Services.exe, svchost.exe, system are trying to connect to the internet

Hi, I’m new to this forum.

I have been using COMODO v3 firewall for a few months (replacing ZA), and I have a question:

Recently I updated the firewall to the latest version, and after this update several pop-up windows are shown occasionally. Either services.exe, svchost.exe, or System is trying to connect to the internet (or is going to receive a connection from another computer).

Currently I’m using a DSL connection.

Should I allow those three to connect to the internet?

Those are Windows programs so yes.

Thanks.

I’m getting alerts too, that another computer is trying to connect to svchost.exe. I’ve been blocking these. So, should I be allowing them?

No, svchost.exe etc. should be “outgoing only”.

But hey, isn’t there a way that malware can use the same names to conceal itself?

Hi!
I use CFP 3.0.13.268 and a DSL connection in my home network (static IP 192.168.1.1 - modem/proxy/gateway/DNS/etc., 192.168.1.x - my computers).
If ANY program (Firefox, Miranda IM, IE, games) tries to connect to the internet, CFP shows something like “svchost.exe / “System Idle Process” is trying to get a UDP connection to 192.168.1.1” (next from 192.168.1.1 to some internet address). It’s no problem to set rules for svchost, BUT I NEED to know which program is trying to connect!!!

My last firewall was Comodo too, ver. 2.x.x.x, and it could detect which program was connecting.

PS: sorry for my English.

My OS is Win XP Professional Service Pack 2 (but I just changed CFP 2 → 3 and got this problem). Please help!

Sorry, not much help here. All I did was install Comodo and it worked. No errors. No services trying to access. Try doing a complete uninstall, and I mean complete, then reinstall using the latest Comodo.

maybe because you do so?

I think it’s a problem only when you use a gateway.
Big minus for Comodo ((((((( ver. 2.x.x.x was cool.

  • uninstalled and installed Comodo Firewall v3.0.22.349 (x64)
  • no custom rule for svchost
  • safe mode on (both firewall / defense)

and now again I have a svchost.exe popup!?

Mostly from China? Why, if svchost.exe is a safe tool from Microsoft, does it connect to China??

svchost.exe is trying to receive a connection from the Internet

222.73.204.83 TCP
ms-rpc(135)

IP address: 222.73.204.83
Reverse DNS: [No reverse DNS entry per ns.sta.net.cn.]
Reverse DNS authenticity: [Unknown]
ASN: 4812
ASN Name: CHINANET-SH-AP (China Telecom (Group))
IP range connectivity: 0
Registrar (per ASN): APNIC
Country (per IP registrar): CN [China]
Country Currency: CNY [China Yuan Renminbi]
Country IP Range: 222.64.0.0 to 222.95.255.255
Country fraud profile: Normal
City (per outside source): Shanghai, Shanghai
Country (per outside source): CN [China]
Private (internal) IP? No
IP address registrar: whois.apnic.net
Known Proxy? No

Don’t know why it wants a Chinese takeaway, but I just blocked these 3 from getting out (in Firewall - don’t block 'em in Defence+!) and still seem to be surfing OK.

I have a popup. How do I block only in the firewall, not in Defense?

If I’m not in front of the computer, I guess it will block by default after the waiting time expires?

Why are svchost.exe, explorer.exe, lsass.exe, ms-rpc, etc. not automatically handled by default in Comodo like in most antivirus (ZoneAlarm, …)?

A simple allow in, deny out (for software calling home) like in ZoneAlarm is a much easier & more secure way…

svchost.exe
124.207.131.91
ms-rpc
port : 135

svchost.exe
61.151.254.31
ms-rpc
port : 135

svchost.exe 118.0.40.26
ms-rpc
port : 135
(Japan)

svchost.exe 83.132.170.196
ms-rpc
port : 135
Portugal

svchost.exe
212.199.8.65
ms-rpc
port 135
Israel Tel Aviv

lsass.exe
193.190.208.38 UDP
Port 500

Application : System
Remote : 71.243.237.212 UDP
Port : nbname(137)
Verizon Internet Services Inc.

64.15.206.217 MS-ds 3478

83.97.212.427 MS-ds 445

D+ won’t give you an alert because it’s a firewall alert.


http://img107.imageshack.us/img107/9565/comodosvchostpopupid4.jpg

IP address: 72.27.12.9
Reverse DNS: port0009-acf-adsl.cwjamaica.com.
Reverse DNS authenticity: [Verified]
ASN: 10292
ASN Name: CWJ-1
IP range connectivity: 2
Registrar (per ASN): ARIN
Country (per IP registrar): JM [Jamaica]
Country Currency: JMD [Jamaica Dollars]
Country IP Range: 72.27.0.0 to 72.27.127.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): JM [Jamaica]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

I have svchost, System and explorer all OUTGOING only. See the threads in here and the screenshots.


http://img107.imageshack.us/img107/1488/comodomsds445ue4.jpg

Thanks for your answer, but can a mod tell us why this is not like this by default in Comodo?

If the user is not in front of the screen, will it be accepted or denied?
Since by default the choice is (x) Allow this request.

So I have to add all those rules manually and I will be all right?


http://img208.imageshack.us/img208/2425/comodoapplicationrulesbuh2.png

Default is allowed, I believe. If it is allowed you can look at your log, then change it. Yes, those are all the same as I have.
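
The “outgoing only” advice in this thread, together with the question about malware reusing system process names, sketched as an added example (not part of any post and not Comodo's rule engine). The `Alert` fields, the `decide` and `review` functions and the `C:\WINDOWS` root are assumptions; the sample alerts are constructed, using addresses and ports quoted in the posts plus one made-up `C:\Temp` path.

```python
import ipaddress
from typing import NamedTuple, Optional

# Directory (under %SystemRoot%) each image normally runs from.
# "system" is the kernel pseudo-process and has no image file.
SYSTEM_IMAGES = {"svchost.exe": "system32", "services.exe": "system32",
                 "lsass.exe": "system32", "explorer.exe": "", "system": None}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Alert(NamedTuple):
    app: str              # process name shown in the popup
    path: Optional[str]   # full image path, None if unknown
    direction: str        # "in" or "out"
    remote: str           # remote IP address
    proto: str
    port: int             # local port for "in", remote port for "out"

def decide(alert: Alert, system_root: str = r"C:\WINDOWS"):
    """Return (action, reason) under an 'outgoing only' policy."""
    name = alert.app.lower()
    if name not in SYSTEM_IMAGES:
        return "ask", "not a Windows system program; decide per application"
    subdir = SYSTEM_IMAGES[name]
    # A familiar name proves nothing: compare the image path as well.
    if subdir is not None and alert.path is not None:
        expected = "\\".join(p for p in (system_root, subdir, name) if p)
        if alert.path.lower() != expected.lower():
            return "block", f"{alert.app} is running from an unexpected path"
    if alert.direction == "in":
        addr = ipaddress.ip_address(alert.remote)
        scope = "LAN" if any(addr in n for n in RFC1918) else "internet"
        return "block", f"unsolicited inbound from {scope} to port {alert.port}"
    return "allow", "outbound from a Windows system program"

# Constructed alerts (addresses and ports as quoted in the thread).
SAMPLES = [
    Alert("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "in", "222.73.204.83", "TCP", 135),
    Alert("System", None, "in", "71.243.237.212", "UDP", 137),
    Alert("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "out", "192.168.1.1", "UDP", 53),
    Alert("svchost.exe", r"C:\Temp\svchost.exe", "out", "192.168.1.1", "UDP", 53),
    Alert("firefox.exe", None, "out", "192.168.1.1", "UDP", 53),
]

def review(alerts):
    return [(a.app, *decide(a)) for a in alerts]

if __name__ == "__main__":
    for row in review(SAMPLES):
        print(row)
```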