Meaning of Alert

I’m a recent convert and have had CPF running for a week or so. Today, after connecting to the internet I immediately get a red alert saying - Generic Host trying to act as a Server, with Services as Parent and svchost as the Path trying for explorer.exe to use svchost through OLE… The remote IP address is that of my PC and dhcp(68)-UDP is indicated.
I have also noticed that my provider seems, alternatively when connecting, to link me to a completely different IP address and when this happens the remote changes to the second IP number and - ntp(123)-UDP. Haven’t spotted this before but, they have recently upgraded me to 8mb from 1mb. I can’t think of any changes that I have made that might be the cause of this new alert.
It would be appreciated if anyone can explain what is happening and what action is appropriate.

I have just worked out how to copy the alert info: here goes

Date/Time :2007-08-17 01:23:31
Severity :High
Reporter :Application Monitor
Description: Application Access Denied ( :dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In

Date/Time :2007-08-17 00:10:07
Severity :High
Reporter :Application Monitor
Description: Application Access Denied ( :ntp(123))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In

Can anyone help with the meaning of these?
Is it usual to be given totally different IP addresses when connecting? Is it simply the provider connecting me through a different site?

Did your pc install this weeks microsoft updates?

I got the same warnings when I rebooted my pc after these updates.


Thanks for considering this. Yes, it did. And I, also, wondered if it had set something off: they have previously ‘unset’ settings.

This is where I struggle a bit with Comodo. I am mightily impressed with the ethos around here and the product. However, although I know, I think, that dhcp has to do with IP no. allocation and ntp with time synch. - I just cannot put it all together and work out what it is that is going on. I suspect it is normal but the FW has big red crosses and warnings.

Can I raise two further points. When I click ‘deny’ on the alert, this shows in the log entry: if I leave the alert up, say to copy the IP entry to check Whois, and it disappears after timeout, ‘deny’ is not shown in the log entry. How does CFW handle this?

At the same time as I am getting these alerts, but not immediately on connection, I am seeing similar alerts but with the identity of the connection being ‘Level 3 Communications’. They seem to be a perfectly respectable US comms company, from Googling, but I am unaware of any software on my machine, I’m in the UK, that is from this source. Any ideas? Anything to do with Microsoft updates?

Have a Nice Day.

I suspect this is all to do with microsoft updates and the warnings are normal.

Have you defined a trusted network for your router? If you do this I think the warnings will vanish.

What antivirus are you using? I would recommend BOClean as a good addition, it appears to be compatible with most things.

Level 3 are quite well connected with Microsoft:


Ah, hah - that link probably explains it. We don’t use Messenger but my son has a Hotmail account. But, what are they doing??
Have you ‘allowed and remembered’ these alerts?

Are you watching me? I’m sitting here looking at an SMC router that was delivered yesterday - having been sold on the many suggestions that an external firewall greatly adds to security rather than any pressing networking needs. I know where to come now when I get stuck on the install :-))

Perhaps you can help me on another similar issue. My provider has never instructed how to set up the FW for their purposes. Comodo does recognise the connection and that’s not a problem, as a moderator you will be able to see the different IP addresses that get allocated to me on this thread that I mentioned above, but I have not got my head around whether, or what, I should do for the twox2 DNS Server Nos I see on ipconfig /all. Should a rule be set somewhere? How is that done?

I have NOD32 (trial): CounterSpy: TrojanHunter and am a convert from ZASS. I have been thinking of BOC and wondering if it does the same thing as TrojanHunter or if it will complement it. What do you think?

Your help is much appreciated.

Same problem since yesterday, and I downloaded the Wednesdays MS updates.
Sometimes when I boot up and connect via my USB modem I keep getting the SVC host is trying to act as a server. Up to 12 accepts to get connected.
Is this a known fault and will it go away?
Or will there be an update of CFP to cure it?

If you tick for CFP to remember and then click allow then the pop ups should go away.


Sounds like you may need to define a trusted network for your router. The following posts should help.;msg57637#msg57637;msg39466#msg39466

If you are happy with Trojan Hunter then I don’t think you really need BOClean, though I think they would not clash - perhaps someone else knows different?


I’ll check out the links over the weekend when I try to get the router installed. Initially I will use it wired to my Home PC as a replacement for the basic modem provided by the ISP. It will get extended use when the kids come visiting with their laptops.

Thanks for taking the time.

I’ve been getting the very same alerts.It crossed my mind that it might be down to the microsoft updates.After downloading updates, I had to grant internet access to all my programs that had already been allowed,as if I was using Comodo for the first time.Foolishly I also thought it might be Comodo playing up, so I uninstalled,and reinstalled.Anyway,the fact that other people are reporting this problem obviously points to the security updates being involved.One other thing, after re-installing,to get firefox and thunderbird to work I had to allow them to act as server,is that normal.Thanks for any advice.