Intrusion attempts - I have one repeated one. Is it safe?

I have a repeated notification of an intrusion attempt. I’m pretty sure it’s safe but could someone either confirm or give me an idea of what to look for (to see if it’s safe or not)? Thanks!

Details are:

Application: Windows operating system
Action: X Blocked
Protocol: UDP
Source IP: 0.0.0.0
Source port: 68
Destination IP: 255.255.255.255
Destination port: 67

This identical entry seems to appear every 2 to 6 minutes. I don’t think it’s associated with anything I’m doing. Is this something that I need to be concerned about?

Happy to answer more questions if someone needs more info.

Thanks all, guys!!

Mark

Please read here
https://forums.comodo.com/firewall-help/000068-25525525525567-t51525.0.html

Dennis

Hi Dennis, this does exactly look like my issue. Just to be absolutely clear, this process is basically looking for other clients on my network, and it’s absolutely OK for me to trust it? Apologies if this is a really stupid question, just that I don’t understand networks.

Oh and… which of the many svchost.exe processes do I trust?

Thanks!

Here is a screenshot of svchost.exe rules in my VM.

Dennis

[attachment deleted by admin]

That was really useful - I was looking in the wrong place to edit this setting. Thanks - now edited and hopefully it will be fine and won’t pester me with these logged events.

Thanks!!

Mark

Hi there,

In Network Security Policy (“Application Rules” tab) I have added a rule for svchost.exe that allows both in/out UDP traffic from 0.0.0.0 port 68 to 255.255.255.255 port 67 but unfortunately it’s still coming up in the Firewall Events log as blocked :(

Don’t know what else I need to do - any ideas?

Thanks! Would be great to nail this one…

Could you please post a screenshot of the blocked events?

Thanks

Dennis

Hi Dennis,

Here’s a set of them

Just wondering what exactly I might have to modify…so any advice really appreciated!

Mark

[attachment deleted by admin]

Can you set it to just out only, not in/out?

Dennis

Hi Dennis, done this but still getting the same blocked message.

Do I have to do something in the global rules? In that list they are all “Allow” apart from one which says

Block and log IP in from IP any to IP any where protocol is UDP

…but above it in the same list I have

Allow IP out from IP any to IP any where protocol is any

…which seems a bit of a contradiction.

Please try to create a global rule as the application rule you have created is doing nothing.

Screenshot of blocked DHCP if application rule was working.

Screenshot of global rule below; you can try in/out as well.

If this does not work please check applications for blocked rules.

Dennis

[attachment deleted by admin]

Dennis, thanks for this. Have just got back home and created global rule which now displays as in your screenshot.

Will let CIS run and see what happens & will report back

Thanks again

Mark

Hi all,

Had a go at applying the global rule (screenshot of global rules as follows)

But firewall still detecting intrusions (2nd gif)

[attachment deleted by admin]

Another way of dealing with these alerts is to make the IP addresses 0.0.0.0 and 255.255.255.255 part of your trusted (local) network zone.

Hi Eric,

Thanks for this - tried this but am still getting the same message! :(

Did you add the two IP addresses to “The Orchards”?

Please tell us your network environment.

1. Do you use a Hub(switching)?

2. Do you use a router?

3. What is your OS?

4. How’s your CIS mode and setting?

Hi all,

Thanks for the suggestions - in the end I solved it - I uninstalled CIS and then reinstalled it and it’s now happy!

Thanks again everyone though and one day I’ll learn about ports and networks…maybe!
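
An added example, not part of the original thread and not Comodo code: the logged entry (UDP from 0.0.0.0 port 68 to 255.255.255.255 port 67) has the addressing of the DHCP client broadcast that Dennis refers to as "blocked DHCP". The sketch below checks that pattern and, going beyond the thread, checks that a captured UDP payload really is a well-formed DHCP client request. The event dict keys, function names and the sample packet are assumptions constructed for illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes DHCP options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}  # client-sent

def is_dhcp_client_broadcast(event):
    """True if a log entry has the addressing of a DHCP client broadcast.
    `event` is a hypothetical dict; its keys are assumptions, not a CIS log format."""
    return (event["protocol"].upper() == "UDP"
            and (event["src_ip"], event["src_port"]) == ("0.0.0.0", 68)
            and (event["dst_ip"], event["dst_port"]) == ("255.255.255.255", 67))

def dhcp_client_message(payload):
    """Return the DHCP message type of a UDP payload, or None if it is not a
    well-formed client request (wrong op code, missing cookie, truncated option)."""
    if len(payload) < 240 or payload[0] != 1:   # op 1 = BOOTREQUEST (client to server)
        return None
    if payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # End option
            break
        if code == 0:                            # Pad option, single byte
            i += 1
            continue
        if i + 1 >= len(payload):                # option header cut off
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:                 # option body cut off
            return None
        if code == 53 and length == 1:           # option 53 = DHCP message type
            return MSG_TYPES.get(value[0])
        i += 2 + length
    return None

def sample_discover():
    """Constructed DHCPDISCOVER payload (made-up xid and MAC), for offline use."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    fixed += b"\x00" * 16                                   # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes.fromhex("020000000001") + b"\x00" * 10   # chaddr, padded to 16 bytes
    fixed += b"\x00" * 192                                  # sname (64) + file (128)
    return fixed + DHCP_MAGIC + b"\x35\x01\x01\xff"         # option 53 = DISCOVER, End

if __name__ == "__main__":
    logged = {"protocol": "UDP", "src_ip": "0.0.0.0", "src_port": 68,
              "dst_ip": "255.255.255.255", "dst_port": 67}  # values from the first post
    print(is_dhcp_client_broadcast(logged), dhcp_client_message(sample_discover()))
```

The payload check needs a packet capture of the traffic; the firewall log entry alone only supports the address and port comparison.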