connection unstable (blocked)

Hi,

I have a broadband connection through a DLink modem which itself also acts as a DHCP server, so that the modem itself has the address 10.1.1.1 and my other computers connected to it have 10.1.1.2, etc.

The installed Comodo firewall blocks the internet connection at unpredictable intervals, maybe half an hour or 2-3 hours or even longer, and sometimes it is OK for the whole day. I checked the log info. The most likely related log entries are:
Access denied for application svchost.exe with parent services.exe broadcasting 255.255.255.255 with bootp(67?), or
Access denied for application svchost.exe with parent services.exe, destination 10.1.1.1 bootp (67), or
Access denied for application svchost.exe with parent services.exe, destination 10.1.1.1 dhcp (68)

The problem is that I could not (correctly) set up the Application Monitor for svchost.exe and services.exe, NOR set up Network Monitor rules to solve this problem. Even when I let all applications in the Application Monitor PASS Comodo, the result was NOT successful.

Sometimes I clicked the “turn off” Application Monitor checkbox, and even though there were NO svchost.exe or services.exe applications listed, it worked (the connection was OK). Sometimes the only solution was to shut down the Comodo Firewall and turn it on again. It would work for a while and then, after an unpredictable time span, it would be blocked again.

I also set up a trusted network (through the Tasks panel, result shown in the Network Monitor panel) for the internal network, with address 10.1.0.0 and mask 255.255.0.0. It still did NOT work.

Please help: what’s going on and how can I solve it?

Btw, I think the thread https://forums.comodo.com/index.php/topic,6880.0.html describes the same problem as mine. And I guess this is quite a common problem.

thanks

Hi,

To put it more simply and specifically, after investigating, the question could be described as:
The Application Monitor has ALLOWed srchost.exe (parent: services.exe) to pass CFP, but the connection to the internet modem (with addr: 10.1.1.1) is still blocked. But once I set the Application Monitor to “turn off”, within 15 seconds, the connection is established immediately.

OK, here is the message I found in the log before connected:
Application Monitor:
Application Access Denied (svchost.exe:10.1.1.1: :dhcp(68))
Application: C:\Windows\System32\srchost.exe
Parent: C:\Windows\System32\services.exe
Protocol: UDP In
Destination: 10.1.1.1: :dhcp(68)

The setting for svchost.exe and services.exe in Application Monitor is:
Application: c:\windows\system32\srchost.exe (edited: should be svchost.exe)
(checked) Specify a parent
Parent Application: c:\windows\system32\services.exe
(checked) Apply the following criteria
Tab – General:
Action: Allow
Protocol: TCP or UDP
Direction: In/Out
Tab – Destination IP:
Any
Tab – Destination Port
Any
Tab Miscellaneous – All unchecked

My OS: Windows 2003 Server SP1
My internal network connection on the same machine, through a second NIC (192.168.x.x), is connected totally smoothly

Question:
Is there any hidden force in the Application Monitor which blocks the internet connection, even though I have set srchost.exe to pass on both TCP and UDP, until I turn the Application Monitor off? How can I solve this problem, as the Application Monitor in CFP should not be turned off, otherwise the Application Monitor loses its function?

Help! Help Needed!!

thanks a lot

I thought srchost.exe is a backdoor trojan and svchost.exe is the Windows process.

Following the other thread you referenced, have you disabled Protocol Analysis and rebooted like Pandlouk suggested? (Security → Advanced → Advanced Attack Detection and Prevention → Configure → Miscellaneous)
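The name check raised in the reply above (a one-letter lookalike of svchost.exe) can be run mechanically over Application Monitor entries. This is an added example, not code from the thread or from Comodo; the allowlist, the distance threshold of 2 and the sample entries are assumptions constructed for illustration.

```python
import re
from ntpath import basename, dirname
# Assumed allowlist for this example: system binary -> (folder, expected parent or None).
KNOWN = {"svchost.exe": (r"c:\windows\system32", "services.exe"),
         "services.exe": (r"c:\windows\system32", None)}
# Constructed entries in the log layout quoted in the thread (not real log data).
SAMPLE_LOG = r"""Application: C:\Windows\System32\srchost.exe
Parent: C:\Windows\System32\services.exe
Destination: 10.1.1.1: :dhcp(68)

Application: C:\Windows\System32\svchost.exe
Parent: C:\Windows\System32\services.exe
Destination: 10.1.1.1: :bootp(67)

Application: C:\Windows\Temp\svchost.exe
Parent: C:\Windows\explorer.exe
Destination: 10.1.1.1: :dns(53)
"""

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def parse_entries(text):
    """Split the log into blank-line separated entries of 'Key: value' fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip().lower(): v.strip() for k, sep, v in pairs if sep})
    return entries

def findings(entry):
    """Reasons the entry's image looks wrong; an empty list means nothing odd."""
    image, parent = entry.get("application", ""), basename(entry.get("parent", "")).lower()
    name, folder = basename(image).lower(), dirname(image).lower()
    if name not in KNOWN:
        near = [k for k in KNOWN if edit_distance(name, k) <= 2]  # threshold is an assumption
        return [f"{name} is a lookalike of {near[0]}"] if near else []
    want_folder, want_parent = KNOWN[name]
    out = [f"{name} runs from {folder}, expected {want_folder}"] if folder != want_folder else []
    if want_parent and parent != want_parent:
        out.append(f"{name} has parent {parent}, expected {want_parent}")
    return out

def triage(text):
    return [(e.get("application", ""), findings(e)) for e in parse_entries(text)]
```

`triage(SAMPLE_LOG)` flags the first entry for its name and the third for its folder and parent; a flagged name only says the entry deserves a look at the file on disk, since a mistyped name in a rule or a post produces the same result.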

“srchost.exe is a backdoor trojan and svchost.exe is the Windows process”

Sorry, my typo :( The “srchost.exe” should be “svchost.exe”.
The original post has also been corrected to “svchost.exe”.

“have you disabled Protocol Analysis and rebooted like Pandlouk suggested?”
I previously tried Pandlouk’s solution in https://forums.comodo.com/index.php/topic,6758.0.html (but did not restart the machine).
Because even when I kept Protocol Analysis enabled previously, the connection would be all OK when Windows started, and the problem would happen after an unpredictable time span, like half an hour to several hours. So this time, I disabled Protocol Analysis and restarted Windows. The connection is OK for now, but I need some time to prove it.

OK, I will report the result afterwards

thanks

OK, this is the result:

After several hours of testing, OK, the connection icon SEEMS to be established stably, but the problem then is that my browser Opera could not connect to the internet. The Application Monitor allows Opera for both TCP and UDP In/Out for any source and dest IP and ports, but CFP always blocks Opera. And once I turn the Application Monitor “OFF”, then immediately Opera can go onto the internet.

The log info shows:
Reporter: Application Monitor
Description: Application Access Denied (Opera.exe:10.1.1.1: :dns(53))
Parent: C:\windows\explorer.exe
Protocol:UDP Out
Destination: 10.1.1.1 :: dns(53)

Really lost in CFP.

Why, when I let Opera go in the Application Monitor, would it still be blocked?

What is the logic for the Application Monitor and the Network Monitor? Which one is applied first? If I set Opera to GO in the Application Monitor but BLOCK the TCP protocol in the Network Monitor, can Opera still go onto the internet for surfing?

Sometimes I turn off the Application Monitor, and then Opera works. But sometimes I even need to turn off the whole CFP.

Is there any specific tip for this problem?

thanks

Opera requires TCP loopback. By default, CFP checks for this connection type and if you happened to deny an alert similar to “Opera is trying to act as a server”, it will block it. You can refer to this link to see if that fixes it. A restart of Opera may be necessary.

It’s strange how there are no block rules of svchost.exe or Opera in your Application Monitor…

Note: Opera does not and should not require incoming connections, so you should tighten your rules.