Problem with remembering Decisions - Svchost

When I try to connect to the internet I get the following error:

Severity: High
Reporter: Application Behavior Analysis
Description: Suspicious Behaviour (svchost.exe)
Application: C:\WINDOWS\system32\svchost.exe
Parent: [System Process]
Protocol: UDP Out
Destination: 255.255.255.255::nbdgram(138)
Details: The parent [System Process] refuses communication with COMODO Firewall Pro.

I have to click allow 3 or 4 times but there is not any box to remember this setting. svchost.exe is not blocked so is there any way around this? I can connect to the internet eventually after a few clicks.

Welcome to the forums phil1702

I have to say that message is a little strange!

First of all, you need to allow svchost.exe to do its ‘thing(s)’ which are many and varied on XP. One of its tasks is acquiring a DHCP lease (IP address) from your ISP.

In your message that can be seen from the UDP Out 255.255.255.255.

So far so good. What I can’t understand is why it’s using NetBios (nbdgram)? Are you on a private network, do you have a server or are you behind a router?

Toggie

I am using a normal broadband modem USB connection (no router) and I have been using Comodo for months without problem before, although I did reinstall Windows XP Professional yesterday. The connection was fine to start with but the problem seemed to occur a few hours in. I have also got a lot of policy violations in the log file. Don't know if this is connected or not.

Can nobody help me with this? I am very annoyed that I have to click 5 or 6 times to connect to the internet (no “remember settings” button). I have uninstalled and reinstalled the firewall but get the same error. Is there any way to switch off these alerts in the advanced settings? Failing that, could somebody recommend a firewall that actually works?

Hi phil, when you (re)installed CFP, did you ensure the other software (particularly security) was disabled to avoid unforeseen conflicts?

Have you filed a support ticket to find out if it’s a possible bug with not providing you with a Remember option on the alerts? http://support.comodo.com → Link them to this thread for reference.

I had NOD32 AV running at the time. This is the only alert which does not give me a remember option - all the rest are ok. I have logged a ticket for the svchost problem but no response as yet.

My personal experience as well as other reports in this forum have had no problems with nod, so that’s most unlikely it. I’m just wondering what exactly is [system process] and why is it surrounded by square brackets.

Don't know, although I have now changed the Application Monitor to ignore the parent. Maybe that will help. I have had NOD and Comodo running successfully up till now.

That’s one temporary workaround by disabling the parent check on svchost.exe.

If [system process] is in CFP’s certified database then I recommend leaving the default ‘Do not show any alerts certified…’ option enabled to not be pestered by the alerts.

These network rules could be put on top of the others.
Modify your network range accordingly…

BLOCK and LOG TCP or UDP IN FROM IP NOT IN RANGE 192.168.0.0 - 192.168.255.255 TO IP RANGE 192.168.0.0 - 192.168.255.255 WHERE SOURCE PORT IS [ANY] AND DESTINATION PORT IS IN [135,137,138,139,445]

BLOCK and LOG TCP or UDP OUT FROM IP RANGE 192.168.0.0 - 192.168.255.255 TO IP NOT IN RANGE 192.168.0.0 - 192.168.255.255 WHERE SOURCE PORT IS IN [135,137,138,139,445] AND DESTINATION PORT IS [ANY]

Next step: Is file & print sharing disabled in your general modem connection options?
Is netbios over tcp disabled in the advanced section of the tcpip options of your modem?

SPOT: If this post was useful support Comodo Beyond Firewall

Comodo Beyond Firewall

I forgot my basic specialty: searching!

https://forums.comodo.com/index.php/topic,296.0.html
https://forums.comodo.com/index.php/topic,2380.0.html
https://forums.comodo.com/index.php/topic,6217.0.html

(Gibran, are you going to make that your sig?)

So it may be a virus or a trojan…
Reinstalling Windows XP without service packs and downloading them from the internet is a risky operation.
phil1702, did you apply the service packs before connecting to the internet?

[System Process] should be a valid parent but is an unusual parent for svchost

[System Process] is parent of smss.exe
smss.exe is parent of csrss.exe and winlogon.exe
winlogon.exe is parent of services.exe and lsass.exe
services.exe is parent of svchost.exe and few others…

phil1702, it would be useful to know if every svchost.exe instance has [System Process] as parent in your case.

It is a tempting option ;D
But couldn’t it be an unethical subliminal message? :o

Service packs were installed before connecting to the internet (autopatcher.com). svchost has services.exe as parent (2 cases). I did search but searched for svchost and could not find a solution.

If services.exe is the parent of svchost.exe then it’s the infamous WGA.

https://forums.comodo.com/index.php/topic,7005.0.html
https://forums.comodo.com/index.php/topic,7579.0.html

Ok,

this is your troubleshooting checklist. Don’t miss a thing and post the results.

  1. Follow this article to disable netbios over tcpip, but select your modem connection instead of the LAN connection.
  2. Is file & print sharing disabled in your general modem connection options, in the same list containing tcp/ip?
  3. In Comodo ADVANCED Tab\Miscellaneous configure button\firewall alerts subsection - Is “Do not show any alerts for application certified by comodo” enabled?
  4. Download Process Explorer, launch it and reproduce the problem a few times, looking for svchost.exe.

In Process Explorer, if you hover your mouse over any svchost.exe, you’ll see a tooltip of all the services that are operating under that particular configuration of svchost.exe. If you right-click on that process, and choose Properties, you’ll get more details.

In this case we/you need the tcp/ip tab to look for the “remote address” column containing 255.255.255.255. You can select that line and click the stack button to copy the list of DLLs suspected of that connection. Once you have found which svchost.exe has this connection, hover over it and look at the list of services.
You may need to try this until you nail down which list of services it is.

I have decided to reinstall Windows and start from scratch. I have re-installed XP Pro, then windows updates then CFP and will see if any other problems occur.
By the way NetBios was not disabled, File & Printer sharing was on, “Do not show any alerts for application certified by comodo” WAS enabled and no processes showed up in process explorer with that address.

So the checklist was not useful at all.
But please make sure to apply checklist 1 & 2 this time also, this way you’ll disable file and printing sharing over internet.

These network rules could be put on top of the others.
Modify your network range accordingly…

BLOCK and LOG TCP or UDP IN FROM IP NOT IN RANGE 192.168.0.0 - 192.168.255.255 TO IP RANGE 192.168.0.0 - 192.168.255.255 WHERE SOURCE PORT IS [ANY] AND DESTINATION PORT IS IN [135,137,138,139,445]

BLOCK and LOG TCP or UDP OUT FROM IP RANGE 192.168.0.0 - 192.168.255.255 TO IP NOT IN RANGE 192.168.0.0 - 192.168.255.255 WHERE SOURCE PORT IS IN [135,137,138,139,445] AND DESTINATION PORT IS [ANY]
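
How the two rules quoted above treat individual packets, including the UDP broadcast from the original alert, as an added example that is not part of the thread or of Comodo's software. The sample packets and addresses are constructed, and source port 138 for the broadcast is an assumption (NetBIOS datagrams normally use port 138 on both ends); the alert itself shows only the destination.

```python
import ipaddress

# Range from the thread's rules (192.168.0.0 - 192.168.255.255); adjust as the post says.
LAN = ipaddress.ip_network("192.168.0.0/16")
# Ports listed in both rules (RPC, NetBIOS, SMB).
WIN_PORTS = {135, 137, 138, 139, 445}


def in_lan(ip, lan=LAN):
    return ipaddress.ip_address(ip) in lan


def evaluate(direction, proto, src_ip, src_port, dst_ip, dst_port, lan=LAN):
    """Return 'BLOCK+LOG' if either quoted rule matches, else 'NEXT RULE'."""
    if proto not in ("TCP", "UDP"):
        return "NEXT RULE"
    # Rule 1: IN, source outside the range, destination inside, listed destination port.
    if (direction == "IN" and not in_lan(src_ip, lan) and in_lan(dst_ip, lan)
            and dst_port in WIN_PORTS):
        return "BLOCK+LOG"
    # Rule 2: OUT, source inside the range, destination outside, listed SOURCE port.
    if (direction == "OUT" and in_lan(src_ip, lan) and not in_lan(dst_ip, lan)
            and src_port in WIN_PORTS):
        return "BLOCK+LOG"
    return "NEXT RULE"


# Constructed sample packets (documentation addresses; not taken from the thread's logs).
SAMPLES = {
    "broadcast from the alert, source port 138 assumed":
        ("OUT", "UDP", "192.168.1.10", 138, "255.255.255.255", 138),
    "inbound SMB from the internet":
        ("IN", "TCP", "203.0.113.7", 1040, "192.168.1.10", 445),
    "outbound SMB from an ephemeral source port":
        ("OUT", "TCP", "192.168.1.10", 1040, "198.51.100.9", 445),
    "inbound SMB to a host with a public address":
        ("IN", "TCP", "203.0.113.7", 1040, "198.51.100.23", 445),
}


def verdicts():
    return {name: evaluate(*pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:10} {name}")
```

The last two samples fall through to later rules: the outbound rule keys on the source port, so a connection to port 445 from an ephemeral port is not matched, and a machine whose own address lies outside the configured range matches neither rule until the range is changed.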

Hi there,

I just moved from Outpost to CPF, and I’m experiencing a little teething problem. When I connect to the internet via my modem, CPF asks me if I want to grant svchost access to the internet (duh), but does not offer me an option to remember the answer. I’m wondering if this is normal or is there something I haven’t done. It’s not a problem, just an annoyance really.

Here’s a picy.
http://i7.tinypic.com/68lg8jt.jpg

Hi, Irish_Sean. Welcome to the forum.

I’m going to merge your topic to another one on the same issue in a moment.

Edit: done.

Thanks Soya,

Seems like this is an on-going concern. I’ll keep an eye on this topic for developments.