Shields Up & PC Flank Port Scanning

Discussion in 'other firewalls' started by Dieselman, Feb 25, 2008.

Thread Status:
Not open for further replies.
  1. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    It seems like many users don't understand how these tests work. Shields Up gives you a good explanation if you read all the way through and not just click scan all ports. I have used many different firewalls and I always get the same results in Shields Up and PC Flank. All ports are not stealthed. With Shields Up the first top row or so would be blue then the rest green. Now this test WILL NOT BE accurate of a software firewall but it will be accurate of a hardware firewall. If you are behind a router or a modem with a built-in hardware firewall, Shields Up and PC Flank will test your hardware firewall first. People panic when the test comes up failed and think Comodo isn't protecting them. So I did 2 tests. One with my 2Wire Gateway DSL modem at default values and running Comodo 3.0. I went to Shields Up and ran the "All Service Ports" scan. The test failed and all ports were not stealthed. Was this Comodo's fault? Was Comodo not up to snuff? Not. Because Shields Up is testing my 2Wire first. Then I went into my modem settings by typing in my IP address into Firefox's web address bar. Then I saw all my 2Wire modem settings. I went to firewall and checked off "Stealth Mode" and "Block Ping". I then went back to Shields Up and the test passed with flying colors and all ports stealthed. What does this mean? It means that when you fail the Shields Up test, don't blame Comodo or any other software firewall you are using. This only applies to people who have a hardware firewall. Also I ran this test years ago and not recently, but I thought I would share this info with people to help people understand. Thanks.
     
  2. wat0114

    wat0114 Guest

    Unless you are behind a "modem only" device, the results of the scans can be skewed with a hardware device that incorporates a built-in firewall and/or NAT, even if you disable stealth, block ping, or enable DMZ for your machine's IP address, especially if the IP that the scan "sees" is that of your hardware's WAN side and not that of your machine.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Also, your ISP might be using some kind of proxy which filters port scans.
     
  4. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    True. My main point of this was that people think if they fail the Shields Up test then their software firewall, whether it be Comodo, Online Armor, Zone Alarm or Kerio, is not working properly. Which is not true.
     
  5. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I'm also behind a NAT router (with firewall turned ON) and when I do a GRC Port scan all ports come up 'stealthed'. This should be okay then?
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Right, that's the expected result being behind NAT.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    And people overestimate the value of the "stealth status" and leaktests.
     
  8. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    There are 65535 TCP and UDP ports in Windows XP. Shields UP! only
    checks the first 1056 ports. My NAT router shows perfect stealth at GRC,
    but has some ports open above 1056. Nothing listening though.
     
  9. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    How do you check those other ports (above the first 1056)? Is there a way to check all of those?
     
  10. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Go :

    HERE

    and take the Ranged Security Scan
     
  11. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks FadeAway, very useful. :thumb:

    It does make me wonder why GRC only tests the first 1056 ports though.
     
    Last edited: Feb 26, 2008
  12. wat0114

    wat0114 Guest

    I think it's because these are the ports common Windows services listen on, so they are the most vulnerable to attack.
     
  13. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Just imagine how long it would take to load 65535 little green boxes!

    IIRC, GRC hits each port with multiple types of attack, so it would
    be very time consuming to run them all.
     
    Last edited: Feb 26, 2008
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes.

    Those for (typical) home users are the ports to ensure are filtered.
     
  15. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    So typical home users shouldn't worry about ports 1056 or over (at least when you don't have any other services running etc.)?
     
  16. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    A program, including a Remote Access Trojan (RAT), can be written
    to hold a port open in order to listen on it. The following scan tests
    some of the ports held open by some common Trojans.

    Try it.

    http://www.pcflank.com/trojans_test1.htm

    When it completes, look at the ports that it scanned. They are only
    a few of the possibilities.

    If you already know your machine is clean, then you have no worries.

    What I personally use a test like GRC for, is to ensure that my firewall
    is operating properly. I would not scan all 65535 ports unless I
    suspected something, but had no idea what I was looking for.

    Just my opinion.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For a home user, I would not expect any services on those ports, so at a minimum, the high ports should be showing as closed.

    If any port on the system is showing open, then checks should be made to see what is listening on that port.

    The lower ports are scanned >1056 because users can inadvertently allow services server rights, which can then open the ports used by those services (such as netbios/ dcom etc.)
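
The check described in the post above, seeing what is listening on a port, can be run on the machine itself, where a router or NAT device cannot mask the result. The following is an added example, not part of the original thread: it parses a constructed sample of English-language Windows `netstat -ano` output and lists listeners reachable from the network that fall outside the 1056 ports the thread says Shields UP! scans. The function names, the sample data and the reading of "first 1056 ports" as ports 0-1055 are assumptions.

```python
# Added example: find local listeners that a 1056-port external scan would not cover.
# Constructed sample of Windows `netstat -ano` output, not taken from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1672
  TCP    192.168.1.64:139       0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       2212
  TCP    192.168.1.64:1187      203.0.113.10:80        ESTABLISHED     3020
  UDP    0.0.0.0:1900           *:*                                    1260
  UDP    127.0.0.1:123          *:*                                    1100
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")
SCANNED_PORTS = 1056  # assumption: "first 1056 ports" means ports 0-1055


def parse_listeners(netstat_text):
    """Return (proto, address, port, pid) for each TCP LISTENING or bound UDP socket."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if fields[0] == "TCP" and fields[3] != "LISTENING":
            continue  # established connections are not listeners
        # rpartition keeps bracketed IPv6 addresses such as [::]:135 intact
        address, _, port = fields[1].rpartition(":")
        found.append((fields[0], address, int(port), int(fields[-1])))
    return found


def reachable_listeners(listeners):
    """Drop loopback-only sockets; a remote scan can never reach them."""
    return [l for l in listeners if not l[1].startswith(LOOPBACK_PREFIXES)]


def outside_scan_range(listeners, scanned_ports=SCANNED_PORTS):
    """Network-reachable listeners on ports the external scan does not test."""
    return [l for l in reachable_listeners(listeners) if l[2] >= scanned_ports]


if __name__ == "__main__":
    for proto, address, port, pid in outside_scan_range(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{proto} {address}:{port} is held open by PID {pid}")
```

On a real machine, feed the function the text produced by `netstat -ano` and look up each reported PID with `tasklist /FI "PID eq <pid>"` to identify the program.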
     
  18. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    So ports higher than 1056 should be either closed or stealthed?

    If I want to find out what the status is of my router ports 1056+ I have to scan them, as suggested by FadeAway for example?
     