How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2

Stem and Escalader have agreed to start a second Firewall learning thread.

Stem is the FW expert and Escalader is once again playing the learner role, asking questions, making tests, observations and speculating on conclusions. Conclusions if any will be verified by Stem.

This time it deals with Comodo Version 2.4.18.184

FYI, Comodo is currently focusing their effort on V3 Beta and ideas for that should best be posted on their forum in that category.

Again, please don't use the thread as a Comodo Organization bashing or support complaint opportunity. All that stuff achieves nothing on a technical knowledge level.

So please restrict posts to technical content questions and answers please!

The following question(s) should start the ball rolling.

1. What loopback settings should users set to maximize security? (see attached jpg)
2. How to determine what IP's / sites to block in the network control rules (see attached jpg)

 

This is just the same questions as, if the "loopback" should be in a trusted zone or not. On a clean OS with no local proxy, you should be able to trust (skip) loopback.

I normally just go from spyware/bogon IP list info.

You may also want to change (uncheck) the setting (pic 2 ~Firewall alerts):- "Do not show alerts for the applications certified by comodo", so that you are prompted for all program access to the internet.

In the program settings (pic 2),
1,~ Automatically check for program file updates. : (This will allow comodo to connect out to check for any updates, and you will be posting asking why!)
2,~ Automatically check comodo certified application updates: (if I remember correctly, comodo will connect out to check certificates for applications, so again, you may see outbound connections due to this setting)

 

I also disable updates and certified apps. It's not that i don't trust Comodo, but i always want to see everything. And if you consider that system is a "safe" item, all the more reason. You'll still see Comodo recognizing safe applications, but you will get prompts.

 

I think we are saying here that on a clean OS with no local proxy, you should be able to trust (skip) loopback. IE both of them?

I have (unchecked) the setting "Do not show alerts for the applications certified by comodo", so for now in learning mode I am prompted for all program access to the internet.

Okay, I made some changes, CFW help default leaves TCP unchecked, because of potential trojans. Don't see how I can suffer there. How do I scan my PC for possible P2P applications? Is that what the CFW certificate check is doing?

(I turned off those "call homes" for now, due to the history I have been through on these)


Please comment on my version 2 settings attached

 

recently un-installed ZA pro for unexplained call homes. These were unrelated to the need to update their product.

I then installed CFW with a lot of help from CFW forum and this one!

Having developed a blocked ip list of my own from the ZA experience I imported it into CFW network rules. One range entry I had was for Checkpoint Irving State U.

Tonight you can imagine my surprise when the CFW log showed that they are still attempting to send packets from my PC to their site!

Why are they doing this? What program on my PC is doing this?

After the WHOIS check I am now expanding the block range out (see attached whois report)

How do I stop this? Other than running about like trying to plug holes in a dike? by blocks.

Does anybody care about this sort of thing?

PLEASE someone out there put the range in your pc and see if it happens to you as well.!

 

Thanks to both of you for doing this series. I look forward to learning.
Where can I find a good list of the technical terms used by you and Comodo?
Or, in lieu of that, could you give a brief explanation of the terms used?
I don't think I'm the only person that would benefit from this.
Thanks.
Doc

 

Does Comodo blocks banners?

 

Escalader, make sure you uninstalled everything. Use Process Explorer for instance, and try to account for every process. Google them. That's what i would do anyway.

No. NoScript + Adblock.

 

Where you browsing at the time, as it may of been redirects from sites you visited (for advertisement?). Or did the connection attempt while you had all browsers closed?

 

Try here to start

If you see a post with ref to anything you do not understand, then simply post and ask. It is why the forum is here.

 

Pedro:

This is a possible explanation. This AM I revisted the ZA removal file list.
One I had missed was vsconfig.xml in C:\windows\Systems32\Drivers\vsconfig.xml.

I deleted it. I have now allowed loopback on UDP and TCP to be logged again so we will see.

The ? arose on CFW forum re to test if the range of ZA bad ip's is being contacted users don't have to install/uninstall ZA. Just block the ip's and log the connects if any.

 

Nope, no browsing no adds under way. It was during bootup. See my reply to Pedro on the driver I missed on uninstall. The ZA uninstall process is not well, shall we say thorough.

 

That info would of helped.

Download HJT and PM me the log. I would like to check the startups etc.

 

Sorry Stem, I think I need a checklist of questions to answer for you!

At any rate, I have PM's you the HJT log.

I have also now run CFW's wizard on Network connections and it puts in 2 rules on top of the list allowing IN/OUT any IPPROTO to from Zone Intel(R) PRO/100 VE Network connection packet scheduler Mini Port 198.168.1.0/192.168.1.255

This sounds like the trusted/internet subject again but it isn't since it trusts the network card which is NOT physically in the router which in our world view of security excludes the router. Tell me I'm wrong but this seems in line with that view?

 

Re:My ISP scanned my ports

Hey Pedro:

Here's one for you and Stem, I'm not sure this is OT re CFW but it happened!

BTW where can I get a clean version of Process Explorer and link?

Got a bit of a shock yesterday. Here is what happened and I would like some ideas / facts as to what went wrong here if anything.

I had forgotten that many moons (before CFW) ago my own isp's ip was in the trusted zone of IE6.
I have now removed it, but I always use FF anyway UNLESS S/W uses IE by default.

Then I got this log: I have never knowingly been scanned before!

COMODO Firewall Pro Logs
Date Created: 15:30:46 08-06-2007
Log Scope:: Today Date/Time :2007-06-08 15:04:44
Severity :High
Reporter :Network Monitor
Description: UDP Port ScanAttacker: xx.yy.zzz.198
Ports: 43783, 34055, 38151, 29703, 40455, 37895, 38407, 40711, 37639, 40967, 33799, 41223, 37127, 30215, 41479, 41991, 41735, 35079, 39431, 42503, 43015, 35335, 39175, 43271, 43527, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
The attacker has been temporarily blocked
End of The Report

 

Re: My ISP scanned my ports

Process Explorer (ZIP file)
Sysinternals Home

 

Re: My ISP scanned my ports

I have seen this 2 or 3 times before, and at that time I ran a number of checks to see the alerts of scanning against comodo (I cannot at this time find the posts made (on this forum) on this), but the conclusion was that this is a possible bug in comodo. (Note:- You have to consider the fact, you are behind a router that will in itself block such scanning)

 

Re: My ISP scanned my ports

Right, that what I thought a, "fake" scan alert.

Check this CFW forum thread as there is another theory/solution posted.

http://forums.comodo.com/index.php/topic,9665.msg70103.html#msg70103

Others there report it as well, but I (as usual) doubt the reason and the solution. Maybe they are right, the definition times of flood rates can be altered.

I am doing zip.

 

Re: My ISP scanned my ports

More as a "possible bug".
Port spoofing is certainly (easy) possible, but I do not see this from a DNS server.
Even with(if) excessive DNS lookups, the replies should be allowed due to SPI UDP table.

 

Re: My ISP scanned my ports

This is moving (again ) over my head.

So, Stem, what does the CFW user do? (In this case it is me! )

When you say the replies should be allowed I haven't stopped them have I do you mean logs or something else by reply s being allowed?

 

Basics:

For an SPI firewall,.. this will normally consist of SPI for TCP. This is to check on replies from outbound connections, and to stop any inbound connections unless you place a rule to allow.
UDP spi cannot be checked in the same way, there is less info within the packet, so, a table is created to log the outbound UDP packet (with available info (IP, port) and a time is allowed for the reply to this. So, for such as a DNS lookup, a log should be made of this outbound, and the returned(reply) allowed.

For you, just ignore this alert when the IP is you own DNS server, this, to me is certainly a bug/problem with the firewall. Leave the settings as they are. (as I have mentioned, such scans will be blocked at your router, so do not worry, it is just a bug)

 

Thanks again Stem:
Well, that's good. Now I have learned at least 2 things from this:

1 S/W FW's have bugs, ZA Pro does and CFW does. Therefore users cannot assume the products $ one or free work properly.

2 Better have a H/W firewall out front !

Do we care in this thread about reporting bugs to supplier? I'm not doing it so unlike the ZA guys who claim they don't follow outside forums I'm for now going to assume CFW is on top of these things for V3.

What do you want to do next? How about "define a new trusted network"
I already did that work, but I'd like to confirm it and make sure everybody else has that done right as well?

 

As I have mentioned before, it is very difficult for a vendor to produce a firewall (or security app) that, such as comodo/ZA install deep into the OS, there will always be some problem on a particular setup, either due to other applications or the hardware drivers in use. I see these problems with many different outcomes, some firewalls will BSOD on my test PC, but if I change the NIC card, then no BSOD.

It is a very good layer of defence.

I am just following the thread, continue on as you would like.

 

Re: My ISP scanned my ports

Probably this thread. https://www.wilderssecurity.com/showthread.php?t=169644&highlight=ocky

Since using my ISP's proxy cache server (via Proxomitron) I have never
encountered these UDP scans again. Ticket submitted to Comodo support
- they are looking into it for version 3.

 

Re: My ISP scanned my ports

Hi Ocky:

Good, I just left that thread over their and am moving on to a new fishing hole now. Bug identified! Developers on it what could be better!