Comodo is working or not?

I have used Kerio, ZAP and trial of Kaspersky Antihacker in the past and i used to get off and on alerts about blockage of inbound attempts( high risk, medium risk etc). I am not getting any such event logged with Comodo even after many weeks of use. In the log window however there are some medium risk inbound attempts denied.
I wonder is it really stopping any inbound attempts or it is just a logging issue.

Thanks

 

I get mostly medium severity logged hits also. About the only time I get a high risk if I start a new application that I have not configured. Very rarely have I had a high risk involving something that was not my doing. If you want alerts, you could go to security > advanced > misc. > configure and move the alert frequency level up. It wouldn't hurt to at least slide it up and down do get an idea of what type of alerts are possible. I think by default it is set to low. Thats what mine is set at anyways after reinstalling ver. 2.3 the other day. I hope this helps.

 

I mean network inbound attempts, not application behaviour.

I don,t want popups. I was talking about logging of events not the pop ups. I lowered popups to very low level with no pop ups for comodo certified applications and disabled COM/ OLE automation thing, still I get popups that I don,t want.

 

Go to the ShieldsUp! site and do a "All service ports" stealth test.

 

Are you behind a router with firewall, don't have any alert window about some dangerous action by some program, or you don't use P2P?

If yes, that could be normal...

 

I might be mistaken, but I think the risks go back to 0 at the end of each day. I just checked mine and it says 0 high risks at 9AM.

 

Comodo is a great firewall(better than zonealarm).See the results at
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php
If you want to see the inbound attempts blocked.Click on activity tab at the top and then click logs in the side.

 

As I told there are some medium risk attempts.

 

I don,t use P2P. I use a proxy server for dia up. But it has been so since long.

 

I am not sure about this. Don,t expect so BTW.

 

It's hard to say what is happening without seeing the rules you've created. As far as rules, Comodo will log any rule that is created if you check the "Create and alert if this rule is fired" box (by right-clicking on a rule and choosing "Edit.") If the box is not checked (or if your rule does not say "Block & Log" or "Allow & Log") then the occurance won't be logged. I have a total of 17 network rules for Comodo, with all but 2 set to be logged, and my log each day is usually quite large. A couple to play with just to see if Comodo is working correctly that you might want to add:

Block & Log/TCP-UDP In/Any/Any/Where Source Port is ANY and Destination Port is 1024-1029

Block & Log/TCP-UDP In/Any/Any/Where Source Port is ANY and Destination Port is 137-139 (Unless you use NetBIOS for network, router, etc.)

I also have other rules that prohibit inbound connections from certain IP ranges and incoming to other frequently-exploited ports.

Even with the first rule (Ports 1026-1029), you should have a pretty healthy log, as these ports are always being randomly probed.

Also keep in mind that the ORDER of the rules is extremely important. For example, if you were to have a rule such as:

ALLOW TCP/UPD In Any Any Where Source port is Destination is ANY and IP is ANY, then had the block rule below it, Comodo would never get to the block rule as the traffic would have already been allowed. In my ruleset, I have my bad IP block rules (first 3 rules) first, then several allow rules for specific IPs and ports, then more block rules to block all the bad stuff, then my allow rules afterward. At the end is the generic block rule that blocks any other traffic that isn't specified in the rules. Hope this helps answer your questions.

 

Also, i think for Comodo, blocked inbound is not considered high risk, unless some parameters are met. It's blocked, there was a rule for that, so no big risk, and no use alarming the user.
For outbound, there's no rule for that app, so it's high. This is all subjective, but logical in its own way.

Now that i'm testing Kerio 2.1.5, i see that it really needs improvement in the logs area, but this is not critical IMO.

 

Thanks for replies.
@KDNeese
I am not knowlegable about networking/ firewall rules etc. I just use simple default rules

 

OK. That was what I was wondering about. With those default rules in place, you aren't going to see a whole lot in your log. Things are going to be blocked regardless, but won't generate a log entry unless the activity matches a specific rule that you've marked to be logged. Just for experiment's sake, why don't you try creating a rule blocking what are called the "trojan ports," Ports 1024-1029, and make sure you mark the rule to be logged. Put the rule at the TOP of your network rules. This won't affect your browsing or anything else, as Comodo already blocks these ports via the default block rule at the bottom of your list. To add this rule, just right click your top network rule and select "Add Rule > Add Before." Then just follow my example above, making sure the "Create an Alert" box is checked. Then after a while check your log. It will have grown significantly. Like I said, adding this particular rule won't make any changes in your browsing or anything else. It will simply place in the log what has already been happing behind the scenes. Try it and let me know how it goes, as I'd be curious to see the result. Also, if you want to tighten Comodo down and create some rules that will help do so, I or others more knowledgeable than myself would be happy to walk you through it step-by-step. The rules are actualy very easy to create once you undestand Comodo's little nuances.

 

Hi KDNeese, thanks a lot. I will guve it a try but hepofully after few days when I get my own laptop back.

Thanks

 

I'm new to this port-blocking as well. are these all the xp ports outbound/inbound that should be blocked at the software FW level (for basic surfing) and when you say blocking the trojan ports do you mean block from these ports to any ports outbound. sorry, I'm new to this and just learning as well. I think you mean blocking ports 1024 thru 1029 outbound to any , but I'm not sure. (out/in). thx

 

No, I mean blocking any INBOUND connections. No reason to block them outbound from your computer, as in many instances they are necessary. Just so there's no confusion, OUTBOUND is going FROM your computer to the net. INBOUND means someone from the net is attempting to connect to your computer (which can be legitimate or not). So, you want to block inbound connections to these ports. In reality, you really don't need extra rules to specifically block these ports, as your firewall should be blocking them regardless. I only suggested creating the rule for logging purposes. Basically, if you were to create this rule, you would see a lot of entries for blocked IPs in this range, especially for ports 1026, 1027, 1028 & 1029. That doesn't mean that someone is trying to hack you. These are basic service ports for services such as DCOM, so the entry could simply be an ISP doing a scan for whatever purpose. However, at the same time, these are ports that are often exploited by hackers. Following are the rules I have set up and the order in which I have them, along with my comments in brackets:

Block UDP In: Ports 135-139 [These are your NetBIOS ports]
Block TCP or UDP In: Ports 1024-1030 [The so-called "trojan ports"]
Block TCP or UDP In: Ports 123, 135, 445, 1433, 1434 [These are other service ports to which I do not want incoming connections]
Block TPC or UPD In: Ports 23,363,531,1243,3306,4333,5190,6667,6776,10008,23456 [These are other ports I want to protect, such as Telnet, RSVP, Gateway, etc]
Block 200.x, 210.x, 211, 219, 220, 221 [These are simply bad IP ranges that I want to block, and have set them up in the "zone" categories]
Block TCP or UDP In: 199.95.207.0 - 199.95.208.255 [Another IP range that is blocked, connected with Doubleclick, spammers, etc]
Block IGMP to Any [Protocol that I don't need and wish to block]
Allow TCP/UDP out to any port [This is my allow rule that comes after my block rules that allows Internet access, etc. I don't like allowing TCP/UDP IN, but Comodo is kind of strange in that it is required. I still don't really like the idea, but Comodo swears it's safe. Still makes me nervous.]
Allow ICMP IN - Port Unreachable [The next five are just my preference, and you may not want to have these rules. This has to do with total stealth, which is not always the best idea, and actually totally stealthing your computer is not legal. The reasons I have my rules the way I do is much too involved to get into in this thread.]
Allow ICMP In - Protocol Unreachable
Allow ICMP Out - Echo Request
Allow ICMP IN - Fragmentation Needed
Allow ICMP In - Time Exceeded
Allow IP out where IPProto is GRE [This rule is one of Comodo's default ones.]
Block IP In/Out where IPPROTO is ANY [Same with this one - default rule or the "block all the rest" rule.

Like I said, you don't really need to create specific rules to block the vulnerable ports, as your firewall should be blocking anything that isn't allowed. However, I don't like leaving things to contingency, so I like having rules in place to make sure that all the ports are blocked that I want blocked. Also understand that blocking these ports inbound will not affect your surfing. For the most part, your browser uses port 80 for http and port 443 for secure sites (https). Your email client should be allowed to use ports 25, 110 for pop mail. IMAP mail uses different ports, such as 143. I would do some research and study until you understand how the rules work, ports, etc before trying to create too many rules. Anyway, hope this gives you a little more info. Also hopes it makes sense, as I've tried to cram a lot of info into this post.

 

Great stuff KDNeese ! I am now also using Comodo and am fairly pleased, although using it with Proxomitron (localhost proxy server) still confuses me, but I think that the default setting of Skip loopback TCP disabled (not ticked), is OK as, taking opera.exe as an example, the first alert will prompt for a connection to 127.0.0.1, and then there will be an alert prompting for Proxomitron to connect.

BTW a tiny (about 39 KB) application called Seconfig XP completely closes netbios ports and more. Here is the link. http://seconfig.sytes.net/

Regards.

 

KDNeese, I see no reason to make extra rules since that final block all rule is already set to log? It is set to log with a purpose. When you run some software and it is not working, to check what unsolicitated connections need to be allowed incoming. So I cannot understand your posts, except that they contain other usefull information. But as told I see no need to make any extra redunndant blocking rules.

I don't run Comodo currently, nor intend to until a new version that might fix the cryptic log window. So I may have misunderstood something.
Jarmo

 

KDNeese-- ...thx

 

From one of my posts above:

While all the extra rules may not be necessary for most people, I simply provided some experimental rules just to check Comodo's logging for those who wanted to do so. At the same time, the final block rule's purpose is to block any other protocol or connections that aren't allowed by the other rules. I prefer to limit the freedom my applications have so they are using the ports, etc that they should be using. For example, I want my browser to use port 80 for http and port 443 for https. One simple reason for that - if some piece of malware were to hijack my browser and attempt to communicate through some other port, it would be unable to do so if my rules are configured properly. That is a simplistic example, but is also something that happens in the real world. As others have suggested here, there are other ways to do things, but for me it's just simpler to create a rule in my firewall. Also, if I have rules created limiting my vulnerable ports, that means of some trojan, let's say, tried to use the Telnet port (23)to phone home, it could not do so, since I have port 23 blocked in my firewall rules. It is common practice for malware to hijacks browsers, applications, etc and piggyback on those apps that have already been given permission in the firewall rules to access the Inernet. If, through rules creation, you limit the ports (and/or IP ranges) through which apps can communicate, this lessens the likelihood of some piece of malware being able to contact the hacker who placed it there. Granted, there are many ways to get around any security measures we take, but good firewall rules are one of those weapons that we can use to lessen the chances of our systems being compromised.

 

Hi, I made a rule like this but still I see only medium risk logging. No high risk attempts.
I however must explain that I am a very safe surfer and surf only few legitimate sites. No p2p,
and no IM. I use dial up and a proxy server that has a filter( mainly for sex). I have no router though.

 

KDNeese,

I do not see any rules set up for this. One point to note, a browser will connect out to remote ports 80/443 using local ports >1024

Your rule will not prevent any outbound connection from that port, so a Trojan could connect out on that port and download.


edit:
You would be better to split the last block rule into protocols. IE: block inbound TCP: Block inbound UDP etc, etc.
To restrict the lower reserved ports (for possible "phone home" from local port 23 etc), set a rule to allow outbound only for local ports above 1030 (with the exception of ports 67/68 for DHCP, if needed)

 

Hi aigle,

For inbound blocking, should you not be setting the remote(source) ports as any, and the local ports(destination) as 1024-1029 (unless comodo as a strange rules system?)

 

Thanks for correction. I will correct. Sorry, I never made such rules. No idea at all.
Like this u mean?