Why so many intrusions with Comodo?

Discussion in 'other firewalls' started by phillip559, Mar 24, 2008.

Thread Status:
Not open for further replies.
  1. phillip559

    phillip559 Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    20
    Hi, I'm running the latest version of Comodo.

    So far I have had about 438 intrusion attempts blocked (in only a matter of a few days). Is this normal?

    To me it looks more like outbound attempts but I'm still learning.

    My IP is the source each time. Most of the protocols are IGMP but a few are UDP. Most of the destination IPs are the same and when a port is listed (only a few times) both the source and the destination are 1900.


    When I look at my network security policy there are no blocked items except "block and log unmatching requests" that is set for Firefox, IE, and Comodo.

    By the way, I have a router with an SPI firewall.



    Sorry if this is a noobish question.
     
  2. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    What are the names of the programs being blocked? This is my set up for Windows programs.
     

    Attached Files:

  3. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Are you using Messenger by chance? It will (most common example) use IGMP protocol. Comodo will block this by default, you would need to make an explicit rule to allow it.

    As for UDPs on port 1900, this is caused by the Windows SSDP service. It is a part of Universal Plug'n'Play (automatically opening ports on a router for, say, online gaming), and it is not needed in most cases.

    Whether you want to allow or block both is up to you.
     
  4. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    A few comments:
    1) An "intrusion" is anything incoming that is blocked and logged by CFP3. So to get rid of them, you can just create a rule to block the unnecessary traffic but not log it. The source is often your router, since there can be a lot of chatter in a network.
    2) You can reset the counter to zero by turning CFP3 off and on.
    3) There is a lot of SSDP (and other) activity even at start up, as part of the network setup. CFP does selective logging, but doesn't ignore everything. Attachment is a Wireshark log of just getting a NIC on the air in a LAN, before anything actually happens. So blocking and not logging the unnecessary crap is a good tool.

    wsstart.jpg
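
The breakdown the replies describe (IGMP and SSDP chatter on UDP port 1900 versus anything else) can be checked against a log with a short script. This is an added example, not part of any post in the thread: the comma-separated log layout, the sample addresses and the label names are constructed for illustration and are not Comodo's log format.

```python
import ipaddress
from collections import Counter

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # standard IPv4 SSDP multicast group
SSDP_PORT = 1900

# Constructed sample entries (not Comodo's log format):
# protocol,source_ip,source_port,dest_ip,dest_port
SAMPLE_LOG = """\
IGMP,192.168.1.20,,224.0.0.22,
IGMP,192.168.1.20,,239.255.255.250,
UDP,192.168.1.20,1900,239.255.255.250,1900
UDP,192.168.1.1,1900,192.168.1.20,1900
TCP,203.0.113.7,44321,192.168.1.20,445
"""

def classify(line, local_ip, lan):
    """Label one blocked-and-logged entry as routine LAN chatter or worth reviewing."""
    proto, src, sport, dst, dport = [f.strip() for f in line.split(",")]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_me = src_ip == ipaddress.ip_address(local_ip)
    if src_ip not in lan:
        return "review-external-source"   # not the LAN chatter discussed in the thread
    if proto == "IGMP" and dst_ip.is_multicast:
        # Multicast group membership traffic; outbound when this PC is the source.
        return "igmp-outbound" if from_me else "igmp-lan"
    if proto == "UDP" and SSDP_PORT in (int(sport or 0), int(dport or 0)):
        if dst_ip == SSDP_GROUP:
            return "ssdp-outbound" if from_me else "ssdp-lan"
        if dst_ip in lan:
            return "ssdp-lan"             # e.g. the router talking UPnP to this PC
    return "review-other"

def summarize(log_text, local_ip, lan_cidr):
    """Count entries per label so the 'intrusion' total can be broken down."""
    lan = ipaddress.ip_network(lan_cidr)
    return Counter(classify(l, local_ip, lan) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG, "192.168.1.20", "192.168.1.0/24").most_common():
        print(f"{n:3d}  {label}")
```

Entries labelled `igmp-*` or `ssdp-*` are candidates for a block-without-logging rule; the `review-*` entries are the ones to keep logging.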
     