Windows operating system trying to connect to the internet? Is it safe?

Hi guys,

A brief while ago Comodo popped up to notify me about a “process”, not sure whether this is the most proper form to name it, called Windows operating system and that it was attempting to connect to the internet. Considering it was the very first time that a request such as this one showed up, I promptly, or almost instantly to be honest, refused and blocked it. Now I’m wondering whether that was harmless or if I did right not to allow it. Should I have permitted it to access my internet connection?

I know what I’ve written above is sorta vague so I’m attaching a screenshot. I hope it’s no big deal.

Thanks in advance,


Is it about Windows activation, Windows Defender, update, Windows Firewall, a Metro app?
Anyway, removing Internet Explorer is impossible … Comodo has never popped up for me about that … I do not know what it is.

“Should I have permitted it to access my internet connection?” Funny question! Windows does not need your permission, so this pop-up is a curious thing that I have not noticed before.

Thanks for the quick reply,

“is it about activation windows , windows defender, update , windows firewall , metro app ?”

So, I have no idea. It didn’t specify the actual purpose of the request. I was using the Opera browser at that moment, which I had just installed, and Vuze, a bittorrent client, was also active.

“windows do not need your permission so this pop-up is a curious thing that i have not noticed before”

Yep, that’s why I blocked it. It shouldn’t be asking for permissions I presume.

Btw, I did a bit of a search to see if anyone else has had this peculiar “problem”, and I came across some similar situations but with disparate outputs that, as far as I understood, don’t appear to be related to my case specifically. Strange.

:slight_smile:
Yes, very strange, and it seems you were right: it is not Vuze (I have tried four torrent programs and I have not had this problem).
Maybe the answer is on the Opera forum.

“Yep, that’s why i blocked it. It shouldn’t be asking for permissions i presume.” Same opinion!

Have you checked “sharing network” - “share printers” - have you asked the help (monitoring) of one of your friend by the network - do you share your router - are you on ‘slave’ or ‘master’ - ?

Is it a bug in the firewall?

Yeah, I imagine it has to do with Opera since I had never had a similar notification. But, it’s still weird.

“Have you checked “sharing network” - “share printers” - have you asked the help (monitoring) of one of your friend by the network - do you share your router - are you on ‘slave’ or ‘master’ - ?”

I have and there’s nothing out of the usual. My router is used only at home with two other laptops, and I don’t know if I’m slave or master.

I think it’s doubtful that it was a bug, but everything is possible.

Btw, I was pondering if it may have been due to an incoming connection of some download I was doing on Vuze because I googled the destination IP and it returned a Canada location: 24.86.121.89 (utrace lookup).
Not sure if it makes any sense.

? incoming connection + vuze = Not sure if it makes any sense
;D
Torrent is sharing in/out.
I do not know if it makes sense:

Have you verified your rules for Vuze? (5)
Enable File Sharing Applications like BitTorrent and Emule

Yep, I know torrent is all about sharing and having connections entering and leaving your computer, but still, who knows right?

Actually now I doubt this was the problem because new requests have been made, and Comodo is blocking them automatically. Now I’m a little more concerned about it because what if it’s important like an Update or something similar and I’m stupidly blocking them? On the other hand, it’s better to be safe than sorry.

I’m attaching another screenshot with the updated information.

Oh, and thanks for the link.


Hi AstronomyDomine,

Some of these IPs are from different places; some, although not on some blacklists, have moderate risk.
They are not identified as being essential or from Microsoft.

One of the IPs on the list is related to a malicious site. Try to keep it blocked and run a full scan on your system with Comodo Antivirus, and also use a tool for a second opinion (an example is Malwarebytes) to make sure that no malicious program is trying to connect remotely.

If in doubt, feel free to ask :slight_smile:

Regards

If it is a malicious site, put it on the blacklist: so it is not Vuze (but maybe a site where you downloaded something borderline).

Were you previously running a torrent/file sharing program and then closed it? If so, Windows Operating System is where the connection goes to die, because no program is listening anymore, but the incoming packet has to be handled and then dropped by Windows.

Thanks for the help jhkmaster_b and merke. I ran the antivirus and Malwarebytes and it did happen to find a malicious unwelcome “guest” here. I’m just curious now how I happened to get infected. I’m always really cautious with every site I drop by, I don’t visit ‘borderline’ content or sites that are known to be possibly dangerous or a resort for threats, and I even use Adblock to block some of the dangerous ads. Well, it beats me.

Anyways, I’m not receiving those unfortunate requests anymore. Thanks guys. I owe you one.

*Aim4it, I didn’t really understand what you meant, but I’m thankful for your willingness to help. Edit: Oh, on reading it again, it does make sense, but that wasn’t the issue. Thanks again.

Best regards

The connection can be made with the item you mentioned or even if you use P2P-type software, torrents, file sharing …
As I mentioned, I tested the IP in some specific solutions, one of which pointed out that the source was malicious, possibly exploiting Windows.

Tip: To have a visualization of connections you can use KillSwitch and observe the current connections.

Great to hear that everything is fine, any questions feel free to ask :slight_smile:

If you ask yourself “Should I allow it?”, you most likely DON’T need to allow it.

If you don’t KNOW what you are about to allow, DON’T do it.

Windows operating system is a placeholder name. In this light, it’s a bad placeholder, because it has a “trusted” name.

@ AstronomyDomine
can we reproduce your problem pls ?

if not , maybe chucknorris / clockwork could help us.
;D

With u_torrent, I do not see this ‘thing’.
Thx.

Hi … I registered to post here :slight_smile:
I have the same problem. Win8 x64

The IPs are the following (there may be more of them):
12.54.32.146 port 33227 USA
86.40.127.161 Ireland

I selected block and terminate and nothing visible happened. I’m using BitTorrent but I don’t think this is the problem.

“Windows operating system”, unknown process, may be a trojan in my opinion.

Hi adi4x,
Some legitimate processes can also be used by trojans / malware; check your machine with an online scanner or anti-malware for a second opinion.

Attention:
Peer-to-peer (P2P) file sharing programs (i.e. BitTorrent, BitComet, uTorrent, Limewire, eMule, …) are a security risk; they leave your computer susceptible to malware infections and expose your network to attacks.
These networks can even disseminate new threats that are not detected yet.
If you use them, you assume certain risks.

Note:
It is recommended that you also have anti-malware real-time protection as provided by Malwarebytes or similar.
Avoid downloading or running software and games coming from these networks.
Check each and every download.
Try to understand the creation of firewall rules and use more aggressive policies for the use of P2P. Open ports can be used to attack you.
It is probable that during the use of such networks you receive alerts or identify blocked IPs in the log.

See if this can help too:
Set up the Firewall For Maximum Security and Usability
Enable File Sharing Applications like BitTorrent and Emule

If you have problems with the firewall configuration or removing malware, let us know the issue so we can help you. :slight_smile:

I use BitTorrent and now I set it not to open at each startup. Maybe this was causing the alerts to those strange connection requests to unknown IPs. I’m waiting to see if I get more alerts with BitTorrent closed. I believe this was the problem.

Malware scanner found 2 strange files called superfish (supposed to be a component of window-shopper). They are now in quarantine.

Comodo firewall worked very well so far. Thanks for your help.

PS: This forum should have “notify by default” in my opinion.

You’re welcome :slight_smile:
If you want to send the files to Comodo for analysis:
To submit selected quarantined items to Comodo for analysis

Regards

There is a tutorial of steps towards the middle of this post that should be taken by all that use CIS/C.F.

First, let’s clear up the misconceptions…

  1. “Windows Operating System” is not accessing the internet due to
    any third party software (whether it be Opera, Chrome, Bittorrent, uTorrent, or any other
    third party software) or malware.
  2. “Windows Operating System” is exactly what it says… it’s the Windows Operating
    System. Exactly what part of the system, you’d have to speak with Comodo’s corporate
    headquarters, and even then I’d doubt you’d get an explanation.

Now, with that being said, “Windows Operating System” will attempt to contact Google’s server on 74.125.., amongst other IPs and because Comodo refuses to elaborate on the files classified into Windows Operating System, it becomes near impossible to differentiate between Google services you use, like the search by voice option on the Google Omnibox or search page, and other companies utilizing Google’s hosting services. A bulk of the requests from Windows Operating System are going to the services for which rules are created below and I caution anyone of allowing an unknown IP through their firewall, outbound or inbound, without consulting WhoIS.com and making sure you know exactly what is being performed. I have my alerts set to very high and custom ruleset, and when you do this, you start to become familiar with different ports and the services and files that use them. For example, ports 80 and 443 should be allowed on any application or file you wish to have connect through a network card, as 80 is for unsecured communication (http) and 443 is for secured [encrypted] communication (https).

“Windows Operating System” is just like any other windows process and should be locked down and monitored. What is frustrating, at least to me as an end user, is Comodo giving no explanation as to what they changed in between this version of CIS Pro and the previous version (probably 2012, possibly 2013, edition) that eliminated the software’s ability to distinguish and name exactly which part of Windows “Windows Operating System” applies to. You can see this with other processes by looking at the bottom of the Application Rules under Firewall and you will see file groups (Windows Updater Applications, Windows System Applications, Metro Apps, System, and 1 from Comodo, Comodo Internet Security).

My thought is they did this to streamline and make the firewall interface more user friendly by grouping a plethora of Windows processes into their own unique groups within the internal algorithms that govern how CIS operates. I was as perplexed and worried as most who posted on this thread were, however all the information given thus far in this thread is entirely inaccurate and incorrect.

In order to fix what Comodo forgot, we must first set up a few Network Zones, as they will be needed below, and then we can set up our application rules:

First:
Create Network Zones

  1. Go to Advanced Settings - Firewall - Network Zones

  2. Right Click and select Add - New Network Zone and Name it “Loopback Zone”

  3. Right click on Loopback Zone, Add - New Address - IPv4 Subnet Mask
    IP:127.0.0.1 MASK: 255.0.0.0 then click okay.

  4. Repeat Step 2 and Name it “Link-Local”

  5. Right Click on Link-Local and select Add - New Address - Type - IPv4 Address Range
    and type in 169.254.0.0 - 169.254.255.255

  6. Repeat Step 2 and Name it “Microsoft Update”

  7. Right Click on Microsoft Update and select Add - New Address - Type - Host Name and
    add the following addresses by repeating Step 7 for each one:

    [i] - http://windowsupdate.microsoft.com

  8. Repeat Step 2 and Name it [insert name of your home network here]

  9. Right click on [your network name], Add - New Address - MAC Address and add
    the Mac Address of every device that accesses your home network.

    (You can get these from your router page, and while it will take some time if you haven’t
    already done so, this is imperative to locking down and preventing unauthorized access to
    your home devices, and at the same time, allowing system processes and other
    applications access to your devices without errors or constant pop ups. While end users
    may find comfort in the “let CIS do its thing” what CIS does too often when you allow an
    application through your firewall is allow it access to all 65,535 ports, essentially leaving
    65,535 doors open to your PC and Network… not wise and will eventually result in a
    compromised system.)

  10. Right click on your network name, Add - New Address - IPv4 Single Address and
    add the DHCP Server address from your router (for many, this will be 192.168.1.1,
    192.168.2.1, or whatever you use for a custom IP. For example, I use 8.8.8.1 and it is
    the IP that is used to login to your router)

  11. Right click on your network name, Add - New Address - IPv4 Single Address -
    and add your DHCP Server IP, but this time with 255 at the end
    (192.168.1.255, 192.168.2.255, etc.)

  12. Right click on your network name, Add - New Address - IPv4 Single Address and
    add 255.255.255.255

  13. Right click on your network name, Add - New Address - Host Name
    and add your computer’s host name (found by opening up a command
    prompt and typing ipconfig /all and “Host Name” will be the very first line
    returned).

  14. Repeat Step 2 and Name it “Multicast Reserved”

  15. Right click on Multicast Reserved, Add - New Address - IPv4 Address Range
    224.0.0.0 - 239.255.255.255

Second:
Add Application Rules
  1. Go to Advanced Settings - Firewall - Application Rules, right click and select Add

  2.
    • Name: Windows Operating System
    • Rules (I will list them in reverse, so that when you add them, they will be in the correct
      order)
      • Ask and Log All Unmatching Requests (IP In/Out Any)
      • Allow Outbound UDP on 137 to Multicast Reserved on 137
      • Allow Outbound UDP from Link-Local on 137-138 to Link-Local on 137-138
      • Allow Outbound TCP to Microsoft Update on 8531
      • Allow Outbound TCP to Microsoft Update on 8530
      • Allow Outbound TCP to Microsoft Update on 443
      • Allow Outbound TCP to Microsoft Update on 80
      • Block and Log ICMPv6 Traffic
      • Block and Log ICMPv4 Traffic
      • Allow IP Traffic within [input your network name here] from your network zone
        to your network zone (IP In/Out, Any)

-----Once finished with Step 2, your rules should begin with Allow IP Traffic within your network name here and end with Ask and Log All Unmatching Requests (IP In/Out Any) for a total of 10 application rules under “Windows Operating System”.-----

A few additional suggestions…

There are a few Global Rules that everyone should have:

These should be ordered chronologically, as written below, and unlike the rules above, you’ll have to manually reorder each rule once added

1. Block and Log Outbound Traffic to “Public” [IP In/Out From Any on Any to
Network Zone Public on Any]
2. Block and Log Inbound Traffic from “Public” [IP In/Out From Network Zone
Public on Any to Any on Any]
- The “Public” Network Zone should be added to the Block List under
Network Zones, no exceptions.
3. Allow IP Traffic within your network name [home network] [IP In/Out from
Network Zone “your network” on Any to Network Zone “your network” on any]
4. Block and Log TCP/UDP Traffic within Link-Local on 135 - 139 (RPC) [TCP/UDP In/Out from
Link-Local on 135-139 to Link-Local on 135-139]

EDIT: 4. Block and Log TCP/UDP Traffic on 135 - 139 (RPC) [TCP/UDP In/Out from EXCLUDE Link-Local
on 135-139 to EXCLUDE Link-Local on 135-139; to exclude, tick the “exclude” check box
and exclude only Link-Local, NOT the port range 135 - 139]
5. Block and Log TCP/UDP Traffic on 445 [TCP/UDP In/Out from Any on 445 to
Any on 445]
6. Block and Log TCP Traffic on 4444 [TCP In/Out from Any on 4444 to Any on
4444]
7. Block And Log Inbound Privileged Ports request [TCP/UDP In from Any on
Privileged Ports to Any on Privileged Ports]
8. Block and Log IP Traffic when Protocol is ICMPv4 [IP In/Out from Any to Any
on ICMPv4]
9. Block and Log IP Traffic when Protocol is ICMPv6 [IP In/Out from Any to Any
on ICMPv6]

ABOVE ALL ELSE, DISABLE [TURN OFF] WINDOWS FIREWALL FOR BOTH PUBLIC AND PRIVATE NETWORKS. IF WINDOWS FIREWALL IS NOT TURNED OFF, ITS LENIENT RULES AND UNFETTERED PORT ACCESS WILL ALLOW INBOUND ACCESS TO YOUR DEVICES AND NETWORK AS THE LENIENT RULES SUPERSEDE COMODO’S FOR SOME REASON. I HAVE NO CLUE WHY, ALL I KNOW IS IT OCCURS AND QUITE FREQUENTLY WITHOUT THE USER KNOWING.

THE CIS INSTALLER WILL TELL YOU IT’S TURNED OFF WINDOWS FIREWALL… NOT SO IN THREE DIFFERENT OCCASIONS ON MY WIN 8.1 PRO PC. TO BE ON THE SAFE SIDE, VERIFY IT’S TURNED OFF BEFORE AND AFTER YOU RESTART FOLLOWING AN INSTALL/REINSTALL AND PERIODICALLY CHECK IT EVERY FEW WEEKS TO MAKE SURE IT STAYS DISABLED.

While Windows Firewall is far more complex than any consumer grade firewall, resembling that of more complex enterprise level firewalls, its default settings are set up in such a way it allows unfettered port access, inbound and outbound. If a person was to take the time to customize Windows Firewall, it would be more secure than Comodo Firewall in the end as there are many features that allow you far more control over outbound and inbound traffic… it simply takes a decent amount of time to customize. If a person was interested in customizing it, I would wait until you’ve got Comodo Firewall (or other consumer grade firewall) customized the way you want it, then copy the settings one by one over to Windows Firewall. Once that’s done, there will be other options that will need to be set up and customized which will make Windows Firewall one of the most secure firewalls you’ll ever use… it simply takes a lot of time to customize and set up.

By no means am I an expert in network security, and know very little about it, however my advice above is written from the hours of research I’ve done to make sure I have an extremely secure firewall after I noticed multiple devices showing up in my Network places on Windows 8 that shouldn’t have been there. These individuals gained access via the superseding unfettered access Windows Firewall was giving (even though it should have been disabled and I still have no clue how it became re-enabled). After realizing these individuals had probably been in my network for months, I became extremely ■■■■ about traffic in and out of my PC. If anyone cares to see how I’ve set up my firewall, they can download my configuration file at: http://1drv.ms/1qhEnHt

jmonroe0914
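
The “Windows Operating System” rule order from the post above, modelled as a first-match evaluator; this is an added example, not part of the original post and not Comodo's code. It assumes the firewall applies the first rule that matches from the top of the list; the home subnet 192.168.1.0/24 and the Microsoft Update address 203.0.113.10 are constructed stand-ins for the post's MAC list and host name.

```python
import ipaddress as ipa
from typing import NamedTuple, Optional, Tuple

# Network zones from the post. "home" and "ms_update" are constructed stand-ins:
# the post defines them by MAC addresses and by host name, which need a live network.
ZONES = {
    "link_local": ipa.ip_network("169.254.0.0/16"),   # 169.254.0.0 - 169.254.255.255
    "multicast": ipa.ip_network("224.0.0.0/4"),       # 224.0.0.0 - 239.255.255.255
    "home": ipa.ip_network("192.168.1.0/24"),         # assumed home subnet
    "ms_update": ipa.ip_network("203.0.113.10/32"),   # placeholder (TEST-NET-3)
}

Span = Optional[Tuple[int, int]]

class Rule(NamedTuple):
    action: str                       # "allow", "block" or "ask"
    direction: Optional[str] = None   # "in" or "out"; None matches both
    proto: Optional[str] = None       # None matches any IP protocol
    src_zone: Optional[str] = None
    sports: Span = None
    dst_zone: Optional[str] = None
    dports: Span = None

# Final top-to-bottom order described in the post (10 rules).
WOS_RULES = [
    Rule("allow", src_zone="home", dst_zone="home"),
    Rule("block", proto="icmpv4"),
    Rule("block", proto="icmpv6"),
    *[Rule("allow", "out", "tcp", dst_zone="ms_update", dports=(p, p))
      for p in (80, 443, 8530, 8531)],
    Rule("allow", "out", "udp", "link_local", (137, 138), "link_local", (137, 138)),
    Rule("allow", "out", "udp", None, (137, 137), "multicast", (137, 137)),
    Rule("ask"),
]

def _zone_ok(ip: str, zone: Optional[str]) -> bool:
    return zone is None or ipa.ip_address(ip) in ZONES[zone]

def _port_ok(port: Optional[int], span: Span) -> bool:
    return span is None or (port is not None and span[0] <= port <= span[1])

def evaluate(direction, proto, src, sport, dst, dport, rules=WOS_RULES):
    """Return (rule number, action) of the first rule that matches the packet."""
    for number, r in enumerate(rules, 1):
        if (r.direction in (None, direction) and r.proto in (None, proto)
                and _zone_ok(src, r.src_zone) and _port_ok(sport, r.sports)
                and _zone_ok(dst, r.dst_zone) and _port_ok(dport, r.dports)):
            return number, r.action
    return len(rules), "ask"

if __name__ == "__main__":
    # Constructed packets; the remote addresses are the ones quoted in the thread.
    for pkt in [("in", "tcp", "12.54.32.146", 40000, "192.168.1.20", 33227),
                ("in", "udp", "86.40.127.161", 40000, "192.168.1.20", 33227),
                ("in", "icmpv4", "192.168.1.1", None, "192.168.1.20", None)]:
        print(pkt, "->", evaluate(*pkt))
```

In this model, unsolicited inbound traffic from the addresses reported in the thread falls through to the final “Ask and Log” rule, while ICMP between two home-zone hosts is allowed by rule 1 before the ICMP block rules are reached.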

If anyone cares to see how I've set up my firewall, they can .... my configuration .....
It would be better to show us a screenshot. ;) screenshot zip file - attach