Here's A Weird One

WIN XP SP3 Comodo ver. 3.12.111745.560 Firewall only active.

This showed up in my log file today after a resume from standby. Have no clue what generated it. I am concerned since port 2171 is assigned to XP’s firewall that is also disabled. Never had anything using localhost other than JAVA.

10/23/2009 2:45:22 PM C:\WINDOWS\system32\svchost.exe Allowed 2171 2171 UDP

This alert means that service host connected to the machine it works on. The IP address points to the computer itself. You probably have a security program like Avast that scans traffic as a local proxy. Local in this context means at your computer.

What security programs do you have running in the background?

I use unmanaged client Symantec Endpoint 11.4 for AV and HIPS (Proactive Threat). Never installed its firewall since it’s really Sygate’s Enterprise one designed for managed operation. Proactive Threat is set to default settings which means parts of its real time scanner are not constantly running.

Again I never saw this type of log entry in the four months since I have been running Comodo’s firewall.

Question is why it originated from svchost? Wonder if I should get rid of the Comodo svchost firewall rules I have since I don’t really trust them. Presently, I have the inbound/outbound rules for my trusted network and the single allow all outbound rule defined. Wonder if I should just create outbound rules for UDP 53 (DNS) and port 123 (MS time) to my router only and TCP to ports 80, 443?

This appears to be PnP activity. I noticed an XP event log message appears every time I resume from standby about Windows Image Acquisition service starting. I know that exists from past connection of my digital camera.