How to Optimize Security in Comodo V 2.4.18.184-Learning Thread 2

Discussion in 'other firewalls' started by Escalader, Jun 6, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem and Escalader have agreed to start a second Firewall learning thread.

    Stem is the FW expert and Escalader is once again playing the learner role, asking questions, making tests, observations and speculating on conclusions. Conclusions if any will be verified by Stem.

    This time it deals with Comodo Version 2.4.18.184

    FYI, Comodo is currently focusing their effort on V3 Beta and ideas for that should best be posted on their forum in that category.

    Again, please don't use the thread as a Comodo Organization bashing or support complaint opportunity. All that stuff achieves nothing on a technical knowledge level.

    So please restrict posts to technical content questions and answers please!

    The following question(s) should start the ball rolling.

    1. What loopback settings should users set to maximize security? (see attached jpg)
    2. How to determine what IP's / sites to block in the network control rules (see attached jpg)
     

    Attached Files:

  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is just the same questions as, if the "loopback" should be in a trusted zone or not. On a clean OS with no local proxy, you should be able to trust (skip) loopback.
    I normally just go from spyware/bogon IP list info.

    You may also want to change (uncheck) the setting (pic 2 ~Firewall alerts):- "Do not show alerts for the applications certified by comodo", so that you are prompted for all program access to the internet.

    In the program settings (pic 2),
    1,~ Automatically check for program file updates. : (This will allow comodo to connect out to check for any updates, and you will be posting asking why!)
    2,~ Automatically check comodo certified application updates: (if I remember correctly, comodo will connect out to check certificates for applications, so again, you may see outbound connections due to this setting)
     
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I also disable updates and certified apps. It's not that i don't trust Comodo, but i always want to see everything. And if you consider that system is a "safe" item, all the more reason. You'll still see Comodo recognizing safe applications, but you will get prompts.
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I think we are saying here that on a clean OS with no local proxy, you should be able to trust (skip) loopback. IE both of them?

    I have (unchecked) the setting "Do not show alerts for the applications certified by comodo", so for now in learning mode I am prompted for all program access to the internet.

    Okay, I made some changes, CFW help default leaves TCP unchecked, because of potential trojans. Don't see how I can suffer there. How do I scan my PC for possible P2P applications? Is that what the CFW certificate check is doing?

    (I turned off those "call homes" for now, due to the history I have been through on these)


    Please comment on my version 2 settings attached
     

    Attached Files:

  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    recently un-installed ZA pro for unexplained call homes. These were unrelated to the need to update their product.

    I then installed CFW with a lot of help from CFW forum and this one!

    Having developed a blocked ip list of my own from the ZA experience I imported it into CFW network rules. One range entry I had was for Checkpoint Irving State U.

    Tonight you can imagine my surprise when the CFW log showed that they are still attempting to send packets from my PC to their site!

    Why are they doing this? What program on my PC is doing this?

    After the WHOIS check I am now expanding the block range out (see attached whois report)

    How do I stop this? Other than running about like trying to plug holes in a dike? by blocks.

    Does anybody care about this sort of thing?:mad:

    PLEASE someone out there put the range in your pc and see if it happens to you as well.!
     

    Attached Files:

  6. Doc Serenity

    Doc Serenity Registered Member

    Joined:
    Apr 4, 2007
    Posts:
    105
    Thanks to both of you for doing this series. I look forward to learning.
    Where can I find a good list of the technical terms used by you and Comodo?
    Or, in lieu of that, could you give a brief explanation of the terms used?
    I don't think I'm the only person that would benefit from this.
    Thanks.
    Doc
     
  7. xpsunny

    xpsunny Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    163
    Does Comodo blocks banners?
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Escalader, make sure you uninstalled everything. Use Process Explorer for instance, and try to account for every process. Google them. That's what i would do anyway.
    No. NoScript + Adblock.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Where you browsing at the time, as it may of been redirects from sites you visited (for advertisement?). Or did the connection attempt while you had all browsers closed?
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Try here to start
    If you see a post with ref to anything you do not understand, then simply post and ask. It is why the forum is here.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Pedro:

    This is a possible :doubt:explanation. This AM I revisted the ZA removal file list.
    One I had missed was vsconfig.xml in C:\windows\Systems32\Drivers\vsconfig.xml.

    I deleted it. I have now allowed loopback on UDP and TCP to be logged again so we will see.

    The ? arose on CFW forum re to test if the range of ZA bad ip's is being contacted users don't have to install/uninstall ZA. Just block the ip's and log the connects if any.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Nope, no browsing no adds under way. It was during bootup. See my reply to Pedro on the driver I missed on uninstall. The ZA uninstall process is not well, shall we say thorough.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That info would of helped.

    Download HJT and PM me the log. I would like to check the startups etc.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Sorry Stem, I think I need a checklist of questions to answer for you!:oops:

    At any rate, I have PM's you the HJT log.

    I have also now run CFW's wizard on Network connections and it puts in 2 rules on top of the list allowing IN/OUT any IPPROTO to from Zone Intel(R) PRO/100 VE Network connection packet scheduler Mini Port 198.168.1.0/192.168.1.255

    This sounds like the trusted/internet subject again but it isn't since it trusts the network card which is NOT physically in the router which in our world view of security excludes the router. Tell me I'm wrong but this seems in line with that view?
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re:My ISP scanned my ports

    Hey Pedro:

    Here's one for you and Stem, I'm not sure this is OT re CFW but it happened!

    BTW where can I get a clean version of Process Explorer and link?

    Got a bit of a shock yesterday. Here is what happened and I would like some ideas / facts as to what went wrong here if anything.

    I had forgotten that many moons (before CFW) ago my own isp's ip was in the trusted zone of IE6.
    I have now removed it, but I always use FF anyway UNLESS S/W uses IE by default.

    Then I got this log: I have never knowingly been scanned before!

    COMODO Firewall Pro Logs
    Date Created: 15:30:46 08-06-2007
    Log Scope:: Today Date/Time :2007-06-08 15:04:44
    Severity :High
    Reporter :Network Monitor
    Description: UDP Port ScanAttacker: xx.yy.zzz.198
    Ports: 43783, 34055, 38151, 29703, 40455, 37895, 38407, 40711, 37639, 40967, 33799, 41223, 37127, 30215, 41479, 41991, 41735, 35079, 39431, 42503, 43015, 35335, 39175, 43271, 43527, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    The attacker has been temporarily blocked
    End of The Report
     
    Last edited: Jun 9, 2007
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: My ISP scanned my ports

    I have seen this 2 or 3 times before, and at that time I ran a number of checks to see the alerts of scanning against comodo (I cannot at this time find the posts made (on this forum) on this), but the conclusion was that this is a possible bug in comodo. (Note:- You have to consider the fact, you are behind a router that will in itself block such scanning)
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: My ISP scanned my ports

    Right, that what I thought a, "fake" scan alert.

    Check this CFW forum thread as there is another theory/solution posted.

    http://forums.comodo.com/index.php/topic,9665.msg70103.html#msg70103

    Others there report it as well, but I (as usual) doubt the reason and the solution. Maybe they are right, the definition times of flood rates can be altered.

    I am doing zip.
     

    Attached Files:

    Last edited: Jun 9, 2007
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Re: My ISP scanned my ports

    More as a "possible bug".
    Port spoofing is certainly (easy) possible, but I do not see this from a DNS server.
    Even with(if) excessive DNS lookups, the replies should be allowed due to SPI UDP table.
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: My ISP scanned my ports

    This is moving (again:oops: ) over my head.

    So, Stem, what does the CFW user do? (In this case it is me!:eek: )

    When you say the replies should be allowed I haven't stopped them have I do you mean logs or something else by reply s being allowed?
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Basics:

    For an SPI firewall,.. this will normally consist of SPI for TCP. This is to check on replies from outbound connections, and to stop any inbound connections unless you place a rule to allow.
    UDP spi cannot be checked in the same way, there is less info within the packet, so, a table is created to log the outbound UDP packet (with available info (IP, port) and a time is allowed for the reply to this. So, for such as a DNS lookup, a log should be made of this outbound, and the returned(reply) allowed.

    For you, just ignore this alert when the IP is you own DNS server, this, to me is certainly a bug/problem with the firewall. Leave the settings as they are. (as I have mentioned, such scans will be blocked at your router, so do not worry, it is just a bug)
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks again Stem:
    Well, that's good. Now I have learned at least 2 things from this:

    1 S/W FW's have bugs, ZA Pro does and CFW does. Therefore users cannot assume the products $ one or free work properly.

    2 Better have a H/W firewall out front !

    Do we care in this thread about reporting bugs to supplier? I'm not doing it so unlike the ZA guys who claim they don't follow outside forums ;) I'm for now going to assume CFW is on top of these things for V3.

    What do you want to do next? How about "define a new trusted network"
    I already did that work, but I'd like to confirm it and make sure everybody else has that done right as well?
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As I have mentioned before, it is very difficult for a vendor to produce a firewall (or security app) that, such as comodo/ZA install deep into the OS, there will always be some problem on a particular setup, either due to other applications or the hardware drivers in use. I see these problems with many different outcomes, some firewalls will BSOD on my test PC, but if I change the NIC card, then no BSOD.

    It is a very good layer of defence.

    I am just following the thread, continue on as you would like.
     
  24. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Re: My ISP scanned my ports

    Probably this thread. https://www.wilderssecurity.com/showthread.php?t=169644&highlight=ocky

    Since using my ISP's proxy cache server (via Proxomitron) I have never
    encountered these UDP scans again. Ticket submitted to Comodo support
    - they are looking into it for version 3.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Re: My ISP scanned my ports

    Hi Ocky:

    Good, I just left that thread over their and am moving on to a new fishing hole now. Bug identified! Developers on it what could be better!:cool:
     
Loading...
Thread Status:
Not open for further replies.