I received a firewall alert that “C:\windows\SysWOW64\svchost.exe” was trying to connect to the internet. I did nothing about the alert at that moment until the alert disappeared later. Then I checked the Unrecognized Files at Manage File Rating, and found there are no unrecognized files by CIS at all on my computer. If every file (including “C:\windows\SysWOW64\svchost.exe”) on my computer was known to be safe by CIS, why did Comodo CIS still generate a firewall alert?
Are you sure it was svchost.exe trying to connect to the Internet and not the other way around? CIS will, depending on setup, alert when there are inbound connections (connections that your computer hasn’t requested or initiated).
What are your CIS settings? What configuration are you running? Are BB and HIPS enabled?
What do the D+ and Firewall logs report around the time the firewall alert happened? Can you post screenshots of them?
Well, I set my CIS to Proactive Defence mode, but I turned off the HIPS, and set the Behavior Blocker to sandbox unknown files as Untrusted. And at the Stealth Ports setting, I set it to block all incoming connections.
Here are the photos:
[attachment deleted by admin]
I hoped the screenshots would give a clue to what process was using svchost.exe. But unfortunately not.
Can you check the signature of svchost.exe in the SysWOW64 folder and make sure it is valid and from Microsoft?
To know for sure that a system file is the original file you can use Sigcheck to see if it is digitally signed by Microsoft.
Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.
When this is done navigate to the SysWOW64 folder, look up and select the file you want to check, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.
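The same check can be done from an administrative PowerShell prompt without the context-menu entry. The script below is an added example, not from this thread and not Comodo's or Sysinternals' code: it verifies the Authenticode signature of the 32-bit svchost.exe, runs Sigcheck on it (assuming the archive was unpacked to the C:\Program Files\SysinternalsSuite\ path given above), and then lists every running svchost.exe loaded from SysWOW64 together with the services it hosts and its parent process, which is the information the screenshots could not show. The variable and property names are the script's own; the cmdlets and the `-i` switch of sigcheck.exe are real.

```powershell
# Added example: check the 32-bit svchost.exe and see what is running inside it.
# Assumes Windows PowerShell running elevated and sigcheck.exe at the path named in the thread.
$svchost  = Join-Path $env:SystemRoot 'SysWOW64\svchost.exe'
$sigcheck = 'C:\Program Files\SysinternalsSuite\sigcheck.exe'   # path from the reply above

# 1. Built-in Authenticode check. Status should be 'Valid' and the signer Microsoft.
#    Caveat: on older Windows versions system files are catalog-signed only and this
#    cmdlet may report 'NotSigned' for them; Sigcheck (step 2) understands catalogs.
$sig = Get-AuthenticodeSignature -FilePath $svchost
[pscustomobject]@{
    Path   = $svchost
    Status = $sig.Status
    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
} | Format-List

if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Write-Warning "$svchost does not carry a valid Microsoft signature according to Get-AuthenticodeSignature."
}

# 2. Sigcheck with -i shows the signing chain and the catalog file the signature lives in.
if (Test-Path $sigcheck) {
    & $sigcheck -i $svchost
} else {
    Write-Warning "sigcheck.exe not found at $sigcheck"
}

# 3. Which services does each 32-bit svchost instance host, and who started it?
#    svchost.exe itself is only a host; the service inside it (or the process that
#    launched it) is what actually wanted the network connection.
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }

Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like '*\SysWOW64\*' } |
    ForEach-Object {
        $procId = $_.Id
        $hosted = $services | Where-Object { $_.ProcessId -eq $procId } | ForEach-Object { $_.Name }
        $proc   = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        $parent = Get-Process -Id $proc.ParentProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID         = $procId
            Services    = ($hosted -join ', ')
            CommandLine = $proc.CommandLine
            ParentPID   = $proc.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
        }
    } | Format-Table -AutoSize
```

A normal 32-bit svchost instance is started by services.exe and its CommandLine names a service group (`-k ...`); an instance with no hosted services, or with a parent that is not services.exe, is the one worth looking at in the CIS Firewall and D+ logs.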
Do you imply that the file svchost.exe may not be valid and not from Microsoft? Well, if the file svchost.exe were really not valid and not from Microsoft, it should be an unrecognized file to CIS. But why couldn’t I find this file in the unrecognized files list of CIS after I had got the firewall alarm?
Excellent point. When it is not on the unrecognised files list then the file was not tampered with. Then it was called by an untrusted application.
“Excellent point. When it is not on the unrecognised files list then the file was not tampered with. Then it was called by an untrusted application.”

Well, when it is not on the unrecognized files list, it should only be a recognized file by CIS. If so there are only 2 possibilities. One possibility is that CIS recognized the file as a virus. In this condition, CIS would detect the virus and show me an alert. But this has not really happened. The only other possibility is that CIS recognized the file as clean; if so why did CIS still generate firewall alerts for it? That’s what I really cannot understand. By the way, according to my setting of the Behavior Blocker of CIS, it would auto-sandbox only unknown applications (not known applications) as Untrusted.