There is a tutorial of steps towards the middle of this post that should be taken by all that use CIS/C.F.
First, let’s clear up the misconceptions…
“Windows Operating System” is not accessing the internet due to
any third party software (whether it be Opera, Chrome, Bittorrent, uTorrent, or any other
third party software) or malware.
“Windows Operating System” is exactly what it says… it’s the Windows Operating
System. Exactly what part of the system, you’d have to speak with Comodo’s corporate
headquarters, and even then I’d doubt you’d get an explanation.
Now, with that being said, “Windows Operating System” will attempt to contact Google’s server on 74.125.., amongst other IPs and because Comodo refuses to elaborate on the files classified into Windows Operating System, it becomes near impossible to differentiate between Google services you use, like the search by voice option on the Google Omnibox or search page, and other companies utilizing Google’s hosting services. A bulk of the requests from Windows Operating System are going to the services for which rules are created below and I caution anyone of allowing an unknown IP through their firewall, outbound or inbound, without consulting WhoIS.com and making sure you know exactly what is being performed. I have my alerts set to very high and custom ruleset, and when you do this, you start to become familiar with different ports and the services and files that use them. For example, ports 80 and 443 should be allowed on any application or file you wish to have connect through a network card, as 80 is for unsecured communication (http) and 443 is for secured [encrypted] communication (https).
“Windows Operating System” is just like any other windows process and should be locked down and monitored. What is frustrating, at least to me as an end user, is Comodo giving no explanation as to what they changed in between this version of CIS Pro and the previous version (probably 2012, possibly 2013, edition) that eliminated the software’s ability to distinguish and name exactly which part of Windows “Windows Operating System” applies to. You can see this with other processes by looking at the bottom of the Application Rules under Firewall and you will see file groups (Windows Updater Applications, Windows System Applications, Metro Apps, System, and 1 from Comodo, Comodo Internet Security).
My thought is they did this to streamline and make the firewall interface more user friendly by grouping a plethora of Windows processes into their own unique groups within the internal algorithms that govern how CIS operates. I was as perplexed and worried as most whom posted on this thread were, however all the information given thus far in this thread is entirely inaccurate and incorrect.
In order to fix what Comodo forgot, we must first set up a few Network Zones, as they will be needed below, and then we can set up our application rules:
Create Network Zones
Go to Advanced Settings - Firewall - Network Zones
Right Click and select Add - New Network Zone and Name it “Loopback Zone”
Right click on Loopback Zone, Add - New Address - IPv4 Subnet Mask
IP:127.0.0.1 MASK: 255.0.0.0 then click okay.
Repeat Step 2 and Name it “Link-Local”
Right Click on Link-Local and select Add - New Address - Type - IPv4 Address Range
and type in 169.254.0.0 - 169.254.255.255
Repeat Step 2 and Name it “Microsoft Update”
Right Click on Microsoft Update and select Add - New Address - Type - Host Name and
add the following addresses by repeating Step 7 for each one:
[i] - http://windowsupdate.microsoft.com
Repeat Step 2 and Name it [insert name of your home network here]
Right click on [your network name], Add - New Address - MAC Address and add
the Mac Address of every device that accesses your home network.
(You can get these from your router page, and while it will take some time if you haven’t
already done so, this is imperative to locking down and preventing unauthorized access to
your home devices, and at the same time, allowing system processes and other
applications access to your devices without errors or constant pop ups. While end users
may find comfort in the “let CIS do it’s thing” what CIS does too often when you allow an
application through your firewall is allow it access to all 65,535 ports, essentially leaving
65,535 doors open to your PC and Network… not wise and will eventually result in a
Right click on your network name, Add - New Address - IPv4 Single Address and
add the DHCP Server address from your router (for many, this will be 192.168.1.1,
192.168.2.1, or whatever you use for a custom IP. For example, I use 126.96.36.199 and it is
the IP that is used to login to your router)
Right click on your network name, Add - New Address - IPv4 Single Address -
and add your DHCP Server IP, but this time with 255 at the end
(192.168.1.255, 192.168.2.255, etc.)
Right click on your network name, Add - New Address - IPv4 Single Address and
Right click on your network name, Add - New Address - Host Name
and add your computer’s host name [found by opening up a command
prompt and typing ipconfig /all and “Host Name” will be the very first line
Repeat Step 2 and Name it “Multicast Reserved”
Right click on Multicast Reserved, Add - New Address - IPv4 Address Range
188.8.131.52 - 184.108.40.206
Add Application Rules
Go to Advanced Settings - Firewall - Application Rules, right click and select Add
- Name: Windows Operating System
- Rules (I will list them in reverse, so that when you add them, they will be in the correct
Ask and Log All Unmatching Requests (IP In/Out Any)
- Allow Outbound UDP on 137 to Multicast Reserved on 137
- Allow Outbound UDP from Link-Local on 137-138 to Link- Local on 137-138
- Allow Outbound TCP to Microsoft Update on 8531
- Allow Outbound TCP to Microsoft Update on 8530
- Allow Outbound TCP to Microsoft Update on 443
- Allow Outbound TCP to Microsoft Update on 80
- Block and Log ICMPv6 Traffic
Block and Log ICMPv4 Traffic
* Allow IP Traffic within [input your network name here] from your network
zone to your network zone (IP In/Out, Any)[/i]
-----Once finished with Step 2, your rules should begin with Allow IP Traffic within your network name here and end with Ask and Log All Unmatching Requests (IP In/Out Any) for a total of 10 application rules under “Windows Operating System”.-----
A few additional suggestions…
There are a few Global Rules that everyone should have:
These should be ordered chronologically, as written below, and unlike the rules above, you’ll have to manually reorder each rule once added
1. Block and Log Outbound Traffic to “Public” [IP In/Out From Any on Any to
Network Zone Public on Any)
2. Block and Log Inbound Traffic from “Public” [IP In/Out From Network Zone
Public on Any to Any on Any)
- The “Public” Network Zone should be added to the Block List under
Network Zones, no exceptions.
3. Allow IP Traffic within your network name [home network] [IP In/Out from
Network Zone “your network” on Any to Network Zone “your network” on any]
4. Block and Log TCP\UDP Traffic within Link-Local on 135 - 139 (RPC) [TCP/UDP In/Out from
Link-Local on 135-139 to Link-Local on 135-139]
EDIT: 4. Block and Log TCP/UDP Traffic on 135 - 139 (RPC) [TCP/UDP In/Out from EXCLUDE Link-
Local on 135-139 to EXCLUDE Link-Local on 135-139; to exclude, tick the “exclude” check box
and exclude only Link-Local, NOT the port range 135 - 139]
5. Block and Log TCP/UDP Traffic on 445 [TCP/UDP In/Out from Any on 445 to
Any on 445]
6. Block and Log TCP Traffic on 4444 [TCP In/Out from Any on 4444 to Any on
7. Block And Log Inbound Privileged Ports request [TCP/UDP In from Any on
Privileged Ports to Any on Privileged Ports]
8 . Block and Log IP Traffic when Protocol is ICMPv4 [IP In/Out from Any to Any
9. Block and Log IP Traffic when Protocol is ICMPv6 [IP In/Out from Any to Any
[b][i][u]ABOVE ALL ELSE, DISABLE [TURN OFF] WINDOWS FIREWALL FOR BOTH PUBLIC AND PRIVATE NETWORKS. IF WINDOWS FIREWALL IS NOT TURNED OFF, IT’S LENIENT RULES AND UNFETTERED PORT ACCESS WILL ALLOW INBOUND ACCESS TO YOUR DEVICES AND NETWORK AS THE LENIENT RULES SUPERCEDE COMODO’S FOR SOME REASON. I HAVE NO CLUE WHY, ALL I KNOW IS IT OCCURS AND QUITE FREQUENTLY WITHOUT THE USER KNOWING.
THE CIS INSTALLER WILL TELL YOU IT’S TURNED OFF WINDOWS FIREWALL… NOT SO IN THREE DIFFERENT OCCASIONS ON MY WIN 8.1 PRO PC. TO BE ON THE SAFE SIDE, VERIFY IT’S TURNED OFF BEFORE AND AFTER YOU RESTART FOLLOWING AN INSTALL/REINSTALL AND PERIODICALLY CHECK IT EVERY FEW WEEKS TO MAKE SURE IT STAYS DISABLED.[/u][/i][/b]
While Windows Firewall is far more complex than any consumer grade firewall, resembling that of more complex enterprise level firewalls, it’s default settings are set up in such a way it allows unfettered port access, inbound and outbound. If a person was to take the time to customize Windows Firewall, it would be more secure than Comodo Firewall in the end as there are many features that allow you far more control over outbound and inbound traffic… it simply takes a decent amount of time to customize. If a person was interested in customizing it, I would wait until you’ve got Comodo Firewall (or other consumer grade firewall) customized the way you want it, then copy the settings one by one over to Windows Firewall. Once that’s done, there will be other options that will need to be setup and customized which will make Windows Firewall one of the most secure firewalls you’ll ever use… it simply take a lot of time to customize and set up.
By no means am I an expert in network security, and know very little about it, however my advice above is written from the hours of research I’ve done to make sure I have an extremely secure firewall after I noticed multiple devices showing up in my Network places on Windows 8 that shouldn’t have been there. These individuals gained access via the superseding unfettered access Windows Firewall was giving (even though it should have been disabled and I still have no clue how it became re-enabled). After realizing these individuals had probably been in my network for months, I became extremely ■■■■ about traffic in and out of my PC. If anyone cares to see how I’ve set up my firewall, they can download my configuration file at: http://1drv.ms/1qhEnHt