Policy chosen, click Add and write the following rule: Allow IP In/Out (Describe the rule) Source (my home IP address range = 192.168.0.0 - 192.168.0.255) Destination (same as Source) IP Details Any. Click Apply. Then click Add again and write the following: Block IP In/Out (leave the Description blank or call it Block) Source Any Destination Any Details Any (Check the Log… box if you want to inspect blocked connections from outside). Click Apply, Apply and Apply. I have not had any trouble from blocking any outside connection attempts this way.
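AnotherOne's two-rule policy depends on first-match ordering: the LAN allow rule has to sit above the Any/Any block rule, or the block swallows local traffic as well. The Python below is an added example, not code from the thread or from Comodo; it models that evaluation so the effect of the rule order can be checked against sample addresses. The Rule class, the top-to-bottom first-match semantics, the fallback when nothing matches, and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Home LAN range from the post (192.168.0.0 - 192.168.0.255).
HOME_RANGE = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Rule:
    """One application rule. A source/dest of None stands for 'Any'."""
    action: str                              # "allow" or "block"
    source: Optional[ipaddress.IPv4Network]
    dest: Optional[ipaddress.IPv4Network]
    log: bool = False                        # the 'Log...' checkbox
    description: str = ""


def _in(net: Optional[ipaddress.IPv4Network], addr: str) -> bool:
    """True when addr falls inside net, or when net is 'Any'."""
    return net is None or ipaddress.ip_address(addr) in net


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, bool]:
    """Walk the rules top to bottom and stop at the first match (assumed
    semantics). Returns (action, logged)."""
    for rule in rules:
        if _in(rule.source, src) and _in(rule.dest, dst):
            return rule.action, rule.log
    # Never reached while a trailing Any/Any rule exists; conservative
    # fallback chosen for this example (assumption).
    return "block", False


# The two rules from the post, in the order the post gives them.
RULES = [
    Rule("allow", HOME_RANGE, HOME_RANGE, description="Allow LAN"),
    Rule("block", None, None, log=True, description="Block"),
]


def triage(rules: List[Rule], packets) -> List[Tuple[str, str, str]]:
    """Apply the rules to (src, dst) pairs and return what the log would show."""
    logged = []
    for src, dst in packets:
        action, is_logged = evaluate(rules, src, dst)
        if is_logged:
            logged.append((src, dst, action))
    return logged


# Constructed sample traffic (not from the thread): LAN chatter, the router
# talking to a LAN host, and an outside address hitting the LAN host.
SAMPLE = [
    ("192.168.0.10", "192.168.0.1"),
    ("192.168.0.1", "192.168.0.10"),
    ("203.0.113.5", "192.168.0.10"),
]

if __name__ == "__main__":
    for src, dst in SAMPLE:
        print(src, "->", dst, evaluate(RULES, src, dst))
    print("logged with the post's order:", triage(RULES, SAMPLE))
    # Reversed order puts Any/Any block first, so LAN traffic is blocked and logged too.
    print("logged with reversed order:", triage(list(reversed(RULES)), SAMPLE))
```

Only the outside address shows up in the log with the rules in the order given; reverse the two rules and all three sample packets are blocked and logged, which is the clutter the thread is trying to get rid of.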

AnotherOne – many thanks for the explanation; I will give it a whirl and see what happens.

Best,
Max

(V)

More strangeness from the Logs:

This just started today, there are loads!

[attachment deleted by admin]

I am getting the same thing as Toggie! :-\

Josh.

Curious. Your entries are exactly the same, IP Address and Port?

What about the ICMP attempts at the top of this log? I’d guess they’re illegit, and they come from China, only I was curious because I don’t get ICMP ones often (and I don’t really know what ICMP is).

http://www.imgplace.com/directory/dir3805/1198100719.png

Also, what about the last outbound one? That remote IP belongs to Microsoft. :o