D+ event ... services.exe modifying registry key

[Guest]

[piattj]

Hi

I am new to this forum but recognise the talent in the pool.

I see the Comodo summary showing a number of suspicious attempts blocked by D+ each day and in D+ tab I see a lot of events relating to services.exe modifying registry key, ie...
services.exe ...modify key...HKLM\SYSTEM\ControlSet001\services\BITS\start.

My question is... does this represent a security issue? Is D+ acting in a valid / appropriate way or should this action be allowed? If so, how and why?

Thanks!

[piattj]

Any views or advice on this topic please? Thanks...

...D+ logs a number of suspicious attempts blocked by D+ each day and these events relate to services.exe modifying registry key ...services.exe trying to modify the key HKLM\SYSTEM\ControlSet001\services\BITS\start.

My question is... does this represent a security issue? Is D+ acting in a valid / appropriate way or should this action be allowed? If so, how and why?

[piattj]

D+ logfile entries as below... any advice? Please?

Date/Time   Application   Action   Target
15-Dec-09 8:27:54 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 8:28:07 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 8:35:43 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 10:37:28 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 10:37:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 10:47:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 10:57:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 11:07:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 11:17:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 11:27:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 11:37:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 11:47:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start
15-Dec-09 11:57:55 AM   C:\Windows\System32\services.exe   Modify Key   HKLM\SYSTEM\ControlSet001\services\BITS\Start

[OmeletGuy]

Are you on windows 7?

[piattj]

Yes, Win7 Professional (64 bit)...

[SS26]

If i'm right BITS is a legitimate system service named Background Intilligent Transfer Service.  It should not be blocked by Def+.  If You do not trust this system service, it can be switched off with the help of Windows Control panel applet.

To get rid of Def+ block rule for this service:
- backup current Comodo config: main program window > Miscellaneous > Managing config > export config which is active;

- then: main program window > Defense+ > advanced > Computer security policy > locate entry %windir%\system32\services.exe > Edit > access rights > protected registry keys > modify > blocked exceptions > delete corresponding entry (HKLM\SYSTEM\ControlSet001\services\BITS\Start);

[Creasy]

Hi

I am new to this forum but recognise the talent in the pool.

I see the Comodo summary showing a number of suspicious attempts blocked by D+ each day and in D+ tab I see a lot of events relating to services.exe modifying registry key, ie...
services.exe ...modify key...HKLM\SYSTEM\ControlSet001\services\BITS\start.

My question is... does this represent a security issue? Is D+ acting in a valid / appropriate way or should this action be allowed? If so, how and why?

Thanks!

It should be allowed.

read this please.
https://forums.comodo.com/defense_help/servicesexe_is_blocked_every_time-t46548.0.html

[Tags:]