Comodo doesn't always recognise svchost.exe?

Hi,
I have an XP machine with SP2 and I am on a broadband connection behind a Linksys wireless router. Twice today I have had pop-ups from Comodo saying it was unable to recognise svchost.exe as it tried to connect to the internet from 255.255.255.255 UDP bootp(67). I blocked the request each time but then could not connect to the internet. I then tried to launch my browser (Firefox) and Comodo asked if I wanted to allow “the safe file” svchost.exe with the same connections.
I have checked the firewall log and the initial blocks were not recorded so have no idea what is going on. Is this some kind of bug? Or is some kind of malware trying to disguise itself as svchost.exe which Comodo won’t recognise?
Any help would be much appreciated.
Thanks Souzapet

Ports 67 and 68 are used to get you an IP address from your DHCP server. The first UDP message is usually from 0.0.0.0 port 68 to 255.255.255.255 port 67 and is a broadcast message asking if anyone out there is a DHCP server. Then a UDP ack comes back from your router address (192.168.1.1) port 67 to 255.255.255.255 port 68 with the IP address. So you blocked one or the other and didn’t get an IP address. The ones you blocked sometimes show as coming from Windows Operating System, sometimes svchost.exe. You then tried to use Firefox, which discovered there was no Internet connection and tried again to get one, again using svchost.exe which worries about DHCP services. I don’t know why CFP3 doesn’t treat these things more consistently. And log them more consistently. There are bug reports on these topics in process, but don’t know the status of the next release; Comodo hasn’t announced anything yet. For now they are mostly just a nuisance when chasing down issues. :frowning:
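Added example, not part of the original thread: a small Python check that a UDP payload captured on ports 67/68 really is the DHCP exchange described in the reply above, rather than some other traffic on those ports. The function names and the sample packets are constructed for illustration; in practice the payload bytes would come from a packet capture.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the DHCP options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Return (op, xid, message type); raise ValueError if not well-formed DHCP."""
    if len(payload) < 240:
        raise ValueError("shorter than BOOTP header plus magic cookie")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if op not in (1, 2):  # 1 = BOOTREQUEST, 2 = BOOTREPLY
        raise ValueError("bad op field")
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing magic cookie")
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if payload[i] == 53 and length == 1:  # option 53 = DHCP message type
            return op, xid, MSG_TYPES.get(value[0], "OTHER")
        i += 2 + length
    raise ValueError("no message type option")

def classify(src_port, dst_port, payload):
    """Label a UDP datagram seen on ports 67/68."""
    try:
        op, _xid, mtype = parse_dhcp(payload)
    except ValueError as exc:
        return "not DHCP: %s" % exc
    if (src_port, dst_port, op) == (68, 67, 1):
        return "DHCP client " + mtype
    if (src_port, dst_port, op) == (67, 68, 2):
        return "DHCP server " + mtype
    return "DHCP payload on unexpected ports/direction"

def build_sample(op, xid, mtype):
    """Constructed test packet: minimal BOOTP header plus option 53."""
    header = struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(228)
    return header + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    print(classify(68, 67, build_sample(1, 0x1234ABCD, 1)))
    print(classify(67, 68, build_sample(2, 0x1234ABCD, 5)))
    print(classify(68, 67, b"\x00" * 300))
```
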

Be sure your router is fully stealthed. That should be your first line of defense.

Thank you both for the replies.
Does svchost.exe need to be allowed ICMP?
Have checked my set up on Shields Up and it showed my computer was fully stealthed. My router is configured not to reply to “casual” pings, etc. Is that what you meant?
I think I’m also in a “training-with-safe-mode” just now, so am willing to learn what is and what isn’t safe practise. :slight_smile:
Thanks
Souzapet

I’m still having the occasional hiccup with my internet connection and svchost.exe, but a reboot seems to sort everything out most of the time.
I’m puzzled as to why svchost.exe would be “using” ICMP - the entry in my firewall log was:
C:\windows\system32\svchost.exe asked icmp 192.168.1.101 Type(8) 192.168.1.1. code (0)
Was it just a harmless ping to any possible network from my router? Or was it anything I should worry about?
It’s only happened once in the last week and never since then.
I’m paying more attention to what’s going on in the hope that I’ll learn more!
Any help or answers appreciated.
Thanks,
Souzapet

Probably just your router pinging to see who was still out there. Not always easy for a router to tell who is still on the network between lease renewals.