I’m concerned about some behavior from Comodo Firewall. Lately the firewall has begun blocking svchost.exe hundreds of times a day. I have no idea what this could be, and would like to know its origin and if I should be concerned. Any tips on how to deal with this would be greatly appreciated.
I’m including a screen cap for a better idea of what I’m seeing. I will answer any further questions you have if more info is needed.
I’m guessing 192.168.1.1 is your router? If so, you need to find out if there’s some function of the router causing these connections, and also check if port 2051 is open. It may also be useful to find out which svchost process these connections are being directed to. You can do that by opening a command prompt and typing:
Look down the Local address column until you find 192.168.1.1:2051, then look across to the right to find the PID (last column). Once you have that, type:
Find the PID and then identify the services associated with the instance of svchost with that PID.
Just out of interest, are you using any VoIP/SIP devices?
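The lookup described in the steps above (port to PID, then PID to the services inside that svchost instance) as a single PowerShell script. This is an added example, not part of the original posts; it uses the built-in Get-NetUDPEndpoint, Get-NetTCPConnection and Win32_Service, and the function name Get-PortOwner is hypothetical.

```powershell
# Added example (not from the thread). 2051 is the port shown in the firewall log.
param([int]$Port = 2051)

function Get-PortOwner {   # hypothetical helper name
    param([int]$Port)

    # Collect every endpoint that involves the port. UDP endpoints only have a
    # local side; TCP connections can match on the local or the remote port.
    $endpoints = @(
        Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -eq $Port } |
            Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
        Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port } |
            Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    )

    foreach ($ep in $endpoints) {
        $procId = [int]$ep.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue

        # PID 0 (idle) and 4 (System) host no services. Skipping them matters:
        # stopped services report ProcessId 0, so filtering on 0 would list them all.
        $services = @()
        if ($procId -gt 4) {
            $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
                ForEach-Object { $_.Name })
        }

        [pscustomobject]@{
            Proto    = $ep.Proto
            Local    = '{0}:{1}' -f $ep.LocalAddress, $ep.LocalPort
            PID      = $procId
            Process  = $proc.ProcessName
            Services = $services -join ', '
        }
    }
}

Get-PortOwner -Port $Port | Format-Table -AutoSize
```

An empty result means nothing on the PC is currently bound to or connected on that port.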
It’s a bit of a mystery, but it seems your preferred wireless IP address is changing every couple of minutes. It is almost surely router related. If it doesn’t cause any connectivity issues I would create a block rule to stop the logging, and carry on. Maybe someone else can shed some light on it.
This is what I found in reference to the source port coming from your default gateway:
Port 2051/udp is used for the epnsdp service. An example would be when accessed by a web service. Port 2051/udp may be used for several services including EPNSDP and more. Port 2051/udp is known to have vulnerabilities caused by trojans and remote code execution.
Note that not all transport layers use network ports; for example, although UDP and TCP use ports, ICMP does not. By default, the firewall should disallow traffic to port 2051/udp until all security checks have been passed. If an application cannot listen on port 2051/udp, the port 2051/udp is already in use by another application causing the conflict.
Thanks for the replies. Bear in mind I’m almost a noob when it comes to this kind of thing. I know how to follow directions and find my way around if told how to, but other than that I don’t know what any of this means really.
Moving on, I did a netstat -ano in the command prompt and I’m not seeing 192.168.1.1:2051 at all. Seeing a lot of 192.168.1.82, though. I’m guessing 192.168.1.1 is my router as well. I don’t personally use any VoIP services on my computer, but I’m at a house where I believe someone might on theirs (still not sure as they are not home). However I’m still using my computer and I could check the router if needed, but not sure what to look for. I don’t know what SIP is.
I’m using a legal p2p app but that port number isn’t listed as the one being used by it. Not sure what else it could be.
I don’t really have big connectivity problems at this location, other than an occasional dropping of the connection, but I just refresh a page immediately when I get a web page not loading error and it comes back. However, I don’t notice that the internet access icon in the sys tray is changing to disabled or disconnected.
I think we need a little clarification about your network. You mentioned you share a house; could you find out the IP addresses of the other PCs connected to your network? Could you also post the output of the netstat -ano? It would also be helpful to know the make and model of the router.
SIP is the Session Initiation Protocol and it’s used by devices that use VoIP. Usually SIP uses different ports to the one we’re seeing here, but there are some manufacturers that use 2051.
Just out of interest, from your netstat, the process with PID 3484, is that svchost? If so, can you run the tasklist /svc and tell me which services are associated with it. In the meantime, it might be worth rebooting your router, assuming you haven’t already done so.
Unfortunately, port 2051 has a number of different services associated with it, but it may also have been purely coincidental. From the look of the first image you posted, your router got caught in some kind of loop, sending packets to IP addresses from the standard 192.168.1.0/255.255.255.0 block, incrementally. As to the why, at this time it’s impossible to say. I’d suggest keeping an eye on things and if the problem reoccurs, let us know.
When you type ipconfig /all at a command prompt it shows your IPv4 Address about halfway down. Yesterday it was 192.168.1.86. Is it the same?
Just to be clear, after you rebooted the router yesterday these connections stopped, but sometime today they started again. Was this after using the PC for a while, immediately after switching on…
Basically, it looks like your router, for whatever reason, is trying to make connections by cycling through IP addresses that may or may not exist (you said yours was the only PC?), so all fingers point towards something on the router misbehaving.