Author Topic: Network shield and DCOM attacks  (Read 8149 times)


Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Network shield and DCOM attacks
« on: March 25, 2008, 12:17:41 AM »
The only alerts I've ever gotten from the Internet shield have related to DCOM attacks which it blocked.  Two of them in less than 24 hours, after over 3 years since the last one.

Obviously if they've been blocked, no problem.  But I'm wondering if my firewall (Comodo) let them slip through, otherwise avast should never have "seen" them at all, right?

No relation between the IPs of these last two ... all of them including those old ones ended in ":135", which I'd guess is the port.

Any suggestions as to firewall setup changes?  Or should I just trust avast to do its thing?
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Network shield and DCOM attacks
« Reply #1 on: March 25, 2008, 01:57:29 AM »
I too would wonder why they got past Comodo as that really should be the first line of defence with the Network Shield as a back-up (thankfully).

Yes the :135 at the end of the IP is the port. Port 135 is often used for exploits in the hope that the system on the other end isn't fully patched and up to date. If it is up to date then it isn't vulnerable to the DCOM exploit, but that doesn't stop them trying.

It sounds like your firewall isn't stealthing your system, you can check out the ShieldsUp test at grc.com. See http://www.grc.com/port_135.htm.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
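
As an added example (not code from the original thread, avast or Comodo), the script below triages alert lines of the shape the thread describes, an attacker address followed by ":135". It assumes a constructed log format and assumes the port shown is the targeted local port (TCP 135, the RPC endpoint mapper). The useful distinction it makes: a source outside the RFC 1918 ranges means the perimeter firewall or router passed the connection through to the host, while a source inside the LAN points at an infected neighbour rather than the router.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of the thread's reports (timestamp,
# shield, attack name, remote address:port). Not real avast log output.
SAMPLE_ALERTS = [
    "2008-03-24 18:02:11 Network Shield: blocked DCOM Exploit attack from 203.0.113.45:135",
    "2008-03-24 23:40:07 Network Shield: blocked DCOM Exploit attack from 198.51.100.9:135",
    "2008-03-25 00:10:55 Network Shield: blocked DCOM Exploit attack from 192.168.1.23:135",
    "2008-03-25 02:15:00 Network Shield: blocked DCOM Exploit attack from 203.0.113.45:135",
    "2008-03-25 03:00:00 Network Shield: blocked Port scan from 198.51.100.9:445",
]

ALERT_RE = re.compile(r"blocked (?P<attack>.+?) from (?P<ip>[\d.]+):(?P<port>\d+)")

# Address space that is "inside" a home or office network. Defined explicitly
# (RFC 1918 plus loopback and link-local) rather than via ipaddress.is_private,
# which also flags documentation ranges such as 203.0.113.0/24.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_alert(line):
    """Extract attack name, remote IP and port from one alert line, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {"attack": m["attack"], "ip": m["ip"], "port": int(m["port"])}


def is_external(ip):
    """True if the address is not in any local range, i.e. it was routed in."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def triage(lines, port=135):
    """Count alerts against the given local port, split by where they came from.

    external: reached the host from the Internet, so the perimeter firewall
              did not drop the connection before the host saw it.
    internal: a LAN peer, which suggests an infected machine on the same network.
    """
    external, internal = Counter(), Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["port"] != port:
            continue
        bucket = external if is_external(alert["ip"]) else internal
        bucket[alert["ip"]] += 1
    return {"external": dict(external), "internal": dict(internal)}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for origin in ("external", "internal"):
        for ip, hits in sorted(result[origin].items()):
            print(f"{origin:8} {ip:16} {hits} hit(s) on tcp/135")
```

Run on the constructed sample it reports two external sources (one hitting twice) and one LAN source, and ignores the port-445 line. Any non-empty "external" bucket is the condition the thread is discussing: the host-based shield is seeing traffic that a correctly configured perimeter firewall should have dropped first.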

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Network shield and DCOM attacks
« Reply #2 on: March 25, 2008, 02:00:28 AM »
> Obviously if they've been blocked, no problem.  But I'm wondering if my firewall (Comodo) let them slip through, otherwise avast should never have "seen" them at all, right?
Yes, if your firewall is working well, it should have blocked it.
I suspect that you've disabled Defense+ in Comodo. Without it, Comodo is not a good firewall.
The best things in life are free.

ggf31416

  • Guest
Re: Network shield and DCOM attacks
« Reply #3 on: March 25, 2008, 05:08:29 AM »
Perhaps you (or a glitch) allowed by accident inbound connections to svchost.exe  ???
Go to firewall -> advanced ->  network security policy and check that inbound connections to system and svchost.exe from outside your network are blocked (or that your global rules are blocking incoming connections).
Tech, disabling Defense+ will  affect only the leak protection, not the inbound/outbound protection.

psw

  • Guest
Re: Network shield and DCOM attacks
« Reply #4 on: March 25, 2008, 08:54:49 AM »
> Obviously if they've been blocked, no problem.  But I'm wondering if my firewall (Comodo) let them slip through, otherwise avast should never have "seen" them at all, right?
> Yes, if your firewall is working well, it should have blocked it.
> I suspect that you've disabled Defense+ in Comodo. Without it, Comodo is not a good firewall.
For me it is a rather doubtful statement. E.g. the previous version of Comodo (2.4) without any Defense+ was a rather good FW. The real problem is that the default settings in Comodo 3.0 are written in such a way that effectively they can work only when Defense+ is enabled. E.g. svchost.exe can make any IN/OUT connections using ANY port etc. When the user disables Defense+ he should write and use his own FW rules.
My preference - disabling any HIPS and using plain FW rules. The simpler, the better.
« Last Edit: March 25, 2008, 10:15:49 AM by psw »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Network shield and DCOM attacks
« Reply #5 on: March 25, 2008, 12:49:54 PM »
> Tech, disabling Defense+ will affect only the leak protection, not the inbound/outbound protection.
Only that? Parental application control is a must have for a firewall and it's disabled without Defense+. One application uses another (allowed before into firewall settings) to connect. For me, Comodo 3 without Defense+ is a very poor firewall.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Network shield and DCOM attacks
« Reply #6 on: March 25, 2008, 04:58:00 PM »
Thanks, all.

Yes, I'd disabled the Defense+, more trouble than it was worth.  But if Tech's correct that there are (apparently undocumented) interactions between that and the firewall, I'll grit my teeth and set it back to Learn-with-Safe mode.  One of the biggest problems I'd found was that it's almost impossible (for me, with my connection) to submit Pending List items to Comodo for analysis, and of course I'm reluctant to simply accord them Trusted status on my own.

And in the firewall, I've changed permissions for System and Svchost from the default in-Allow to in-Ask.  Hopefully the contexts when it's necessary to decide will be clear enough.

ggf31416

  • Guest
Re: Network shield and DCOM attacks
« Reply #7 on: March 25, 2008, 05:11:12 PM »

> Only that? Parental application control is a must have for a firewall and it's disabled without Defense+. One application uses another (allowed before into firewall settings) to connect. For me, Comodo 3 without Defense+ is a very poor firewall.

Parental application control is leak protection, not outbound protection (according to Comodo's CEO leak protection is not included in outbound protection, but others may disagree). Anyway it's well known that Comodo without Defense+ is not safe without another HIPS (but still better than Kerio 2.1.5, as Comodo has better outbound control for ICMP and better pseudo-SPI for UDP and ICMP).

Anyway the problem with open ports is independent from Defense+. The connections are allowed only if they are allowed by the application rules AND the global rules.  The open ports problem is caused by global rules allowing inbound connections from everywhere (default mode, bad idea IMO) AND application rules allowing inbound connections (user mistake or bug. The default alert level (low) does not help) as well.
The fix is either correct the application rules for svchost.exe and other programs OR correct the global rules (using the stealth port wizard or creating the rules directly) OR both.
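
As an added example (my own model, not Comodo's code or documentation), the script below encodes the point made above: an inbound connection gets through only if the global rules AND the matching application's rules both permit it, so either layer can close port 135. It assumes first-match rule evaluation, a home LAN of 192.168.1.0/24, an unmatched connection being blocked, and rule sets named DEFAULT_*, STEALTH_GLOBAL and ASK_APPS that stand in for the "default", "stealth port wizard" and "in-Ask" configurations discussed in the thread; none of those names come from the product.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "block" or "ask"
    direction: str               # "in" or "out"
    proto: str = "any"           # "tcp", "udp" or "any"
    port: Optional[int] = None   # local port; None matches any port
    src: str = "any"             # "any", "lan" or "wan" (where the peer sits)


@dataclass(frozen=True)
class Conn:
    direction: str
    proto: str
    port: int
    peer_ip: str
    app: str                     # process that owns the local socket


def _peer_class(ip: str) -> str:
    return "lan" if ipaddress.ip_address(ip) in LAN else "wan"


def rule_matches(rule: Rule, conn: Conn) -> bool:
    return (rule.direction == conn.direction
            and rule.proto in ("any", conn.proto)
            and rule.port in (None, conn.port)
            and rule.src in ("any", _peer_class(conn.peer_ip)))


def first_match(rules: List[Rule], conn: Conn, default: str = "block") -> str:
    """Return the action of the first matching rule (assumed semantics)."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action
    return default


def decide(global_rules: List[Rule], app_rules: Dict[str, List[Rule]], conn: Conn) -> str:
    """Global rules are consulted first; a block at either layer wins, an
    "ask" at either layer turns into a prompt, and only allow+allow admits."""
    g = first_match(global_rules, conn)
    if g == "block":
        return "block"
    a = first_match(app_rules.get(conn.app, []), conn)
    if a == "block":
        return "block"
    return "ask" if "ask" in (g, a) else "allow"


# An inbound TCP/135 probe from the Internet and one from a LAN neighbour
# (constructed addresses), both landing on svchost.exe, which hosts RPC.
WAN_PROBE = Conn("in", "tcp", 135, "203.0.113.45", "svchost.exe")
LAN_PROBE = Conn("in", "tcp", 135, "192.168.1.23", "svchost.exe")

# The configuration the thread complains about: everything allowed in and out.
DEFAULT_GLOBAL = [Rule("allow", "in"), Rule("allow", "out")]
DEFAULT_APPS = {"svchost.exe": [Rule("allow", "in"), Rule("allow", "out")]}

# Fix at the global layer: drop unsolicited inbound from the WAN, keep the LAN.
STEALTH_GLOBAL = [Rule("block", "in", src="wan"), Rule("allow", "in", src="lan"),
                  Rule("allow", "out")]

# Fix at the application layer: svchost inbound becomes a prompt instead of allow.
ASK_APPS = {"svchost.exe": [Rule("ask", "in"), Rule("allow", "out")]}


if __name__ == "__main__":
    cases = [("default global + default app", DEFAULT_GLOBAL, DEFAULT_APPS),
             ("default global + svchost in-Ask", DEFAULT_GLOBAL, ASK_APPS),
             ("stealth global + default app", STEALTH_GLOBAL, DEFAULT_APPS),
             ("stealth global + svchost in-Ask", STEALTH_GLOBAL, ASK_APPS)]
    for name, g, a in cases:
        print(f"{name:34} WAN->135: {decide(g, a, WAN_PROBE):5}  LAN->135: {decide(g, a, LAN_PROBE)}")
```

The table the script prints shows why fixing either layer is enough against the Internet probe (the stealth global rule blocks it outright; the svchost in-Ask rule turns it into a prompt), but only the application rule also covers a probe from a LAN neighbour, which the stealth global rules deliberately let through.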

AverageJoe72

  • Guest
Re: Network shield and DCOM attacks
« Reply #8 on: September 15, 2008, 09:37:40 AM »
> It sounds like your firewall isn't stealthing your system, you can check out the ShieldsUp test at grc.com. See http://www.grc.com/port_135.htm.

I have been getting a flurry of DCOM Exploit messages from avast over the past several weeks (port 135).  Searched the topic and found this thread.  Followed the link to Shields Up, tested port 135, and it reports its status as "stealth".  I am using Comodo v 2.4.  Have XP and just recently updated to SP3.

Any ideas on why I keep getting the pop-up from avast on the DCOM Exploit?  Checked my log activity on Comodo and I do not see anything to correspond to the avast message.  I'm stumped.

Thanks for any assistance.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Network shield and DCOM attacks
« Reply #9 on: September 15, 2008, 12:41:45 PM »
Well I don't know why comodo isn't getting in there first (it isn't a firewall I have ever used), but it may be a little different to this topic as you are using the earlier version 2.4 without the defence+ module.

It may simply be down to windows booting as there doesn't seem to be any set order in which it loads applications, so avast could be being loaded first.

You could try, uninstall avast, reboot, install, reboot.
It would probably be best to first Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Then again you could also try using the latest version of the comodo firewall or reinstalling the one you have.

Obviously either of the above options could generate a lot of comodo pop-ups (less if you reinstalled avast) as comodo would have to build its permissions information again.

AverageJoe72

  • Guest
Re: Network shield and DCOM attacks
« Reply #10 on: September 15, 2008, 05:55:51 PM »
> You could try, uninstall avast, reboot, install, reboot.
> It would probably be best to first Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Thank you for your response.  I think I will proceed with an uninstall/reinstall of avast.  I started using avast for the first time back in May.  As I recall there was a license key involved.  Not sure I can locate that number.  Do I need that license key when I reinstall avast (i.e. does it track by IP address?)?  Thanks again for the assistance.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Network shield and DCOM attacks
« Reply #11 on: September 15, 2008, 06:00:05 PM »
> Do I need that license key when I reinstall avast (i.e. does it track by IP address?)?
No, you can register again and use a new one.
For Home version there isn't a track back by IP.

AverageJoe72

  • Guest
Re: Network shield and DCOM attacks
« Reply #12 on: September 20, 2008, 06:50:13 AM »
> You could try, uninstall avast, reboot, install, reboot.
> It would probably be best to first Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Can I do an uninstall/reinstall while being offline or do I need to have an internet connection when doing this?  I continue to get a flurry of these DCom Exploit attacks and while I hope that Comodo will catch them if I uninstall Avast, I always like to play it safe.  So in other words ... download and save Avast to my HD, go offline, uninstall avast, reboot, install, go online and then reboot.  Will that work?

Thank you for your assistance.

CharleyO

  • Guest
Re: Network shield and DCOM attacks
« Reply #13 on: September 20, 2008, 06:59:20 AM »
***

At the end, I think you should reboot and then go online.


***

YoKenny

  • Guest
Re: Network shield and DCOM attacks
« Reply #14 on: September 20, 2008, 07:12:23 AM »
Get a router with a built in firewall such as Linksys BEFSX41 or D-Link DSL-2540B that will provide external protection.