Ok so I’m new to Comodo firewall and I have a few questions I hoped someone can answer. I just installed Comodo and I got a message asking if I should let scvhost.exe accept a connection from another computer. I blocked it but don’t know if I should have. Also I’m getting intrusion attempts; the application is Windows Operating System, the source IP is 192.168.1.1 and the destination IP is 192.168.1.4. I was also wondering if it’s normal for svchost to have a bunch of UDP connections every time I go to a different web page (I can get up to 300 outbound connections if I go to a few sites)? Any help is greatly appreciated.
The general thought on these forums in regard to svchost is to have it set to outgoing only in the Firewall Rules. Firewall > Advanced > Network Security Policy > right click on svchost and click Edit, and in the box put a tick in the Predefined Policy checkbox and from the scroll down list choose Outgoing Only > Apply > OK and OK.
I personally would advise any new beginner to apply the Firewall and Defence+ tutors posted by Kyle in the Guides section in these Forums in order to be really secure.
Thanks, I’ll read the guides you mentioned.
Edit: OK, so I read the firewall guide, but I still don’t understand why I keep getting intrusion attempts roughly every 15 minutes; the source IP is the same for all of them.
Can you post a screenshot of the firewall logs?
This might sound stupid but do I go to “view firewall events” to view logs?
Can you tell us a bit more about your network set up? Are you on cable or ADSL? Is there a router in the network? It may be part of the ADSL modem. Do you have any open ports on your router (in case there is a router in the network)?
Can you post a screenshot with the Firewall Events window being maximised? This way I can see what system file is involved.
I can tell for now that the traffic on port 1900 UDP is a broadcast by, most likely, a router for Universal Plug and Play. It is the router calling for UPnP enabled devices to see if there are responses. The traffic on port 2869 TCP is also part of UPnP traffic. Nothing to worry about.
I allowed broadcast traffic in my Global Rules. I will say more about it after this.
Ports 67 and 68 are Bootstrap Protocol (BOOTP) Server; also used by Dynamic Host Configuration Protocol (DHCP).
As Eric stated, port 1900 is Microsoft SSDP, which enables discovery of UPnP devices.
This is all broadcast traffic.
I think I’m on cable, umm I have a modem that connects to my computer through a wireless router. I don’t think I have any open ports.
The system file is scvhost.exe
What’s broadcast traffic? Is there a setting I should change to stop blocking it?
You should also have System set as Outgoing Only.
OK, I just changed it. Should explorer.exe be outgoing only?
Leave Explorer.exe as Custom (default settings).
Oops, I changed it. Do you know how I can change it back?
Mine reads as:
Allow IP out from IP any to IP any where Protocol is 41
One thing that is always good is to back up the configuration (export) to another folder.
That way, your working rules will always be safe should anything happen.
Thanks for all the help so far guys!
I don’t really understand how to change the policy to that.
Firewall/Advanced/Network Security Policy. Locate and select Explorer.exe.
Click Edit/Use custom Policy. Select the top policy shown, click Edit. (Click Add if there is no rule showing)
Source Address: Any
Destination Address: Any
IP Details: (drop down box) Custom (type in) 41
If there are any other rules showing, remove them.
Click OK to use this policy.
Thank you very much.
Happy we could help you.