This afternoon I got back home to find my internet had gone again. However, this time there was a notice for svchost.exe trying to gain access to the internet. As I was not at the PC it must have gone down. Can someone tell me, should svchost.exe have access to the internet, and if so is there any specific bound for it? It’s showing that it’s been trying UDP and UDP/TCP.
If you set it for TCP/UDP In/Out you’re certainly covered. You could also wait for a popup and create the rule that way, by selecting “Remember”. A popup is pretty much guaranteed if you move Alert Frequency (security/advanced/miscellaneous) to High; click OK and reboot.
After login, you’ll surely get some alerts for svchost.exe to connect on ports 53, 67, 68, which you can “remember” and allow.
Also by way of example, attached is a screenshot of my rules for svchost.exe. I only allow it to connect to renew DNS and DHCP, in order to get & keep the internet connection; thus these rules are sufficient for my purposes.
For your application rule, you’ve got to allow svchost.exe to have an inbound connection, so you’ll need to change that “block” rule to “allow.” Here’s what happens (short version), and why you lost the connection, as it relates to DHCP…
Your computer sends a request to the DHCP server (via svchost.exe), using port 67. The DHCP server responds with the lease renewal (via svchost.exe), using port 68. Since you have the inbound blocked, the DHCP server response is lost. Thus, the DHCP lease does not get renewed, and the connection is dropped.
I know you’re probably concerned about security in this way, but that’s not an issue. With CFP, an application rule giving Inbound access doesn’t mean that the application can somehow generate or accept an unsolicited inbound attempt; it just means that when an authorized Inbound connection occurs for the application, it can accept it.
In order for it to be an authorized Inbound connection, it has to be allowed by the Network Monitor, and the Network Monitor does not accept unsolicited Inbound connections (this is the purpose of the bottom Block All IP In/Out rule) - provided of course that the user doesn’t add a rule to Allow Inbound traffic across the board. When svchost.exe sends out the request for the DHCP lease, the NetMon allows the Outbound traffic. The DHCP server’s response to that, even tho on a different port, is an Inbound response to an Outbound request. This is the same way you are able to browse the internet, access websites, and download stuff.
So all that said, change that block In rule for svchost.exe to allow, and reboot. You should be good to go.
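The two-layer check described in the post above, as an added example that is not part of the original thread and is not Comodo's code: a simplified model in which the Network Monitor admits inbound traffic only as a reply to an earlier outbound request, and the application rule for svchost.exe then decides whether the reply is delivered. The class names, the state key and the sample ports for the unsolicited packet are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" or "in", seen from the local machine
    proto: str          # "udp" or "tcp"
    local_port: int
    remote_port: int
    app: str = "svchost.exe"

@dataclass
class Firewall:
    app_rules: dict                              # app -> {"in": ..., "out": ...}
    pending: set = field(default_factory=set)    # flows opened by outbound traffic

    def handle(self, p: Packet) -> str:
        rule = self.app_rules.get(p.app, {}).get(p.direction, "block")
        key = (p.proto, p.local_port, p.remote_port)
        if p.direction == "out":
            if rule != "allow":
                return "dropped by application rule"
            self.pending.add(key)                # remember the request
            return "accepted"
        # Inbound: the Network Monitor only passes replies to known requests;
        # anything else falls through to the final "Block All IP In/Out" rule.
        if key not in self.pending:
            return "dropped by Network Monitor"
        # Solicited reply: now the application rule decides.
        return "accepted" if rule == "allow" else "dropped by application rule"

def dhcp_renewal(inbound_rule: str):
    """Lease renewal: request to server port 67, reply to client port 68."""
    fw = Firewall({"svchost.exe": {"out": "allow", "in": inbound_rule}})
    request = Packet("out", "udp", local_port=68, remote_port=67)
    reply = Packet("in", "udp", local_port=68, remote_port=67)
    return fw.handle(request), fw.handle(reply)

def unsolicited_inbound() -> str:
    """Constructed packet with no matching outbound request."""
    fw = Firewall({"svchost.exe": {"out": "allow", "in": "allow"}})
    return fw.handle(Packet("in", "tcp", local_port=5000, remote_port=40000))

if __name__ == "__main__":
    print("inbound blocked :", dhcp_renewal("block"))
    print("inbound allowed :", dhcp_renewal("allow"))
    print("unsolicited     :", unsolicited_inbound())
```

With the inbound application rule set to block, the lease reply is lost even though the request went out; with it set to allow, an unsolicited inbound packet is still dropped at the Network Monitor layer.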
Pardon my barging in here, but I have a question with svchost and App & Net Mon rules. Since I have the certified apps option enabled and no Net Mon rule to allow any incoming TCP or UDP rule allowed (except for uTorrent), how is it that my net access is not blocked?
On a note about svchost, there are a few things it is used for on a regular basis:
Contact your DNS Server(s) (destination port 53), contact your DHCP Server (destination port 67), receive reply from the DHCP Server (destination port 68), and Windows Automatic Updates (sorry, I don’t know the ports there off the top of my head, as I don’t do auto updates any more; I do it manually from the browser/update website).
It uses UDP for the first three items; I’m not sure on the Updates what protocol it uses.
svchost.exe is also used by the majority of Windows Services that might want to contact the internet. This is part of the reason that I have it limited in the Application Monitor; thus, it is only allowed to establish a connection the way those three rules say.
You can tighten your existing svchost.exe rules, if you want, in this way. However, you need to make sure first that you have it working, and understand how to tighten them up.
As I understand it, the localhost loopbacks are used as a means for applications to communicate (that’s the simplified version; I couldn’t easily understand the technical version, which I think must have been written in some space alien language).
Without the loopbacks skipped, I have seen svchost.exe connections showing up in the Connections tab for the loopback, but this was a while back…
Right, I’ve put svchost to allow for both in/out as in the screenshot a couple of posts up, but with allow on both. I reset Comodo (hope that’s OK, don’t really want to reboot the PC). It’s due to renew at 14.00 UK time so we shall see if it’s OK…
What I don’t understand is that it was all working fine the other week (as stated in a previous post) and now it’s gone again… I think it all seems to add up that I’ve been blocking svchost because the Comodo popup says it could be an attempt to hijack your PC or could be a trojan. And if they’re denied the IP won’t renew… so maybe this should work.
Well, this should get your connectivity back. However, the alert you’re describing is part of Application Behavior Analysis and is a different issue… Well, it’s the cause of the block, as you know, but the question that way is, what exactly was the alert that caused you to block svchost.exe?
If you don’t remember, do you still have the entry in the Activity Logs, or the Logfile? It will be an Application Behavior Analysis entry (as opposed to a Network Monitor, Application Monitor, etc). If so, can you copy/paste that specific alert to your post?
Oh, I see. An OLE Automation message, sounds like. In that scenario, WMP was either open, or had been open at some point in the “recent” past (some users report an hour or more, although I usually only experience it within 30 minutes of closing an internet application). Then svchost.exe goes to access the internet for some reason (probably legit). Because of the way internal communications happen, this shows up as svchost using wmp to access the internet. When that happens, you can either Allow (which will be for that session/instance only), or Deny (which will be for that session/instance only). If you tick the “Remember” box, that will create a rule in the Application Monitor.
There’s been a lot of confusion about this from users (myself included), as we non-programmers really don’t understand how that works, and we’re not used to this from a firewall. The poor development team has really caught grief over this, uh, “feature.” ;D Here’s egemen’s most recent response as to why it’s important: https://forums.comodo.com/index.php/topic,4728.msg35532.html#msg35532
willas00, what are/were your current application rules on svchost.exe, allow everything in and out? If so, then it must be something causing this disconnect. You can post your log for the past day or week (edited of course) for us.