Not Sure About Alerts

Hello friends at Comodo,

I just got a new PC with Win XP SP2 and I want to make sure everything is right. The first thing I do after Windows boots is enable my NIC, then the Comodo alerts come up. If anyone can identify the alerts below and let me know if they are necessary or if I should be concerned about any of them I would appreciate it.

Info:
CFP version: 2.4.18.184
Internet connection: cable
Log in: Admin
Other apps: Avast AV
Disabled security apps before install: Windows Firewall
Custom rules: none

Date/Time :2007-08-17 09:32:06
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (svchost.exe:xxx.xxx.0.11: :dhcp(68))
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: xxx.xxx.0.11::dhcp(68)

Date/Time :2007-08-17 09:02:12
Severity :Medium
Reporter :Network Monitor
Description: Outbound Policy Violation (Access Denied, Protocol = IGMP)
Protocol:IGMP Outgoing
Source: xxx.xxx.0.11
Destination: 224.0.0.22
Reason: Network Control Rule ID = 5

Date/Time :2007-08-17 09:02:09
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: xxx.xxx.0.11::1036
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-17 09:02:09
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP In
Destination: xxx.xxx.0.11::ntp(123)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-17 09:02:03
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 239.255.255.250::upnp-mcast(1900)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Date/Time :2007-08-17 09:02:03
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: C:\WINDOWS\system32\services.exe
Protocol: UDP Out
Destination: 255.255.255.255::bootp(67)
Details: C:\WINDOWS\explorer.exe has tried to use C:\WINDOWS\system32\svchost.exe through OLE Automation, which can be used to hijack other applications.

Greetings CarvinAbuser,

You should allow these alerts, as svchost.exe is needed for obtaining/updating the IP address.
It is also required for Windows Update to work.
Hope this answers your question :slight_smile:

If you have any more questions, just ask me :wink:

Ragwing

Is there a chance that svchost.exe could be using services.exe for anything dodgy, or are they always important system updates? Is there a way to tell (i.e. port numbers etc.)?

From what I know, 53, 67, 80 and 443 are the only ports that svchost.exe needs to access.
53 for DNS, 67 for DHCP, 80 and 443 for Windows Update (I think), as 80 is HTTP and 443 is HTTPS (SSL).
Services uses the same ports, as it’s the parent application, and from what I know, neither svchost.exe nor services.exe will need access to other ports, except possibly the Windows time server, but I disabled it, so I don’t know what ports it uses.
So if you see any other port number, you should check on Google or something what it’s used for.
And there’s always a chance that malware is trying to access the Internet through services.exe.

Ragwing

EDIT: My bad, 68 is DHCP, 67 is bootp, so 68 is also needed for Internet access.
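
The port check suggested in the reply above, as an added example that is not part of the thread or of Comodo's software: it parses alerts in the format pasted in the first post and marks each destination port as one the reply names (53, 67, 68, 80, 443) or one to look up. The function names, verdict strings and sample entries are constructed for illustration.

```python
import re

# Ports the reply above names for svchost.exe: DNS, bootp/DHCP, HTTP, HTTPS.
NAMED_PORTS = {53, 67, 68, 80, 443}
# Matches "...::dhcp(68)" and "...::1036" at the end of a Destination value.
PORT_RE = re.compile(r"::\s*(?:[\w-]+\((\d+)\)|(\d+))\s*$")

def parse_entries(text):
    """Split a pasted log into blank-line separated entries of key/value fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # only the first colon splits
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            entries.append(fields)
    return entries

def destination_port(entry):
    """Destination port as int, or None when there is none (e.g. IGMP)."""
    m = PORT_RE.search(entry.get("Destination", ""))
    return int(m.group(1) or m.group(2)) if m else None

def triage(text):
    """Return one (protocol, port, verdict) tuple per log entry."""
    rows = []
    for entry in parse_entries(text):
        port = destination_port(entry)
        verdict = ("no port" if port is None
                   else "named in reply" if port in NAMED_PORTS else "look up")
        rows.append((entry.get("Protocol"), port, verdict))
    return rows

# Constructed sample in the alert format above (192.0.2.x is a documentation range).
SAMPLE = """\
Protocol: UDP In
Destination: 192.0.2.11::dhcp(68)

Protocol:IGMP Outgoing
Destination: 224.0.0.22

Protocol: UDP In
Destination: 192.0.2.11::1036
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A "look up" verdict only means the port is not among those the reply lists; it says nothing by itself about whether the traffic is malicious.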