SECURITY RISK: displaying "svchost.exe" in Alerts obscures service[Issue Report]

  1. svchost.exe attempts to connect to a remote IP.

  2. The Firewall Alert dialog box displays just ‘svchost.exe’ and indicates that svchost.exe is a trusted application.

  3. However, svchost.exe manages a number of services, one of which is rogue. The user is not aware of this, and allows svchost.exe to connect. This created a false sense of security, the user in effect allowed the rogue service to connect, and now their data is leaked.

  4. A fix would display which service or DLL hosted by svchost.exe initiated the connection. This options seems to have existed in Comodo back in 2006 - see Blocking per module in svchost.exe - Comodo only? | Wilders Security Forums

  5. Screenshots illustrating the bug - attached

  6. Screenshots of related CIS event logs and the Defense+ Active Processes List: not necessary

  7. A CIS config report or file - attached, but not necessary

  8. Crash or freeze dump file: N/A

Your set-up

  1. Comodo Firewall 5.4.189822.1355
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No
  3. a) Have you imported a config from a previous version of CIS: No
  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.): No
  5. Defense+, Sandbox, Firewall & AV security levels: D+= Clean PC Mode, Sandbox= Disabled, Firewall = Custom Policy, AV = N/A
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows 7 Professional, SP1, 64-bit, “Notify me only when programs try to make changes to my computer”, Administrator account
  7. Other security and utility software installed: none
  8. Virtual machine used (Please do NOT use Virtual box): none

[attachment deleted by admin]

just out of curiosity, how did you identify this rouge dll ?

Thank you for your Issue report.

Moved to verified.

Thank you


I didn’t, actually. I just noticed that whatever DLL it was, it tried to connect to an IP no legitimate service had any business connecting to. This was made way harder by the fact that Comood doesn’t reverse-lookup the IPs in the Alert Window.

Well I’m glad this topic was moved, two years later.

Will Comodo actually DO ANYTHING about it?

Note, I’ve uninstalled it because this security hole is just too ridiculously large to keep using Comodo.

If you can confirm that there is still a vulnerability with version 6.1 please make a new bug report for it.