Author Topic: system is trying to receive a connection from the internet upnp/ssdp(2869)?  (Read 4335 times)
stuartf1
« on: February 23, 2012, 07:22:46 PM »

I got a pop up on this a few times now. Not sure what to do. Earlier today I read through some posts here and one said system should only have outgoing set, so I went ahead and set system and svchost in Comodo Firewall for outgoing only.
Could this possibly be something suspicious?

TIA
Stuart

Radaghast
« Reply #1 on: February 23, 2012, 07:30:09 PM »

Quote
I got a pop up on this a few times now. Not sure what to do. Earlier today I read through some posts here and one said system should only have outgoing set, so I went ahead and set system and svchost in Comodo Firewall for outgoing only.
Could this possibly be something suspicious?

TIA
Stuart

Receiving connections from other plug and play devices on the LAN, over TCP 2869, is quite normal. Two questions:

1. Do you have a router?
2. Do you use UPnP?

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

stuartf1
« Reply #2 on: February 23, 2012, 07:37:31 PM »

Quote
Receiving connections from other plug and play devices on the LAN, over TCP 2869, is quite normal. Two questions:

1. Do you have a router?
2. Do you use UPnP?

Yes I have a router.
Yes I use UPnP. 

Stuart

Radaghast
« Reply #3 on: February 23, 2012, 10:43:24 PM »

Quote
Yes I have a router.
Yes I use UPnP.

Stuart

These are probably SSDP event notifications from your router. For UPnP/SSDP to work correctly, you should allow these, but it probably won't cause any considerable problems if you continue to block the requests. Your choice.

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

stuartf1
« Reply #4 on: February 26, 2012, 06:47:14 PM »

Quote
These are probably SSDP event notifications from your router. For UPnP/SSDP to work correctly, you should allow these, but it probably won't cause any considerable problems if you continue to block the requests. Your choice.

Thank you.  I went ahead and accepted.

Stuart

aguyonapc
« Reply #5 on: February 26, 2012, 08:38:33 PM »

I'm dealing with the same thing here (I think) but I'm not sure why it's happening as it's pretty recent.
I do have UPnP enabled, and my modem is a Cisco DPC3825 Gateway.
I switched to ComodoDNS and am wondering if it's got something to do with that.
My first alert was svchost.exe trying to connect to 57058.  I blocked that for a while, but did end up allowing it once.  After that I started seeing system trying to connect to 2869.  I've been blocking it as I'm not sure exactly what it is.  Should it be ok to allow?

Radaghast
« Reply #6 on: February 26, 2012, 09:03:43 PM »

Quote
I'm dealing with the same thing here (I think) but I'm not sure why it's happening as it's pretty recent.
I do have UPnP enabled, and my modem is a Cisco DPC3825 Gateway.
I switched to ComodoDNS and am wondering if it's got something to do with that.
My first alert was svchost.exe trying to connect to 57058. I blocked that for a while, but did end up allowing it once. After that I started seeing system trying to connect to 2869. I've been blocking it as I'm not sure exactly what it is. Should it be ok to allow?

The DNS service will connect outbound via UDP to port 53 and the addresses used, last time I looked, were:

8.26.56.26
156.154.70.22

Other than that, svchost, along with other system services, uses ports from the dynamic range (49152-65535) for a variety of things, so we'd need more information to determine the precise nature of the connection.

With regard to the SSDP/UPnP connection, these are typically event notifications: basically, just a UPnP-enabled device letting other similar devices know it's alive. If you're using UPnP you should probably allow the connections, but it's worth making sure you know where the connections are coming from.

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

aguyonapc
« Reply #7 on: February 27, 2012, 06:50:44 PM »

I just logged into Windows and got over 60 (so far) events logged.

Windows Operating System
Action - Blocked
Protocol - TCP
Source IP - 192.168.0.1
Source Port - 1099, 1100, 1101, 1102, 1103
Destination IP - 192.168.0.10
Destination Port - 2869

How do I get this to stop exactly?
I blocked it sometime yesterday and obviously need to unblock it (if it's safe to do so).

I did delete some rules that showed up (started another thread on that issue).
https://forums.comodo.com/firewall-help-cis/where-did-these-rules-come-from-t82344.0.html
Perhaps that may have something to do with this?

Radaghast
« Reply #8 on: February 27, 2012, 07:26:40 PM »

Quote
I just logged into Windows and got over 60 (so far) events logged.

Windows Operating System
Action - Blocked
Protocol - TCP
Source IP - 192.168.0.1
Source Port - 1099, 1100, 1101, 1102, 1103
Destination IP - 192.168.0.10
Destination Port - 2869

How do I get this to stop exactly?
I blocked it sometime yesterday and obviously need to unblock it (if it's safe to do so).

I did delete some rules that showed up (started another thread on that issue).
https://forums.comodo.com/firewall-help-cis/where-did-these-rules-come-from-t82344.0.html
Perhaps that may have something to do with this?

I'm guessing 192.168.0.1 is your router; if so, you need to check the documentation for the device to find out how to enable/disable/control UPnP.

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

aguyonapc
« Reply #9 on: February 27, 2012, 07:29:39 PM »

Ok I will do that.
Any idea why that would just start happening?

It finally stopped after 214 log entries.
All I did was remake the rules I had deleted (from other thread).
Not really sure if that's what fixed it though.

Source Port kept changing... went from 1099 up to 1129.
All other info stayed the same.
View Active Connections showed a connection to 188.121.36.239:80 (after the alerts stopped... may or may not be related).

Radaghast
« Reply #10 on: February 27, 2012, 09:06:05 PM »

Quote
Ok I will do that.
Any idea why that would just start happening?

It finally stopped after 214 log entries.
All I did was remake the rules I had deleted (from other thread).
Not really sure if that's what fixed it though.

Source Port kept changing... went from 1099 up to 1129.
All other info stayed the same.

As I mentioned earlier, these log entries just show SSDP event notifications. Generally, these are in response to a query sent out by some other UPnP-enabled device on your network. On a PC, svchost usually takes responsibility for UPnP/SSDP-related connections. If you're using default firewall rules, svchost is allowed to make outbound connections, so seeing your inbound connections as a response is not really surprising.

If you're not using UPnP, in addition to disabling the option in your router, you can open services.msc from Start/Run and disable the UPnP and SSDP services.

Quote
View Active Connections showed a connection to 188.121.36.239:80 (after the alerts stopped... may or may not be related).

Unlikely, the address belongs to GoDaddy, so this is probably a certificate check. Just another normal part of the OS connectivity.

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”
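
Added example, not part of any post in this thread: the advice above to know where the TCP 2869 connections are coming from, applied to log entries in the "Field - Value" layout aguyonapc posted. The sample entries are constructed, and the 192.168.0.0/24 subnet and the 203.0.113.7 off-LAN source are assumptions for illustration.

```python
import ipaddress

# Constructed sample events in the "Field - Value" layout posted in the thread.
# The second event uses a documentation address (203.0.113.0/24) as a
# stand-in for a source that is not on the local subnet.
SAMPLE_LOG = """\
Action - Blocked
Protocol - TCP
Source IP - 192.168.0.1
Source Port - 1099, 1100, 1101, 1102, 1103
Destination IP - 192.168.0.10
Destination Port - 2869

Action - Blocked
Protocol - TCP
Source IP - 203.0.113.7
Source Port - 40112
Destination IP - 192.168.0.10
Destination Port - 2869
"""

def parse_events(text):
    """Split blank-line separated blocks into dicts of field -> value."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if " - " in ln]
        events.append(dict(ln.split(" - ", 1) for ln in lines))
    return events

def classify(event, lan="192.168.0.0/24", upnp_port=2869):
    """Label an inbound event by whether its source is on the local subnet.
    The default subnet is an assumption; pass your own LAN range."""
    if event.get("Protocol") != "TCP" or int(event["Destination Port"]) != upnp_port:
        return "not-upnp-eventing"
    src = ipaddress.ip_address(event["Source IP"])
    if src in ipaddress.ip_network(lan):
        return "lan-source"      # e.g. the router sending event notifications
    return "off-lan-source"      # UPnP eventing is a LAN protocol: keep blocked, investigate

def summarize(text, lan="192.168.0.0/24"):
    """Return (source IP, number of source ports listed, label) per event."""
    rows = []
    for ev in parse_events(text):
        ports = [p for p in ev["Source Port"].split(",") if p.strip()]
        rows.append((ev["Source IP"], len(ports), classify(ev, lan)))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A changing source port with a fixed source address, as in the posted log, only means the sender opened a new connection for each attempt; the source address is the field that decides the label.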