Often CPF gives these kinds of HIGH alert warnings (below). Should I be worried about them?
Reporter: Application Behavior
Analysis Description: Suspicious Behaviour (svchost.exe)
Protocol: TCP Out
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.
Date/Time: 2007-09-13 21:23:34
I also get warnings that known apps (Grabit, Winamp, FarCry) have modified or hooked IExplorer, Firefox, Outlook Express, etc. What do these mean?
-Edited by Soya on the log entry to make it clearer-
In the alerts, the suspiciousness of the behavior is measured. This is important to understand, in order to make a decision whether to allow or not. My father got a message of explorer.exe trying to connect to the internet, via iexplore.exe. This happens to everyone, I think. But he didn’t know the functions of explorer.exe; instead he saw the HIGH warning level. Thus he blocked it (without even knowing that a rule was created in the Application Monitor), and was disconnected from the internet.
If you should be worried or not depends, in my opinion, rather on the specific case than the HIGH level of warning.
Known applications that “modify” or “hook” IE, FF etc. just means that they try to connect to the internet via IE, FF etc. This behavior is quite normal, but you should consider if you want to allow them or not. Often they just want to check for updates. But if the program is unknown, or a bit suspicious in general, one should be aware that it may be something that violates your privacy or some spyware.
Hope this clears things up; if not, ask again.
I’ve been having to ‘allow’ upwards of 90 to 100 ‘svchost’ popups every time I’m online.
So far today, in less than 40 minutes, there have been 11 interruptions with a cumulative total of 122 and climbing.
They have become irritatingly incessant, often listing ‘X of 15’ or ‘X of 19’ each time despite all of them seemingly having to do with the same 'Ports 137 or 138 nbname…’
Not only is it annoying—since the ‘warnings’ all say the same thing—but it is becoming fodder for considering ridding myself of Comodo altogether.
Is there any way to:
–stop the repeated interruptions
–have the ■■■■ thing remember my response
–get more specific information regarding each (something more than the usual ‘kernel’ message?)
'Preciate any enlightenment you can give…
The ‘x of 15’ is because we humans are too slow to respond (in regards to computer speed), so the depth of alerts grows. This doesn’t mean there’s more connection attempts, just means that it attempts over & over so fast we don’t get there in time. You can change that # by changing the amount of popups to display at one time in Security/Advanced/Miscellaneous.
While you’re there, make sure you’re using the safelist - check the box next to “Do not show alerts for applications certified…”.
Turn the Alert Frequency level down to Low or Very Low. This is still safe.
Also go to Security/Tasks and run the Scan for Known Applications. Follow the prompts. Reboot when finished.
BTW, the 137 & 138 alerts are related to Windows Services that should be Disabled unless you’re sharing resources (files, printer) on a network (and possibly even then…). Specifically, TCP/IP NetBIOS Helper.
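As an added illustration (not from the thread, and not Comodo's own tooling), a small Python script that parses alert records in the layout quoted at the top of the thread and counts how often the same process/protocol/port signature recurs, which is why a stack of svchost alerts usually collapses to one or two distinct events. The log text is constructed: the first record is the one quoted above, the NetBIOS records and their "Reporter"/"Analysis Description" values are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample in the record layout quoted in the thread. The first record
# is the one from the post; the NetBIOS records are invented for illustration.
SAMPLE_LOG = r"""
Reporter: Application Behavior
Analysis Description: Suspicious Behaviour (svchost.exe)
Protocol: TCP Out
Details: C:\Program Files\Internet Explorer\iexplore.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.
Date/Time: 2007-09-13 21:23:34

Reporter: Network Monitor
Analysis Description: Inbound Policy Violation (svchost.exe)
Protocol: UDP In
Details: Port 137 nbname
Date/Time: 2007-09-13 21:24:01

Reporter: Network Monitor
Analysis Description: Inbound Policy Violation (svchost.exe)
Protocol: UDP In
Details: Port 137 nbname
Date/Time: 2007-09-13 21:24:02
"""

def parse_alerts(text):
    """Split the log into blank-line separated records of 'Key: value' lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def group_repeats(records):
    """Count identical (process, protocol, port) signatures; a high count is one
    event re-alerting faster than a person can answer, not many distinct events."""
    counter = Counter()
    for rec in records:
        proc = re.search(r"\(([^)]+)\)", rec.get("Analysis Description", ""))
        port = re.search(r"\bPort\s+(\d+)", rec.get("Details", ""))
        key = (proc.group(1) if proc else "?", rec.get("Protocol", "?"), port.group(1) if port else "-")
        counter[key] += 1
    return counter
```

Run `group_repeats(parse_alerts(SAMPLE_LOG)).most_common()` against an exported alert list to see which few signatures account for the bulk of the pop-ups before deciding on a rule.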
I appreciate the reply.
I have set the number of pop-ups to 5.
I have been using the safelist.
The Alert level was already set to Very low.
In Services, TCP/IP NetBIOS was stopped and set to Manual. Any other services (specifically) I should consider re-configuring?
Have run the Scan for Known Apps…and re-booted.
Will give it a day or three to see how it goes…and will let you know.
Meantime, thanks so much for the help.
There’s a process for disabling the feature in your connection settings as well, that I can walk you through; there’s also a non-UPnP driver relating to it, which might be helpful.
You can search the 'net for references to Windows tweaks/hacks/services, Black Viper (a website with a lot of such info), or check TechRepublic (they have a good write-up on Services, explaining the different ramifications). There’s a topic on that here as well…
That would be the place to continue that aspect of the discussion.
Thanks for the links.
I made it as far as the flat top on the earlier thread before ya lost me.
It’ll take me a while to wend through the Black Viper and Tech Republic pages, however.
So far, since disabling the TCP/IP NetBIOS service and reconfiguring the settings, the svchost issue has abated somewhat. That is, I’m down to fewer than fifty instances per session.
So I’ll not look my gift horse in the mouth.
Thanks all for your help. Let’s mark this one ‘Resolved’ for now.
If the pop-ups increase again, I’ll be back…at which time I may ask you to walk me through that UPnP driver thingy.
No problem, kas. Just let us know if/how we can help.