Advice Request Comodo Firewall blocking network access to Windows services and OS?

Status
Not open for further replies.

Arequire

Level 29
Thread author
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Over the past week I've had Comodo Firewall blocking network access to a couple of Windows services and I can't understand why. On Monday it went and blocked three svchost.exe inbound connections, on Wednesday it blocked an MSASCui.exe inbound request (Windows Defender. It keeps turning itself on even though I disable it multiple times a week) and within the last hour I've had it block an outbound request from "Windows Operating System". I've unblocked all of them.

Any reason for this? System applications, files and processes should be trusted by Comodo so I can't understand the reason why the firewall is blocking network access to them. I also haven't a clue what svchost would be receiving with its inbound requests or what Windows Operating System would be sending with its outbound request.

I'm using Windows 7 if that's any help. I'm off to work but shall respond to any questions or queries once I return.
 
Deleted member 2913

I too have set -

Firewall settings - Don't show popup messages - Checked & set to "Block".

I have searchui.exe, iexplore.exe, Windows Operating System, explorer.exe & svchost.exe as blocked in Unblock Apps.

I guess searchui.exe is related to Cortana so I have left it blocked.
I think iexplore.exe shows up as blocked because I tried a couple of programs in the sandbox & I guess Internet Explorer was started by one of those sandboxed programs. Internet Explorer runs fine so I have left iexplore.exe blocked.
I don't know what Windows Operating System is and don't notice any problems on the system, so I left it blocked.
I noticed explorer sometimes momentarily freezing so I unblocked it & haven't noticed the freeze yet.
I noticed svchost.exe is sometimes there & sometimes not there, i.e. it automatically disappears... currently it's not there.
 

Arequire

I too have set -

Firewall settings - Don't show popup messages - Checked & set to "Block".

I have searchui.exe, iexplore.exe, Windows Operating System, explorer.exe & svchost.exe as blocked in Unblock Apps.

I guess searchui.exe is related to Cortana so I have left it blocked.
I think iexplore.exe shows up as blocked because I tried a couple of programs in the sandbox & I guess Internet Explorer was started by one of those sandboxed programs. Internet Explorer runs fine so I have left iexplore.exe blocked.
I don't know what Windows Operating System is and don't notice any problems on the system, so I left it blocked.
I noticed explorer sometimes momentarily freezing so I unblocked it & haven't noticed the freeze yet.
I noticed svchost.exe is sometimes there & sometimes not there, i.e. it automatically disappears... currently it's not there.
Glad to know I'm not the only one.
So your advice would be to remove the exclusions and let it block system related stuff if it doesn't affect my PC's operation?

True, even the CIA have had troubles with Comodo so it must do something!
Us paranoid Comodo using bastards, eh? ;)
 

509322

Over the past week I've had Comodo Firewall blocking network access to a couple of Windows services and I can't understand why. On Monday it went and blocked three svchost.exe inbound connections, on Wednesday it blocked an MSASCui.exe inbound request (Windows Defender. It keeps turning itself on even though I disable it multiple times a week) and within the last hour I've had it block an outbound request from "Windows Operating System". I've unblocked all of them.

Any reason for this? System applications, files and processes should be trusted by Comodo so I can't understand the reason why the firewall is blocking network access to them. I also haven't a clue what svchost would be receiving with its inbound requests or what Windows Operating System would be sending with its outbound request.

I'm using Windows 7 if that's any help. I'm off to work but shall respond to any questions or queries once I return.

svchost.exe constantly makes outbound\inbound connections. That is normal network behavior for svchost.exe.

Where are you seeing the blocked inbound connections - in the log or getting actual alerts ?

What are ALL your firewall settings - mode, stealth all ports, on the firewall settings pane ? (There's more than 10 settings altogether.)

Do you have ARP\loopback blocking enabled ? - it's on the firewall settings pane at the bottom.

I would bet that it all comes down to your settings and also not knowing about Windows and how COMODO works...
 

Arequire

Where are you seeing the blocked inbound connections - in the log or getting actual alerts ?
I've got it set to not show firewall alerts so everything ends up in blocked applications. Anything I know is legit I unblock myself but I've never seen it block "Windows Operating System" before and I've been using CF for a good while now.

Do you have ARP\loopback blocking enabled ? - it's on the firewall settings pane at the bottom.
Don't have that enabled. I've heard it causes issues with UPnP.

Firewall settings:
Safe Mode
Do NOT show popup alerts: Block Requests
Enable Trustconnect Alerts: Unsecured Wireless Networks Only
Turn traffic animation effects on
Filter loopback traffic

Everything else is unticked as it came default. Using proactive configuration, HIPS off, auto-sandbox on, file rating on. Nothing touched in terms of Windows system/updater app rules. Probably does boil down to me not knowing what the actual OS is doing in the background.

It's more curiosity than anything. I haven't seen anything affected by Comodo blocking this stuff. I just wondered why it does so.
 

Arequire

I would bet that if you disable this setting then all of the block events that you are concerned about will disappear from your log.

You have to disable\delete the firewall rules you created first.
Got it. So it's probably just Windows apps communicating with themselves via loopback? I figured Comodo would be set to allow this by default but I guess there's exceptions.
 

509322

Got it. So it's probably just Windows apps communicating with themselves via loopback? I figured Comodo would be set to allow this by default but I guess there's exceptions.

Did you confirm it ?

Keep loop back filtering enabled and just ignore any blocks.
 

Arequire

Did you confirm it ?

Keep loop back filtering enabled and just ignore any blocks.
Removed them from the exclusions. Kept filtering on but didn't see any blocks. I'll just ignore 'em like you said unless I experience any issues with their blockage. Thanks. :)
 

509322

Removed them from the exclusions. Kept filtering on but didn't see any blocks. I'll just ignore 'em like you said unless I experience any issues with their blockage. Thanks. :)

It's not common to experience a problem with loopback filtering.

If you're at home and your system is sitting behind a NAT router, COMODO firewall is overkill - but that's your decision. If you use public wifi hotspots, then a firewall makes more sense. In my opinion, a VPN is a valuable addition when using public\questionable wifi - but a person using such a network should not be doing online financial transactions or sharing exploitable personal data over such a network.

Issue solved ?
 

Arequire

It's not common to experience a problem with loopback filtering.

Issue solved ?
I believe so. There wasn't any lost functionality over it, I was just confused over system apps having their connections blocked in the first place. No way for me to confirm if it is loopback filtering causing it or not. The connections happen randomly and I don't know how to trigger svchost or Windows Operating System to make connections that would be blocked by Comodo. Like I said, if it happens again I'll just ignore it.
 

509322

I believe so. There wasn't any lost functionality over it, I was just confused over system apps having their connections blocked in the first place. No way for me to confirm if it is loopback filtering causing it or not. The connections happen randomly and I don't know how to trigger svchost or Windows Operating System to make connections that would be blocked by Comodo. Like I said, if it happens again I'll just ignore it.

You will notice 127.0.0.1, 10.0.X.X, fe..., etc blocks when loopback is enabled.

Just enable\disable loopback filtering. You will learn what is what by studying the differences in the unfiltered and filtered logs.
 

Deleted member 2913

Glad to know I'm not the only one.
So your advice would be to remove the exclusions and let it block system related stuff if it doesn't affect my PC's operation?

;)
I haven't unblocked any of those except explorer.exe, as I noticed an occasional explorer freeze for a sec or 2... after the explorer unblock, no freeze yet.
So it's your choice...

I have also set FW to "block incoming connections".
 

Arequire

You will notice 127.0.0.1, 10.0.X.X, fe..., etc blocks when loopback is enabled.

Just enable\disable loopback filtering. You will learn what is what by studying the differences in the unfiltered and filtered logs.
Isn't that then. Windows Operating System's destination was 50.7.100.202.
Svchost's connection was a local connection (192.x) so that's fine. Windows Defender was a loopback connection.
 

509322

Isn't that then. Windows Operating System's destination was 50.7.100.202.

Inbound or outbound ?

Anyhow, if nothing is broken, ignore it. Don't constantly harbor doubts in your mind that the filtering is causing things to be broken on the system - but you just are unaware of it. Doing that you are just over-complicating things - creating a problem where there probably isn't a problem.

The best way to learn is to study the logs with filtering and without filtering. It takes time and effort, but you will get there.
 
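An added example, not part of any post in this thread: one way to do the filtered-versus-unfiltered log comparison suggested above, using the address ranges named earlier (127.0.0.1, 10.0.X.X, fe...). The record layout, every sample entry other than the address 50.7.100.202, and which entries appear in which log are constructed assumptions, not Comodo's log format or output.

```python
import ipaddress

def scope(addr):
    """Classify an address as loopback, link-local, private or public."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id such as %12
    if ip.is_loopback:      # 127.0.0.0/8, ::1 (checked first: loopback also counts as private)
        return "loopback"
    if ip.is_link_local:    # 169.254.0.0/16, fe80::/10
        return "link-local"
    if ip.is_private:       # 10/8, 172.16/12, 192.168/16 and similar
        return "private"
    return "public"

def only_when_filtered(filter_on, filter_off):
    """Block events logged with loopback filtering on that vanish with it off."""
    seen = set(filter_off)
    return [event for event in filter_on if event not in seen]

def needs_lookup(events):
    """Events with a public remote address, which loopback filtering cannot explain."""
    return [event for event in events if scope(event[2]) == "public"]

# Constructed records: (process, direction, remote address).
# Assumption: log exported once with "Filter loopback traffic" ticked, once unticked.
LOG_FILTER_ON = [
    ("MSASCui.exe", "in", "127.0.0.1"),
    ("svchost.exe", "in", "192.168.1.20"),
    ("svchost.exe", "out", "fe80::1%12"),
    ("Windows Operating System", "out", "50.7.100.202"),
]
LOG_FILTER_OFF = [
    ("svchost.exe", "in", "192.168.1.20"),
    ("Windows Operating System", "out", "50.7.100.202"),
]

if __name__ == "__main__":
    for proc, direction, addr in only_when_filtered(LOG_FILTER_ON, LOG_FILTER_OFF):
        print(f"explained by loopback filtering: {proc} {direction} {addr} ({scope(addr)})")
    for proc, direction, addr in needs_lookup(LOG_FILTER_OFF):
        print(f"not explained, look up the owner: {proc} {direction} {addr}")
```
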

Arequire

Inbound or outbound ?

Anyhow, if nothing is broken, ignore it. Don't constantly harbor doubts in your mind that the filtering is causing things to be broken on the system - but you just are unaware of it. Doing that you are just over-complicating things - creating a problem where there probably isn't a problem.

The best way to learn is to study the logs with filtering and without filtering. It takes time and effort, but you will get there.
Outbound.

I was a little concerned about it. Didn't want something that I don't pay attention to or am unaware of being broken in the background and causing non-visible issues. But as you said if there's nothing visibly wrong I'll stop worrying about it.
 

509322

Isn't that then. Windows Operating System's destination was 50.7.100.202.
Svchost's connection was a local connection (192.x) so that's fine. Windows Defender was a loopback connection.

On my system I see that MicrosoftEdge connects to FDCservers = 50.7.X.X (I didn't look up the IP ranges). So it is evidently a Microsoft related thing.

WRONG ! (See bottom)

You could make it a full-time occupation just studying all of Microsoft IP addresses\URLs and what they do... (this is still true even after my edit).

EDIT: Actually above is me making a blatant mistake... I manually visited the FDCservers.net website. :D I'm tired... I start to not think straight ... and I'm going home.
 

509322

Outbound.

I don't pay attention to or am unaware of being broken in the background and causing non-visible issues.

This is understandable. With experience you just get to the point where ... meh... if I don't see it obviously broken, then I'm not going to worry about it. Your system is more vast than you comprehend - and there is always something going wrong on it that isn't readily apparent. It's just the nature of the beast, but that doesn't mean errors and non-visible issues automatically create huge, hidden problems and gaping security holes. Occasionally that is the case - and if you follow security news such stuff gets reported in articles.

If you go crazy constantly auditing your system you will do nothing but keep yourself crazy. Such behavior is all over the security forums.
 