Comodo Firewall blocking svchost.exe hundreds of times. Help please?


I’m concerned about some behavior from Comodo Firewall. Lately the firewall has begun blocking svchost.exe hundreds of times a day. I have no idea what this could be, and would like to know its origin and if I should be concerned. Any tips on how to deal with this would be greatly appreciated.

I’m including a screen cap for a better idea of what I’m seeing. I will answer any further questions you have if more info is needed.



Could you go to Start → All Programs → Accessories → Command Prompt, then type "ipconfig /all" and post a screen cap?



I’m guessing is your router? If so, you need to find out if there’s some function of the router causing these connections, and also check if port 2051 is open. It may also be useful to find out which svchost process these connections are being directed to. You can do that by opening a command prompt and typing:

netstat -ano

Look down the Local Address column until you find then look across to the right to find the PID (last column). Once you have that, type:

tasklist /svc

Find the PID and then identify the services associated with the instance of svchost with that PID.

Just out of interest, are you using any VoIP/SIP devices?
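The netstat/tasklist lookup described in the post above, as an added example that is not part of the original thread: Python that joins saved output of netstat -ano and tasklist /svc on PID to show which services sit behind a local port. The sample output, its addresses and port 68 are constructed for illustration, and owners_of_port is a hypothetical helper name.

```python
import re

# Constructed sample output (not taken from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49210      203.0.113.7:443        ESTABLISHED     4120
  UDP    0.0.0.0:68             *:*                                    1044
  UDP    [::]:5355              *:*                                    1300
"""
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                   1044 AudioSrv, Dhcp, eventlog,
                                   lmhosts
svchost.exe                   1300 Dnscache
firefox.exe                   4120 N/A
"""

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, pid) from `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        # UDP rows have no State column, so take the PID from the last field.
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            addr, _, port = f[1].rpartition(":")  # also handles [::]:5355
            yield f[0], addr, int(port), int(f[-1])

def parse_tasklist(text):
    """Return {pid: (image, [services])} from `tasklist /svc` output."""
    procs, last = {}, None
    for line in text.splitlines():
        # Image names may contain spaces, so anchor on the numeric PID token.
        m = re.match(r"(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            last, svc_text = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif last is not None and line[:1].isspace() and line.strip():
            svc_text = line  # wrapped continuation of the previous service list
        else:
            continue  # header, ruler or blank line
        procs[last][1].extend(s.strip() for s in svc_text.split(",")
                              if s.strip() not in ("", "N/A"))
    return procs

def owners_of_port(netstat_text, tasklist_text, port):
    """Join both listings on PID for every socket bound to local `port`."""
    procs = parse_tasklist(tasklist_text)
    return [(proto, addr, pid, *procs.get(pid, ("<unknown>", [])))
            for proto, addr, lport, pid in parse_netstat(netstat_text) if lport == port]
```

On a live system, running tasklist /svc /fo csv gives comma-separated output that avoids the wrapped-line handling.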

It’s a bit of a mystery, but it seems your preferred wireless IP address is changing every couple of minutes. It is almost surely router related. If it doesn’t cause any connectivity issues I would create a block rule to stop the logging, and carry on. Maybe someone else can shed some light on it.

This is what I found in reference to the source port coming from your default gateway:

Port 2051/udp is used for the epnsdp service. An example would be when accessed by a web service. Port 2051/udp may be used for several services including EPNSDP and more. Port 2051/udp is known to have vulnerabilities caused by trojans and remote code execution.

Note that not all transport layers use network ports; for example, although UDP and TCP use ports, ICMP does not. By default, the firewall should disallow traffic to port 2051/udp until all security checks have been passed. If an application cannot listen on port 2051/udp, the port 2051/udp is already in use by another application causing the conflict.

Thanks for the replies. Bear in mind I’m almost a noob when it comes to this kind of thing. I know how to follow directions and find my way around if told how to, but other than that I don’t know what any of this means really.

Moving on, I did a netstat -ano in the command prompt and I’m not seeing at all. Seeing a lot of, though. I’m guessing is my router as well. I don’t personally use any VoIP services on my computer, but I’m at a house where I believe someone might on theirs (still not sure as they are not home). However I’m still using my computer and I could check the router if needed, but not sure what to look for. I don’t know what SIP is.

I’m using a legal p2p app but that port number isn’t listed as the one being used by it. Not sure what else it could be.

I don’t really have big connectivity problems at this location, other than an occasional dropping of the connection, but I just refresh a page immediately when I get a web page not loading error and it comes back. However, I don’t notice that the internet access icon in the sys tray is changing to disabled or disconnected.

Should I go ahead and block port 2051/udp?

I think we need a little clarification about your network. You mentioned you share a house; could you find out the IP addresses of the other PCs connected to your network? Could you also post the output of the netstat -ano? It would also be helpful to know the make and model of the router.

SIP is the Session Initiation Protocol and it’s used by devices that use VoIP. Usually SIP uses different ports to the one we’re seeing here, but there are some manufacturers that use 2051.


There is only one other PC that would connect to the router where I’m staying, and it has been turned off for the duration I’ve been here.

As for everything else, the router is a Netgear WNR1000 v2. Also, the netstat is too long to take a screen cap of, so I will post a word doc of it since I know of no better way.


Just out of interest, from your netstat, the process with PID 3484, is that svchost? If so, can you run the tasklist /svc and tell me which services are associated with it? In the meantime, it might be worth rebooting your router, assuming you haven’t already done so.

I’m really not sure. I did a netstat again but I didn’t see 3484. Also did the tasklist and can’t see it there either.

I did reboot the router by power cycling the modem and router, however, and so far I haven’t seen any blocked connections. It hasn’t been very long, though.

What could rebooting have done?

Is anything becoming clearer at all? I still have no idea what port 2051 is for or what epnsdp means.

Thanks again for the help.

Unfortunately, port 2051 has a number of different services associated with it, but it may also have been purely coincidental. From the look of the first image you posted, your router got caught in some kind of loop, sending packets to IP addresses from the standard block, incrementally. As to the why, at this time it’s impossible to say. I’d suggest keeping an eye on things and if the problem reoccurs, let us know.

Sounds good. Thanks everyone. :wink:

Ok, started getting the same thing again today. New log is attached.


So, it’s been quiet since yesterday, but now it’s just started again? What changed? Is the address of your PC in the list of destinations?

Which one is the address of my PC? The one the ISP assigns me, the one for my computer or the router? I’m a little confused…

Nothing has changed afaik.

When you type ipconfig /all at a command prompt it shows your IPv4 Address about halfway down. Yesterday it was is it the same?

Just to be clear, after you rebooted the router yesterday these connections stopped, but sometime today they started again. Was this after using the PC for a while, immediately after switching on…

Basically, it looks like your router, for whatever reason, is trying to make connections by cycling through IP addresses that may or may not exist (you said yours was the only PC?), so all fingers point towards something on the router misbehaving.

Right now it says

The connection attempts started after a while, not immediately.

Think I should maybe contact Netgear further about this? Not worry about it? Does it look like malware to you?

I think it’s certainly worth checking with Netgear, failing that, we’ll have to think again.