explorer.exe and svchost.exe firewall question

When I had zonealarm pro, the firewall would always tell me that explorer.exe is connecting to the internet and would have automatic rules for svchost.exe, why doesn’t the comodo firewall have these programs listed in the rules?

edit: well, half of my question was answered, svchost.exe = “windows updater application.”

Greetings!

Now I’m not 100% sure, but I think CFP 3 has a default rule for svchost.exe. If you go to Firewall->Advanced->Network Security Policy->Application Rules, you should find an entry for %windir%\system32\svchost.exe. I think it has access to port 53, 67 and 68 by defualt, I’ve done some modification, so I’m not quite sure.

Now about explorer.exe, I don’t think it will ever need Internet access. explorer.exe is just the GUI for Windows, and it also launches most of the applications.

Cheers,
Ragwing

Sorry for digging up this thread, but I’ve been using Comodo Firewall Pro for 2 months now on Custom Policy Mode and only recently and everytime I start the computer, explorer.exe is requiring access to a port 80.

I blocked it, but the behavior of explorer.exe seems a bit strange, it came out of the blue.

Would anyone happen to know sth about it? I googled, but didn’t find sth.

Thank u!!

Here are my rules.

[attachment deleted by admin]

explorer.exe - in Windows XP, explorer.exe phones home to Microsoft with the results when you use the Search feature. In my setup so far, explorer.exe hasn’t had any legitimate need to access the Internet. Then again, I don’t use Windows Explorer as my main file manager.

svchost.exe - according to Microsoft, “svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).” In Windows XP, svchost.exe will need Internet access when using Windows Update. Giving this exe unrestricted access could result in malware being able to leak out through Microsoft’s BITS service, or through a malware service. As a result of this issue, I have my Alert Frequency Level set to the highest level. You can permanently allow those IPs that belong to Microsoft. However, Windows Update also uses IPs registered to other companies such as Level 3.

and for DNS queries too, if DNS client service is running

Don`t forget DHCP as Ragwing mentioned with regards ports 67 and 68.

It can be confusious ???

I don’t know if this would have any disadvantages, but I have explorer.exe, svchost, dllhost (and internet explorer) all blocked from the internet - in and out.

(If you don’t see this, the above might be the reason).

Same here. I have no need for explorer.exe to access the Internet. Searching for files on my computer work without Internet access. Svchost.exe doesn’t need Internet access if you do like me. As I have a router, I don’t need the DNS Client or DHCP Service, as my router will do it instead. Also, I manually update Windows XP, so no need for BITS to access the Internet.

Cheers,
Ragwing

Well I found out that an application that is hosted under explorer.exe (it could be winword.exe or any other), is trying to connect through explorer.exe to IP adress 131.107.113.76 port 80.

This belongs to host sqm.msn.com, which stands for “Service Quality Monitoring” and apparently means that an application is trying to establish a handshake with Microsoft in order to send some info about errors or sth like that.

I went to Firewall → Common Tasks → My Blocked Network Zones and added host sqm.msn.com.

Never bothered me again :slight_smile:

Could well be Winword, under Tools-Options-General-Service Options. Bit sneaky calling it that and, IIRC, on by default.