WOS intrusion attempts on uTorrent port.

What’s this all about? (:NRD)

Over 13,000 intrusion attempts and uTorrent isn’t even running. (R)

You know that uTorrent isn’t running. All those other machines that know about your machine don’t know that uTorrent isn’t running.

Until it dawns on each of those other machines out there that your uTorrent is down, they’ll keep knocking on the door to see if anybody is home.

Sounds reasonable. Is that why they’re labeled WOS rather than uTorrent?

BTW, I’m using pandlouk’s rules.

Because uTorrent isn’t running, by default all unknown packets are destined for ‘the system’.

Thanks grue. You can close this thread if you’d like.

Perfect timing! My question on exactly this line is how to disable logging for this WOS event, namely

“DONT log UDP/TCP IN where source IP/port is any and dest IP is [My IP] and port is [uTorrent Port]”

I want other events that filter all the way to WOS logged, just not these thousands of known attempts…

Thx, --MM

Maltby, I haven’t but you may want to try this.


Thanks for link / quick reply

Added “block but don’t log all IN to [uTorrent Port]” as last rule in WOS and they went away. No effect on uTorrent functionality (it is higher in rules list…).

Thanks again

What are your rules for “system”? I have outgoing only which are, allow outgoing TCP and UDP requests, block and log all unmatching requests.

I don’t mind the logs that much and can check who’s knocking after hours. I saw one was a company connected with IANA.

Mine too.

“System” allows IP ANY out, blocks all others
“Windows Operating System” also specifies TCP/UDP out blocks all others, with the new rule for “block dont log utorrent port” that we discussed. I’m curious, why are you curious?

PS I guess I don’t really mind the logs either… I DID mind not knowing how to control them…

The closest I saw to WOS in firewall application rules was “system” so I’m assuming that’s WOS.

Why am I curious, about what? If you mean making the rule to not log WOS blocks after I close uTorrent, just that but I’m not sure where to put it.

PS I see where if I want to add an application rule I can pick “Windows System Application” from file groups.

Right. I’m using “WOS” to mean the Comodo application “Windows Operating System” which can be created from ->Running Processes… versus “System” which shows up automatically. I created my “WOS” application entry some time ago while solving another, forgotten, problem.

Looking at it, and the way the process tree is structured (with “System” being the only process in “WOS”), I am beginning to think that my use of WOS is redundant. The block that is the topic of this thread might be placed in as the last rule in “System” just as effectively? I haven’t done any testing yet…

I put the block rule in WOS because that’s where the log entries are coming from. It may not be the cleanest way, looking at it… hmmm. I want the block at the highest logical level available when uTorrent is not running. Double hmmm…

“System” versus “Windows Operating System (WOS)”. I can’t say I fully know how to use them well. How does rule order interact with process hierarchy? Dang! Time to read the documentation! :’(
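
The "block but don’t log" rule discussed in the thread, modelled as an added example that is not part of the original posts and is not Comodo’s code. It assumes top-down, first-match rule evaluation and a default of block-and-log for unmatched traffic; the port number, rule names and sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

UTORRENT_PORT = 51413  # constructed value standing in for [uTorrent Port]

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    direction: str         # "in", "out" or "any"
    port: Optional[int]    # destination port; None matches any port
    log: bool = False

    def matches(self, direction, port):
        return self.direction in ("any", direction) and self.port in (None, port)

def evaluate(rules, direction, port):
    """First matching rule wins; unmatched traffic is blocked and logged (assumed default)."""
    for rule in rules:
        if rule.matches(direction, port):
            return rule.action, rule.log
    return "block", True

def decide(packet, utorrent_running, wos_rules):
    """Return (action, logged) for a (direction, dest_port) packet."""
    direction, port = packet
    # uTorrent's own rule sits higher and only applies while it is listening.
    if utorrent_running and packet == ("in", UTORRENT_PORT):
        return "allow", False
    return evaluate(wos_rules, direction, port)

ALLOW_OUT = Rule("allow", "out", None)
QUIET_BLOCK = Rule("block", "in", UTORRENT_PORT, log=False)
LOGGED_CATCH_ALL = Rule("block", "any", None, log=True)

WOS_ORIGINAL = [ALLOW_OUT]                                  # default block logs every knock
WOS_QUIET_LAST = [ALLOW_OUT, QUIET_BLOCK]                   # the change made in the thread
WOS_SHADOWED = [ALLOW_OUT, LOGGED_CATCH_ALL, QUIET_BLOCK]   # quiet rule is never reached
WOS_ABOVE_CATCH_ALL = [ALLOW_OUT, QUIET_BLOCK, LOGGED_CATCH_ALL]

if __name__ == "__main__":
    packets = [("in", UTORRENT_PORT), ("in", 445), ("out", 443)]  # constructed traffic
    for name, rules in [("original", WOS_ORIGINAL), ("quiet last", WOS_QUIET_LAST),
                        ("shadowed", WOS_SHADOWED), ("above catch-all", WOS_ABOVE_CATCH_ALL)]:
        for pkt in packets:
            print(name, pkt, decide(pkt, utorrent_running=False, wos_rules=rules))
```

In this model a rule set that already ends in an explicit "block and log all unmatching requests" entry needs the quiet rule placed above that entry, otherwise the logged catch-all matches first and the noise stays in the log.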