How to respond to incoming connections

Hi, I’ve been using COMODO for a bit of time. However, I can’t respond properly to some “tricky” alerts. One of them is the incoming connections from system and svchost.exe :cry: I just don’t know when I should allow and when I should block such connections. Please don’t ask me to block all incoming connections, because some of them are necessary for some applications to function properly.
One more thing: I’m part of a network and I have a network drive. Does the whole incoming connection thing have to do with it? Or is it safe to block the incoming connections from system and still be able to access the network drive?

Any help would be appreciated.

Regards, knk2006

It all comes down to identifying the ‘port’ it’s trying to connect to and ‘knowing’ what application/service runs behind that.

Next to that, being in a LAN gives all kinds of network scatter that shows up in the logging or will cause alerts. E.g. by default Windows tries to ‘build’ a list of devices it can find on the network, which shows when you open your network neighborhood; that’s mostly done over UDP 137 and 138. Mostly this is harmless, though it will give someone else a few details about your system, like the computer name and the ‘services’ it’s running, like file server etc. If there are incoming connections for TCP 139 or 445, those are more ‘dangerous’, as that is a connection attempt against your file shares. By default Windows shares your disk(s) as \\Computername\C$; those ‘drive mappings’ happen over the 2 mentioned ports.

So if you have more examples please let me know what ports are involved.

Thank you for your quick response. I have one more concern though. Is it a good practice to block all incoming connections from those two [svchost, system]…? Is that going to affect anything that I should be worried about?

Normally those are not things you have initiated; if an application causes incoming traffic it should be handed to the application, not to svchost or system.

The only case I have seen is if you close a torrent client and clients still think you’re seeding and are trying to connect to your system. Those connections can’t be traced back to any active application and will eventually be handed over to the OS (system) to be dealt with, in most cases with an ICMP port unreachable message or a TCP Reset to the sender, notifying them the torrent can no longer be found here.

If you don’t know what it is, use block and try to figure out what port is used and what traffic that normally is, using e.g. Google to search for ‘tcp 445’ or something similar.
Also make sure to check if the IP is LAN or WAN (Internet), and determine if you trust your fellow LAN users.
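The two replies above boil down to a checklist: identify the port, know what normally runs behind it, check whether the remote address is LAN or WAN, and block anything unsolicited that you cannot explain. The script below is an added example, not part of the thread and not Comodo’s own logic: it labels inbound alerts by the ports named above (UDP 137/138 discovery chatter, TCP 139/445 file shares), classifies the remote address, and applies that advice. The alert lines are constructed for the example and are not Comodo’s log format; treating the RFC 1918 ranges plus link-local and loopback as “LAN” is my assumption of what LAN means here.

```python
import ipaddress

# Ports named in the thread: NetBIOS discovery chatter (UDP 137/138) and the two
# ports over which Windows reaches file shares such as \\Computername\C$.
KNOWN_PORTS = {
    ("udp", 137): "NetBIOS name service (network neighborhood discovery)",
    ("udp", 138): "NetBIOS datagram service (network neighborhood discovery)",
    ("tcp", 139): "NetBIOS session service (file and printer shares)",
    ("tcp", 445): "SMB over TCP (file and printer shares)",
}
DISCOVERY = {("udp", 137), ("udp", 138)}
FILE_SHARES = {("tcp", 139), ("tcp", 445)}

# Assumption: "LAN" means the RFC 1918 ranges plus link-local and loopback.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def is_lan(remote_ip: str) -> bool:
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in LAN_NETWORKS)


def triage(proto: str, port, remote_ip: str, trusted_lan: bool = False) -> dict:
    """Apply the thread's advice to one inbound alert and return the verdict with its reason."""
    key = (proto.lower(), int(port))
    lan = is_lan(remote_ip)
    service = KNOWN_PORTS.get(key, "unknown: look the port up before allowing anything")
    if not lan:
        verdict, why = "block", "unsolicited inbound from the Internet (WAN)"
    elif key in DISCOVERY:
        verdict, why = "block", "LAN discovery chatter; harmless to drop, leaks your computer name if answered"
    elif key in FILE_SHARES and trusted_lan:
        verdict, why = "allow", "LAN host reaching your file shares, and you trust your fellow LAN users"
    elif key in FILE_SHARES:
        verdict, why = "block", "connection attempt against your file shares from a LAN host you do not trust"
    else:
        verdict, why = "block", "unknown port; block first, identify the service behind it, then decide"
    return {"proto": key[0], "port": key[1], "remote": remote_ip, "lan": lan,
            "service": service, "verdict": verdict, "why": why}


# Constructed sample alerts (not a real Comodo log): proto,local_port,remote_ip,process
SAMPLE_ALERTS = """\
udp,137,192.168.1.20,System
tcp,445,192.168.1.20,System
tcp,445,203.0.113.9,System
udp,1900,192.168.1.1,svchost.exe
"""


def triage_log(text: str, trusted_lan: bool = False) -> list:
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, port, remote_ip, process = [f.strip() for f in line.split(",")]
        row = triage(proto, port, remote_ip, trusted_lan)
        row["process"] = process
        results.append(row)
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_ALERTS, trusted_lan=True):
        side = "LAN" if r["lan"] else "WAN"
        print(f"{r['verdict']:5} {r['proto']}/{r['port']:<5} from {r['remote']:15} ({side}) "
              f"{r['process']}: {r['why']}")
```

With `trusted_lan=True` only the LAN host opening port 445 is allowed; with the default `False` every sample alert is blocked, which is the “block first, then find out” stance the reply recommends.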

Great, that was really informative sir.

thanks again :slight_smile:

No problem, if you have more please ask.

I see it often that people argue about unrequested incoming traffic like, “there is traffic, so it must have a meaning”.
That’s wrong, or if it has a meaning, most probably it’s a meaning for someone else (to get into your computer). The only traffic that has a meaning for YOU is the traffic which YOU initiate. (Running servers and P2P could need a few exceptions, but not your whole general security setting!)

You should not ask: could it be important traffic from somewhere on the internet, do I have to allow it?

You SHOULD ask: why should I allow something that I didn’t initiate? The answer is simple: you shouldn’t allow it.

When you say, “don’t tell me to block everything incoming, because something needs something”… well, why not give this something the rules it needs to have, and for all the rest, block and forget about it?
The global setting should be to protect your PC, and not to let all kinds of programs easily run without some rules as exceptions.

“Even” for Windows Update, you don’t need incoming rules. An update request goes OUT, and the requested packets will be allowed as an answer. That’s the best example of what I mean.

Exception rules for your network (or the VERY few things which really would need unrequested incoming traffic) have to stand above the global rule “block IP (meaning all protocols in this case) INcoming any any”. Rules are “read” from top to bottom. This global rule, “block IP in any any”, would block all UNREQUESTED incoming traffic. It will NOT block requested incoming traffic (which is the answer to an OUTgoing request).
You can use the Stealth Port Wizard in Comodo Firewall.

Thanks for your reply. Unfortunately I didn’t get the last paragraph. Are you trying to instruct me to make a rule, or to use the stealth mode, or what exactly? Please bear with me :-*

If I understood right, your worries are your network, and possible programs which could need unrequested incoming traffic… (your server(?) or P2P etc.).
So for these few things you could make exceptions (as strict as possible) from a general rule in Global Rules like “block IP in any any”. Then you don’t have to “worry” about any unimportant or dangerous incoming questions anymore.
Exceptions to a block have to be placed above the block in the list!

The Stealth Port Wizard (in the firewall settings main window), setting 3, would create such a rule under Global Rules (read about the difference between Global Rules and Application Rules). You can test if everything works with that setting; if not, there’s another setting to test.
Otherwise, exceptions if you need them, and setting 3 (hide me from everyone)… would be my idea.
Setting one or three should fit, I guess, to avoid useless firewall questions and to avoid problems.
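The ordering rule in the two replies above (exceptions placed above “block IP in any any”, rules read from top to bottom, answers to outgoing requests never blocked) can be made concrete with a small model. The code below is an added example in Python, not part of the thread and not how CIS is implemented: a first-match evaluator over a list of global rules, plus a minimal state table that remembers outgoing requests so their replies count as requested traffic. The rule fields, the packet format and the “no match falls through” behaviour are modelling assumptions; the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One global rule, spelled the way the thread spells it: action, direction, protocol, remote, port."""
    action: str      # "allow" or "block"
    direction: str   # "in" or "out"
    proto: str       # "ip" matches every protocol; otherwise "tcp", "udp" or "icmp"
    remote: str      # "any" or a CIDR the remote address must fall in, e.g. "192.168.1.0/24"
    port: str        # "any" or the local port the traffic is aimed at
    note: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.remote != "any" and ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.remote):
        return False
    if rule.port != "any" and int(rule.port) != pkt.local_port:
        return False
    return True


class GlobalRules:
    """Top-to-bottom, first-match evaluation with a minimal state table for requested traffic."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.requested = set()   # (remote_ip, remote_port, local_port) of connections this host opened

    def decide(self, pkt: Packet):
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            self.requested.add(key)          # remember the request so its answer counts as requested
        elif key in self.requested:
            return "allow", "requested inbound traffic: the answer to an outgoing request"
        for rule in self.rules:              # rules are read from top to bottom; first match wins
            if matches(rule, pkt):
                return rule.action, rule.note or f"{rule.action} {rule.proto} {rule.direction} {rule.remote} {rule.port}"
        # Modelling assumption: no global rule matched, so the decision falls through
        # (in CIS that is where application rules and alerts come in).
        return "no-match", "no global rule matched"


BLOCK_ALL_IN = Rule("block", "in", "ip", "any", "any", "block IP in any any")
LAN_SHARES = Rule("allow", "in", "tcp", "192.168.1.0/24", "445", "exception: LAN hosts may reach my file shares")

LAN_SMB = Packet("in", "tcp", "192.168.1.20", 50123, 445)     # constructed LAN peer opening a share
WAN_SMB = Packet("in", "tcp", "203.0.113.9", 44444, 445)      # constructed Internet host, same port


def verdict(rules, pkt: Packet) -> str:
    return GlobalRules(rules).decide(pkt)[0]


def windows_update_reply() -> str:
    """The update request goes OUT; its answer comes IN and is allowed despite 'block IP in any any'."""
    fw = GlobalRules([BLOCK_ALL_IN])
    fw.decide(Packet("out", "tcp", "198.51.100.7", 443, 51000))   # constructed update server address
    return fw.decide(Packet("in", "tcp", "198.51.100.7", 443, 51000))[0]


if __name__ == "__main__":
    print("exception above block, LAN SMB:", verdict([LAN_SHARES, BLOCK_ALL_IN], LAN_SMB))   # allow
    print("exception below block, LAN SMB:", verdict([BLOCK_ALL_IN, LAN_SHARES], LAN_SMB))   # block
    print("exception above block, WAN SMB:", verdict([LAN_SHARES, BLOCK_ALL_IN], WAN_SMB))   # block
    print("reply to an outgoing request:  ", windows_update_reply())                          # allow
```

The second line of output is the mistake the reply warns about: with the exception listed below the block, the LAN share rule is never reached because the block already matched.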

Thanks clockwork, that was really helpful…

That is the biggest problem with Comodo. It firstly asks whether to trust the new network, and upon acceptance by the user, it then still continues to barrage the user with puzzling and unfriendly alerts about svchost etc!!!

CIS is simply not suitable for self-install for most non-tech people, even in the default config, because of these pointless alerts. The whole point should be that the software has some intelligence itself, and not sap the intelligence and patience of the user.

CIS is what I call DIY security (do it yourself). That is why I have now switched several machines to Kaspersky and am considering Norton since their massive improvements over the past few years. Comodo need to do much more field testing, real-world testing with real users in real environments, and stand behind the user to see what really goes on; Geekbuddy is not the answer. CIS is great for techs, and one day it might be great for other intelligent people, and then ultimately for the rest of us!

I would teach people how simple it is to count 5+4 before I would give them a calculator from Kaspersky :wink:

For average usage they will understand that they don’t need a calculator in this case, and with experience over time they will never need it.

My first firewall was like a piece of paper… I had to do everything myself (wow, so simple?). I never thought “if I had Kaspersky”.
And I understood, like humans are able to.
These companies have an interest in letting people think it’s so difficult… because the people should feel the need to buy this suite.

“No no, you don’t need school… there are smart persons out there.” (This is what a “super suite does all for you” program tells me… and THAT’S why I don’t want it!)

@knk2006:

SVChost is a huge mystery for the uninitiated.

The biggest favor you could do yourself in that regard is to create a PIF on your desktop whereby you can assess in an instant what the status of SVChost is. Open Notepad and paste the following:

rem list every svchost.exe instance together with the services it hosts
tasklist /FI "IMAGENAME eq svchost.exe" /svc
pause

Now click ‘File’ then ‘Save’ and navigate to a place where you feel comfortable storing a custom ‘system tool’ forever, and save the file with a CMD extension (the DOT XXX). Next step: right-click on the desktop and select New > Shortcut. Point the shortcut to the *.CMD file.

You should become intimately familiar with the output of this ‘tool’. It matters not the least what any of the things it shows you do, but you should discern anything new and any process that does NOT have a name. At a glance you should be able to discern that SVCHost is cool, i.e., it has not been compromised.

Therefore whatever it is doing - despite my not understanding it - must be cool.

The FIRST step to SVChost hardening: recognize the abnormal.
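The “recognize the abnormal” step above can be automated instead of eyeballed. The script below is an added example, not from the post: it parses the output of tasklist /FI "IMAGENAME eq svchost.exe" /svc, lists the services behind each svchost.exe, flags instances that host no named service (the N/A rows the post tells you to watch for), and compares the service names against a saved baseline, which goes one step beyond the post. The sample output, its PIDs and the baseline are constructed for the example; to run it on real output, redirect the command into a file and pass that path as the first argument.

```python
import sys

# Constructed sample of what the command prints (tasklist /FI "IMAGENAME eq svchost.exe" /svc);
# the PIDs and service groupings are invented, and the last row is the case worth noticing.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    680 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
svchost.exe                    776 RpcEptMapper, RpcSs
svchost.exe                   1032 Dhcp, EventLog, lmhosts
svchost.exe                   4412 N/A
"""

# Constructed baseline: the service names recorded in an earlier, known-good snapshot
# (deliberately missing lmhosts so the comparison has something to report).
BASELINE_SERVICES = {
    "BrokerInfrastructure", "DcomLaunch", "PlugPlay", "Power", "SystemEventsBroker",
    "RpcEptMapper", "RpcSs", "Dhcp", "EventLog",
}


def parse_tasklist_svc(text: str) -> dict:
    """Map each PID to the list of services it hosts; an empty list means tasklist printed N/A."""
    hosts = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            # Wrapped services column: continuation of the previous row.
            if current is not None:
                hosts[current].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        parts = line.split(None, 2)           # image name, PID, rest of the services column
        pid = int(parts[1])
        services = parts[2].strip() if len(parts) > 2 else "N/A"
        hosts[pid] = [] if services == "N/A" else [s.strip() for s in services.split(",") if s.strip()]
        current = pid
    return hosts


def unhosted(hosts: dict) -> list:
    """PIDs of svchost instances hosting no named service: the 'process without a name' to investigate."""
    return sorted(pid for pid, services in hosts.items() if not services)


def new_services(hosts: dict, baseline: set) -> set:
    """Service names present now but absent from the baseline snapshot."""
    return {s for services in hosts.values() for s in services} - set(baseline)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real output saved with: tasklist /FI "IMAGENAME eq svchost.exe" /svc > svchost.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TASKLIST
    hosts = parse_tasklist_svc(text)
    for pid, services in sorted(hosts.items()):
        print(f"svchost.exe PID {pid:>5}: {', '.join(services) or 'NO SERVICE NAME - investigate'}")
    print("unhosted:", unhosted(hosts))
    print("not in baseline:", new_services(hosts, BASELINE_SERVICES))
```

An svchost.exe with no service name is not automatically malicious (the parser only reports what tasklist shows), but it is exactly the kind of row that should stand out against a baseline you have looked at before.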

Very good suggestion, thanks, I just did it and all is OK. Will watch occasionally. :-TU

Hmmm, I agree to a certain point, but most people are not experts and they need some other experts to include their expertise inside the product. Yes, we should learn and add our own expertise, but svchost and system are fundamental processes of the OS and not an “unusual” event outside normal parameters; therefore in my view there should not be an alert like this, especially upon installation of CIS for new users. At least if there is some level of uncertainty in CIS, it could monitor and “train” these processes and compare to a baseline; for example Privatefirewall can do this, as can others.

It is not about being clever or dumb, it is about making the right decisions so that the PC is not compromised. Therefore if a typical user makes the wrong decision on an alert then he has already compromised his system. If Comodo can minimise alerts, that would be better.

In fact, several times I have suggested that there are almost 2 CIS products. The first would be almost a “black box” with little intervention, and the second product would be the professional version for experienced and enthusiastic people like you :wink:

Gosh, you system and svchost.exe ;D But as you gentlemen said, Comodo should handle them, not the user :slight_smile: