The default application rule for svchost.exe is part of a rule for a group of programs.
You need to make a separate rule for svchost.exe. When done make sure that it is somewhere above the Windows System Applications rule to make sure it gets triggered before CIS processes the Windows System Applications rule.
Well, what I did did not work.
I found svchost.exe in 2 places
I put both of these in firewall rules as a file, at the very top, set to ruleset “Allowed application.”
Still get the alert, but I THINK with a different port number each time.
Well this is interesting on a couple of fronts…
First, my search program, which I LOVED up to this point (Search Everything), did not find those two locations as holding svchost.exe. Have never had it fail before.
When I looked for them with File Explorer, it took Windows 8.1 a LONG time to load the directories.
At any rate, I confirmed that it was in both of those directories, and proceeded to put them into Comodo, deleting the previous two. The SysWOW64 entry went in fine, but the System32 entry resulted in a “this already exists” message.
Result after sleep awake with the new entry in (and the other one said to be already there) is still getting the alert.
I did confirm that the port number was different. Also confirmed that the one throwing the alert is the one in System32.
Well, I’ve solved it, but may have made the computer more vulnerable in doing so…
I found the /System32/svchost.exe entry in the rules…
(boy, I wish there was a search function in these tables!)
I changed it from a custom set to “Allowed Application”, and I no longer get the alerts. I probably should have figured out a rule to add rather than allowing anything the application wants to do, but I wouldn’t know what to add anyway.
"The Firewall logs can be viewed by selecting ‘Firewall Events’ from the ‘Show’ drop-down of the log viewer interface. "
^^ That’s exactly what I did. I looked again at the ‘view logs’ page, and I do not see any way to get to a different firewall log than the one I opened before. And the help pages seem to describe exactly what I did.
How does one get to this different log you are referring to?