After sleep, always asked to approve a connection

Every time my computer is started from a sleep state, I am asked to approve the connection shown in the attached pic. It is from the NAS device on my LAN.

Every time I allow it, I have it checked to “remember,” but still get asked the next time.

Why, and is there any way to get it to accept this as an OK connection?

[attachment deleted by admin]

And I also just noticed that the logs have nothing in them except for Defense+.
But I have received these alerts every day; how can there be nothing?

All of the items on the right side of the ‘home’ logs page show 0 (zero) instances.

Astounded at the lack of response. :frowning:

The default application rule for svchost.exe is part of a rule for a group of programs.

You need to make a separate rule for svchost.exe. When done, make sure that it is somewhere above the Windows System Applications rule, so that it gets triggered before CIS processes the Windows System Applications rule.

Thanks.

Should I enter the rule applying the ruleset “Allowed Application” or a custom of some sort?

Is there any danger in doing this, as in, can svchost ever be used by malware to host a piece of itself?

Well, what I did did not work.
I found svchost.exe in 2 places:
C:\Windows\WinSxS\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.3.9600.16384_none_4a5b1e2820e75323\svchost.exe
and
C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.3.9600.16384_none_a679b9abd944c459\svchost.exe.

I put both of these in firewall rules as a file, at the very top, set to ruleset “Allowed application.”

Still get the alert, but I THINK with a different port number each time.

Those are not the correct svchost in the Windows Side by Side folder.

The proper path is:
C:\Windows\System32\svchost.exe
&
C:\Windows\SysWOW64\svchost.exe

Well this is interesting on a couple of fronts…
First, my search program, which I LOVED up to this point (Search Everything), did not find those two locations as holding svchost.exe. Have never had it fail before.

When I looked for them with File Explorer, it took Windows 8.1 a LONG time to load the directories.

At any rate, I confirmed that it was in both of those directories, and proceeded to put them into Comodo, deleting the previous two. The SysWOW64 entry went in fine, but the System32 entry resulted in a “this already exists” message.

Result after sleep awake with the new entry in (and the other one said to be already there) is still getting the alert.

I did confirm that the port number was different. Also confirmed that the one throwing the alert is the one in System32.

Maybe some kinda broadcast from the NAS for mapping the network. Can you post a firewall log after the next time it does this? Also, providing some information on the NAS device could be helpful.

------------------- Export of Log ------------------
COMODO Internet Security Premium Logs
Table

Date Created 2015-02-20 08:26:50
1
Flags Treat As

Date 2015-02-20 08:21:04
Type Firewall Alert
Description svchost.exe is trying to receive a connection from the Internet

Advice svchost.exe is a safe application. However you are about to receive a connection from another computer. If you are not sure what to do, you should block this request.

Answered 2015-02-20 08:21:17

Answer Allow
------------- End of The Report --------------------------

NAS is a WD “My Cloud”, Firmware Version 04.01.02-417

Well, I’ve solved it, but may have made computer more vulnerable in doing so…

I found the /System32/svchost.exe entry in the rules…
(boy, I wish there was a search function in these tables!)

I changed it from a custom set to “Allowed Application”, and I no longer get the alerts. I probably should have figured out a rule to add rather than allowing anything the application wants to do, but I wouldn’t know what to add anyway.

If you mean in the application rules for the firewall then there is, check screenshot.

[attachment deleted by admin]

Well, you learn something new all the time. There it is.

I forgot to mention, you can also press CTRL+F to open the search field.

That’s an alert log, not the firewall log, which would have the full socket information for making a refined rule. And you can filter the log by clicking the

. You can see more about filtering here: Filtering Firewall Logs, Virus Protection Software | Internet Security

"The Firewall logs can be viewed by selecting ‘Firewall Events’ from the ‘Show’ drop-down of the log viewer interface. "

^^ That’s exactly what I did. I looked again at the ‘view logs’ page, and I do not see any way to get to a different firewall log than the one I opened before. And the help pages seem to describe exactly what I did.

How does one get to this different log you are referring to?

Here is the only different info I can find, but it is from the same window…

2015-02-21 16:07:13 C:\Windows\System32\svchost.exe Asked In UDP 192.168.0.208 56222 192.168.0.231 64897

I don’t see socket info here though. Can you give me the drill down to the info you are referring to?

A socket is the pairing of IP:Port. What are global rules & System Rule like? Did you ever define a trusted network zone?

There is a Home#1 zone defined, but it seems to only contain "IP (and IP6) IN to [my laptop IP]".

I did Chiron’s setup and don’t think I missed anything, but above is all there is.

I deleted the previous “Allowed app” rule for svchost.exe and replaced it with the image.
Should this be less restrictive? More restrictive?
With this rule, I do not get the alerts.

[attachment deleted by admin]

That will work; however, if you had a trusted network zone you shouldn’t have gotten the pop-up to begin with, as long as you haven’t removed svchost from the system group.
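
Added example, not part of the original thread and not Comodo tooling: a sketch of how several firewall event lines like the one quoted earlier can be compared to see which fields stay constant between alerts, and so which can be pinned in a custom svchost.exe rule narrower than “Allowed Application”. It assumes the columns after the application path are action, direction, protocol, source IP, source port, destination IP, destination port; the second and third sample lines are constructed, and `parse_event` and `refine_rule` are hypothetical helper names.

```python
import ipaddress
from collections import defaultdict

# First line is the event quoted in the thread; the other two are constructed
# for illustration (same hosts, different ports).
SAMPLE_LOG = r"""
2015-02-21 16:07:13 C:\Windows\System32\svchost.exe Asked In UDP 192.168.0.208 56222 192.168.0.231 64897
2015-02-22 07:58:41 C:\Windows\System32\svchost.exe Asked In UDP 192.168.0.208 51734 192.168.0.231 60112
2015-02-23 08:03:09 C:\Windows\System32\svchost.exe Asked In UDP 192.168.0.208 49877 192.168.0.231 58340
"""

# Assumed column order after the application path.
FIELDS = ("action", "direction", "protocol", "src_ip", "src_port", "dst_ip", "dst_port")

def parse_event(line):
    """Parse one event line. The path may contain spaces, so split from both ends."""
    date, time, rest = line.split(None, 2)
    parts = rest.rsplit(None, len(FIELDS))
    if len(parts) != len(FIELDS) + 1:
        raise ValueError("unexpected column count: %r" % line)
    event = dict(zip(FIELDS, parts[1:]), app=parts[0], when=date + " " + time)
    for key in ("src_ip", "dst_ip"):
        ipaddress.ip_address(event[key])      # raises ValueError if malformed
    for key in ("src_port", "dst_port"):
        event[key] = int(event[key])
        if not 0 <= event[key] <= 65535:
            raise ValueError("port out of range: %r" % line)
    return event

def refine_rule(log_text, min_events=2):
    """Per application: fields that never vary are pinned, the rest become 'Any'."""
    seen = defaultdict(lambda: defaultdict(set))
    counts = defaultdict(int)
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_event(line)
        counts[event["app"]] += 1
        for field in FIELDS[1:]:              # skip 'action': it is the answer, not the traffic
            seen[event["app"]][field].add(event[field])
    rules = {}
    for app, columns in seen.items():
        if counts[app] < min_events:          # one event cannot show what varies
            continue
        rules[app] = {f: next(iter(v)) if len(v) == 1 else "Any"
                      for f, v in columns.items()}
    return rules

if __name__ == "__main__":
    for app, rule in refine_rule(SAMPLE_LOG).items():
        print(app, rule)
```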